Some months ago we wrote a blog post about physical memory limits in all Microsoft Windows 32 bit builds along with a test application able to install a bootkit in the system. This bootkit enables the operating system to exploit all available memory above 4 GB (up to 64 GB, using PAE technology). However the previous application was just a test release. We have received many e-mails about it, so we’ve decided to release an improved build of this bootkit.
Compared to the previous build, this major release brings new features like:
- UEFI Compatibility: build up from scratch, similar code to the x64 Windows 8 Bootkit project. Windows 8 x86 installations in UEFI environment share the same memory limitations of old x86 Windows versions. Now X86 Memory bootkit is able to work even in a UEFI environment and bypass 4 GB memory limit
- VBR Setup type: Due to incompatibilities between memory bootkit and custom/branded MBR code, we have switched to a brand-new setup routine. Now the bootkit is installed to the system Volume Boot Record code (only NTFS partition type), in a less-intrusive way. VBR setup can fix many incompatibility issues as it leaves the boot manager code separated from the bootkit code
- Compatible bootkit: We developed a new bootkit startup code with the aim to resolve Windows activators incompatibilities and to introduce multi-os support. The new bootkit is now able to start on each Windows version of a multi-OS workstation without the request to be reinstalled on each OS
- System analysis and reports: New feature that analyzes system drive’s startup areas before installing the bootkit. If some part of the boot code is unknown/unexpected to the tool, the setup routine stops the installation and warns users about potential compatibility issues. User can decide to turn off this warning. Setup application can furthermore generate full system reports. You can even decide to provide us with a log report so that we can get back to you with a feedback
- Improvements and Bug fixes: A lot of bugs are resolved. Noteworthy is real mode segment issue, that will lead to incompatibilities and slowdowns on some particular notebooks. Fixed USB keys and removable devices removing procedure bug, fixed boot disk device lookup (done starting from BCD data).
- New graphical interface: A new modern graphical interface was (re)designed with the aim to be more handy and easier for users.
Screenshot of new Saferbytes X86 memory bootkit
PHYSICAL MEMORY – ONE BRIEF CONSIDERATION
Physical memory in Microsoft Windows is being managed in a different way than virtual memory. VMM unit is a huge module in Windows and to describe it in a exhaustive way an entire book would note be enough.
In each Windows installtion, the total amount of physical memory is detected by calling the kernel function MmInitSystem called with first argument (phase number) set to 0. MmInitSystem, called from phase 0, calls MmInitNucleus. As we have already seen in the previous article, this procedure contains is the “core” of the memory management initialization (and even license checks). MmInitSystem obtains hardware-related data (like total amount of physical memory), initializes base VMM data and paging structures, and then calls MiCreatePfnDatabase. The last procedure creates and maps Page Frame Number database, used by the system to track physical memory pages usage.
Here is what we would like to investigate in this article: indeed Windows uses PFNs to successfully manage all physical memory. A process working set is defined as a subset of the physical memory pages used by that specific process.It is the part of memory of a process that is resident in physical memory. There are several processes running together in a live system. So Windows has to manage several process working sets relying in different address spaces. Furthermore VMM has to manage even memory paging, mapped section object and other critical routines.
In this analysis we don’t want to spend too much effort on them (the book “What Makes It Page?: The Windows 7 (x64) Virtual Memory Manager” written by Enrico Martignetti is definitely one of the best books about the topic), however keep in mind that all these features (together with many others) need to have a database of physical pages. Each PFN is linked to a particular list of pages. Indeed each page in physical memory could belong to one of the following 5 lists (honestly there are also at least 2 others subtype lists: modified-no write and transition, though we are not interested about them right now):
- Active – An active page maps a valid virtual address (kernel or user, where the latter belongs to a working set, and the former not necessarily) and one or more PTEs points to it.
- Modified – A page that previously belonged to a Working set, but now is removed from it (due to working set trimming or aged page). The content of the page has not been saved to external storage, so the page can’t be reused until this happens.
