[Vol-users] 29c3 defeating windows memory forensics

George M. Garner Jr. ggarner_online at gmgsystemsinc.com
Mon Jan 7 09:20:48 CST 2013

Bonjour Matthieu!

On 1/7/2013 10:15 AM, Matthieu Suiche wrote:
> win32dd/win64dd has an option (/d) to generate Microsoft Crash Dumps
> without using the crashdump! or KeBugCheck() functions.

Yes, but how does the change in format alter the function of Luka's 
NtWriteFile hook, except to give him less information to scrub?  Of 
course you could roll your own IRP_MJ_WRITE and bypass NtWriteFile.  But 
then Luka could use his file system filter driver, or ask Peter 
Kleissner for a copy of the open source Stoned bootkit and adapt his 
lower disk/ACPI/ATAPI filter driver for the task.

The format of the output isn't the problem.
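The point made in this message, that a hook on the write path defeats any output format, can be illustrated from the defender's side with a read-after-write check: the acquisition tool hashes each block as it hands it to the write routine, then re-reads the finished file and compares. The following Python is an added example, not code from this thread or from win32dd/win64dd; the in-memory "sink", the `honest_write` and `scrubbing_write` functions and the sample image bytes are all constructed stand-ins (the scrubbing function is a toy that blanks one marker string inside a single write call, standing in for the NtWriteFile hook discussed above).

```python
import hashlib
import io
from typing import Callable

# Constructed stand-in for a memory image: a 4-byte header, padding, and a
# marker string that an anti-forensic write hook would want to remove.
MARKER = b"SECRET-PROCESS-NAME"
SAMPLE_IMAGE = b"MDMP" + b"\x00" * 28 + MARKER + b"\x00" * 45

WriteFn = Callable[[io.BytesIO, bytes], int]


def honest_write(sink: io.BytesIO, buf: bytes) -> int:
    """Hypothetical clean write path: bytes reach the 'disk' unchanged."""
    sink.write(buf)
    return len(buf)


def scrubbing_write(sink: io.BytesIO, buf: bytes) -> int:
    """Toy model of a hooked write path: the marker is blanked before the
    buffer lands on 'disk', but the caller is told the full length was
    written, exactly as a tampered NtWriteFile would report success."""
    sink.write(buf.replace(MARKER, b"\x00" * len(MARKER)))
    return len(buf)


def acquire(image: bytes, write_fn: WriteFn, chunk: int = 32) -> tuple[str, str]:
    """Write the image through write_fn in chunks, hashing what we INTENDED
    to write, then re-read the sink and hash what ACTUALLY got stored.
    Returns (expected_sha256, actual_sha256)."""
    sink = io.BytesIO()
    expected = hashlib.sha256()
    for off in range(0, len(image), chunk):
        block = image[off:off + chunk]
        expected.update(block)          # hash taken before the write call
        written = write_fn(sink, block)
        if written != len(block):
            raise IOError(f"short write at offset {off}")
    sink.seek(0)
    actual = hashlib.sha256(sink.read()).hexdigest()
    return expected.hexdigest(), actual


def verify_acquisition(image: bytes, write_fn: WriteFn) -> bool:
    """True when the stored image matches what the tool meant to write."""
    expected, actual = acquire(image, write_fn)
    return expected == actual


if __name__ == "__main__":
    for name, fn in (("clean", honest_write), ("hooked", scrubbing_write)):
        print(f"{name:6s} write path -> image intact: {verify_acquisition(SAMPLE_IMAGE, fn)}")
    # Changing the container format (a different header) does not help,
    # because the hook acts on the bytes regardless of what format they are in.
    raw_format = b"RAW!" + SAMPLE_IMAGE[4:]
    print(f"raw-format image via hooked path intact: {verify_acquisition(raw_format, scrubbing_write)}")
```

The check only tells the tool that the on-disk copy differs from what it wrote; it does not say who changed it, and a hook that also intercepts the read-back would hide the discrepancy, which is why hashing should happen before the data leaves the acquisition process and the verification read should ideally come from a different host.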
