I have an attacker who claims he was able to read the contents of a live NT pagefile which helped him attack further. So far, we have shown that a few of his other claims are without merit, but this one has stumped me.

Without using a sector editor, I'm not terribly sure reading the live pagefile is possible under normal circumstances. NT/2k explicitly denies access to the file itself at a native API and Win32 level (try "type \pagefile.sys" or "copy \pagefile.sys blah.bin" from a command for yourself :-). This is the only pagefile on the system.

Does anyone know of any small command line or UI-less tools that can get or search the contents of the NT pagefile?

thanks,
Andrew van der Stock, MCSE, Chief Technologist, Mobile: 0412 532 963

b-sec http://www.b-sec.com.au
Melbourne: 03 9682 5700 Brisbane: 07 3374 3011 Sydney: 02 9908 5100
National Fax + 61 7 3374 3022
Email Disclaimer: http://www.b-sec.com.au/disclaimer.txt
This archive was generated by hypermail 2b30 : Wed Jul 31 2002 - 04:04:39 PDT