- Standby – A page that was previously in modified list, but now has been successfully written to disk (paging file) by Modified Page Writer thread. The page can be reused if VMM needs it. However, as long as the page is in this state, its content is still valid and the PTE still points to it (even if is invalid), like in the modified case. Standby list is prioritized by Superfetch, in last Windows releases (starting from Windows Vista)
- Free – Page contains dirty data in it but can be reused because no PTE points to it. When VMM have to reuse a page on this list, it must fill with zeroes (due to C2 security rating).
- Zeroed – Page is free for use, no PTE points to it and is also already initialized with zeroes
Process explorer showing system PFN Database
Each PFN entry in the database contains different data for each different page list. For instance a PFN relative to an active page differs from a PFN of a modified page. Windows Internals book describe each PFN type. You could examine each PFN entry with a kernel debugger (!pfn command). Here an interesting thing: PFN database is always present in physical memory, actually Windows can’t page this database out. Its size can change and depends on:
- Target platform architecture (x86, x86 with PAE, AMD64), whole hardware physical address lines, and virtual address size (8 bytes on AMD64 and x86 with PAE)
- Size of total installed physical memory (more memory means more PFN in dataset)
An original x86 PFN entry is 24 bytes in size, an x86-PAE PFN is 28 bytes (due to increased PTE size), and an AMD64 PFN is 48 bytes.
Our test system was equipped with 24 GB of DDR3 RAM. After some tests we can say that our x86 PAE operating system needs 168 Mbytes of continuous memory to correctly map and use entire physical memory, to maintains only physical memory structures, not considering paging structures (24 GB / 4 Kbytes page size = 6’291’456 pages * 28 bytes per PFN entry = 144 MB). A 64 bit Microsoft system will use 288 Mbytes (24 GB / 4 Kbytes page size = 6’291’456 pages * 48 bytes per PFN entry = 288 MB).
PFN analysis done in x86 non-PAE Windows XP
We now know that more memory needs more data structures used to keep track of it, and this depends either on architecture, memory size, and either on memory related OS data structures (PFN database is a software concept needed by the OS to correctly manage processes, threads, and paging). Thus we demonstrated that 32 bit PAE operation systems 4 GB limit is entirely a software limit, because showing an x86 PAE PTE, (linked also in PFNs, in OriginalPte field) pinpoints that PFN software field bits are much more than 20 (as confirmed by Intel manual “System programming Guide”, chapter 4.4)
VMM component in an operating system is a very interesting topic, way worth some further investigation if you want to deeply understand how your OS is able to map and manage physical memory.
BOOTKIT USAGE
Let’s go back to our Memory bootkit. Here we describe some hints, tips and tricks for installation, uninstallation and issues handling
INSTALLATION
Install x86 memory bootkit in a classical way (option 1 – MBR Setup) only if there isn’t any boot manager installed in your system (like Acronis OS Selector, Yamsisoft, GRUB, etc..). Otherwise just use VBR Setup type (option 2). If you would like to enable bootkit for more than one Microsoft x86 operating system click on “Bootkit options” in File menu and enable “ONLY compatible” Bootkit program type. In this way bootkit should work on every installed Microsoft OS.
The “Ignore system MBR type analysis” setting is used if the MBR installation procedure is unable to detect standard Microsoft MBR code sector and stops the installation with an error like “Unable to find Original Windows Mbr on “.PhysicalDriveX“. I will stop installation procedure..”. If this setting is flagged, bootkit will be installed and will use sector 0 as standard MBR code. Don’t enable this unless you really know what you are doing, because it can break the system boot up routine.
UNINSTALL
For memory bootkit removing, just run again the installation tool. At the tool startup, it detects the bootkit presence, and shows proper options to remove it from the system. The same is for USB pen drive: ignore the always-present option “Make a bootable floppy or pendrive” as the tool will anyway detect that the bootkit has been installed on the USB pendrive and it’ll remove the code from there.
