Abstract
In 2005 and 2006, two security researchers, Maximilian Dornseif and Adam Boileau, showed an offensive use of the FireWire bus: they demonstrated how to take control of a computer equipped with a FireWire port. This paper continues that work. After a brief summary of how memory works on modern operating systems, we explain how the FireWire bus works and how it can be used to access physical memory. Since modern operating systems and processors use virtual addresses (not physical ones), we rebuild the virtual address space of each process in order to retrieve and understand kernel structures. This gives an instant view of the operating system without being subject to the security protections provided by the processor or the kernel. We demonstrate several uses for this. First we show what can be done with only an interpretation of kernel structures (read access): for example, we can list all processes and access the registry with no access control, even for protected keys such as the SAM ones, which is used to dump credentials. Then we see what can be done when one modifies the memory (write access); as an example, we show a 2-byte patch that unlocks a workstation without knowing the password. Last but not least, code execution is not supposed to happen through FireWire, since it is only a bus providing read/write access to memory. However, slightly modifying the running kernel lets us do whatever we want. We explain how to obtain a shell with SYSTEM privileges before any authentication.
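Rebuilding a process's virtual address space from a raw physical-memory image, as the abstract describes, means walking that process's page tables with the same rules the MMU applies. The following is an added example, not code from the paper: a Python translator for the 32-bit x86 non-PAE two-level layout (page directory, page table, 4 KiB pages, plus the PS bit for 4 MiB large pages), run over a constructed 32 KiB image containing a hand-built directory and table. The CR3 value, entry layout and the "EPROCESS" tag that straddles two pages are all constructed for this demonstration; on a real dump the directory base would come from the target process's kernel structures (not given on this page), and PAE or x64 systems add levels but follow the same idea. The same walker is what a memory-forensics tool uses to read kernel structures out of a dump.

```python
import struct

PAGE_SIZE = 0x1000
PTE_PRESENT = 1 << 0   # bit 0 of a PDE/PTE: entry is valid and backed by RAM
PDE_LARGE = 1 << 7     # PS bit of a PDE: entry maps a 4 MiB page directly


class PageNotPresent(Exception):
    """A directory or table entry has the present bit clear: the page was
    never mapped or has been paged out, so it is absent from physical RAM."""


class PhysicalMemory:
    """Raw physical-memory image, as a DMA capture or a memory dump provides it."""

    def __init__(self, image: bytes):
        self.image = image

    def read(self, paddr: int, size: int) -> bytes:
        if paddr < 0 or paddr + size > len(self.image):
            raise ValueError(f"physical read 0x{paddr:x}+{size} outside image")
        return self.image[paddr:paddr + size]

    def read_u32(self, paddr: int) -> int:
        return struct.unpack("<I", self.read(paddr, 4))[0]


def translate_x86(mem: PhysicalMemory, cr3: int, vaddr: int) -> int:
    """Translate a 32-bit virtual address to a physical one (x86, non-PAE).

    Bits 31:22 index the page directory, 21:12 the page table, 11:0 are the
    offset inside the 4 KiB page. A PDE with PS set skips the table level.
    """
    pd_base = cr3 & 0xFFFFF000
    pde = mem.read_u32(pd_base + ((vaddr >> 22) & 0x3FF) * 4)
    if not pde & PTE_PRESENT:
        raise PageNotPresent(f"PDE for 0x{vaddr:08x} not present")
    if pde & PDE_LARGE:
        return (pde & 0xFFC00000) | (vaddr & 0x003FFFFF)
    pt_base = pde & 0xFFFFF000
    pte = mem.read_u32(pt_base + ((vaddr >> 12) & 0x3FF) * 4)
    if not pte & PTE_PRESENT:
        raise PageNotPresent(f"PTE for 0x{vaddr:08x} not present")
    return (pte & 0xFFFFF000) | (vaddr & 0xFFF)


def read_virtual(mem: PhysicalMemory, cr3: int, vaddr: int, size: int) -> bytes:
    """Read a virtual range, translating page by page so reads may cross pages
    that are not contiguous in physical memory."""
    out = bytearray()
    while size > 0:
        paddr = translate_x86(mem, cr3, vaddr)
        chunk = min(size, PAGE_SIZE - (vaddr & 0xFFF))
        out += mem.read(paddr, chunk)
        vaddr += chunk
        size -= chunk
    return bytes(out)


SAMPLE_CR3 = 0x1000  # constructed: the page directory occupies physical page 1


def build_sample_image() -> PhysicalMemory:
    """Constructed 8-page image with a directory, one table and two data pages."""
    image = bytearray(8 * PAGE_SIZE)
    pd, pt = SAMPLE_CR3, 0x2000
    # PDE[0]: 4 MiB large page identity-mapping physical 0x0..0x3FFFFF
    struct.pack_into("<I", image, pd + 0 * 4, 0x00000000 | PDE_LARGE | 0x3)
    # PDE[1]: virtual 0x00400000.. is described by the page table at 0x2000
    struct.pack_into("<I", image, pd + 1 * 4, pt | 0x3)
    # PTE[0] -> phys 0x3000, PTE[1] -> phys 0x4000; PTE[2] deliberately absent
    struct.pack_into("<I", image, pt + 0 * 4, 0x3000 | 0x3)
    struct.pack_into("<I", image, pt + 1 * 4, 0x4000 | 0x3)
    # constructed tag straddling the boundary between the two data pages
    image[0x3FFC:0x4004] = b"EPROCESS"
    return PhysicalMemory(bytes(image))


def demo() -> dict:
    mem = build_sample_image()
    result = {
        "small_page_paddr": translate_x86(mem, SAMPLE_CR3, 0x00400FFC),
        "large_page_paddr": translate_x86(mem, SAMPLE_CR3, 0x00003FFC),
        "tag": read_virtual(mem, SAMPLE_CR3, 0x00400FFC, 8),
    }
    try:
        translate_x86(mem, SAMPLE_CR3, 0x00402000)
        result["unmapped"] = "present"
    except PageNotPresent:
        result["unmapped"] = "not present"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The cross-page read is the detail that matters in practice: a kernel structure rarely sits at a page-aligned address, so a tool that reads one page at a time and concatenates the pieces, as `read_virtual` does, is what turns a bag of physical pages into the process view the paper interprets. The `PageNotPresent` path is the usual failure mode on a live system, where parts of a process are paged out and simply not in RAM.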
References
Barbosa, E.: Find some Non-Exported Kernel Variables in Windows xp. http://www.rootkit.com/newsread.php?newsid=101
Boileau, A.: Hit by a Bus: Physical Access Attacks with Firewire (2006). http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf
Bugcheck, Skape: Kernel-Mode Payloads on Windows (2005). http://www.uninformed.org/?v=3&a=4&t=pdf
clark@hushmail.com.: Security Accounts Manager (2005). http://www.beginningtoseethelight.org/ntsecurity/index.php
Dornseif, M.: All Your Memory are Belong to Us (2005). http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf
ionescu007.: Getting Kernel Variables from KdVersionBlock, Part2. http://www.rootkit.com/newsread.php?newsid=153
Jack, B.: Remote windows Kernel Exploitation Step into the Ring 0 (2005). http://research.eeye.com/html/papers/download/StepIntoTheRing.pdf
Schuster, A.: Searching for Processes and Threads in Microsoft Windows Memory Dumps (2006). http://dfrws.org/2006/proceedings/2-Schuster-pres.pdf
Aumaitre, D. A little journey inside Windows memory. J Comput Virol 5, 105–117 (2009). https://doi.org/10.1007/s11416-008-0112-2