In preparation for refreshing some content in my slide deck for my presentation at Brucon 0x06, I happened upon some functions in the Windows 8.1 kernel I had never seen before. They were all named with some variation of “LiveDump”. Here are a few examples:
8129c9fd nt!IopLiveDumpInitiateCorralStateChange ()
8148dbe5 nt!IopLiveDumpWriteBuffer ()
8148d7f3 nt!IopLiveDumpAllocateMappingResources ()
I was a little surprised, because I had peeked at 8.1 when it first came out and didn’t notice these. What the heck is a live dump? It appears to be a way to save a dump of physical memory (in dump file format) to a flat file using the normal I/O path (it appears the Microsoft developers have an unimplemented option to use the crash dump path – cool!). Best of all, the functionality is exposed via our old friend NtSystemDebugControl (harking back to the days of control code 10, which allowed a similar capability). There are a few restrictions in place, but the good news is the generated dump file doesn’t have to live in the page file (though this would certainly not be the case if the crash path were used).
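To make the NtSystemDebugControl path concrete, here is an added example of requesting a live dump from an elevated PowerShell prompt. It is not the tool this post promises and not the author's code. The command value (37, usually named SysDbgGetLiveKernelDump), the version-1 SYSDBG_LIVEDUMP_CONTROL layout, the use of RtlAdjustPrivilege with LUID 20 to enable SeDebugPrivilege, the 0x161 bug-check code and the Invoke-LiveKernelDump name are all assumptions drawn from community header reconstructions (phnt), not from this page; check them against your own disassembly of nt!NtSystemDebugControl before relying on them.

```powershell
# Added example, not the post's own tool. Everything below about the live-dump
# request itself is an ASSUMPTION taken from community header reconstructions
# (phnt), not from the post: command value 37, the SYSDBG_LIVEDUMP_CONTROL v1
# layout, privilege LUID 20 and bug-check code 0x161. Run from an elevated prompt.

$typeDef = @'
using System;
using System.Runtime.InteropServices;

public static class LiveDumpNative
{
    // Assumed SYSDBG_COMMAND value for the live kernel dump request.
    public const int SysDbgGetLiveKernelDump = 37;

    // Assumed version-1 layout of the input buffer.
    [StructLayout(LayoutKind.Sequential)]
    public struct SYSDBG_LIVEDUMP_CONTROL
    {
        public uint    Version;           // 1
        public uint    BugCheckCode;      // recorded in the dump header; nothing bug-checks
        public UIntPtr BugCheckParam1;
        public UIntPtr BugCheckParam2;
        public UIntPtr BugCheckParam3;
        public UIntPtr BugCheckParam4;
        public IntPtr  DumpFileHandle;    // handle the kernel writes to over the normal I/O path
        public IntPtr  CancelEventHandle; // optional; NULL here
        public uint    Flags;             // bit 0 = UseDumpStorageStack (the crash-dump path the
                                          // post describes as unimplemented in 8.1); left clear
        public uint    AddPagesControl;   // bit 0 = HypervisorPages; left clear
    }

    [DllImport("ntdll.dll")]
    public static extern int NtSystemDebugControl(
        int Command, IntPtr InputBuffer, uint InputBufferLength,
        IntPtr OutputBuffer, uint OutputBufferLength, out uint ReturnLength);

    // Enables a privilege in the current token by LUID; SeDebugPrivilege is 20.
    [DllImport("ntdll.dll")]
    public static extern int RtlAdjustPrivilege(
        int Privilege,
        [MarshalAs(UnmanagedType.U1)] bool Enable,
        [MarshalAs(UnmanagedType.U1)] bool CurrentThread,
        [MarshalAs(UnmanagedType.U1)] out bool WasEnabled);
}
'@
Add-Type -TypeDefinition $typeDef

function Invoke-LiveKernelDump {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # SeDebugPrivilege must be present in the token (we must be an administrator)
    # and enabled; this is one of the restrictions on the call.
    $wasEnabled = $false
    $status = [LiveDumpNative]::RtlAdjustPrivilege(20, $true, $false, [ref]$wasEnabled)
    if ($status -ne 0) { throw ("Cannot enable SeDebugPrivilege, NTSTATUS 0x{0:X8}" -f $status) }

    # A plain file on disk: the dump does not go through the page file or the crash-dump stack.
    $file = [System.IO.File]::Open($Path, 'Create', 'ReadWrite', 'None')
    try {
        $ctl = New-Object LiveDumpNative+SYSDBG_LIVEDUMP_CONTROL
        $ctl.Version        = 1
        $ctl.BugCheckCode   = 0x161   # assumed: the code Windows records for its own live dumps
        $ctl.DumpFileHandle = $file.SafeFileHandle.DangerousGetHandle()

        $size = [Runtime.InteropServices.Marshal]::SizeOf($ctl)
        $buf  = [Runtime.InteropServices.Marshal]::AllocHGlobal($size)
        try {
            [Runtime.InteropServices.Marshal]::StructureToPtr($ctl, $buf, $false)
            $returned = [uint32]0
            $status = [LiveDumpNative]::NtSystemDebugControl(
                [LiveDumpNative]::SysDbgGetLiveKernelDump, $buf, [uint32]$size,
                [IntPtr]::Zero, 0, [ref]$returned)
        } finally {
            [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        }
    } finally {
        $file.Dispose()
    }

    if ($status -ne 0) {
        # 0xC0000022 (STATUS_ACCESS_DENIED) typically means the privilege check failed;
        # 0xC000000D (STATUS_INVALID_PARAMETER) typically means the assumed layout is wrong.
        Remove-Item $Path -ErrorAction SilentlyContinue
        throw ("NtSystemDebugControl failed, NTSTATUS 0x{0:X8}" -f $status)
    }
    Get-Item $Path
}

# Usage (elevated): Invoke-LiveKernelDump -Path C:\dumps\live.dmp
# then open the result in WinDbg with -z as you would any kernel dump.
```

The Flags field is left at zero on purpose: setting UseDumpStorageStack would ask for the crash-dump path, which the post notes is present but unimplemented in 8.1, so the normal I/O path is the only one worth exercising here.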
Stay tuned for more details on this discovery, as well as a tool to leverage the feature. At Brucon, I will also be releasing a Windbg extension for all things crash dump related. A later blog post will reveal more details about my upcoming presentation.