If for any reason the system doesn’t boot anymore, users can remove Memory bootkit using Windows installation DVD. After booted from the Windows Installation DVD, open a command prompt and write the following commands:
bootrec /fixmbr – in case of a classical MBR installations OR
bootrec /fixboot – in case of VBR installation (option 2 when installed the bootkit)
Then just restart the system. The bootkit should be definitely gone
REPORT
Whether something goes wrong and user wants to investigate, Setup application can generate a system report that dumps system information, loaded drivers, Master boot record sectors, System boot partition Volume boot record, and other details. User can generate this report with “Generate System Report” command found in Help menu. When the generation routine ends, user will be asked whether he would like to send report to Safebytes for further analysis.
DISCLAIMER
This software and its documentation are free and come “as is” with absolutely no guarantee and no support. The software is just for research purposes and it must be used only on testing environment. This software could potentially break your operating system by overwriting the Master Boot Record and/or the Volume Boot Sector, thus preventing it from actually running. Don’t use this software unless you know exactly what you are doing. If you accept this, download the tool from the following link: DOWNLOAD
Could you make this work with XP? A lot of companies still use windows XP and the 4gb wall is very limitating for some patterns of use (e.g. virtual machines).
I can beta test it for you, if it helps saving your time.
Thanks
Hi Andrea
Whats difference between Beta 1 and Beta 2 ?
regards
Hi Anto & Mike!
@Anto: No, unfortunately We don’t plan to make it works with Xp. Xp physical memory limit code is more spread in Kernel. Exploiting it leads us others lot of hours of reversing, modification and testing. Is this effort valuable for an ancient operating System like Xp??? Keep in mind that even if we took much time for developing Bootkit (and its Setup program), this remains a free tool.
@Mike: No differences between them. Beta 1 is a testing version, Beta 2 is the same version that is resulted stable. Only exception is Secureboot detection code, added for more security (our bootkit is not compatible with SecureBoot)
Hope this help.
Regards
Ciao Andrea! L’ho installato ma mi ha crashato il sistema al riavvio! schermata blu e l’ho risolto solo con il ripristino di sistema ad un punto precedente. Esiste un tool per la rimozione delle cose ha installato o modificato? grazie
Si se leggi la guida troverai che utilizzando il DVD di Windows puoi rimuoverlo tranquillamente…
bootrec /fixmbr OPPURE
bootrec /fixboot
Comunque il tuo problema dipende da un driver. Puoi usare il tool e generare un report.
Regards
Dear Andrea,
I followed the blog since December and have tested the first version without success. I have just tested the new version on my Lenovo x201t. It works perfect when I uninstall graphics driver “Intel HD Graphics” (resulting in VGA-Resolution which is a pain – but remote desktop will do the job for testing at the moment).
I like this approach starting the bootkit in a very flexible way from SD-Card on demand very much and it works very stable besides the driver issue!
You mentioned in the previous blog that “Only certainly rare kinds of drivers does not work with this huge available Physical Address space (like Intel old HD Graphics ones)”
Have you tested the new ones? I have tried:
Intel HD Graphics 8.15.10.2622 from 10.01.2012 (provided by lenovo)
Intel HD Graphics 15.22.57.2827 from 10.08.2012 (provided by Intel)
None of them works. When windows boots it crashes when loading the graphics driver with a black screen and no hard disk activity anymore.
Here is my System Information for the graphics card:
Name Intel(R) HD Graphics
PNP Device ID PCIVEN_8086&DEV_0046&SUBSYS_215A17AA&REV_023&33FD14CA&0&10
Adapter Type Not Available, Intel Corporation compatible
Adapter Description Intel(R) HD Graphics
Adapter RAM Not Available
Installed Drivers igdumdx32.dll,igd10umd32.dll
Driver Version 8.15.10.2622
INF File oem103.inf (iILKM0 section)
Color Planes Not Available
Color Table Entries Not Available
Resolution Not Available
Bits/Pixel Not Available
Memory Address 0xF2000000-0xF23FFFFF
Memory Address 0xD0000000-0xDFFFFFFF
I/O Port 0x00001800-0x00001807
IRQ Channel IRQ 0
Driver c:windowssystem32driversigdkmd32.sys (8.15.10.2622, 10,36 MB (10.859.520 bytes), 10.01.2012 22:18)
Do you have any recommendation or can tell me which version was successful in your case? Can this be a BIOS-issue or driver settings?
