ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

[QUESTION] Total-Meltdown install #99

Closed Bix3 closed 4 years ago

Bix3 commented 5 years ago

Hello,

I am very interested in using the Total-Meltdown vulnerability as a memory-acquisition method.

Some questions I have are:

ufrisk commented 5 years ago

It affected Windows 7 / Windows 2008R2 x64 versions.

CPU Amd/Intel should not matter I believe. Works fine in VMs too. Any win7 patched with January 2018, February 2018 patches will do.

Usually it's easiest to install an old win7, disable automatic updates, but still update it on winupdate (but deselecting patches after above months). You'll usually end up with December 2017 patches (=not affected). You may then have to manually download and install January- or February 2018 patch from http://www.catalog.update.microsoft.com/Home.aspx

Bix3 commented 5 years ago

Hello,

I got it working in VMware, but while trying on a physical machine it gives the error "TOTALMELTDOWN: Failed. Failed parsing memory map from registry"

Is there anything I could do to solve that?

Bix3 commented 5 years ago

I tried reinstalling Windows 7, but it didn't help. On the topic of parsing a memory map from the registry I sadly can't find much on the internet.

I appreciate any help or suggestions on what I could try to solve this.

ufrisk commented 5 years ago

It should work, provided that you have the patches at the correct level (January/February 2018) and that you use 64-bit Win7.

About the registry: if you are able to take a memory dump with the DumpIt tool (or winpmem) and send it my way, I'll be able to take a look at it. Maybe you could upload it somewhere and send me the link to pcileech@frizk.net

I'm currently away at BlackHat/DEFCON though, so I won't be able to check it out until next week.

biorpg commented 5 years ago

I was able to install Windows Server 2008R2 with the last update rollups from February 2018, and totalmeltdown is working for me on bare metal. I was also able to get the remotely mounted memory map to work using pcileech, memprocfs, and dumpit. Which command is giving you the error?

Bix3 commented 5 years ago

Hi, thank you very much for this information. The command which gives the error is "pcileech.exe dump -device totalmeltdown". I tried it with Windows 7, and only have the problem when running it on bare metal. As soon as I'm back home I will install and try with the Server 2008 version of Windows.

ufrisk commented 5 years ago

Apologies for my delay in this matter. The error is in my attempts to parse the memory map from the registry to avoid reading potentially sensitive memory (to avoid freezes on some computer models). I'll probably issue a "fix" in a few weeks where it will be possible to disable this parsing of the registry via command line. This should hopefully fix the problem.

biorpg commented 5 years ago

If it helps, I started with en_windows_server_2008_r2_with_sp1_vl_build_x64_dvd_617403 as a base, and then installed the following update packages: windows6.1-kb4074587-x64 windows6.1-kb4074598-x64 windows6.1-kb4075211-x64

Bix3 commented 5 years ago

Hello, thank you for the help. I just tried it with the Windows Server 2008 installation, but it surprisingly gives the exact same error as with Windows 7. So I think it has something to do with hardware or BIOS settings (tried virtualization on and off; it is working with pciscreamer).

Bix3 commented 5 years ago

Ok, after playing around with LeechCore's source code and making MemMap_VerifyTranslateMEM always return true I got pcileech to work with the parameters: pcileech.exe display -device totalmeltdown. But it doesn't work correctly when trying: pcileech.exe dump, because then it says that it's finished dumping instantly and returns a dump file of size 0. Also I got the LeechCore_open C API function to work that way, but not VMMDLL_Open.

ufrisk commented 5 years ago

I'm pretty sure the error is due to a parsing error of the Windows registry in the function

BOOL DeviceTMD_MemoryMapRetrieve(PDEVICE_CONTEXT_TMD ctxTMd)

The function fails to parse the memory map to get the maximum physical memory address available and to find out where there are "holes" in the memory, since on some (but not all) computers reading/writing in these "holes" will bluescreen the computer.

If you wish you can replace the contents of the function with something like this:

_Success_(return)
BOOL DeviceTMD_MemoryMapRetrieve(PDEVICE_CONTEXT_TMD ctxTMd)
{
    ctxTMd->paMax = 17*1024*1024*1024;
    MemMap_AddRange(0, ctxTMd->paMax, 0);
    return TRUE;
}

which will add the complete memory as a dummy entry to the memory map. Note that the max physical memory address is larger than your amount of installed memory (due to the memory "holes"), so the example may work for a 16GB computer.
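As an added illustration (editor's example, not code from this thread or from the LeechCore project): a minimal physical memory map table in C with the kind of range check that the dummy single-range replacement above effectively bypasses, plus the same 17 GiB limit evaluated in 32-bit and 64-bit integer arithmetic. All names here (MEMMAP, MemMap_AddRange, MemMap_VerifyRange, MemMap_BuildSample, PaMax_17GiB_*) and the sample memory layout are assumptions constructed for this example; they are not LeechCore's real types, functions or any real machine's map.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a physical memory map: a table of address ranges
   known to be backed by RAM. Names are assumed for this example only and are
   not LeechCore's real API. */
#define MEMMAP_MAX_RANGES 16

typedef struct {
    uint64_t pa_base; /* first physical address in the range */
    uint64_t cb;      /* length in bytes */
} MEMMAP_RANGE;

typedef struct {
    MEMMAP_RANGE ranges[MEMMAP_MAX_RANGES];
    size_t count;
    uint64_t pa_max;  /* one past the highest mapped physical address */
} MEMMAP;

void MemMap_Init(MEMMAP *m)
{
    m->count = 0;
    m->pa_max = 0;
}

/* Register the range [pa_base, pa_base + cb). Rejects empty ranges, ranges
   that wrap past the end of the address space, and a full table. */
bool MemMap_AddRange(MEMMAP *m, uint64_t pa_base, uint64_t cb)
{
    if (m->count >= MEMMAP_MAX_RANGES || cb == 0 || pa_base > UINT64_MAX - cb)
        return false;
    m->ranges[m->count].pa_base = pa_base;
    m->ranges[m->count].cb = cb;
    m->count++;
    if (pa_base + cb > m->pa_max)
        m->pa_max = pa_base + cb;
    return true;
}

/* True only if [pa, pa + cb) lies entirely inside one mapped range. A request
   touching a hole, straddling a range boundary or lying above pa_max is
   refused; this is the check that keeps an acquisition tool away from the
   reserved regions that can hang some machines. */
bool MemMap_VerifyRange(const MEMMAP *m, uint64_t pa, uint64_t cb)
{
    if (cb == 0 || pa > UINT64_MAX - cb)
        return false;
    for (size_t i = 0; i < m->count; i++) {
        const MEMMAP_RANGE *r = &m->ranges[i];
        if (pa >= r->pa_base && pa + cb <= r->pa_base + r->cb)
            return true;
    }
    return false;
}

/* Constructed layout for a 16 GiB machine: 3 GiB usable below 4 GiB, a 1 GiB
   hole for PCI/reserved space, and the remaining 13 GiB remapped above 4 GiB.
   pa_max ends up at 17 GiB (0x440000000), above the installed RAM. */
void MemMap_BuildSample(MEMMAP *m)
{
    MemMap_Init(m);
    MemMap_AddRange(m, 0x0, 0xC0000000ULL);
    /* hole: 0xC0000000 .. 0xFFFFFFFF is deliberately not added */
    MemMap_AddRange(m, 0x100000000ULL, 0x340000000ULL);
}

/* The 17 GiB constant evaluated in 32-bit and 64-bit arithmetic. Unsigned
   32-bit wraparound is well defined and yields 0x40000000, so a limit computed
   that way silently shrinks from 17 GiB to 1 GiB. */
uint32_t PaMax_17GiB_32bit(void)
{
    uint32_t v = 17u;
    v = v * 1024u * 1024u * 1024u;
    return v;
}

uint64_t PaMax_17GiB_64bit(void)
{
    return 17ULL * 1024 * 1024 * 1024;
}

int main(void)
{
    MEMMAP m;
    MemMap_BuildSample(&m);
    printf("pa_max = 0x%llx\n", (unsigned long long)m.pa_max);
    printf("0x10000 readable:    %d\n", MemMap_VerifyRange(&m, 0x10000, 0x1000));
    printf("0xC0000000 readable: %d\n", MemMap_VerifyRange(&m, 0xC0000000ULL, 0x1000));
    printf("32-bit limit: 0x%x, 64-bit limit: 0x%llx\n",
           PaMax_17GiB_32bit(), (unsigned long long)PaMax_17GiB_64bit());
    return 0;
}
```

A map parsed from the registry is what would normally feed a check like MemMap_VerifyRange; replacing it with one dummy range spanning everything makes every address pass and trades the hole-avoidance safety for getting the device to open on machines where the parsing fails. When hard-coding the upper limit, write it with a 64-bit literal so the value is not truncated.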

Bix3 commented 5 years ago

Thank you for the help. I changed that in the named function; now it dumps memory, but only up to the address 0x40000000.

https://user-images.githubusercontent.com/51031402/65830858-c003ab00-e2b3-11e9-88e7-464e4a61f025.png

ufrisk commented 5 years ago

try: ctxTMd->paMax = 0x0000000440000000; instead

Bix3 commented 5 years ago

Thank you for your help. Memory dumping as well as reading with the VMM_DLL works, but not writing to it. pcileech.exe testmemreadwrite -device TOTALMELTDOWN results in this (screenshot).

ufrisk commented 5 years ago

Can you try some other address than address 0x0 with the -min parameter? Like address 0x10000 or something like that.

Bix3 commented 5 years ago

Hello,

It seems to fail writing with every address.

ufrisk commented 5 years ago

I'm not able to reproduce your write errors except for the write test to address 0 (as in your screenshot above). The tests below are run against a Total Meltdown vulnerable Win7 (February 2018 patches) with the latest PCILeech version. Only 2 CPUs allocated to this VM though.

testmemreadwrite works against an address other than 0x1000:

c:\Temp\PCILeech>pcileech -device totalmeltdown -min 0x10000 testmemreadwrite

Memory Test Read: starting, reading 1000 times from address: 0x00010000
Memory Test Read: SUCCESS!
Memory Test Write: starting, reading/writing 100 times from address: 0x00010000
Memory Test Write: Success!

c:\Temp\PCILeech>

Write to memory also seems to be working. I also tried and successfully altered the text in notepad.exe on my live system by editing the heap of the notepad.exe process by using MemProcFS.

c:\Temp\PCILeech>pcileech display -device totalmeltdown -min 0x10000

Memory Display: Contents for address: 0x0000000000010000
0000    00 d8 01 d8 02 d8 03 d8  04 d8 05 d8 06 d8 07 d8   ................
0010    08 d8 09 d8 0a d8 0b d8  0c d8 0d d8 0e d8 0f d8   ................
0020    10 d8 11 d8 12 d8 13 d8  14 d8 15 d8 16 d8 17 d8   ................
0030    18 d8 19 d8 1a d8 1b d8  1c d8 1d d8 1e d8 1f d8   ................
0040    20 d8 21 d8 22 d8 23 d8  24 d8 25 d8 26 d8 27 d8    .!.".#.$.%.&.'.
0050    28 d8 29 d8 2a d8 2b d8  2c d8 2d d8 2e d8 2f d8   (.).*.+.,.-.../.
0060    30 d8 31 d8 32 d8 33 d8  34 d8 35 d8 36 d8 37 d8   0.1.2.3.4.5.6.7.
0070    38 d8 39 d8 3a d8 3b d8  3c d8 3d d8 3e d8 3f d8   8.9.:.;.<.=.>.?.
0080    40 d8 41 d8 42 d8 43 d8  44 d8 45 d8 46 d8 47 d8   @.A.B.C.D.E.F.G.
0090    48 d8 49 d8 4a d8 4b d8  4c d8 4d d8 4e d8 4f d8   H.I.J.K.L.M.N.O.
00a0    50 d8 51 d8 52 d8 53 d8  54 d8 55 d8 56 d8 57 d8   P.Q.R.S.T.U.V.W.
00b0    58 d8 59 d8 5a d8 5b d8  5c d8 5d d8 5e d8 5f d8   X.Y.Z.[.\.].^._.
00c0    60 d8 61 d8 62 d8 63 d8  64 d8 65 d8 66 d8 67 d8   `.a.b.c.d.e.f.g.
00d0    68 d8 69 d8 6a d8 6b d8  6c d8 6d d8 6e d8 6f d8   h.i.j.k.l.m.n.o.
00e0    70 d8 71 d8 72 d8 73 d8  74 d8 75 d8 76 d8 77 d8   p.q.r.s.t.u.v.w.
00f0    78 d8 79 d8 7a d8 7b d8  7c d8 7d d8 7e d8 7f d8   x.y.z.`.{.|.}.~.

c:\Temp\PCILeech>pcileech write -min 0x10000 -in 11223344 -device totalmeltdown

Memory Write: Successful.

c:\Temp\PCILeech>pcileech display -device totalmeltdown -min 0x10000

Memory Display: Contents for address: 0x0000000000010000
0000    11 22 33 44 02 d8 03 d8  04 d8 05 d8 06 d8 07 d8   ."3D............
0010    08 d8 09 d8 0a d8 0b d8  0c d8 0d d8 0e d8 0f d8   ................
0020    10 d8 11 d8 12 d8 13 d8  14 d8 15 d8 16 d8 17 d8   ................
0030    18 d8 19 d8 1a d8 1b d8  1c d8 1d d8 1e d8 1f d8   ................
0040    20 d8 21 d8 22 d8 23 d8  24 d8 25 d8 26 d8 27 d8    .!.".#.$.%.&.'.
0050    28 d8 29 d8 2a d8 2b d8  2c d8 2d d8 2e d8 2f d8   (.).*.+.,.-.../.
0060    30 d8 31 d8 32 d8 33 d8  34 d8 35 d8 36 d8 37 d8   0.1.2.3.4.5.6.7.
0070    38 d8 39 d8 3a d8 3b d8  3c d8 3d d8 3e d8 3f d8   8.9.:.;.<.=.>.?.
0080    40 d8 41 d8 42 d8 43 d8  44 d8 45 d8 46 d8 47 d8   @.A.B.C.D.E.F.G.
0090    48 d8 49 d8 4a d8 4b d8  4c d8 4d d8 4e d8 4f d8   H.I.J.K.L.M.N.O.
00a0    50 d8 51 d8 52 d8 53 d8  54 d8 55 d8 56 d8 57 d8   P.Q.R.S.T.U.V.W.
00b0    58 d8 59 d8 5a d8 5b d8  5c d8 5d d8 5e d8 5f d8   X.Y.Z.[.\.].^._.
00c0    60 d8 61 d8 62 d8 63 d8  64 d8 65 d8 66 d8 67 d8   `.a.b.c.d.e.f.g.
00d0    68 d8 69 d8 6a d8 6b d8  6c d8 6d d8 6e d8 6f d8   h.i.j.k.l.m.n.o.
00e0    70 d8 71 d8 72 d8 73 d8  74 d8 75 d8 76 d8 77 d8   p.q.r.s.t.u.v.w.
00f0    78 d8 79 d8 7a d8 7b d8  7c d8 7d d8 7e d8 7f d8   x.y.z.`.{.|.}.~.

c:\Temp\PCILeech>

Are you able to confirm that this is not working for you?

Bix3 commented 5 years ago

Hello,

Yes, I tested again on addresses 0x10000, 0x100000 and 0x40000. pcileech.exe display is working, while testmemreadwrite is not (screenshots).

I think that it has to do with the AMD processor. In my VM (VMware) on the AMD system it works. Then I set up the exact same Windows version on the physical machine, and that memmap error came. After modifying LeechCore it only has read access. After that a friend tried it on his Intel machine and it works for him perfectly without any modification; it can read and write. Do you think it's possible that AMD machines have different registry memory maps?

ufrisk commented 5 years ago

What is the exact CPU model you have on this computer?

The CPU model may explain the memory map parsing issues, but I still have a hard time understanding the write issue.

Bix3 commented 5 years ago

It is an AMD Ryzen 5 1600 CPU.

ufrisk commented 5 years ago

Thanks, this most probably explains the failed memory map parsing in Windows.

The earlier Ryzen/Threadripper/Epyc CPUs do have a NUMA-like architecture, in this case with two CCXes with 3 cores/6 threads each and separate L3s and memory channels for each CCX. I suspect I failed to account for this in the memory map parsing from the registry. I'll try to look into the memory dump I have.

It does not explain the write issue though, but it may or may not be related; maybe it's some caching issue in which the write is not flushed to main memory or something like that. I don't know.

I plan to get myself an AMD system so I can test some of this stuff better, but the new Zen2-based Ryzen/Epyc CPUs don't have this NUMA-like environment anymore...

ufrisk commented 4 years ago

Apologies for the super slow responsiveness with regards to this one. The issue should now be fixed in the source-version of the LeechCore project.

You may build the LeechCore project / leechcore.dll file yourself to resolve this issue. I'll include the fix in the next binary version; but that is probably some time away.

Since this issue is now resolved (even if in source version only) I'm closing this issue.