re: Pagefile for reader/dumpers NT?

From: Buck Buchanan (lbuchanaat_private)
Date: Wed Jul 31 2002 - 13:08:04 PDT

    Hi,
    
    Bypassing the file system and directly accessing the disk can easily dump
    any disk block.  Disk Probe from the NT Resource Kit can do this.  The hard
    part is figuring out which blocks the pagefile(s) is/are using.  I am not
    aware of any easy-to-use "script kiddie" tools that will accomplish this,
    but would like to find one.  Another way to access the pagefile(s) would be
    to use a kernel-level debugger.  This is not for the faint of heart.
    
    If the attacker has access to the contents of the pagefile(s), they already
    have full control over the system.  With the obvious exception of decrypted
    passwords, making sense of the contents is going to be something of a
    challenge.  Since the attacker has already been caught blowing smoke, I
    would tend to agree with H C's assessment.
    
    Pmdump.exe is limited to dumping a process's current image, and can easily
    miss pages that had been used and then freed.  It will also miss seeing any
    surviving pages from processes that have terminated.
    
    B Cing U
    
    Buck
    
    
    From:    H C <keydet89@yahoo.com>
    To:      forensicsat_private
    cc:      avanderstock@b-sec.com.au
    Date:    07/31/2002 08:32 AM
    Subject: re: Pagefile for reader/dumpers NT?
    
    > I have an attacker who claims he was able to read the
    > contents of a live NT pagefile which helped him attack
    > further. So far, we have shown that a few of his other
    > claims are without merit, but this one has stumped me.
    
    You may have answered your own question...both
    technically, and in the fact that this attacker's
    other claims are "without merit".  Could be all
    boasting just to throw you off...
    
    I am not familiar with any tools that do what you
    describe...the only thing that remotely comes close
    that I know of is Arne's pmdump.exe utility from
    NTSecurity.nu...and that doesn't work specifically on
    the pagefile.
    
    Carv
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Thu Aug 01 2002 - 06:47:54 PDT