Regards
Horst
@Horst
blame Intel for their buggy drivers.
Tried latest build, it works a short time. After that, just bootloop. Even I cannot see logo of loading screen. It’s something like “restarting loop”.
My PC:
Motherboard: GA-MA78LMT-S2
CPU: AMD Phenom II X4 955 Black Edition 3.2 GHz
Memory: KINGSTON KHX1600C9D3B1K2/4GX 1600 MHz (2x2GB RAM)
HDD: SAMSUNG HD103SJ
GPU: Sapphire Radeon HD5670 512MB DDR5
Hi All!
@Horst: Yes, I know that some Intel drivers have bugs that hinder Bootkit usage. The most you can do is to try to download and use the last Intel drivers for Windows Server 2008. WS2008 indeed use the SAME kernel of Windows Vista/Windows 7 BUT without memory limits. That’s all I can say now, because I don’t have time to disassemble that drivers..
@Cristian: Unfortunately you have quite the same drivers issue. Based on my tests, AMD drivers don’t misbehave on large memory system. You can do some things: 1. Install last AMD driver and replace old ones; 2. Generate and send bootkit report to us before install it (attached with application Log is better). 3. Disable automatic restart on system failure (with F8 menù): generated BSOD will help to pinpoint guilty driver.
Hope that this help
Andrea
Grazie per il lavoro che hai condiviso.L’ho installato su un windows 7 con 4 gb di ram.Funziona tutto. Ma come faccio a verificare l’effettivo utilizzo di tutti e 4 i gb?l’indicatore di windows è attendibile o non può essere modificato?
Ciao! Si l’indicatore interno del Task manager sembrerebbe attendibile (dovresti guardare l’indicatore della “Total Physical Memory”). Per fare una verifica significativa potresti usare inoltre “Testlimit” di Sysinternals. Lo puoi trovare qui: http://download.sysinternals.com/files/TestLimit.zip.
Eseguilo con parametro “-a” in una console aperta con l’account “System” (dopo aver scaricato i PsTools di SysInternals eseguila così: “psexec -sid cmd.exe”). Il tuo sistema dovrebbe essere in grado di allocare quasi tutti i 4 GB di ram…
Buona serata!
Andrea
Ciao,
ho provato ha installare la tua patch. Con gestione risorse vedo tutti i 4Gb di ram, ma se lancio l’utility testlimit come descritto, da questo risultato:
c:utilitiestestlimit>Testlimit.exe -a
Testlimit v5.22 – test Windows limits
Copyright (C) 2012 Mark Russinovich
Sysinternals – http://www.sysinternals.com
Process ID: 340
Allocating AWE memory…
Allocated 2347 MB of AWE memory. Lasterror: 1450
Risorse di sistema insufficienti per completare il servizio richiesto.
Ok, chiedo venia, 2347 Mb dovrebbe essere corretto, perché ho un sacco di altra roba aperta. In effetti così arrivo ad occupare quasi tutti e 4Gb! Notevole!
Una cosa volevo chiedere: se il sistema si avvia correttamente è tutto ok, o potrei avere qualche problema random in futuro? come posso testare bene il sistema?
Saluti,
Massimo
Dear Andrea,
thanks for the hint with driver for windows server OS. Unfortunately, I could not find one for my lenovo laptop. I finally came across another thread with PAE driver issues for another approach which directed my to windows xp drivers. After several fails I managed to install a windows xp driver for my lenovo x201t (with Intel HD Graphics).
The driver is:
Mobile Intel 4 Series Express Chipset Family version 6.14.10.5420 from 23.07.2012 (provided by Intel)
Here is my System Information for the graphics card:
Name Mobile Intel(R) 4 Series Express Chipset Family
PNP Device ID PCIVEN_8086&DEV_0046&SUBSYS_215A17AA&REV_023&33FD14CA&0&10
Adapter Type Intel(R) HD Graphics (Core i5), Intel Corporation compatible
Adapter Description Mobile Intel(R) 4 Series Express Chipset Family
Adapter RAM 1,24 GB (1.335.715.840 bytes)
Installed Drivers vga.dll,framebuf.dll,vga256.dll,vga64k.dll
Driver Version 6.14.10.5420
INF File oem122.inf (iCNT0 section)
Now everything works as expected. The latop is much more responsive even with several virtual machines running (No swapping and no more waiting when switching applications). A great feeling!
