DISQUS

Nate · 2 years ago

I think the most useful purpose is that all DMA happens without the CPU being aware or even able to detect it if it wanted to. This means all anti-debugging measures just go away and with some simple tools to find PTEs and regen the virtual map, you have remote debugging with no OS assistance.

Ryan Russell · 2 years ago

Nice, so a high-speed serial debugging interface, eh?

Thomas Ptacek · 2 years ago

Careful: there's already a 1394 debugging interface in Vista, but it's very detectable. This is, as Dornseif and Boileau both point out, something more insidious than a debugging interface.

On the other hand, if you can write into an instruction stream, you can set breakpoints, so consing up a debug stub from it CAN'T be THAT HARD. ;)

Adam Boileau · 2 years ago

Heh, glad someone actually read the pdf :)

I think one of the small-but-cool things that came out of my work on firewire memory access was the ability to recover plain text real-mode-disk-crypto passwords (like PGP Wholedisk or similar) from the real mode bios keyboard buffer. Of course, this is just one of the many treasures that lies around in memory, but it's not the first thing you think of. You boot your laptop, enter your disk crypto (or bios disk locker, or whatever) password out in realmode, and it stays there, forever, because it's never used again now you're in protected mode.

I thought it was neat, anyway.

Jon Evans · 2 years ago

As Adam points out, the possibilities of recovering crypto passwords from the realmode memory is cool. It works rather well :-)

I'm sure I read an article by Simson Garfinkel where he has hinted that acquiring memory using DMA may also be possible using USB.
http://www.csoonline.com/read/050106/ipods.html

Simon Cross · 1 year ago

The first use that springs to mind is a virus / malware checker that inspects RAM via the Firewire interface.