
Defcon Keyboard buffer in memory


ghost's Avatar
0 0

Alright, apparently there was this presentation at Defcon about extracting power-on passwords and hard-drive encryption passwords by accessing a certain part of memory. It seems that what gets entered into the keyboard does not get flushed and resides in memory, so the information can be accessed whenever.

I did not go to Defcon, but I did have a couple of friends who went so I don't know all the specs.

Now, a friend and I were working on this by accessing the portion of memory in which it was supposed to reside on *nix systems (0x041e, 32 bytes, I believe it was, off the top of my head?). We also compared the results of a complete memory dump with a power-on password on and off. Now, we didn't see anything anywhere about the password. We were using Grub and also tried it on three different major vendors: ThinkPad, Dell, and HP. Both 32 and 64 byte. We're going to try and see if maybe LILO is affected or not.

Also, we are going to try and exploit a Windows OS and see if we can't get it working.

I have a couple of questions on this, though.
1.) Did anyone have any success with exploiting this issue? If so, provide info.
2.) Where did he get the location in memory from? He never explains it, and the code defines the location of the memory buffer at 0x041e.
3.) Anyone want to donate some time with me to get this working?
4.) Is this a pre-boot attack only? As in, it can only be read in real mode?


ghost's Avatar
0 0

I saw some video or something a while back, where they could access files from memory. But there was a time limit: once the RAM warmed up the files were corrupt/gone… Sorry if the info is not completely right, it's been a while. It will be interesting to see what others know on this subject.

PS: Dying Fetus fuuuuuuuuuuucking rocks! Makes me want to punch a baby :) lol


ghost's Avatar
0 0

I think you're talking about the cold boot attack? Where they would freeze (not technically freeze, but cool it down a LOT) the memory chip to drastically slow down the rate at which the bits fade. So you would then boot up with another OS and dump the pre-boot memory.


ghost's Avatar
0 0

Yep, that's it.


Infam0us's Avatar
Member
0 0

nights_shadow wrote: Alright, apparently there was this presentation at Defcon about extracting power-on passwords and hard-drive encryption passwords by accessing a certain part of memory. It seems that what gets entered into the keyboard does not get flushed and resides in memory, so the information can be accessed whenever.

I did not go to Defcon, but I did have a couple of friends who went so I don't know all the specs.

Now, a friend and I were working on this by accessing the portion of memory in which it was supposed to reside on *nix systems (0x041e, 32 bytes, I believe it was, off the top of my head?). We also compared the results of a complete memory dump with a power-on password on and off. Now, we didn't see anything anywhere about the password. We were using Grub and also tried it on three different major vendors: ThinkPad, Dell, and HP. Both 32 and 64 byte. We're going to try and see if maybe LILO is affected or not.

Also, we are going to try and exploit a Windows OS and see if we can't get it working.

I have a couple of questions on this, though.
1.) Did anyone have any success with exploiting this issue? If so, provide info.
2.) Where did he get the location in memory from? He never explains it, and the code defines the location of the memory buffer at 0x041e.
3.) Anyone want to donate some time with me to get this working?
4.) Is this a pre-boot attack only? As in, it can only be read in real mode?

Haha, that's funny, I made a thread questioning this exact thing not too long ago.

Can you submit a link to where you heard about this please?

My C++ teacher told me about this. He said that there is a buffer that holds keystrokes, and if you can find the correct address in memory you can view all keys held in that buffer. I was really interested in testing this but I had no clue how to find the address of the buffer.

I don't know how much help I will be, but I am willing to try and help because I was really interested in testing this myself :happy:
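The address nights_shadow's post and Infam0us's teacher are talking about is the legacy BIOS Data Area (BDA) keyboard ring buffer: 32 bytes at 0x041E, with head and tail pointers at 0x041A and 0x041C. The point that matters from a hardening perspective is that reading a key only advances the head pointer; the slot keeps its bytes until something overwrites or zeroes it. The following Python, added here as an example and not code from the thread, the Defcon talk or any firmware vendor, decodes that structure from a memory image and reports whether the buffer is merely "logically empty" (head == tail) or actually scrubbed. The dump layout (starting at linear 0x400, 0x80 bytes long) and the sample images are assumptions constructed inline for the example; the scan codes in the sample are placeholders.

```python
"""Decode the legacy BIOS Data Area (BDA) keyboard ring buffer from a memory dump.

Documented BDA fields (segment 0x0040, linear address 0x400 + offset):
  0x41A  word  head pointer: offset of the next entry INT 16h will return
  0x41C  word  tail pointer: offset of the next free slot
  0x41E  32 bytes: 16 entries of [ASCII byte, scan-code byte]
Head and tail hold offsets relative to segment 0x40 (0x1E..0x3C, even).
"""
import struct
from typing import Dict, List, Optional, Tuple

BDA_BASE = 0x400              # linear address where the dump is assumed to start
DUMP_LEN = 0x80               # dump covers 0x400..0x47F (assumption for this example)
HEAD_OFF = 0x41A - BDA_BASE
TAIL_OFF = 0x41C - BDA_BASE
BUF_OFF = 0x41E - BDA_BASE
BUF_START = 0x1E              # segment-relative offset of the first entry
BUF_END = 0x3E                # one past the last entry
ENTRY_SIZE = 2
NUM_ENTRIES = (BUF_END - BUF_START) // ENTRY_SIZE   # 16


def _slot(offset: int) -> int:
    """Translate a segment-relative head/tail offset into an entry index, validating it."""
    if offset < BUF_START or offset >= BUF_END or (offset - BUF_START) % ENTRY_SIZE:
        raise ValueError(f"keyboard buffer pointer 0x{offset:X} outside 0x1E..0x3C")
    return (offset - BUF_START) // ENTRY_SIZE


def decode_keyboard_buffer(bda: bytes) -> Dict[str, object]:
    """Return the ring-buffer state found in a BDA image that starts at linear 0x400."""
    if len(bda) < BUF_OFF + NUM_ENTRIES * ENTRY_SIZE:
        raise ValueError("dump too short to contain the keyboard buffer")
    head, tail = struct.unpack_from("<HH", bda, HEAD_OFF)
    raw = bda[BUF_OFF:BUF_OFF + NUM_ENTRIES * ENTRY_SIZE]
    entries: List[Tuple[int, int]] = [
        (raw[i], raw[i + 1]) for i in range(0, len(raw), ENTRY_SIZE)
    ]
    # Entries between head and tail are still "pending": INT 16h would return them.
    idx, end = _slot(head), _slot(tail)
    pending: List[Tuple[int, int]] = []
    while idx != end:
        pending.append(entries[idx])
        idx = (idx + 1) % NUM_ENTRIES
    # Consumption only advances the head; the slots keep their old bytes unless
    # someone overwrites them, so printable ASCII in any slot is residual input.
    residual = "".join(chr(a) for a, _ in entries if 32 <= a < 127)
    return {
        "head": head,
        "tail": tail,
        "logically_empty": head == tail,
        "pending": pending,
        "residual_text": residual,
        "scrubbed": all(a == 0 and s == 0 for a, s in entries),
    }


def build_sample_bda(text: str, consumed: Optional[int] = None) -> bytes:
    """Construct a BDA image with `text` typed into the buffer and `consumed`
    characters already read (constructed sample data, not a real dump)."""
    if consumed is None:
        consumed = len(text)
    # A 16-slot ring buffer holds at most 15 entries (one slot stays free).
    if not 0 <= consumed <= len(text) < NUM_ENTRIES:
        raise ValueError("text too long or consumed count out of range")
    img = bytearray(DUMP_LEN)
    for i, ch in enumerate(text):
        img[BUF_OFF + ENTRY_SIZE * i] = ord(ch)
        img[BUF_OFF + ENTRY_SIZE * i + 1] = 0x10 + i   # placeholder scan code
    head = BUF_START + ENTRY_SIZE * consumed
    tail = BUF_START + ENTRY_SIZE * len(text)
    struct.pack_into("<HH", img, HEAD_OFF, head, tail)
    return bytes(img)


if __name__ == "__main__":
    state = decode_keyboard_buffer(build_sample_bda("secret"))
    print("logically empty:", state["logically_empty"],
          "| residual text:", repr(state["residual_text"]),
          "| scrubbed:", state["scrubbed"])
```

The useful check for anyone comparing dumps the way the first post describes is the `scrubbed` flag rather than `logically_empty`: a password prompt that has consumed its input will show head equal to tail, which looks clean, while the slots still hold whatever was typed. A firmware or boot loader that clears the 32 bytes at 0x041E after reading a secret (and the region is plain memory, so the check applies equally to a dump taken under any OS) makes both flags agree. Nothing about the BDA itself is 32- versus 64-bit specific; it is a real-mode structure left behind by the BIOS.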


ghost's Avatar
0 0

Could you possibly get a box with a power-on password and the LILO boot manager? I'll post results about Windows when I get hold of a Windows OS to toy around with.