I hope that this information helps other users to successfully run this bootkit.
Thank you very much for your solid piece of work!
Regards
Horst
Thank you Horst for information!
Your sharing is very very useful for us and for each other readers.
Regards,
Andrea
@Horst
are you under windows 7 or windows 8 ?
@Mike
I run Windows 7 professional. I have no experience with windows 8 unfortunately. I need 32-Bit windows because several HW-Drivers for embedded systems programming do not work with 64-Bit.
bootkit fully worked on my windows 8 professional, but it is not work on windows 8 (windows 8 core)
i have following problem on my windows 8 (windows 8 core)
1 : windows never boot after installing bootkit (both 1 & 1.20 beta 2)
it is worked only immediate restart , but os not boot after a shutdown
2 : there is no change in graphics
3 : there is no change in windows experience index before and after installing bootkit
i am using windows 8 9200 from msdn, and is not cracked with any loader
my system details
windows 8 core
ASUS P8H67-M (with latest bios and drivers)
intel i5 2500 (3.3ghz)
4x4gb ddr3 ram (total 16gb)
1gb nvidia 210
i have some suggestion
1 : there is no command line (i want to integrate as setupcomplete.cmd)
2 : add a provision to automatic close,after installing bootkit
i hope you will reduce this problems on next version
I installed your new version now on my primary system, which is an ASUS X71TP notebook with Win7 Home x86 and it works fine so far.
The only difference I noticed is that when switching power-on or rebooting, it always behaves like this now:
-First my normal AMI boot screen
-then for some seconds a blinking “_”
-then it reboots (again the AMI screen and power-on sound)
-then Win7 boots as it should
But once the system is started, it works perfect with fhe full 4 GB. I tried a game that before run a bit slowly because it used all available RAM, now with 750 MB more it runs signifficantly better. No problems with graphics or other drivers so far :).
it is not work on windows 8 (windows 8 core)
We have not tested Memory bootkit for Windows 8 Core. Where did you get Core edition?
> Where did you get Core edition?
In MSDN download ISO “Windows 8 Pro” and “Windows 8 Core” is included.
But “BootKit” don’t work with Windows Blue (Windows 8.1). Perhaps of new Kernel version no. 9201 ?
all windows 8 iso contains two editions they are windows 8 pro and windows 8 core , if add windows 8 core key, you can install windows 8 core
or
just add a “ei.cfg” file in source folder of your windows 8 iso, you can install both editions without product key
“ei.cfg” contains text as below
[Channel]
Retail
[VL]
1
> all windows 8 iso contains two editions
That’s wrong.
If you download “Windows 8 Pro” via Microsoft download you get an ISO which only include “Windows 8 Pro” – not “Windows 8 Core”.
If you download “Windows 8 Enterprise” 90-day trial version you get an ISO which only include “Windows 8 Enterprise” – not “Windows 8 Pro” nor “Windows 8 Core”.
I can confirm that “BootKit” works with Windows 8 Core.
Ciao,
I have win7 32bit installed with software RAID 1. Are there any issues about that? I get these errors:
Saferbytes X86 Memory Bootkit 1.2.0 Beta 2 Log File
Execution time: 15/04/2013 – 11:11
11:11:48 – CSystemAnalyzer::GetStartupPhysDisk – Found system boot disk device number #0.
11:11:48 – CBootkitMbrSetup::GetBootkitState – x86 Memory bootkit not found on MBR of “\.PhysicalDrive0”.
11:11:48 – CBootkitMbrSetup::IsBootkitInstalledInVbr – Unable to find NTFS bootable partition on disk “\.PhysicalDrive0”.
11:11:50 – CBootkitMbrSetup::IsStandardMbr – Found a standard Windows MBR Sector on drive 0.
