This talk will expand on concepts explored in my NSEC 2025 talk "Stolen Laptops : A brief overview of modern physical access attacks".
We will deep-dive into the subject of Direct Memory Access attacks against modern Windows operating systems, exploring together some of the primary countermeasures employed to protect computers from physical attackers.
Notably, we will discuss the implementation and interaction of various defensive technologies at the physical, firmware, and operating system layers.
This includes things like UEFI security, hardware whitelisting, firmware DMA protection and virtualization features (VT-d, VT-x, AMD-Vi), and their interaction with critical OS layer protection mechanisms including Virtualization-Based Security (VBS) and Kernel DMA Protection. We will discuss techniques used by attackers to neutralize or bypass these mechanisms to enable a DMA attack against Windows 11.
The talk culminates with an in-depth presentation of a novel tool I developed called DMAReaper. The tool allows attackers with physical access to disable Kernel DMA Protection via a pre-boot DMA attack even when a system has all modern protection mechanisms enforced.
We will discuss the research that supported the tool's creation and the precise operations being performed against system RAM in order to locate and destroy the DMAR ACPI table required for Kernel DMA Protection to function. This talk includes multiple video demonstrations of the tool being used to compromise a modern workstation running Windows 11.
Pierre-Nicolas Allard-Coutu, Senior Penetration Tester, Bell Canada
Pierre-Nicolas Allard-Coutu is a senior penetration tester and offensive security R&D lead at Bell Canada's Security Testing and Incident Response team (STIRT). He is a seasoned red team operator with many years of experience, specializing in the development of malware payloads and payload delivery systems. More recently, he has spearheaded the creation of physical penetration test methodologies including novel exploitation techniques aimed at compromising UEFI pre-boot environments and enabling Direct Memory Access vectors against modern laptops. He is currently the top public contributor to the Quebec Government Cyber Defense Center's vulnerability disclosure program, and part of the HackFest Challenge design team. The type of person who could never resist placing "><script>alert(1);<!-- in his bio.