OS info in mem?

[canbees]

Hello,
Lets say your about to log into your computer and you forgot your password, is the password saved in the memory at that time in the .data or in the D/I-cache?
IF YES
is there different adresses for different systems?
and what adresses do you find the password, username and is it encrypted?

-- Wed Mar 07, 2012 2:54 pm --

ps. or should i just write code to check all addresses in the memories?
just thought i would save time:P

[tremor77]

Depends on the OS where password information is stored. Windows 7 along with others store this information in the SAM Database. Google SAM Database and learn.

[canbees]

ah read it still a little blurry but will take closer look at it after damn exams
had an other idea on how you could get it but will look into it more later

ty for response

[centip3de]

Hello,
Lets say your about to log into your computer and you forgot your password, is the password saved in the memory at that time in the .data or in the D/I-cache?

Wait... Wut? Why in the world would the password be saved in the .data section of the code? An OS doesn't simply have code like;

Code: Select all

.data
password db 0 "Jimmy"


It would be ridiculously insecure and obvious. Instead, they're stored in a file, or database somewhere on the machine, and encrypted (depending on the system, it could be several times over).

IF YES
is there different adresses for different systems?

Do you mean, is each OS have the exact, same, address scheme? Well of course not. Some OS's start in different places in memory than others. Some only use physical addresses, while others use virtual addresses (or a mixture of the two). Besides, your password program would be run in ring 3 of the OS, and (assuming you're running Windows), would get a different VA (virtual address) each time it's executed.

what adresses do you find the password, username and is it encrypted?

You don't. You might find the place where they're stored, but the fact is, that they're stored. If you have no password to get onto the machine, then you can't get files where they're stored in. And, as I said before, each time it's executed, it gets a different VA.

or should i just write code to check all addresses in the memories?
just thought i would save time:P

You would have an easier time brute force the password out of a machine that has a 90 character password. Also, how would you differentiate between a normal character string, and you're password string?

[canbees]

Well i thought,shouldent the CPU at some point in the code have to crossreferese the both at a binary level? And then you could interruppt that code and find the pass?

[tremor77]

Are you talking about the OS password or the BIOS Password?

[canbees]

would get a different VA (virtual address) each time it's executed.

well after your interrupt the D/I-cache alrdy loaded alot of instructions to be used and if you change the block size to 8 words your cache will get high hitrate and the pass is probably stored in there.
Im assuming you can only read the activity on the BUS or something.

You would have an easier time brute force the password out of a machine that has a 90 character password. Also, how would you differentiate between a normal character string, and you're password string?

yah if you check all the memory its maybe impossible but if you use the cache its alot smaller and can take in a big chunk of instruktions at the same time with a good hitrate and if you find the password in there you can use the index and tag to find the adress in the memory?
but yah just ideas
and the character string is possible stored as an .space (array) in the stack

[centip3de]

Well i thought,shouldent the CPU at some point in the code have to crossreferese the both at a binary level? And then you could interruppt that code and find the pass?

Binary level? I'm pretty sure that doesn't exist. Do you mean at ring 0? Also, no. The OS would first take the password entered, and then encrypt it (or at least my password manager does), into an MD5 hash. It then takes it and compares it to the already hashed MD5. Which is stored in a file on the computer. So, yes, you could find it in a comparison value, but no, you couldn't read it.

well after your interrupt the D/I-cache alrdy loaded alot of instructions to be used and if you change the block size to 8 words your cache will get high hitrate and the pass is probably stored in there.
Im assuming you can only read the activity on the BUS or something.

Uhhhhhhhh, no. The pass is stored in a file, which the OS will have to fetch during the comparison process. This password is already encrypted (in all likelihood) and will then be compared to the current password, once it too is encrypted. Also, the amount of instructions doesn't matter, what you want is a string literal.

yah if you check all the memory its maybe impossible but if you use the cache its alot smaller and can take in a big chunk of instruktions at the same time with a good hitrate and if you find the password in there you can use the index and tag to find the adress in the memory?
but yah just ideas
and the character string is possible stored as an .space (array) in the stack

Once again, not about instructions, it's about string literals. Also, if you find the address in memory, it's going to change the next time you run the program, so what's the point? I think you should read up how Linux or Windows works, to understand how to manipulate them into doing what you want.

[canbees]

ok, will do more reading

-- Fri Mar 09, 2012 10:40 am --

http://esec-lab.sogeti.com/dotclear/public/publications/10-hitbamsterdam-dmaattacks.pdf
found something, what do you think?