[Vol-users] 29c3 defeating windows memory forensics

Luka Milkovic milkovic.luka at gmail.com
Wed Jan 9 13:49:55 CST 2013


Hi George,


On Wed, Jan 9, 2013 at 6:29 PM, George M. Garner Jr.
<ggarner_online at gmgsystemsinc.com> wrote:

>
> Moonsols Community Edition appears to support a "/s" option which will
> generate a cryptographic checksum which may be compared to the actual
> checksum of the output file.  While it is true, as you say, that
> cryptographic checksums will not detect tampering which occurred prior to
> the checksum's creation, adding the "/s" option should detect all of the
> kernel mode attacks which you document.  It will force you to attack along
> the read path (NtMapViewOfSection, MmMapIoSpace and MmMapMemoryDumpMdl) or
> else to fake both the content and the checksum. I am assuming that Matthieu
> is generating the checksum before writing the data to disk and not from the
> output file after it has been written.  +1 for Matthieu (maybe).

Unfortunately, that's not the case :(
The reason is that the checksum is calculated on the buffer *after* it
has been written to the file (basically the next call after
ZwWriteFile).
When Dementia is used, the checksum of the dump created by win32dd equals
the one printed out in the console.

Matthieu, what do you think about making the checksum before writing
the buffer to the dump?

Cheers,
Luka
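The ordering problem Luka describes, modelled in Python as an added example (this is not win32dd, Moonsols or Dementia code, and `ZwWriteFile`, the hook and the sample page are stand-ins, not the real kernel interfaces). A "write hook" plays the role of a kernel component that rewrites the output buffer inside the write call, a "read hook" plays the role of tampering along the read path (the MmMapIoSpace / NtMapViewOfSection case George mentions), and the two checksum placements are compared: hashing the buffer after the write call reproduces the failure in the thread (the checksum printed matches the tampered dump), hashing before the write detects write-path tampering, and neither placement detects read-path tampering.

```python
"""Model of a dump pipeline with a checksum option (added example, not tool code).

The attacker-controlled hooks below are stand-ins for kernel-mode tampering
points; the page content is constructed sample data, not a real memory image.
"""
import hashlib

# Constructed sample page: pool data containing a marker an attacker wants
# to remove from the dump (hypothetical, for illustration only).
MARKER = b"EPROCESS:malware.exe"
SAMPLE_PAGES = [b"pool-data-before " + MARKER + b" pool-data-after",
                b"unrelated page with no marker"]


def zero_marker(buf: bytearray) -> None:
    """In-place sanitiser: overwrite every occurrence of MARKER with zeros."""
    i = buf.find(MARKER)
    while i != -1:
        buf[i:i + len(MARKER)] = b"\x00" * len(MARKER)
        i = buf.find(MARKER, i + len(MARKER))


def acquire(pages, read_hook=None, write_hook=None, checksum_before_write=False):
    """Return (dump_bytes, reported_checksum).

    read_hook  : tampering on the read path (buffer is already wrong when read)
    write_hook : tampering inside the write call (buffer modified during write)
    checksum_before_write=False reproduces the behaviour reported in the thread:
    the hash is taken from the buffer *after* the write call returns.
    """
    h = hashlib.sha256()
    dump = bytearray()
    for page in pages:
        buf = bytearray(page)
        if read_hook:                 # stand-in for a hooked mapping routine
            read_hook(buf)
        if checksum_before_write:
            h.update(buf)             # hash what we *intend* to write
        if write_hook:                # stand-in for a hook on ZwWriteFile
            write_hook(buf)
        dump += buf                   # the bytes that actually reach the file
        if not checksum_before_write:
            h.update(buf)             # hash taken after the write: sees the tampering
    return bytes(dump), h.hexdigest()


def verify(dump: bytes, reported: str) -> bool:
    """Examiner's check: recompute the hash of the output file and compare."""
    return hashlib.sha256(dump).hexdigest() == reported


def compare_strategies():
    """Run the four scenarios and report whether the checksum caught tampering."""
    _, clean_hash = acquire(SAMPLE_PAGES)

    after_dump, after_hash = acquire(SAMPLE_PAGES, write_hook=zero_marker)
    before_dump, before_hash = acquire(SAMPLE_PAGES, write_hook=zero_marker,
                                       checksum_before_write=True)
    read_dump, read_hash = acquire(SAMPLE_PAGES, read_hook=zero_marker,
                                   checksum_before_write=True)
    return {
        "write_tampering_happened": MARKER not in after_dump,
        "hash_after_write_detects": not verify(after_dump, after_hash),
        "hash_before_write_detects": not verify(before_dump, before_hash),
        "hash_before_write_equals_clean": before_hash == clean_hash,
        "read_path_tampering_detected": not verify(read_dump, read_hash),
    }


if __name__ == "__main__":
    for name, result in compare_strategies().items():
        print(f"{name}: {result}")
```

Moving the hash before the write call is what makes the examiner's comparison meaningful against write-path hooks; as the read-path scenario shows, it does not help when the buffer is already altered by the time the acquisition tool sees it, which is exactly the attack surface George lists.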