11:11:50 – CBootkitMbrSetup::GetBootmgrVolume – Unable to get disk extents for \?Volume{1a3514ce-a08f-19e2-ab38-b4b52fab3ead} Volume, last error: 234
11:11:50 – GetBootkitTypeForSystem – Unable to get Boot Volume name and Number. GetBootmgrVolume has failed!
11:11:50 – MbrInstallBootkit – Detected non-standard Windows Loader on this System. I’ll use Compatible Bootkit type (no Bootmgr signature needed).
11:11:51 – CBootkitMbrSetup::GetBootkitState – x86 Memory bootkit not found on MBR of “\.PhysicalDrive0”.
11:11:51 – CBootkitMbrSetup::IsBootkitInstalledInVbr – Unable to find NTFS bootable partition on disk “\.PhysicalDrive0”.
Instead I tried a fake-soft RAID managed by the BIOS and have no troubles.
thanks,
alessio
Hi
is it possible that bootkit does not work with a Windows SoftRaid Mirror installed?
Thanks,
alessio
E su Windows Vista Business funziona pure?
Attualmente sulla mia macchina fisicamente ho 12 Gb di Ram ma nel Task manager alla voce “Memoria fisica (MB) Totale trovo scritto 2557.
Pensi che posso risolvere il problema così o devo proprio e per forza passare ai 64 b del sistema operativo?
Grazie mille
@Alcnr: Significa che hai lo stesso problema di tutti i sistemi a 32 bit. Il tuo PC sfrutta solo 2,5 GB di RAM e lascia i restanti 9,5 GB inattivi. Il nostro Bootkit è compatibile anche con Windows Vista. Provalo su una chiavetta, fai il Boot da quella e vedrai… Poi se tutto funziona installalo sul tuo hard disk…
@Alessio: Actually it should work with Windows Dynamic disks, but we haven’t done deeper tests with them… What does “Windows SoftRaid Mirror” mean? Dynamic Disks in mirror mode? Or is it a particular application?
Andrea
Ciao
no, it means stadnard windows configuration: two disks, mirrored by windows’ OS. The strange thing is that it seems working when the raid is done through the BIOS, with fake-hardware chipset.
thanks,
alessio
Does not seem to work for me on Win 7 Sp1 Home Prem. Bootkit seems to install OK but does nothing after reboot. If force enable PAE and disable NX bit it BSODs halfway through boot.
I’m using an old Xeon 32bit CPU with 8GB Ram. Does the bootkit assume hardware NX bit support?
Log:
11:53:59 – CSystemAnalyzer::GetStartupPhysDisk – Found system boot disk device number #0.
11:53:59 – CBootkitMbrSetup::GetBootkitState – x86 Memory bootkit not found on MBR of “\.PhysicalDrive0”.
11:54:09 – CBootkitMbrSetup::IsStandardMbr – Found a standard Windows MBR Sector on drive 0.
11:54:09 – CBootkitMbrSetup::GetBootmgrSignature – Found Windows Bootmgr on “\.Volume{087d20a3-af50-11e2-97e9-806e6f6e6963}bootmgr”.
11:54:09 – CBootkitMbrSetup::GetBootmgrSignature – Successfully obtained 0x60D82C6F Bootmgr signature (0x96 first byte) for current system…
11:54:09 – CBootkitMbrSetup::MbrInstallBootkit – Successfully written original Mbr in sector 0x00000012.
11:54:09 – CBootkitMbrSetup::GetBootmgrSignature – Found Windows Bootmgr on “\.Volume{087d20a3-af50-11e2-97e9-806e6f6e6963}bootmgr”.
11:54:09 – CBootkitMbrSetup::GetBootmgrSignature – Successfully obtained 0x60D82C6F Bootmgr signature (0x96 first byte) for current system…
11:54:09 – CBootkitMbrSetup::WriteBtkProgram – Successfully written bootkit program in sector 0x00000010.
11:54:09 – CBootkitMbrSetup::MbrInstallBootkit – Successfully written new bootkit Master Boot Record.
11:54:13 – CBootkitMbrSetup::GetBootkitState – Found x86 Memory bootkit signature on MBR of “\.PhysicalDrive0”.
