[Vol-users] 29c3 defeating windows memory forensics

Matthieu Suiche msuiche at gmail.com
Mon Jan 7 09:29:14 CST 2013


I thought Luka was pointing out the Microsoft crash dump format because
it's easier to analyze with WinDbg etc., not for acquisition reasons; if it's
for acquisition reasons, that's exactly the same. That's one of the
reasons Microsoft is encouraging people to use 64-bit, even though of
course PatchGuard can still be bypassed. No security mechanism is perfect.
That's the cat and mouse game we all know very well. :)

On Mon, Jan 7, 2013 at 3:20 PM, George M. Garner Jr. <ggarner_online at gmgsystemsinc.com> wrote:

> Bonjour Matthieu!
>
> On 1/7/2013 10:15 AM, Matthieu Suiche wrote:
> > win32dd/win64dd has an option (/d) to generate Microsoft Crash Dumps
> > without using the crashdump! or KeBugCheck() functions.
> >
>
> Yes, but how does the change in format alter the function of Luka's
> NtWriteFile hook, except to give him less information to scrub?  Of course
> you could roll your own IRP_MJ_WRITE and bypass NtWriteFile.  But then Luka
> could use his file system filter driver, or ask Peter Kleissner for a copy
> of the open source Stoned bootkit and adapt his lower disk/ACPI/ATAPI
> filter driver for the task.
>
> The format of the output isn't the problem.
>
> Regards,
>
> George.
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilesystems.com/mailman/listinfo/vol-users
>
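The thread's point is that a write-path hook (NtWriteFile, a self-made IRP_MJ_WRITE, a file system filter, or a lower disk filter) sees the same page bytes whatever container the acquisition tool wraps them in, so changing the output format buys nothing by itself. The following is an added illustration, not code from the thread, from win32dd/win64dd or from the 29c3 talk: it models the scrubbing hook as a plain byte-replacement on the write path, uses a made-up minimal container (not the real Microsoft crash dump layout), and shows the check an acquisition tool can do anyway, hashing pages as they are read and comparing against what actually reached disk. The hypothetical names `SECRET`, `crashdump_like` and `scrubbing_write_hook` are this example's own.

```python
"""
Added example (not from the thread): a tampered write path scrubs dump
contents regardless of container format; a hash taken before the data
enters the write path detects the tampering.
"""
import hashlib
import struct

PAGE = 4096

# Constructed sample "physical memory": three pages, one of which carries
# a marker string the hypothetical rootkit wants to hide from the analyst.
SECRET = b"HYPOTHETICAL_DRIVER_MARKER"
SAMPLE_PAGES = [
    b"\x00" * PAGE,
    (SECRET + b"\x00" * PAGE)[:PAGE],
    b"A" * PAGE,
]


def raw_dump(pages):
    """Raw container: pages concatenated, no header."""
    return b"".join(pages)


CRASHDUMP_LIKE_HEADER_LEN = 12


def crashdump_like(pages):
    """Made-up minimal container: 8-byte magic, page count, then pages.
    Stands in for 'some structured format'; not the real DMP layout."""
    return b"PAGEDUMP" + struct.pack("<I", len(pages)) + b"".join(pages)


def scrubbing_write_hook(buf):
    """Models a hook on the write path (NtWriteFile / IRP_MJ_WRITE /
    filter driver). It operates on the bytes handed to it, so it works
    the same whichever container wraps the pages."""
    return buf.replace(SECRET, b"\x00" * len(SECRET))


def honest_write(buf):
    """Untampered write path: bytes reach disk unchanged."""
    return buf


def acquire(pages, container, write_path):
    """Read pages, hash them *before* they enter the write path, then
    push the containerised dump through the (possibly hooked) writer.
    Returns (expected_hash, bytes_on_disk)."""
    expected = hashlib.sha256(b"".join(pages)).hexdigest()
    on_disk = write_path(container(pages))
    return expected, on_disk


def verify(expected, on_disk, header_len):
    """Re-read the dump body from 'disk' and compare it with the hash
    taken at acquisition time. The hash must be kept out of the same
    write path (printed to console, sent over the network, ...) or the
    hook can rewrite it too."""
    body = on_disk[header_len:]
    return hashlib.sha256(body).hexdigest() == expected


if __name__ == "__main__":
    for name, container, hdr in (("raw", raw_dump, 0),
                                 ("crashdump-like", crashdump_like,
                                  CRASHDUMP_LIKE_HEADER_LEN)):
        for wname, writer in (("honest", honest_write),
                              ("hooked", scrubbing_write_hook)):
            exp, disk = acquire(SAMPLE_PAGES, container, writer)
            print(f"{name:15s} {wname:7s} intact={verify(exp, disk, hdr)} "
                  f"marker_present={SECRET in disk}")
```

Both containers lose the marker when the writer is hooked and both pass when it is not; the container never matters, only where the hash is taken and where it is kept. The same reasoning applies one layer down: if the hook sits in a lower disk filter, hashing at the file system level is already too late, so the reference hash has to leave the machine by a path the adversary does not control.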