Clik here to view.
DMA attacking over USB-C and Thunderbolt 3
I just got an Intel NUC Skull Canyon that has an USB-C port capable of Thunderbolt 3. Thunderbolt is interesting since it's able to carry PCI Express which is Direct Memory Access (DMA) capable. I have...
View ArticleClik here to view.
Disable Virtualization Based Security (VBS) on auto-booting systems
I this post I will show how it's possible to disable Windows 10 Virtualization Based Security (VBS), Credential and Device Guard, by corrupting in-memory structures prior to operating system boot.For...
View ArticleClik here to view.
Windows 10 KASLR Recovery with TSX
It is possible to break Kernel Address Space Layout Randomization (KASLR) on modern operating systems running on modern x86 CPU's.One possible way of doing this is to time certain operations when using...
View ArticleClik here to view.
macOS FileVault2 Password Retrieval
macOS FileVault2 let attackers with physical access retrieve the password in clear text by plugging in a $300 Thunderbolt device into a locked or sleeping mac. The password may be used to unlock the...
View ArticleClik here to view.
Attacking UEFI Runtime Services and Linux
Attackers with physical access are able to attack the firmware on many fully patched computers with DMA - Direct Memory Access. Once code execution is gained in UEFI/EFI Runtime Services it is possible...
View ArticleClik here to view.
Attacking UEFI
Unlike macs many PCs are likely to be vulnerable to pre-boot Direct Memory Access (DMA) attacks against UEFI. If an attack is successful on a system configured with secure boot - then the chain of...
View ArticleClik here to view.
Introducing the Memory Process File System for PCILeech
The Memory Process File System for PCILeech is an easy and convenient way to quickly look into memory dumps. The processes in a memory dump and their virtual memory should be mapped as files and...
View ArticleClik here to view.
Total Meltdown?
Did you think Meltdown was bad? Unprivileged applications being able to read kernel memory at speeds possibly as high as megabytes per second was not a good thing.Meet the Windows 7 Meltdown patch from...
View ArticleClik here to view.
Remote LIVE Memory Analysis with The Memory Process File System v2.0
This blog entry aims to give an introduction to The Memory Process File System and show how easy it is to do high-performant memory analysis even from live remote systems over the network.This and much...
View ArticleClik here to view.
Introducing the LeechAgent
The LeechAgent is a 100% free open source endpoint solution geared towards remote physical memory acquisition and analysis on Windows endpoints in Active Directory environments.The LeechAgent provides...
View ArticleClik here to view.
Modifying the Acorn CLE-215+ FPGA into a PCILeech DMA attack device
PCILeech and MemProcFS allows for easy-to-use user-friendly DMA attacks and hardware assisted memory analysis. This is possible since PCI Express supports DMA. Unfortunately production of compatible...
View Article