Matasano Chargen - Latest Comments in Windows Remote Memory Access Though FireWirehttp://matasanochargen.disqus.com/enFri, 14 Mar 2008 04:26:58 -0000Re: Windows Remote Memory Access Though FireWirehttp://www.matasano.com/log/695/windows-remote-memory-access-though-firewire/#comment-2321561<p>The first use that springs to mind is a virus / malware checker that inspects RAM via the Firewire interface.</p>Simon CrossFri, 14 Mar 2008 04:26:58 -0000Re: Windows Remote Memory Access Though FireWirehttp://www.matasano.com/log/695/windows-remote-memory-access-though-firewire/#comment-2321560<p>As Adam points out, the possibilities of recovering crypto passwords from the realmode memory is cool. It works rather well :-)</p><p>I'm sure I read an article by Simson Garfinkel where he has hinted that acquiring memory using DMA may also be possible using USB.<br><a href="http://www.csoonline.com/read/050106/ipods.html" rel="nofollow noopener" target="_blank" title="http://www.csoonline.com/read/050106/ipods.html">http://www.csoonline.com/re...</a></p>Jon EvansSat, 24 Feb 2007 11:49:56 -0000Re: Windows Remote Memory Access Though FireWirehttp://www.matasano.com/log/695/windows-remote-memory-access-though-firewire/#comment-2321559<p>Heh, glad someone actually read the pdf :)</p><p>I think one of the small-but-cool things that came out of my work on firewire memory access was the ability to recover plain text real-mode-disk-crypto passwords (like PGP Wholedisk or similar) from the real mode bios keyboard buffer. Of course, this is just one of the many treasures that lies around in memory, but it's not the first thing you think of. You boot your laptop, enter your disk crypto (or bios disk locker, or whatever) password out in realmode, and it stays there, forever, because it's never used again now you're in protected mode.</p><p>I thought it was neat, anyway.</p>Adam BoileauTue, 13 Feb 2007 03:34:34 -0000Re: Windows Remote Memory Access Though FireWirehttp://www.matasano.com/log/695/windows-remote-memory-access-though-firewire/#comment-2321558<p>Careful: there's already a 1394 debugging interface in Vista, but it's very detectable. This is, as Dornseif and Boileau both point out, something more insidious than a debugging interface.</p><p>On the other hand, if you can write into an instruction stream, you can set breakpoints, so consing up a debug stub from it CAN'T be THAT HARD. ;)</p>Thomas PtacekMon, 12 Feb 2007 16:49:14 -0000Re: Windows Remote Memory Access Though FireWirehttp://www.matasano.com/log/695/windows-remote-memory-access-though-firewire/#comment-2321557<p>Nice, so a high-speed serial debugging interface, eh?</p>Ryan RussellMon, 12 Feb 2007 16:27:47 -0000Re: Windows Remote Memory Access Though FireWirehttp://www.matasano.com/log/695/windows-remote-memory-access-though-firewire/#comment-2321556<p>I think the most useful purpose is that all DMA happens without the CPU being aware or even able to detect it if it wanted to. This means all anti-debugging measures just go away and with some simple tools to find PTEs and regen the virtual map, you have remote debugging with no OS assistance.</p>NateMon, 12 Feb 2007 13:59:17 -0000