ufrisk / LeechCore

LeechCore - Physical Memory Acquisition Library & The LeechAgent Remote Memory Acquisition Agent
GNU General Public License v3.0

OS BSOD when detecting total memory size, why this happened? #2

Closed cofarmer closed 4 years ago

cofarmer commented 5 years ago

When I use Thunderbolt to access a Windows 10 laptop, the laptop dies when detecting the memory size.

ufrisk commented 5 years ago

I'm not completely sure, but I suspect it may have to do with the auto-detect feature trying to read small amounts of memory. If you're really unlucky it may hit some memory your target system blue screens on.

To find out if this is the case, and which memory location it may be, you can enable the extra verbose option in PCILeech/MemProcFS -vvv (which will show all the TLP packets - an insane amount of data later on - so don't run MemProcFS with this feature). There you may be able to see where it bluescreens.

Also, if you specify the -max option in PCILeech/MemProcFS you shouldn't trigger the auto-detect. Maybe this helps?


Or it may be due to something else altogether; but it's really hard for me to tell from this data. Can you please confirm if it's working/not working if you use the -max option instead?
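To make the mechanism in the comment above concrete, here is an added simulation (example code, not LeechCore's or PCILeech's own implementation) of a hypothetical size-probe that reads one page at doubling addresses and then binary-searches for the top of memory. The simulated target, the "poison" page at 0x200000000 and the RAM size are constructed inputs; the probing algorithm is an assumption standing in for whatever the real auto-detect does. It shows why a probe can land on a sensitive page, how a read trace (the kind `-vvv` prints) reveals the last address touched before the crash, and why passing an explicit maximum address (the `-max` option) avoids the probe entirely.

```python
from dataclasses import dataclass, field

PAGE = 0x1000


class TargetCrashed(Exception):
    """Stands in for the BSOD: raised when a read touches a sensitive page."""


@dataclass
class SimulatedTarget:
    """Constructed stand-in for a DMA target; not a real device backend."""
    ram_top: int                      # reads at or above this address fail (no RAM there)
    poison_pages: set                 # page-aligned addresses that crash the target when read
    log: list = field(default_factory=list)   # every read attempted, like a -vvv trace

    def read(self, pa, cb):
        """Read cb bytes at physical address pa; None on failure, raise on a poison page."""
        self.log.append((pa, cb))
        for page in range(pa & ~(PAGE - 1), pa + cb, PAGE):
            if page in self.poison_pages:
                raise TargetCrashed(hex(page))
        if pa + cb > self.ram_top:
            return None
        return bytes(cb)


def autodetect_max(target, ceiling=1 << 40):
    """Hypothetical size probe (assumption, not the library's algorithm):
    read one page at doubling addresses until a read fails, then binary-search
    the boundary. Every probe is a read the target may react badly to."""
    lo, hi = 0, PAGE
    while hi < ceiling and target.read(hi, PAGE) is not None:
        lo, hi = hi, hi * 2
    # lo is readable, hi is not (or is the ceiling); narrow to page granularity
    while hi - lo > PAGE:
        mid = ((lo + hi) // 2) & ~(PAGE - 1)
        if target.read(mid, PAGE) is not None:
            lo = mid
        else:
            hi = mid
    return hi


def open_device(target, max_addr=None):
    """Return the top-of-memory the acquisition will use.
    With max_addr given (the equivalent of -max) no probe reads happen at all."""
    if max_addr is not None:
        return max_addr
    return autodetect_max(target)


def last_probe_before_crash(target):
    """Run the probe and report the address of the read that crashed the target,
    which is what a verbose TLP trace lets you find after the fact."""
    try:
        autodetect_max(target)
    except TargetCrashed:
        return target.log[-1][0]
    return None


if __name__ == "__main__":
    # Constructed scenario: 9 GB of RAM, one poison page at 0x200000000
    t = SimulatedTarget(ram_top=0x240000000, poison_pages={0x200000000})
    print("probe crashed at", hex(last_probe_before_crash(t)))
    t = SimulatedTarget(ram_top=0x240000000, poison_pages={0x200000000})
    print("with explicit max:", hex(open_device(t, max_addr=0x240000000)), "reads:", len(t.log))
```

The same target survives when the caller supplies the maximum address, because the only reads that reach the sensitive page come from the probe itself; the trace kept in `log` is what tells you which address to blame.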

cofarmer commented 5 years ago

The BSOD only happened when accessing specific memory addresses, like 0x200000fff.

ufrisk commented 5 years ago

Is that the top of memory, and will any top-of-memory address BSOD, or are these specific addresses within the memory space that are very sensitive?

I know some computers freeze/bluescreen if certain memory addresses are read, it's very hard for me to do anything about it without knowing exactly where these addresses are located (they are device dependent).

cofarmer commented 5 years ago

In my tests, when using the mPCIe or NGFF port, it's OK. But through Thunderbolt it fails, and it also fails at the beginning of power-on (at the laptop logo) with the Thunderbolt interface. Maybe it depends on the motherboard? I also tried changing the vendor ID and device ID; the result is the same. Sometimes the Windows BSOD stop code is: DPC_WATCHDOG_VIOLATION

ufrisk commented 4 years ago

I'm closing this issue due to old age.

Windows has added a lot of protections against DMA attacks for Thunderbolt devices recently. Even though the protections seem to be working, they also seem to be somewhat buggy - i.e. they sometimes bluescreen the computer instead of just blocking the evil device - or maybe that's intentional on their side...