Posted by & filed under Hacking & Pentesting, Hacks, Tools & Methodology.

A couple of days after demonstrating winlockpwn, I came across libforensic1394, a C library with full Python bindings that uses the SBP2 FireWire (IEEE 1394) DMA feature to perform memory dumps and live patching of physical memory.

It works like a charm, and it is much more stable than the old winlockpwn hack. The reason is that instead of posing as an iPod (or any other specific SBP2 device), it presents the SBP2 stack with the original FireWire bus info from the attacker machine. Targets running Windows 7 and other operating systems seem happier with this, and the result is fewer BSODs and much more consistency and stability.

The library was written and made available by Freddie Witherden, and there is also a paper describing it. The paper even includes signatures for Windows 7 and OS X Snow Leopard, and code samples for performing live patching of RAM. This is great stuff; stand by for a code sample by yours truly in a couple of days.

Update: I’ve released a tool on GitHub called Inception, which uses libforensic1394 to unlock Windows 7 boxes. The tool is much more stable than winlockpwn. Drop me a line if you want to contribute.

9 Responses to “Alternative to winlockpwn: libforensic1394”

  1. Bobby

    I’ve been doing a lot of research on RAM analysis and would love to know how to use this program. I downloaded it but cannot figure out how to make it work.
    I’m really looking forward to your write-up on it.

  2. Bobby

    Hi Carsten,
    Thanks for the reply! I’m actually looking to use this to create RAM dumps, and I was using pythonraw1394 before. I used your guide to set it up and then used 1394memimage instead of winlockpwn haha. I’m just having trouble reading the upper memory area with 1394memimage, and I’m hoping that libforensic1394 will fix the error. And if I’m really lucky it’ll work on some Linux distributions.
    Thank you!

    • Carsten

      Glad to hear that it worked! By “upper memory area”, do you mean memory > 4GB? Unfortunately, SBP2 devices with DMA cannot access memory above 4GB; this is a limitation in the IEEE standard.

  3. Bobby

    Sorry it took so long to answer; I’ve been out of town. I haven’t been able to read anything past 2.2 GB. The only reason I could find for this is the UMA being unreadable. I have read about the 4 GB limit, and I was confused as to why I couldn’t get more than 2.2 GB of RAM.

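Both the post's memory-dump use of libforensic1394 and the 4 GB ceiling discussed in the comments come down to the same acquisition loop: read physical memory in fixed chunks, never past the DMA ceiling, and keep going when one region refuses to read instead of truncating the dump there. The following is an added example written for this page; it is not code from the post, from Inception or from libforensic1394. The `device` argument is anything with a `read(addr, nbytes)` method returning bytes; an opened forensic1394 Device is assumed to fit that shape, but the block only exercises a constructed `FakeDevice` so it runs without any FireWire hardware.

```python
# Added example (not the post's or libforensic1394's code): a bounded,
# read-only physical-memory acquisition loop with hole tracking.
# `device` is any object exposing read(addr, nbytes) -> bytes. An opened
# forensic1394 Device is assumed to match that shape; only a constructed
# FakeDevice is used below.
import hashlib

PAGE = 4096
FOUR_GIB = 1 << 32   # the SBP2 DMA ceiling mentioned in the comment thread


def acquire(device, start, end, chunk=PAGE, limit=FOUR_GIB):
    """Read physical addresses [start, end) in chunk-sized pieces.

    Reads never extend past `limit`. A chunk whose read fails is zero-filled
    and recorded in `holes` rather than aborting the dump, so a reserved or
    device-backed region does not truncate the image at that address.
    Returns (image_bytes, holes) where holes is a list of (addr, size).
    """
    end = min(end, limit)
    image = bytearray()
    holes = []
    addr = start
    while addr < end:
        size = min(chunk, end - addr)
        try:
            data = device.read(addr, size)
        except Exception:            # a failed DMA read surfaces as an exception
            data = bytes(size)       # keep the image address-aligned
            holes.append((addr, size))
        if len(data) != size:
            raise ValueError(f"short read at {addr:#x}: {len(data)} of {size}")
        image += data
        addr += size
    return bytes(image), holes


def image_digest(image):
    """SHA-256 of the acquired image, for the acquisition record."""
    return hashlib.sha256(image).hexdigest()


class FakeDevice:
    """Constructed stand-in for a DMA-capable device (not a real driver).

    It exposes `pages` readable pages, each byte equal to its page index
    modulo 256, except the indices in `bad_pages`, which fail the way a
    region the bus refuses to return does.
    """

    def __init__(self, pages, bad_pages=()):
        self.pages = pages
        self.bad_pages = set(bad_pages)

    def read(self, addr, size):
        first, last = addr // PAGE, (addr + size - 1) // PAGE
        if last >= self.pages or any(p in self.bad_pages for p in range(first, last + 1)):
            raise IOError(f"read failed at {addr:#x}")
        return bytes((a // PAGE) % 256 for a in range(addr, addr + size))


if __name__ == "__main__":
    dev = FakeDevice(pages=16, bad_pages=[5])
    img, holes = acquire(dev, 0, 16 * PAGE)
    print(f"{len(img)} bytes, holes={holes}, sha256={image_digest(img)}")
```

Recording an unreadable page in `holes` instead of stopping is what keeps a partial dump useful: the image stays address-aligned for whatever analysis follows, and the hole list shows exactly where the reads stopped succeeding, which is the first thing to look at when a dump ends well short of the 4 GB ceiling.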
