Read physical memory

> So, could they be using “memory mirroring” feature?

No, memory mirroring requires custom HAL support and specialized
hardware.

I wouldn’t be surprised if at least some of them used
Device\PhysicalMemory. Maybe they don’t know about the risks,
or maybe they think that a 1% (or whatever it is) chance of hanging
or crashing the system is acceptable for their purposes. They will
have to reset the system at some point anyways so they can analyze
the disk off-line.


Pavel Lebedinsky/Windows Fundamentals Test
This posting is provided “AS IS” with no warranties, and confers no rights.

Maybe my lack of language skills caused you to misinterpret what I said. I
did not mean (say) that I do not care about the “content”. I said I do not
care about the “consistency”, because this is practically impossible on a
“running” system.

Fascinating. Earlier you said you didn’t care about the contents of the
memory, now you say you’re going to use the contents for computer
forensics in order to prove someone committed a crime. Well, I think this
thread will be more than enough to convince the jury of “reasonable doubt”
in your company’s techniques, don’t you think?


Happy New Year 2010

My idea is to image the physical memory, then correlate it with the contents
of “pagefile.sys” available on the disk. Not sure about the success of this;
as the first step, I thought of finding the way to image the physical memory.

Thanks Maxim S. Shatskih,
Lloyd

Yes.

Reading arbitrary physical memory is useless, since you don’t know for
what purpose this page was allocated by the MM.


Happy New Year 2010

There are situations where investigators have solid evidence from data
available on the disk, but the culprit states he did not commit the crime but
that some unknown software (malware) running in the system did. In this
scenario, the live system data will be useful for the investigators as well
as for the culprit to prove their side.

Thanks,
Lloyd

Doesn’t matter to “Lloyd”, he just wants to read a bunch of crap out of
someone’s RAM and look for phrases like “I am a rapist” or similar,
doesn’t matter who said it, or when or why, like if it was just a rant on
a message board…


Happy New Year 2010

If you hibernated the computer, that should place all of memory in the
hiberfile. Would that not make more sense? You would have to take that
hard drive and mount it via a forensics certified device to another
computer, but it might work much better than trying to flail about in
physical memory that you don’t own or control.


Have you considered simply forcing a dump, or hibernate and then analyze the
pagefile? Anything you do in a running system could possibly be used to
create doubt.

Hmmm … I can hear it now … the Twinkie defense for a computer.

Gary G. Little


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer


Lloyd wrote:

As evidence we need to image the memory.

On 1/10/2010 7:01 PM, xxxxx@gmail.com wrote:

Fascinating. Earlier you said you didn’t care about the contents of
the memory, now you say you’re going to use the contents for computer
forensics in order to prove someone committed a crime. […]

OP said he does not care about consistency of the memory contents.

For forensics analysis it is probably acceptable to have some buffers
reflected in a transient state.

Using VT techniques - as mentioned - is probably a better idea anyway.
Then OP’s software can (hopefully) at least *detect* if a rootkit already
virtualized the PC and is emulating “clean” memory.

How about using a hardware interface (FireWire?) to externally read out
the memory? Would that work?

“David Craig” wrote in message news:xxxxx@ntdev…
> If you hibernated the computer, that should place all of memory in the
> hiberfile. Would that not make more sense? You would have to take that
> hard drive and mount it via a forensics certified device to another
> computer, but it might work much better than trying to flail about in
> physical memory that you don’t own or control.

Hibernation is not always enabled.

And by the way, these “forensic” tricks are also exploitable
by malware that scans memory for various encryption keys ;-)
– pa


>>There are situations where investigators have solid evidence from data available in the disk, but the culprit states he did not commit crime but some unknown software (malware) running in the system. …

Any reason why the culprit cannot say that the modification in memory was also done by some software? ;-)

Additionally, what specific rootkit are you targeting? I recently worked on one such solution and they are a lot more sophisticated nowadays. Of all the ones we noticed, the one which hooks the disk port driver is the stealthiest.

We worked on rootkits hiding their process, driver or service binaries, rootkits doing DKOM, creating a variety of hooks at different levels, but I am not able to figure out what this physical-to-pagefile comparison will provide you.

Your objective may fetch some alternate answers for the specific problem.

Thanks
Aditya

> I wouldn’t be surprised if at least some of them used Device\PhysicalMemory.

And here’s an example of this:

http://msuiche.net/con/shakacon2009/NFI-Shakacon-win32dd0.3.pdf

(Note that the MmMapIoSpace method mentioned in the PDF suffers
from the same problem with regard to cache attributes).


Pavel Lebedinsky/Windows Fundamentals Test
This posting is provided “AS IS” with no warranties, and confers no rights.

In the forensics scenario, presumably the cops are in possession of
the computer and can enable anything they want to enable in order to
compel the computer to testify. For example one could simply enable
debug mode, enable full system dumps, and then use the debugger to
crash dump the system and then peruse the output from that offline.

Mark Roddy


I think Windows will not enable hibernate or page file size changes in the
current boot. Of course lawyers will scream tampering if any change is made
to the OS before a snapshot. If you want the in-memory image, it might not
be possible to get one at the place the computer is confiscated.

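The suggestions from Gary Little, David Craig and Mark Roddy above (force a complete crash dump, or hibernate, and analyse the resulting file offline rather than poking at live RAM) and David's caveat that such switches only take effect on a later boot can be turned into a read-only pre-acquisition check. The script below is an added example and is not code from the thread or from any of its participants. It assumes an elevated PowerShell 3.0 or later prompt on the seized machine; the registry keys and WMI classes it reads (CrashControl, Control\Power, the keyboard driver Parameters keys, Win32_ComputerSystem, Win32_PageFileUsage) are the standard ones, and the dump path C:\dedicated.dmp is a placeholder. It changes nothing on the box; the commands that would enable a missing path are printed as text, not executed.

```powershell
# Added example, not code from the thread. Read-only survey of the "native"
# memory-acquisition paths on a seized Windows box: is there a hiberfil, is a
# complete crash dump configured, and how could a bugcheck be triggered.
# Nothing here changes the system; the commands that WOULD enable a missing
# path are printed as text, because crash-dump settings only take effect after
# a reboot, which is exactly the evidence-tampering problem raised in the thread.
# Assumes an elevated PowerShell 3.0+ prompt.

$ramMB = [math]::Ceiling((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
"Installed RAM: $ramMB MB"

# 1. Hibernation: hiberfil.sys is written on hibernate and can be parsed offline.
$power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
$hiber = Get-Item "$env:SystemDrive\hiberfil.sys" -Force -ErrorAction SilentlyContinue
if ($power.HibernateEnabled -eq 1 -and $hiber) {
    "Hibernation: enabled, hiberfil.sys is $([math]::Round($hiber.Length / 1MB)) MB"
} else {
    "Hibernation: NOT enabled (enabling it: powercfg /hibernate on)"
}

# 2. Crash dump configuration. CrashDumpEnabled: 0 none, 1 complete (all of
#    RAM), 2 kernel, 3 small, 7 automatic. Only a complete dump is a full image.
$cc    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$kinds = @{ 0 = 'none'; 1 = 'complete'; 2 = 'kernel'; 3 = 'small'; 7 = 'automatic' }
$kind  = $kinds[[int]$cc.CrashDumpEnabled]
"Crash dump type: $kind (written to $($cc.DumpFile))"

# A complete dump goes through the boot-volume pagefile unless DedicatedDumpFile
# is set, so the pagefile must be at least RAM-sized for the dump to succeed.
$pf   = Get-CimInstance Win32_PageFileUsage | Where-Object { $_.Name -like "$env:SystemDrive*" }
$pfMB = if ($pf) { [int]$pf.AllocatedBaseSize } else { 0 }
"Pagefile on $($env:SystemDrive): $pfMB MB"
if ($kind -eq 'complete' -and ($cc.DedicatedDumpFile -or $pfMB -ge $ramMB)) {
    "Complete memory dump: READY; a forced bugcheck will capture all of RAM"
} else {
    "Complete memory dump: NOT ready. Enabling it needs a reboot, e.g.:"
    "  Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl CrashDumpEnabled 1"
    "  Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl DedicatedDumpFile C:\dedicated.dmp"
}

# 3. Triggers for the bugcheck once a complete dump is configured:
#    a) kernel debugger enabled at boot (bcdedit /debug on, reboot), then the
#       '.crash' command in kd/WinDbg;
#    b) keyboard-initiated crash: CrashOnCtrlScroll = 1 under the i8042prt (PS/2)
#       or kbdhid (USB) Parameters key, reboot, then right Ctrl + Scroll Lock
#       twice -> bugcheck 0xE2 MANUALLY_INITIATED_CRASH.
$dbg = (bcdedit /enum '{current}' 2>$null) -match '^\s*debug\s+Yes'
"Kernel debugger enabled at boot: $([bool]$dbg)"
foreach ($kbd in 'i8042prt', 'kbdhid') {
    $p = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$kbd\Parameters" -ErrorAction SilentlyContinue
    "CrashOnCtrlScroll ($kbd): $(if ($p.CrashOnCtrlScroll -eq 1) { 'on' } else { 'off' })"
}

# 4. Whichever file you end up with (hiberfil.sys or MEMORY.DMP), hash it on
#    the imaging workstation before analysis, e.g.
#    Get-FileHash -Algorithm SHA256 X:\MEMORY.DMP
```

Run it before touching anything else. If every line comes back NOT ready, the only live options left are the third-party acquisition drivers the thread is arguing about, and every caveat raised above (cache-attribute mismatches, a rootkit that virtualizes the box, reasonable doubt about anything collected from a running system) applies to whatever they produce.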

We are not targeting any specific rootkits/malware. This comes in the later
part, the analysis. Yes, maybe a running rootkit can divert the “memory
imaging”. At the time of imaging, we won’t look for modification in the
kernel data structures. During the analysis, I hope we would be able to
identify the modifications in the kernel data structures.


Is it possible to freeze the system from scheduling other jobs, that is,
make the kernel run “only” the necessary kernel-related routine and then
the imaging software (i.e. take control of the job scheduler)? As the other
user processes are in a blocked state, there won’t be a “page attribute”
change problem.

Thanks again,
Lloyd



If you make sure every CPU in the system is running at DISPATCH_LEVEL
then you can guarantee that nothing at PASSIVE_LEVEL will be running.
You can even spin all CPU’s at HIGH_LEVEL, but only for a very short
amount of time, as that blocks IPI_LEVEL activity and windows will BSoD.

If your malware is smart though, it will page itself out while you do
this :-)

James

Note that the recommended approach, should you absolutely require an all-processors corral barrier, is to use KeIpiGenericCall. Attempting to “roll your own” with DPCs is fraught with subtle and difficult-to-catch (or debug) deadlocks (consider the scenario of multiple callers attempting to enter N distinct “home-brewed” processor corral barriers simultaneously without coordination).

That being said, what the prior poster asked for is certainly not a recommended course of action.

  • S


> Note that the recommended approach, should you absolutely require an all-processors corral barrier, is to use KeIpiGenericCall. Attempting to “roll your own” with DPCs is fraught with subtle and difficult-to-catch (or debug) deadlocks (consider the scenario of multiple callers attempting to enter N distinct “home-brewed” processor corral barriers simultaneously without coordination).

KeIpiGenericCall
Versions: Available on Microsoft Windows Server 2003 and later operating
systems.

> That being said, what the prior poster asked for is certainly not a recommended course of action.

I don’t think anyone disagrees with that :-)

It’s an interesting problem though… and I think that in this case no
matter what you did there would always be reasonable doubt involved -
I’d certainly hate for someone to be convicted on the basis of the
outcome of such a thing!

James

Days are nearing when the law will require having something like AMT or
another “big brother eye” built into our machines?
–pa