A little journey inside Windows memory

Original Paper. Journal in Computer Virology.

Abstract

In 2005 and 2006, two security researchers, Maximilian Dornseif and Adam Boileau, showed an offensive use of the FireWire bus: they demonstrated how to take control of a computer equipped with a FireWire port. This paper continues that work. After a brief summary of how memory management works on a modern OS, we explain how the FireWire bus works and how it can be used to read and write physical memory directly (by DMA, without the CPU's involvement). Since modern operating systems and processors work with virtual addresses rather than physical ones, we rebuild the virtual address space of each process, by walking its page tables from the physical memory image, in order to locate and interpret kernel structures. This gives us an instant view of the operating system that is not subject to the protections enforced by the processor or the kernel. We demonstrate several uses of this. First, we show what can be done by merely interpreting kernel structures (read access): for example, listing all processes, or reading the registry with no access control, even for protected keys such as those of the SAM, which we use to dump credentials. Then we show what can be done by modifying memory (write access): as an example, a 2-byte patch unlocks a workstation without knowing the password. Last but not least, code execution is not supposed to be possible through FireWire, since it is only a bus providing read/write access to memory; however, slightly modifying the running kernel lets us do whatever we want. We explain how to obtain a shell with SYSTEM privileges before any authentication.
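
The step the abstract glosses over, going from the physical memory a FireWire DMA read returns to the virtual addresses kernel structures are written in, is a page-table walk. The following is an added example, not code from the paper: it implements the classic two-level 32-bit (non-PAE) x86 walk over a constructed five-page "physical memory" image, starting from the page directory base of a process (its DirectoryTableBase, what the CPU would hold in CR3), and layers page-boundary-safe virtual reads and writes on top of it. The page layout, the addresses and the "SYSTEM" string are assumptions built for the example; on a real target the memcpy calls against `phys` would be DMA requests over the bus, and the write path is where a patch such as the paper's 2-byte unlock would be applied (the bytes written here are just a demonstration, not the paper's patch). PAE and x64 targets use 64-bit entries and three or four levels, so the walk below does not apply to them unchanged.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the target's physical memory: five 4 KiB pages.
 * On a real target every access to `phys` would be a FireWire DMA request;
 * the page layout below is an assumption made for this example. */
#define PAGE_SIZE 0x1000u
#define PHYS_SIZE (5u * PAGE_SIZE)
static uint8_t phys[PHYS_SIZE];

#define PTE_PRESENT 0x001u   /* bit 0 of a PDE/PTE: mapping is valid */
#define PTE_RW      0x002u   /* bit 1: writable */
#define PDE_LARGE   0x080u   /* bit 7 (PS) of a PDE: 4 MiB page, no PTE level */

static void put32(uint32_t pa, uint32_t v) { memcpy(phys + pa, &v, 4); }

/* Bounds-checked 32-bit read of physical memory (the DMA read primitive). */
static int phys_read32(uint32_t pa, uint32_t *out) {
    if ((pa & 3u) || pa + 4u > PHYS_SIZE) return 0;
    memcpy(out, phys + pa, 4);
    return 1;
}

uint8_t phys_read8(uint32_t pa) { return pa < PHYS_SIZE ? phys[pa] : 0; }

/* Two-level 32-bit (non-PAE) page walk. cr3 is the page directory base of
 * the process (its DirectoryTableBase). Returns 1 and sets *pa on success,
 * 0 when the virtual address is not mapped in this process. */
int va_to_pa(uint32_t cr3, uint32_t va, uint32_t *pa) {
    uint32_t pde, pte;
    uint32_t pde_addr = (cr3 & 0xFFFFF000u) + ((va >> 22) & 0x3FFu) * 4u;
    if (!phys_read32(pde_addr, &pde) || !(pde & PTE_PRESENT)) return 0;
    if (pde & PDE_LARGE) {                      /* 4 MiB page: no page table */
        *pa = (pde & 0xFFC00000u) | (va & 0x003FFFFFu);
        return 1;
    }
    uint32_t pte_addr = (pde & 0xFFFFF000u) + ((va >> 12) & 0x3FFu) * 4u;
    if (!phys_read32(pte_addr, &pte) || !(pte & PTE_PRESENT)) return 0;
    *pa = (pte & 0xFFFFF000u) | (va & 0xFFFu);
    return 1;
}

/* Same walk, returning 0xFFFFFFFF for an unmapped address. */
uint32_t translate(uint32_t cr3, uint32_t va) {
    uint32_t pa;
    return va_to_pa(cr3, va, &pa) ? pa : 0xFFFFFFFFu;
}

/* Copy between a virtual range and a buffer one page at a time, so that a
 * structure straddling a page boundary is handled. Stops at the first
 * unmapped page and returns the number of bytes actually copied. */
static size_t vm_copy(uint32_t cr3, uint32_t va, uint8_t *buf, size_t len, int write) {
    size_t done = 0;
    while (done < len) {
        uint32_t pa;
        if (!va_to_pa(cr3, va + (uint32_t)done, &pa)) break;
        size_t chunk = PAGE_SIZE - (pa & (PAGE_SIZE - 1u));
        if (chunk > len - done) chunk = len - done;
        if (pa + chunk > PHYS_SIZE) break;       /* beyond the captured image */
        if (write) memcpy(phys + pa, buf + done, chunk);  /* the patch path */
        else       memcpy(buf + done, phys + pa, chunk);
        done += chunk;
    }
    return done;
}
size_t vm_read(uint32_t cr3, uint32_t va, void *buf, size_t len) {
    return vm_copy(cr3, va, (uint8_t *)buf, len, 0);
}
size_t vm_write(uint32_t cr3, uint32_t va, const void *buf, size_t len) {
    return vm_copy(cr3, va, (uint8_t *)buf, len, 1);
}

/* Build the constructed image: page directory at PA 0x1000, one page table
 * at PA 0x2000, data pages at PA 0x3000/0x4000 mapped contiguously from
 * VA 0x80001000, and a 4 MiB large page mapping VA 0x00400000 to PA 0. */
uint32_t build_sample_image(void) {
    const uint32_t cr3 = 0x1000u, pt = 0x2000u;
    memset(phys, 0, sizeof phys);
    put32(cr3 + 1u * 4u,   0x00000000u | PTE_PRESENT | PTE_RW | PDE_LARGE);
    put32(cr3 + 512u * 4u, pt | PTE_PRESENT | PTE_RW);
    put32(pt + 1u * 4u,    0x3000u | PTE_PRESENT | PTE_RW);
    put32(pt + 2u * 4u,    0x4000u | PTE_PRESENT | PTE_RW);
    memcpy(phys + 0x3FFC, "SYST", 4);   /* constructed string crossing the */
    memcpy(phys + 0x4000, "EM", 3);     /* 0x3000/0x4000 page boundary     */
    return cr3;
}

int main(void) {
    uint32_t cr3 = build_sample_image();
    char buf[8] = {0};
    printf("VA 0x80001ABC -> PA 0x%08x\n", translate(cr3, 0x80001ABCu));
    printf("VA 0x00401004 -> PA 0x%08x (4 MiB page)\n", translate(cr3, 0x00401004u));
    printf("VA 0x00001000 -> PA 0x%08x (unmapped)\n", translate(cr3, 0x00001000u));
    vm_read(cr3, 0x80001FFCu, buf, 7);
    printf("string at VA 0x80001FFC: %s\n", buf);
    vm_write(cr3, 0x80001FFCu, "sy", 2);   /* a 2-byte write through the walk */
    vm_read(cr3, 0x80001FFCu, buf, 7);
    printf("after patch: %s\n", buf);
    return 0;
}
```

The walk only ever touches physical addresses, which is why it works from the bus side with no help from the CPU: the page directory and page tables are themselves just pages in the image. Everything the abstract lists (process enumeration, reading SAM keys, the unlock patch) is a read or write through `vm_read`/`vm_write` once the right process's directory base and the right kernel structure offsets are known.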

References

  1. Barbosa, E.: Find some Non-Exported Kernel Variables in Windows XP. http://www.rootkit.com/newsread.php?newsid=101

  2. Boileau, A.: Hit by a Bus: Physical Access Attacks with Firewire (2006). http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf

  3. Bugcheck, Skape: Kernel-Mode Payloads on Windows (2005). http://www.uninformed.org/?v=3&a=4&t=pdf

  4. clark@hushmail.com: Security Accounts Manager (2005). http://www.beginningtoseethelight.org/ntsecurity/index.php

  5. Dornseif, M.: All Your Memory are Belong to Us (2005). http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf

  6. ionescu007: Getting Kernel Variables from KdVersionBlock, Part 2. http://www.rootkit.com/newsread.php?newsid=153

  7. Jack, B.: Remote Windows Kernel Exploitation: Step into the Ring 0 (2005). http://research.eeye.com/html/papers/download/StepIntoTheRing.pdf

  8. Schuster, A.: Searching for Processes and Threads in Microsoft Windows Memory Dumps (2006). http://dfrws.org/2006/proceedings/2-Schuster-pres.pdf

Author information

Correspondence to Damien Aumaitre.

Cite this article

Aumaitre, D. A little journey inside Windows memory. J Comput Virol 5, 105–117 (2009). https://doi.org/10.1007/s11416-008-0112-2
