A little journey inside Windows memory presented at HackLu 2008

by Damien Aumaître

Summary: In 2005 and 2006, two security researchers, Maximilian Dornseif and Adam Boileau, showed an offensive use of the FireWire bus. They demonstrated how to take control of a computer equipped with a FireWire port. This work has been continued.
After a brief summary of how memory works on a modern OS, we will explain how the FireWire bus works and how it can be used to access physical memory. Since modern operating systems and processors use virtual addresses (not physical ones), we rebuild the virtual address space of each process in order to retrieve and understand kernel structures.
Thus, we now have an instant view of the operating system without being subject to the security protections provided by the processor or the kernel.
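The step of "rebuilding the virtual space" from raw physical memory is the same page-table walk a memory-forensics tool performs on an acquired image. The following is an added illustration, not code from the talk: it implements the x86 32-bit non-PAE translation (page directory, then page table, with 4 MiB large pages handled) over a small constructed physical-memory image. The image layout, the directory base `CR3 = 0x39000`, the page-table location and the marker bytes are all assumptions made up for the example; on a real image the directory base would be recovered from the kernel structures the talk refers to, and PAE or 64-bit systems use a different page-table format.

```python
import struct

PAGE_SIZE = 0x1000
PTE_PRESENT = 1 << 0   # bit 0: entry is valid
PDE_LARGE = 1 << 7     # bit 7 (PS): PDE maps a 4 MiB page directly

# Constructed directory base for the sample image (in reality read from the
# kernel's process structures; value is an assumption for this example).
CR3 = 0x39000


def read_u32(mem, paddr):
    """Read a little-endian 32-bit word from the physical image, None if out of range."""
    if paddr < 0 or paddr + 4 > len(mem):
        return None
    return struct.unpack_from("<I", mem, paddr)[0]


def v2p(mem, cr3, vaddr):
    """Translate a 32-bit non-PAE virtual address to a physical address.

    Returns None when the directory or table entry is not present, or when
    the walk leaves the captured image (a common failure mode on partial dumps).
    """
    pde_addr = (cr3 & ~0xFFF) + ((vaddr >> 22) & 0x3FF) * 4
    pde = read_u32(mem, pde_addr)
    if pde is None or not (pde & PTE_PRESENT):
        return None
    if pde & PDE_LARGE:
        # 4 MiB page: bits 31:22 of the PDE are the frame, low 22 bits of vaddr the offset
        return (pde & 0xFFC00000) | (vaddr & 0x3FFFFF)
    pte_addr = (pde & ~0xFFF) + ((vaddr >> 12) & 0x3FF) * 4
    pte = read_u32(mem, pte_addr)
    if pte is None or not (pte & PTE_PRESENT):
        return None
    return (pte & ~0xFFF) | (vaddr & 0xFFF)


def read_virtual(mem, cr3, vaddr, length):
    """Read bytes from the virtual address space, translating page by page.

    Returns None if any page in the range is unmapped, rather than silently
    returning a truncated or mixed result.
    """
    out = bytearray()
    while length > 0:
        paddr = v2p(mem, cr3, vaddr)
        if paddr is None:
            return None
        chunk = min(length, PAGE_SIZE - (vaddr & 0xFFF))
        if paddr + chunk > len(mem):
            return None
        out += mem[paddr:paddr + chunk]
        vaddr += chunk
        length -= chunk
    return bytes(out)


def build_sample_physmem():
    """Constructed 8 MiB physical image with two mappings (assumption, not a real dump)."""
    mem = bytearray(8 * 1024 * 1024)
    page_table = 0x40000
    # PDE[1] -> page table; PTE[1] -> frame 0x7000: virtual 0x00401000 maps to physical 0x7000
    struct.pack_into("<I", mem, CR3 + 1 * 4, page_table | 0x3)
    struct.pack_into("<I", mem, page_table + 1 * 4, 0x7000 | 0x3)
    # PDE[2] with PS set -> 4 MiB page at physical 0x00400000 (virtual 0x00800000)
    struct.pack_into("<I", mem, CR3 + 2 * 4, 0x00400000 | 0x83)
    mem[0x7000:0x7008] = b"EPROC-OK"        # marker standing in for a kernel structure
    mem[0x400100:0x400105] = b"LARGE"       # marker inside the large page
    return mem


if __name__ == "__main__":
    image = build_sample_physmem()
    print(hex(v2p(image, CR3, 0x00401ABC)))        # 0x7abc
    print(read_virtual(image, CR3, 0x00401000, 8))  # b'EPROC-OK'
    print(read_virtual(image, CR3, 0x00800100, 5))  # b'LARGE'
    print(read_virtual(image, CR3, 0x00C00000, 4))  # None (not present)
```

Two details matter for forensic use: `read_virtual` refuses to return partial data when a range crosses into an unmapped page, and both functions return `None` instead of raising when the walk points outside the image, so an analyst can tell "not mapped" apart from "not captured".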
We will demonstrate several uses for this. First we will show what can be done with only an interpretation of kernel structures (read access). For example, we can obtain the list of all processes and access the registry with no access control, even for protected keys such as those under SAM. This is used to dump credentials.
Then we show what can be done when one modifies the memory (write access). As an example, we show a two-byte patch to unlock a workstation without knowing the password.
Last but not least, code execution is not supposed to happen through FireWire, since it is only a bus providing read/write access to the memory. However, slightly modifying the running kernel lets us do whatever we want. We will explain how to obtain a shell with SYSTEM privileges before any authentication.