Foreign-language conference: International Conference on Intelligent Data Acquisition and Advanced Computing Systems

New possibilities for memory acquisition by enabling DMA using network card


Abstract

Direct memory access is one of the techniques used in forensic analysis and rootkit detection. Unfortunately, it can also be misused in various attacks. For example, the FireWire attack enabled bypassing of Windows authorization by reading the user password stored in memory. Thus, for security reasons, the FireWire port is usually disabled on many computers. This motivates a search for new ways of enabling direct memory access. Another potential avenue for DMA-enabled memory access seems to be the network card. We designed a new solution for direct memory access, based on a custom NDIS protocol driver that can send (at the request of a local executable program) the contents of the computer memory over the network. Our new method allows an unexpected type of direct memory access, which is independent of the processor and its control capabilities. This is a strong advantage in rootkit detection, because the rootkit cannot take any action to hide itself while the memory is scanned.