Security Incidents mailing list archives

RE: NKADM rootkit - Something new?


From: "Levinson, Karl" <Karl.Levinson () dhs gov>
Date: Tue, 1 Jun 2004 11:16:23 -0400

The question is, sufficient for what?  Doing such a memory dump writes the
entire contents of memory to the hard drive, thus altering a large portion
of the hard disk image and possibly overwriting useful information.  In some
scenarios, this could possibly cause problems, e.g. if something important
on the drive is overwritten, or if the hard drive needs to stand up as
evidence in court.

The question is probably academic.  You cannot do this memory dump on demand
unless you previously added the registry value AND rebooted, before the
compromise took place.  

And as Harlan pointed out, if you did do this dump, you would have a lot of
data to go through in the dump.  You would have to be prepared with the
knowledge, tools and time to go through that dump, or else making the dump
will probably not help anyone.  Examining a Windows memory dump is not
trivial.


-----Original Message-----
From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net] 
Sent: Monday, May 31, 2004 5:09 PM
To: incidents () securityfocus com
Subject: Re: NKADM rootkit - Something new?

Microsoft has documented a way to create a memory dump on demand [1]. Could
this be considered sufficient to preserve the system's state?
