jessekornblum ([info]jessekornblum) wrote,
@ 2006-10-11 11:15:00
Entry tags:forensics, geek, hacking

Push data to the pagefile
One of the next steps in Windows memory analysis will be to parse the paging file (aka virtual memory). The operating system stores data here when it doesn't fit into main memory. A number of researchers have sought a way to reliably push data to the pagefile so that they can practice finding it.

I've written a simple program that attempts to allocate an infinite amount of memory and thus pushes everything else out to the pagefile. The program's copyright notice is longer than the code itself. It's available as a Windows executable or as source code. Quitting the program by hitting Control-C will free up everything again. Have fun!
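As an added illustration of the idea (not Jesse's program, which is not reproduced on this page), here is a portable C version: allocate memory in chunks and write to every page until allocation fails, then hold it until the process is ended with Ctrl-C. The chunk size and the helper names are my own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK_BYTES (64u * 1024u * 1024u)   /* assumed chunk size: 64 MiB */

/* Allocate blocks of chunk_bytes until malloc() fails or max_chunks is reached.
 * Every page is written: memory that is merely reserved costs nothing, but dirtying
 * it forces the OS to find RAM, so other processes' pages get evicted to the pagefile.
 * Pointers are stored in *out; returns the number of chunks committed. */
size_t allocate_chunks(size_t chunk_bytes, size_t max_chunks, char ***out)
{
    char **chunks = NULL;
    size_t n = 0;
    while (n < max_chunks) {
        char **grown = realloc(chunks, (n + 1) * sizeof *chunks);
        if (grown == NULL) break;
        chunks = grown;
        char *p = malloc(chunk_bytes);
        if (p == NULL) break;            /* commit limit or address space exhausted */
        memset(p, 0xA5, chunk_bytes);    /* touch each page so it is really resident */
        chunks[n++] = p;
    }
    *out = chunks;
    return n;
}

void free_chunks(char **chunks, size_t n)
{
    for (size_t i = 0; i < n; i++) free(chunks[i]);
    free(chunks);
}

/* Bounded self-check: commit max_chunks chunks, verify the fill pattern, release.
 * Returns the chunk count, or 0 if any chunk lost its pattern. */
size_t commit_and_release(size_t chunk_bytes, size_t max_chunks)
{
    char **chunks = NULL;
    size_t n = allocate_chunks(chunk_bytes, max_chunks, &chunks), bad = 0;
    for (size_t i = 0; i < n; i++)
        bad += (unsigned char)chunks[i][chunk_bytes - 1] != 0xA5;
    free_chunks(chunks, n);
    return bad ? 0 : n;
}

int main(void)
{
    char **chunks = NULL;
    size_t n = allocate_chunks(CHUNK_BYTES, (size_t)-1, &chunks);
    printf("Holding %zu chunks (%zu MiB); press Enter or Ctrl-C to release.\n", n, n * (CHUNK_BYTES >> 20));
    getchar();   /* keep it committed; Ctrl-C ends the process and the OS reclaims all of it */
    free_chunks(chunks, n);
}
```

Run it on a box with more committed memory than RAM and watch the pagefile fill; the pattern byte 0xA5 makes the pushed-out pages easy to spot when you later carve the paging file.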

(9 comments) - (Post a new comment)

purging
(Anonymous)
2006-10-11 04:20 pm UTC
Will this allow you to securely wipe the contents of the pagefile without rebooting?


Re: purging
[info]jessekornblum
2006-10-11 04:36 pm UTC
Nope. AFAIK it's not possible to wipe the pagefile without rebooting. You can have Windows wipe it for you, though. Look in the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management and if necessary, create a key ClearPageFileAtShutdown as a DWORD and set it to one. Windows should wipe the pagefile with zeros every time you shut down.


[info]seekingjoy
2006-10-12 09:02 pm UTC
I am so computer illiterate at times that I am not sure your LJ is in English. :)

I miss you and your lady!!


[info]jessekornblum
2006-10-12 10:33 pm UTC
Sorry! I suppose that's the consequence of my geeking out online. I'm sure if you geeked out about your work I'd have just as much trouble following what you're talking about!


[info]seekingjoy
2006-10-13 02:40 pm UTC
Hee-hee. Maybe. Nothing wrong with being a geek!

Hope life is treating you well. :)


[info]illix
2006-10-12 10:12 pm UTC
Hey, have you ever heard of a problem with dd and Reiserfs? I tried to clone a Gentoo install multiple times and in about half of the installs (this percentage doesn't necessarily mean anything since the flaw looks inherited) the filesystem seems fine but won't let you emerge anything, and eventually will spill a screenful of terrible filesystem panics and die.

Also did you get my email re: dc3 document?


[info]jessekornblum
2006-10-12 10:44 pm UTC
The only problem I know with Reiserfs is that occasionally it may try to murder any filesystems that resemble its spouse [rimshot].

Sorry, I couldn't resist.

Seriously, I haven't heard of anything. Maybe the journaling system is somehow hardware dependent?


[info]illix
2006-10-12 11:19 pm UTC
Another guy in the group mentioned that Reiser might have fits because of its journaling system, but he didn't see fit to mention exactly what or why...well, hopefully he'll be in tomorrow.
My favorite joke thus far has been "What's the difference between O.J. Simpson and Hans Reiser? Hans kept a journal." Of course you have to follow this up with "if the transaction doesn't commit, you must acquit!"


[info]jessekornblum
2006-10-12 11:21 pm UTC
BOO! BOOOOO!
