BareMetal RAM Dumper – Bare-metal x86 tool for Cold Boot Attack experiments

Original link: https://github.com/pIat0n/BareMetal-RAM-Dumper

This is a bare-metal x86 tool designed to dump system memory directly to a bootable USB drive. The procedure has historically been used in "cold boot attacks" to recover sensitive data such as encryption keys. The tool runs in legacy BIOS (CSM) mode and bypasses the operating system entirely. It uses "unreal mode" to reach memory above the 1MB barrier and a BIOS interrupt (`INT 0x15` E820) to parse the memory map, so that only valid memory is captured. Once the memory has been read, the tool uses `INT 0x13` (Extended Write) to save the raw data to the boot drive starting at sector LBA 64.

**Important warnings:**

* **Data loss:** This tool overwrites all existing data on the USB drive from sector 64 onward. Use a dedicated blank drive.
* **Requirements:** The target machine must support legacy BIOS/CSM boot, and the USB drive must be large enough to hold the system's total memory.
* **Usage:** Build the project with NASM, write the resulting `boot.bin` to a USB drive with `dd` or similar software, then boot the target PC from the USB drive. The tool displays a progress percentage until the dump completes.

Hacker News: BareMetal RAM Dumper – Bare-metal x86 tool for Cold Boot Attack experiments (github.com/piat0n), 11 points, posted by liffik 53 minutes ago | 1 comment

Retr0id, 29 minutes ago:

> successfully tested

Can you elaborate? What device did you test on, what was the procedure, and what were the results?

Original text

A simple x86 bare-metal tool designed to boot from a disk/USB and dump the system's RAM directly to the booting medium. It relies on BIOS interrupts to boot and perform disk operations, and enters unreal mode to access memory above the 1MB barrier.

Background: Cold Boot Attacks ❄️

This tool was originally developed and successfully tested for experimenting with Cold Boot Attacks. By freezing a laptop's RAM (down to -60°C) and quickly rebooting from a USB drive containing this tool, it is possible to dump the frozen memory contents to the disk before the data decays, allowing for the extraction of sensitive information like encryption keys.

  • Custom Bootloader: Boots directly from the BIOS (Legacy CSM). No OS required.
  • Unreal Mode: Switches temporarily to unreal mode to access and read 32-bit physical memory addresses.
  • Memory Map parsing: Uses BIOS INT 0x15 E820 to detect valid RAM regions and avoid dumping reserved memory or memory-mapped I/O.
  • Direct Disk Write: Uses BIOS INT 0x13 AH=0x43 (Extended Write) to write the memory contents directly back to the boot drive starting at LBA 64.

  1. stage1.asm is a 512-byte boot sector. It initializes segment registers, sets up the stack, and uses Extended Read (INT 0x13 AH=0x42) to load stage2 from LBA 1 into memory at 0x8000. Then it jumps to stage2.
  2. stage2.asm performs the main logic:
    • Queries the BIOS for EDD (Enhanced Disk Drive) support.
    • Gets the memory map using INT 0x15 E820.
    • Calculates the maximum RAM size.
    • Loops through RAM in 32KB chunks.
    • For each chunk, it switches to unreal mode to copy data from high memory into a low memory buffer (0x90000).
    • Writes the 32KB chunk to disk using Extended Write, starting at LBA 64.
    • Prints a progress percentage on the screen.

This tool writes raw data directly to the boot drive starting at Sector 64! If you write this to a USB drive containing important data, the RAM dump will overwrite whatever is present at LBA 64 and beyond. Use a dedicated, blank USB flash drive for this purpose.

You will need NASM installed to compile this project.

On Windows, run the provided build script:

On Linux, you can run:

nasm -f bin stage1.asm -o stage1.bin
nasm -f bin stage2.asm -o stage2.bin
cat stage1.bin stage2.bin > boot.bin

  1. Build the project to generate boot.bin.
  2. Write boot.bin to a USB drive (e.g. using dd on Linux/macOS, or Rufus / Win32DiskImager on Windows).
    • Note: Make sure your USB drive has enough space to hold your system's RAM.
    • Example (Linux): sudo dd if=boot.bin of=/dev/sdX bs=512
  3. Boot your target PC from the USB drive (ensure Legacy BIOS / CSM boot is enabled).
  4. Wait for the dump to complete (it will show 100%).
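As an added example (not part of the project's code), the following Python walks the E820 map described in the "how it works" steps and sizes the dump for the drive-capacity note in step 2: it parses classic 20-byte E820 entries from a constructed sample map, takes the highest usable address as the "maximum RAM size", and works out how many 32KB chunks and 512-byte sectors land on the stick from LBA 64. It assumes the dump is written linearly from physical address 0 (our reading of the README), so the address-to-LBA helper rests on that assumption as well.

```python
import struct

SECTOR = 512
CHUNK = 32 * 1024      # the tool copies and writes RAM in 32KB chunks (README)
DUMP_START_LBA = 64    # the dump begins at LBA 64 of the boot drive (README)
E820_USABLE = 1        # E820 type 1 = usable RAM; everything else is reserved/ACPI/MMIO

def parse_e820(buf):
    """Parse classic 20-byte E820 entries (base u64, length u64, type u32, little-endian)."""
    return [struct.unpack_from("<QQI", buf, off) for off in range(0, len(buf) - 19, 20)]

def usable_regions(entries):
    """[(base, end)] for usable entries, sorted by base; end is exclusive."""
    return sorted((b, b + n) for b, n, t in entries if t == E820_USABLE and n > 0)

def max_ram_end(entries):
    """Highest usable address, i.e. the 'maximum RAM size' the dump loop runs up to
    (our reading of the README: reserved holes below it stay inside the dumped span)."""
    regions = usable_regions(entries)
    return max(end for _, end in regions) if regions else 0

def dump_plan(entries):
    """Size the dump as the tool lays it out: whole 32KB chunks from address 0 to
    max_ram_end, written back to back from LBA 64. Use it to pick a large enough stick."""
    end = max_ram_end(entries)
    chunks = -(-end // CHUNK)              # ceil(end / CHUNK)
    sectors = chunks * CHUNK // SECTOR
    return {
        "usable_bytes": sum(e - b for b, e in usable_regions(entries)),
        "max_end": end, "chunks": chunks, "sectors": sectors,
        "last_lba": DUMP_START_LBA + sectors - 1,
        "min_drive_bytes": (DUMP_START_LBA + sectors) * SECTOR,
    }

def phys_to_lba(addr):
    """LBA that holds physical address `addr` (assumes the linear layout above)."""
    return DUMP_START_LBA + addr // SECTOR

# Constructed sample map: a 4 GiB machine with the usual low holes and 1 GiB remapped above 4 GiB.
SAMPLE_MAP = b"".join(struct.pack("<QQI", b, n, t) for b, n, t in [
    (0x00000000, 0x0009FC00, 1), (0x0009FC00, 0x00000400, 2),
    (0x000F0000, 0x00010000, 2), (0x00100000, 0xBFEE0000, 1),
    (0xBFFE0000, 0x00020000, 2), (0xFEC00000, 0x00001000, 2),
    (0x100000000, 0x40000000, 1),
])

if __name__ == "__main__":
    p = dump_plan(parse_e820(SAMPLE_MAP))
    print(f"usable {p['usable_bytes'] >> 20} MiB; dump = {p['sectors']} sectors, LBA {DUMP_START_LBA}..{p['last_lba']};")
    print(f"drive must hold >= {p['min_drive_bytes']} bytes; the 1MB mark lands at LBA {phys_to_lba(0x100000)}")
```

Note that the sizing counts the address span up to the top of usable RAM, not just the usable bytes, because reserved holes (and the remap above 4 GiB) still occupy chunks in a linear dump.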