[Vol-users] 29c3 defeating windows memory forensics

George M. Garner Jr. ggarner_online at gmgsystemsinc.com
Mon Jan 7 09:20:48 CST 2013


Bonjour Matthieu!

On 1/7/2013 10:15 AM, Matthieu Suiche wrote:
> win32dd/win64dd has an option (/d) to generate Microsoft Crash Dumps
> without using the crashdump! or KeBugCheck() functions.
>

Yes, but how does the change in format alter the function of Luka's 
NtWriteFile hook, except to give him less information to scrub?  Of 
course you could roll your own IRP_MJ_WRITE and bypass NtWriteFile.  But 
then Luka could use his file system filter driver, or ask Peter 
Kleissner for a copy of the open source Stoned bootkit and adapt his 
lower disk/ACPI/ATAPI filter driver for the task.

The format of the output isn't the problem.

Regards,

George.
