[Vol-users] 29c3 defeating windows memory forensics
George M. Garner Jr.
ggarner_online at gmgsystemsinc.com
Mon Jan 7 09:20:48 CST 2013
On 1/7/2013 10:15 AM, Matthieu Suiche wrote:
> win32dd/win64dd has an option (/d) to generate Microsoft Crash Dumps
> without using the crashdump! or KeBugCheck() functions.
Yes, but how does the change in format alter the function of Luka's
NtWriteFile hook, except to give him less information to scrub? Of
course you could roll your own IRP_MJ_WRITE and bypass NtWriteFile. But
then Luka could use his file system filter driver, or ask Peter
Kleissner for a copy of the open source Stoned bootkit and adapt his
lower disk/ACPI/ATAPI filter driver for the task.
The format of the output isn't the problem.
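The reply's point is that a write-path hook scrubs whatever the acquisition tool writes regardless of the output format, so the defender's check has to compare what was read from memory against what actually landed on disk. The following is an added example, not code from the Vol-users thread or from win32dd/win64dd: it simulates a page-wise acquisition that hashes each page while it is still in the reader's buffer, reads the written image back, and reports pages whose stored content differs. The "physical memory", the marker string and the scrubbing writer are constructed stand-ins, and every name here is hypothetical.

```python
"""Read-back verification of an acquired memory image (added example).

The memory contents, the marker and the tampering writer below are
constructed for illustration; none of them come from the thread.
"""
import hashlib
import io

PAGE_SIZE = 4096
MARKER = b"rootkit-resident-string"  # constructed: content a write hook might scrub


def make_sample_memory(num_pages=4):
    """Constructed stand-in for physical memory: page i is filled with byte i,
    and page 2 starts with MARKER."""
    pages = [bytes([i]) * PAGE_SIZE for i in range(num_pages)]
    pages[2] = MARKER + pages[2][len(MARKER):]
    return b"".join(pages)


def page_digests(data):
    """SHA-256 of every page, taken while the data is still in our own buffer,
    i.e. before it passes through any file-write path."""
    return [hashlib.sha256(data[off:off + PAGE_SIZE]).hexdigest()
            for off in range(0, len(data), PAGE_SIZE)]


def honest_write(sink, data):
    """Writer that stores the buffer unchanged."""
    sink.write(data)


def scrubbing_write(sink, data):
    """Simulated in-flight write hook: it zeroes MARKER wherever it appears.
    This models the effect the message attributes to an NtWriteFile hook; note
    that it never looks at the dump format, which is why changing the format
    alone does not help."""
    sink.write(data.replace(MARKER, b"\x00" * len(MARKER)))


def acquire_and_verify(memory, write_fn):
    """Acquire `memory` through write_fn into an in-memory file, read the file
    back, and compare per-page digests with those computed at read time.
    Returns the indices of pages whose stored content differs."""
    expected = page_digests(memory)
    sink = io.BytesIO()
    write_fn(sink, memory)
    stored = sink.getvalue()
    if len(stored) != len(memory):
        raise ValueError("image length mismatch: %d vs %d" % (len(stored), len(memory)))
    actual = page_digests(stored)
    return [i for i, (e, a) in enumerate(zip(expected, actual)) if e != a]


if __name__ == "__main__":
    mem = make_sample_memory()
    print("honest writer, tampered pages:", acquire_and_verify(mem, honest_write))
    print("scrubbing writer, tampered pages:", acquire_and_verify(mem, scrubbing_write))
```

The check only catches tampering that happens between the reader's buffer and the stored file. A rootkit that also alters what the reader sees when it maps physical memory, or that filters the read-back as well as the write, defeats it, which is consistent with the reply's argument that a lower-level filter driver moves the problem below anything the acquisition tool can verify from user mode. Keeping the digests on a separate host or emitting them out of band, rather than into the same file, is the practical counterpart in a real tool.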