F-Response v8, and the new physical memory unsafe target

Mar 11, 2019

 

F-Response has included support for Windows Physical Memory since 2009, and during that time we've made only a few tweaks to how we access that memory in an effort to keep the remote subject as stable as possible.

However, in recent months we've had a couple of customers reach out to report that the physical memory they're accessing with F-Response is coming back with large portions containing only zeros.

The long and short of this is simple: some hardware providers (physical and virtual) have BIOS memory reservations that result in too much of physical memory being marked as off-limits by F-Response.

We've provided some additional details on what to do if the remote machine is a virtual machine in our "Hotadd Memory" blog post (see Hot Add Memory and Physical Memory). However, starting with v8 of F-Response, we've added a second option to bypass our safety overlay entirely.

You will find a new target called "pmem-unsafe" that offers access to physical memory without that overlay. You are welcome to use that target, however, we ask that you keep in mind it may result in a loss of system stability on the remote machine. We recommend only using it in instances where the pmem target is insufficient to meet your needs.
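One way to judge whether an image taken from the pmem target is affected is to measure how much of it is zero-filled and where the long zero runs sit. The script below is an added example, not F-Response code; the 4 KiB page size, the `min_pages` threshold and the sample bytes are assumptions, and because an idle system also holds genuinely zeroed pages, the long contiguous runs are the signal to look at rather than the overall percentage.

```python
import io

PAGE = 4096  # assumed page size (x86/x64 Windows subject)

def zero_runs(stream, page=PAGE, min_pages=256):
    """Scan an image page by page.

    Returns (total_pages, zero_pages, runs), where runs lists
    (byte_offset, byte_length) for zero-filled stretches of at least
    min_pages consecutive pages.
    """
    zero_page = bytes(page)
    total = zeros = 0
    runs, start = [], None

    def close_run(end):
        if start is not None and end - start >= min_pages:
            runs.append((start * page, (end - start) * page))

    while True:
        buf = stream.read(page)
        if not buf:
            break
        if buf == zero_page[:len(buf)]:
            zeros += 1
            if start is None:
                start = total          # first page of a new zero run
        else:
            close_run(total)
            start = None
        total += 1
    close_run(total)                   # run that reaches end of image
    return total, zeros, runs

def report(stream, **kw):
    total, zeros, runs = zero_runs(stream, **kw)
    pct = 100.0 * zeros / total if total else 0.0
    out = [f"{zeros}/{total} pages zero-filled ({pct:.1f}%)"]
    out += [f"  zero run at 0x{o:x}, {n // 1024} KiB" for o, n in runs]
    return "\n".join(out)

def build_sample():
    # Constructed sample, not real memory: data, a long zero run,
    # data, a short zero run below the threshold, data.
    d, z = b"\xAA" * PAGE, bytes(PAGE)
    return d * 2 + z * 6 + d + z * 2 + d

if __name__ == "__main__":
    print(report(io.BytesIO(build_sample()), min_pages=4))
```

For a real acquisition, pass a file opened with `open(path, "rb")` in place of the `BytesIO` sample.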

Thanks! We hope the new option helps in those rare instances where our safety controls make it difficult to get to what you need.

Warmest Regards,

M Shannon, Managing Principal
F-Response
March 11, 2019