A couple of days after demonstrating winlockpwn I came across libforensic1394, a C library with Python bindings for leveraging the SBP2 FireWire (IEEE 1394) DMA feature to perform memory dumps and live patching of physical memory.
It works like a charm, and it is much more stable than the old winlockpwn hack. This is because, instead of posing as an iPod (or any other SBP2 device for that matter), it presents the SBP2 stack with the original FireWire bus info from the attacker machine. Targets running Windows 7 and other operating systems seem to be happier with this, and the result is fewer BSODs and much more consistency and stability.
The library was coded and made available by Freddie Witherden, and there is also a paper available describing the library. The paper even includes signatures for Windows 7 and OS X Snow Leopard, and code samples for performing live patching of RAM. This is great stuff, stand by for a code sample by yours truly in a couple of days.
Update: I’ve released a tool at github called Inception, which uses libforensic1394 to unlock Windows 7 boxes. The tool is much more stable than winlockpwn. Drop me a line if you want to contribute.
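The post above describes the exposure from the attacker's side: a FireWire bus peer that speaks SBP2 gets physical DMA, so anything that loads the SBP2 driver is readable and patchable. The defender's first question is whether that driver stack is present on a given host. The following is an added example (not code from this post, libforensic1394 or Inception) that parses Linux `/proc/modules` and modprobe.d-style config text and reports the state of the FireWire drivers; the module names are the real Linux driver names (`firewire-ohci`/`firewire-sbp2`, and `ohci1394`/`sbp2` on older kernels), while the sample file contents are constructed.

```python
"""Report whether the FireWire SBP2/OHCI drivers are loaded or blacklisted on a
Linux host. Added example, not from the post; sample inputs below are constructed."""
import re

# Module names as they appear in /proc/modules (underscores). firewire_sbp2 / sbp2
# is the driver that accepts SBP2 logins from the bus and grants physical DMA;
# firewire_ohci / ohci1394 is the host controller driver that puts the machine on
# the bus at all.
FIREWIRE_MODULES = ("firewire_ohci", "firewire_sbp2", "ohci1394", "sbp2")


def normalize(name):
    # modprobe treats '-' and '_' in module names as equivalent.
    return name.strip().replace("-", "_")


def loaded_modules(proc_modules_text):
    """Parse /proc/modules content; the first whitespace-separated column is the module name."""
    return {normalize(line.split()[0]) for line in proc_modules_text.splitlines() if line.strip()}


def blacklisted_modules(modprobe_conf_text):
    """Collect 'blacklist <module>' directives from modprobe.d-style text (comments stripped)."""
    found = set()
    for line in modprobe_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"blacklist\s+(\S+)$", line)
        if m:
            found.add(normalize(m.group(1)))
    return found


def assess(proc_modules_text, modprobe_conf_text):
    """Return {module: 'loaded' | 'blacklisted' | 'absent'} for each FireWire driver.
    'loaded' wins over 'blacklisted': a blacklist only stops autoloading, and a module
    that was loaded anyway (manually, or by an alias) is still active."""
    loaded = loaded_modules(proc_modules_text)
    blocked = blacklisted_modules(modprobe_conf_text)
    report = {}
    for mod in FIREWIRE_MODULES:
        if mod in loaded:
            report[mod] = "loaded"
        elif mod in blocked:
            report[mod] = "blacklisted"
        else:
            report[mod] = "absent"
    return report


def exposed(report):
    """True when an SBP2 driver is active, i.e. a bus peer could log in and get DMA."""
    return report["firewire_sbp2"] == "loaded" or report["sbp2"] == "loaded"


# Constructed sample inputs (not captured from a real host).
SAMPLE_PROC_MODULES_OPEN = (
    "firewire_sbp2 24576 0 - Live 0x0000000000000000\n"
    "firewire_ohci 40960 0 - Live 0x0000000000000000\n"
    "ext4 737280 1 - Live 0x0000000000000000\n"
)
SAMPLE_PROC_MODULES_HARDENED = "ext4 737280 1 - Live 0x0000000000000000\n"
SAMPLE_MODPROBE_CONF = (
    "# disable FireWire DMA exposure\n"
    "blacklist firewire-ohci\n"
    "blacklist firewire-sbp2   # trailing comment\n"
    "blacklist ohci1394\n"
    "blacklist sbp2\n"
)

if __name__ == "__main__":
    for label, proc in (("open", SAMPLE_PROC_MODULES_OPEN), ("hardened", SAMPLE_PROC_MODULES_HARDENED)):
        r = assess(proc, SAMPLE_MODPROBE_CONF)
        print(label, r, "EXPOSED" if exposed(r) else "ok")
```

On a real host, feed it the contents of `/proc/modules` and the concatenation of `/etc/modprobe.d/*.conf`. A `blacklist` line only prevents automatic loading; an `install firewire-sbp2 /bin/true` directive in modprobe.d refuses explicit loads too, and removing the OHCI host driver takes the machine off the bus entirely.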
STRSHR
Great news, looking forward to the replacement of winlockpwn. :D
Bobby
I’ve been doing a lot of research on RAM analysis and would love to know how to use this program. I downloaded it but cannot figure out how to make it work.
I’m really looking forward to your write up on it
Carsten
Hi Bobby, if you’re just interested in how winlockpwn works, see my writeup at http://www.breaknenter.org/2011/05/winlockpwn-on-ubuntu/
I’ll be posting my own tool using the libforensic1394 library here in a couple of days though, so stay tuned. Hopefully it will work better than the winlockpwn tool. Good luck!
Bobby
Hi Carsten,
Thanks for the reply! I’m actually looking to use this to create RAM dumps and I was using pythonraw1394 before. I used your guide to set it up and then used 1394memimage instead of winlockpwn haha. I’m just having trouble reading the upper memory area with 1394memimage and I’m hoping that libforensic1394 will fix the error. And if I’m really lucky it’ll work on some linux distributions.
Thank you!
Carsten
Glad to hear that it worked! By “upper memory area”, do you mean memory > 4GB? Unfortunately, SBP2 devices with DMA cannot access memory above 4GB; this is a limitation in the IEEE standard.
Bobby
Sorry it took so long to answer, I’ve been out of town. I haven’t been able to read anything past 2.2 GB. The only reason I could find for this is the UMA being unreadable. I have read about the 4 GB limit and I was confused as to why I couldn’t get more than 2.2 GB of RAM.
will
Any update on your code sample?
Carsten
Check out https://github.com/carmaa/FTWAutopwn
It works for Windows 7 as of today, but I’m planning to expand it over the next weeks.
The code is quite stupid as of now, as it doesn’t stop at memory boundaries if the signature isn’t found.
Carsten
Also, check out http://www.breaknenter.org/2011/08/fire-through-the-wire/ for an explanation on how to install and use the tool.