BareMetal RAM Dumper
A simple x86 bare-metal tool designed to boot from a disk/USB and dump the system's RAM directly to the booting medium. It relies on BIOS interrupts to boot and perform disk operations, and enters unreal mode to access memory above the 1MB barrier.
Background: Cold Boot Attacks ❄️
This tool was originally developed and successfully tested for experimenting with Cold Boot Attacks. By freezing a laptop's RAM (down to -60°C) and quickly rebooting from a USB drive containing this tool, it is possible to dump the frozen memory contents to the disk before the data decays, allowing for the extraction of sensitive information like encryption keys.
Features
Custom Bootloader: Boots directly from the BIOS (Legacy CSM). No OS required.
Boots directly from the BIOS (Legacy CSM). No OS required. Unreal Mode: Switches temporarily to unreal mode to access and read 32-bit physical memory addresses.
Switches temporarily to unreal mode to access and read 32-bit physical memory addresses. Memory Map parsing: Uses BIOS INT 0x15 E820 to detect valid RAM regions and avoid dumping reserved memory or memory-mapped I/O.
Uses BIOS to detect valid RAM regions and avoid dumping reserved memory or memory-mapped I/O. Direct Disk Write: Uses BIOS INT 0x13 AH=0x43 (Extended Write) to write the memory contents directly back to the boot drive starting at LBA 64.
How it Works
... continue reading