11:54:13 – CBootkitMbrSetup::GetBootkitState – AaLl86 bootkit found installed and active on “\.PhysicalDrive0”.
11:54:16 – Execution Ended!
Getting further now. After an update of the C-media sound card driver it does actually boot. Probably a bios limitation but I see 7.5 -> 7.87GB free ram depending on the AGP aperature setting.
The system seems somewhat sluggish with graphics when the hack is applied but I’m impressed the boot loader works at all with this old dinosaur of a PC.
@Krobar: You are confusing…
Memory bootkit actually requires an enabled NX support (and PAE) processor. If your configuration doesn’t support PAE and NX bit you can’t use more than 4 GB of Memory in your 32 bit OS….
Ottimo,mi funziona benissimo con win 7 e win 8.
Per il caro Win xp non c’e’ niente da fare?
Grazie
bistingo
I have Old laptop Lenovo 3000N100 with T5600 double core processor 64 bit support PAE and NX extension but bootkit do not run. I have windows 8 enterprise, the same as my Asus laptop i7 where bootkit run fine. I saw somewhere this may come from the graphic drivers ? but Lenovo come with the old Intel GMA 950 / 945PM Mobile Intel. Or may be the bios ? I don’t know, if you have any clue I thank you so much 🙂
I used bootkit for 3 months and Updating windows 8 yesterday and Bug… Now Laptop reboot and freezing or rebooting alone many time… I have to disable bootkit to reboot withoit freezing… I dont know if I can re-enable it now ?
OK I re-enabled bootkit on my laptop and all seem to be OK. I think the problem come from bad move from myself because I intalled bootkit as first partition and I have to install it as 2nd… trouble is done.
Hi! I’ve tried but it’s not working.
Here’ the log file:
Saferbytes X86 Memory Bootkit 1.2.0 Beta 2 Log File
Execution time: 09/04/2014 – 11:22
11:22:03 – CSystemAnalyzer::GetStartupPhysDisk – Found system boot disk device number #0.
11:22:03 – CBootkitMbrSetup::GetBootkitState – x86 Memory bootkit not found on MBR of “\\.\PhysicalDrive0”.
11:22:12 – CBootkitMbrSetup::VbrInstallBootkit – Successfully written bootkit starter program on sector 0x00000010 of drive “\\.\PhysicalDrive0”.
11:22:12 – CBootkitMbrSetup::GetBootmgrSignature – Found Windows Bootmgr on “\\.\Volume{2186475e-a5e0-11e3-9712-806e6f6e6963}\bootmgr”.
11:22:12 – CBootkitMbrSetup::GetBootmgrSignature – Successfully obtained 0xFEC03136 Bootmgr signature (0xBF first byte) for current system…
11:22:12 – CBootkitMbrSetup::WriteBtkProgram – Successfully written bootkit program in sector 0x00000011.
11:22:12 – CBootkitMbrSetup::VbrInstallBootkit – Successfully updated bootstrap code of system NTFS boot partition.
11:22:15 – CBootkitMbrSetup::GetBootkitState – x86 Memory bootkit not found on MBR of “\\.\PhysicalDrive0”.
11:22:15 – BootkitVbrSetup – Found an active and valid AaLl86 x86 Memory Bootkit (sector 0x00000010) linked to System boot partition of disk “\\.\PhysicalDrive0”.
Saferbytes X86 Memory Bootkit 1.2.0 Beta 2 Log File
Execution time: 09/04/2014 – 11:30
11:30:41 – CSystemAnalyzer::GetStartupPhysDisk – Found system boot disk device number #0.
11:30:41 – CBootkitMbrSetup::GetBootkitState – x86 Memory bootkit not found on MBR of “\\.\PhysicalDrive0”.
These are truly impressive ideas in concerning blogging.
You have touched some fastidious points here.
Any way keep up wrinting.
The bootkit is being detected by Avast antivirus as a rootkit: Mebustra-A.
I’ve already reported it as a false positive but they seem VERY slow in updating their definitions.
Is there any workaround that would allow me to keep the 8GB bootkit and Avast AV working together?
