OS info in mem?

There are many different operating systems; which one will you choose?

OS info in mem?

Post by canbees on Wed Mar 07, 2012 2:15 pm
([msg=64841]see OS info in mem?[/msg])

Hello,
Lets say your about to log into your computer and you forgot your password, is the password saved in the memory at that time in the .data or in the D/I-cache?
IF YES
is there different adresses for different systems?
and what adresses do you find the password, username and is it encrypted?

-- Wed Mar 07, 2012 2:54 pm --

ps. or should i just write code to check all addresses in the memories?
just thought i would save time:P
canbees
New User
New User
 
Posts: 11
Joined: Wed Mar 07, 2012 2:02 pm
Blog: View Blog (0)


Re: OS info in mem?

Post by tremor77 on Wed Mar 07, 2012 4:00 pm
([msg=64842]see Re: OS info in mem?[/msg])

Depends on the OS where password information is stored. Windows 7 along with others store this information in the SAM Database. Google SAM Database and learn.
Image
User avatar
tremor77
Contributor
Contributor
 
Posts: 899
Joined: Wed Mar 31, 2010 12:00 pm
Location: New York
Blog: View Blog (0)


Re: OS info in mem?

Post by canbees on Wed Mar 07, 2012 4:39 pm
([msg=64845]see Re: OS info in mem?[/msg])

ah read it still a little blurry but will take closer look at it after damn exams
had an other idea on how you could get it but will look into it more later

ty for response
canbees
New User
New User
 
Posts: 11
Joined: Wed Mar 07, 2012 2:02 pm
Blog: View Blog (0)


Re: OS info in mem?

Post by centip3de on Wed Mar 07, 2012 5:46 pm
([msg=64856]see Re: OS info in mem?[/msg])

canbees wrote:Hello,
Lets say your about to log into your computer and you forgot your password, is the password saved in the memory at that time in the .data or in the D/I-cache?


Wait... Wut? Why in the world would the password be saved in the .data section of the code? An OS doesn't simply have code like;

Code: Select all
.data
password db 0 "Jimmy"


It would be ridiculously insecure and obvious. Instead, they're stored in a file, or database somewhere on the machine, and encrypted (depending on the system, it could be several times over).

canbees wrote:IF YES
is there different adresses for different systems?


Do you mean, is each OS have the exact, same, address scheme? Well of course not. Some OS's start in different places in memory than others. Some only use physical addresses, while others use virtual addresses (or a mixture of the two). Besides, your password program would be run in ring 3 of the OS, and (assuming you're running Windows), would get a different VA (virtual address) each time it's executed.

canbees wrote:what adresses do you find the password, username and is it encrypted?


You don't. You might find the place where they're stored, but the fact is, that they're stored. If you have no password to get onto the machine, then you can't get files where they're stored in. And, as I said before, each time it's executed, it gets a different VA.

canbees wrote:or should i just write code to check all addresses in the memories?
just thought i would save time:P


You would have an easier time brute force the password out of a machine that has a 90 character password. Also, how would you differentiate between a normal character string, and you're password string?
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -Rick Cook
User avatar
centip3de
Moderator
Moderator
 
Posts: 1443
Joined: Fri Aug 20, 2010 5:46 pm
Blog: View Blog (0)


Re: OS info in mem?

Post by canbees on Thu Mar 08, 2012 5:13 am
([msg=64876]see Re: OS info in mem?[/msg])

Well i thought,shouldent the CPU at some point in the code have to crossreferese the both at a binary level? And then you could interruppt that code and find the pass?
canbees
New User
New User
 
Posts: 11
Joined: Wed Mar 07, 2012 2:02 pm
Blog: View Blog (0)


Re: OS info in mem?

Post by tremor77 on Thu Mar 08, 2012 8:30 am
([msg=64878]see Re: OS info in mem?[/msg])

Are you talking about the OS password or the BIOS Password?
Image
User avatar
tremor77
Contributor
Contributor
 
Posts: 899
Joined: Wed Mar 31, 2010 12:00 pm
Location: New York
Blog: View Blog (0)


Re: OS info in mem?

Post by canbees on Thu Mar 08, 2012 9:59 am
([msg=64883]see Re: OS info in mem?[/msg])

centip3de wrote: would get a different VA (virtual address) each time it's executed.

well after your interrupt the D/I-cache alrdy loaded alot of instructions to be used and if you change the block size to 8 words your cache will get high hitrate and the pass is probably stored in there.
Im assuming you can only read the activity on the BUS or something.

centip3de wrote:You would have an easier time brute force the password out of a machine that has a 90 character password. Also, how would you differentiate between a normal character string, and you're password string?


yah if you check all the memory its maybe impossible but if you use the cache its alot smaller and can take in a big chunk of instruktions at the same time with a good hitrate and if you find the password in there you can use the index and tag to find the adress in the memory?
but yah just ideas
and the character string is possible stored as an .space (array) in the stack
canbees
New User
New User
 
Posts: 11
Joined: Wed Mar 07, 2012 2:02 pm
Blog: View Blog (0)


Re: OS info in mem?

Post by centip3de on Thu Mar 08, 2012 2:34 pm
([msg=64890]see Re: OS info in mem?[/msg])

canbees wrote:Well i thought,shouldent the CPU at some point in the code have to crossreferese the both at a binary level? And then you could interruppt that code and find the pass?


Binary level? I'm pretty sure that doesn't exist. Do you mean at ring 0? Also, no. The OS would first take the password entered, and then encrypt it (or at least my password manager does), into an MD5 hash. It then takes it and compares it to the already hashed MD5. Which is stored in a file on the computer. So, yes, you could find it in a comparison value, but no, you couldn't read it.

canbees wrote:well after your interrupt the D/I-cache alrdy loaded alot of instructions to be used and if you change the block size to 8 words your cache will get high hitrate and the pass is probably stored in there.
Im assuming you can only read the activity on the BUS or something.


Uhhhhhhhh, no. The pass is stored in a file, which the OS will have to fetch during the comparison process. This password is already encrypted (in all likelihood) and will then be compared to the current password, once it too is encrypted. Also, the amount of instructions doesn't matter, what you want is a string literal.

canbees wrote:yah if you check all the memory its maybe impossible but if you use the cache its alot smaller and can take in a big chunk of instruktions at the same time with a good hitrate and if you find the password in there you can use the index and tag to find the adress in the memory?
but yah just ideas
and the character string is possible stored as an .space (array) in the stack


Once again, not about instructions, it's about string literals. Also, if you find the address in memory, it's going to change the next time you run the program, so what's the point? I think you should read up how Linux or Windows works, to understand how to manipulate them into doing what you want.
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -Rick Cook
User avatar
centip3de
Moderator
Moderator
 
Posts: 1443
Joined: Fri Aug 20, 2010 5:46 pm
Blog: View Blog (0)


Re: OS info in mem?

Post by canbees on Thu Mar 08, 2012 3:36 pm
([msg=64892]see Re: OS info in mem?[/msg])

ok, will do more reading

-- Fri Mar 09, 2012 10:40 am --

http://esec-lab.sogeti.com/dotclear/public/publications/10-hitbamsterdam-dmaattacks.pdf
found something, what do you think?
canbees
New User
New User
 
Posts: 11
Joined: Wed Mar 07, 2012 2:02 pm
Blog: View Blog (0)



Return to Operating Systems

Who is online

Users browsing this forum: No registered users and 0 guests