Windows Crash Dump Exploration
From BruCON 2016
The Microsoft Windows crash dump mechanism is perhaps one of the most crucial undocumented components to have survived the scrutiny of reverse engineers and Windows internals experts for so long. Tucked away discreetly in the bowels of the operating system, the undocumented crash dump stack provides the operating system with a powerful, fast and independent I/O path to the boot device, used for various internal purposes (crash dump file generation, hibernation, and fast boot in Windows 8). Microsoft has provided some sparse and vague documentation for selected aspects of the crash dump stack, but only enough to expose the absolute minimum that kernel driver developers need to know to integrate their software. Past research has revealed that the crash dump driver stack can be manipulated using various bypass techniques to read from and write to a mass storage device outside normal operating system use, providing both defensive and offensive use cases. Further research in 2013 explored numerous changes to the crash dump stack that were introduced in Windows 8, including new crash dump logging features that could be abused. This presentation expands on that research and highlights new capabilities in the Windows 8.1 crash dump infrastructure. A new tool called LiveDump will be introduced, along with a WinDbg extension that can be used to explore crash dump internals.