Reply to HBGary — and personal notes.

One HBGary developper wrote a blogpost about windd entitled “Windd – Almost there, but not quite…“.
HBGary says *they* but I would like to say to readers that windd is a project that I developped and maintain alone, on my spare time.

More and more people are using windd so it looks I have to explain some things about the behavior of Windows Memory Manager and windd itself. Reading HBGary blogpost really made me feel enthusiastic because I recently complained about the lack of feedback on windd which is really frustrating when you lead a free project.

As you probably know early version of windd were open-source, but mainly because of the lack of feedback windd is no more open-source but still free. As far I have seen, open-source doesn’t mean people understand what you wrote or read the code, it is more like a philosophical aspect like “We have access to the source”. Anyway, people are still free to send me an e-mail, at matt/msuiche/net if they have questions about the internal behavior of Windd, to insult me or just to thank me.

Back to HBGary blogpost, we can read :

• Is windd acquiring all of the available physical memory on the system?
• Would a “raw format” image dump of a 64-bit vista machine load properly into HBGary’s Responder?
• Should windd memory images that contain greater than 4GB of ram be considered admissible in court?
• Was windd really the first tool to support physical memory acquisition on Windows 7? (as claimed by the author)

Author replied “No” to all questions above.

In this blogpost, I am going to provide details about the bug for both technical and no technical people by explain how windd works. The main problem with HBGary article is that they mix accessible physical memory and accessible physical memory address spaces. So I assume most people do not even know the difference between these two *things*.

In July 2008, Mark Russinovich wrote a very well explained article about Windows Physical Memory Manager entitled “Pushing the Limits of Windows: Physical Memory“. In this article Mark also used a tool written by Alex Ionescu (co-author of Windows Internals 5th) called “meminfo” to retrieve information related to Windows PFN Database.

In this article Mark explains what physical memory, physical address space and PFN Database are.
For lazy readers here is a short summary.

Figure above is the physical address space.
Red blocks are devices address space, blue blocks are physical memory and the “Inaccessible RAM” (only by Windows) is a reserved space in the physical memory for the Operating System to proceed to the translation from Virtual to Physical addresses.
Joanna Rutkowska paper entitled “Defeating Hardware Based RAM Acquisition” is a good reading if you want to know more about “Red blocks”.

Figure above comes from meminfo tool which display Memory Manager physical memory blocks. These entries describe how the physical memory is “splitted” in the physical address space which interpreted by the CPU. For the remind, DMA Access provides access to physical memory and not to the physical address space.

We firstly notice the highest physical page is 0×120000 (1179648) which correspond to size of the physical address space and NOT to the size of physical memory.
Secondly we notice physical addresses are above 4GB even if the machine has only 4GB installed. To retrieve the size of installed/detected physical memory we have to add the size of each block as follows:
(0×9F000 – 0×1000) + (0xDFE6D000 – 0×100000) + (0×120000000 – 0×100002000) = 0xFFE09000 (~4GB)

#1 Bug HBGary is talking about only concerns the RAW memory dump generation with windd (v1.3.0.x <= Version < v1.3.0.20091113 (fixed version)).
The bug was the following: Windd was reading blue blocks and wrote them directly in a raw dump file like the DMA-way, then it means red-blocks were missing. Impact was the PFN database was invalid which means Virtual to Physical address translation was impossible. BUT windd DOES acquiere all available physical memory. Present version of Windd produces a “CPU-like” memory dump (physical memory address space) and fills red blocks with null pages.

#2 Second question was about HBGary’s Responder. I don’t know this product and I never used it. But it would mean HBGary does not support DMA-style memory dump.

#3 For the third question, please refer to #1 and #2.

#4 Regarding the last question about the fact that I claimed that windd was the first tool support physical memory acquisition I do not remember saying that. I just remember I claimed several times windd was a great tool because it can produce Microsoft crash dumps which has great advantages mainly because of Windbg. Then, windd also aims at being used by troubleshooters and/or kernel developpers and not only by forensics investigators.

For instance in your blogpost I can read “NOTE: HBGary’s Responder does not yet fully support the automatic analysis of Windows 7 which is why HBGary had elected to not publicly advertise Windows 7 acquisition support” — The difference between windd and average memory acquisition tools is this point: This problem does not exist with WinDbg. Windbg supports Microsoft Crash Dump since Microsoft started to work on Windows.
Analysis is very important, if someone produces a dump and is unable to analyse it this is more or less like if someone would say “I have a new car but I do not know how to drive it”.

Thanks again to HBGary for helping me to improve windd utility and I hope they like the new version.