I’ve already attempted excluding the EXE but to no avail…
I have the same problem with Avast Free AntVir since the “MBR:Mebusta-A [Rtk]” shows up in VirusUpdate 140619-0. The only way is to deactivate the RootKit-Search. But that is counterproductive and not a workaround. The EXE is only a configuration-program for the MBR and is not detected as malware on my system.
Did you get any reaction from Avast on your report as false positve?
No, no response from AVAST to date :(.
The AV has stopped nagging me though after I told it to ignore this file in future… I had to tell it to ignore the file MULTIPLE times over a few days before it stuck…
I opened a ticket on Avast-Support (German department) on July 7th reporting a false positive and explained my reasons for installing the bootkit. Today I received the answer “they checked the file in their laboratory and adapted their virus-database”. I checked for rootkits today and got no “Mebusta-Message”. The database now is 140716-0. Check your database number and tell me, if the message has gone.
Purtroppo con W.8.1 non funziona, inoltre ha dimostrato totale incompatibilità con gli ultimi driver nVidia, corrompendo irreversibilmente il bootloader di Windows. Unica soluzione ripristino immagine sistema.
Hello, i sorru for my english.
Question : is it possible to install bootkit on windwos serveur 2003 standart edition ?.
tanks a lot.
Hello, i sorru for my english.
Question : is it possible to install bootkit on windwos serveur 2003 standart edition ?.
tanks a lot.
PS : it is windows serveur 2003 english 32 bits.
ciao andrea io ho come sistema operativo windows 8 .1 con architettura a 64 e non capisco come sia possibile che me la limita a 4 gb avendone realmente 8 . ho provato a usare il tuo tool ma non mi riconosce il sistema operativo , come potrei fare ? grazie
Nice respond in return of this issue with solid arguments and telling the
whole thing on the topic of that.
I am regular reader, how are you everybody? This article posted at this site is really pleasant.
Are there any plans to continue development of this tool for Windows 10?
great tool!
Can you explain the exact function?
Is it the same as the patch of PAE http://wj32.org/
Thank you
Ciao, il vostro sito è offline. C’è un modo per scaricare di nuovo il tool? Grazie
Ciao Andrea, il tool non funziona più, sia in modalità MBR, che VBR!
E’ un problema rimediabile? Grazie
Ciao Andrea, ti chiedo scusa, ma il memory bootkit funziona ancora alla grande!
E’ tutta colpa del controller Etron USB 3.0, che prima funzionava solo con i drivers 113 ed ora è andato in malora!
Ci ho messo un pò di tempo, ma alla fine l’ho capito XD
I just tried your software wanting access all available RAM in my Windows 7 Professional SP1 (build 7601) and it fuc*ed everything. I have following drive setup: C:FAT32 Windows 98, E: NTFS Windows XP and F:NTFS Windows 7. I could use Ranish Partition Manager to easily restore mbr, but also bcd is screwed and I don’t have backup to fully restore all boot options. Now only MSDOS part is booting, but there are problems with ntldr and bootmgr entries in bcd. Windows reinstallation is waiting.
@advanced user: You can directly edit your BCD with bcdedit, using the Windows 7 install disk, without having to reinstall your existing versions of Windows.
Insert the Windows 7 install disk, and choose the repair option, then make your way to the command prompt. From there, you can use bcdedit to directly edit your bcd. Go to the following link for more information. A little late, but I hope this helps.
https://msdn.microsoft.com/en-us/library/windows/hardware/ff541231(v=vs.85).aspx
Ho provato ad installarlo opzione 2 VBR ma con bootrec /fixboot anche se l’operazione ha successo il sistema continua a riavviarsi.
Sono riuscito a farlo partire con BOOTICE e modificare il boot in modalità provvisoria.
Il sistema parte ma come faccio a rimuoverlo? Ora sono rimasto bloccato in modalità provvisoria. E’ per caso un driver che parte al boot? come faccio a trovarlo e rimuoverlo manualmente visto che l’applicazione non lo sente già installato?
Scordavo di far sapere che il sistema operativo che uso è l’ultimo windows 10 ver. 1607 eng-us.