

26 Feb 2008

SandMan 1.0.080226 is out!

Articles, Programming, Reverse Engineering, Windows

Since Windows 2000, Microsoft has provided a feature called Hibernation, also known as suspend-to-disk, that saves the system state into an undocumented file called hiberfil.sys. This file holds a copy of the physical memory saved by the operating system and is meant to be restored the next time the computer is powered on. Live forensics uses a physical memory dump to recover information about the targeted machine, and one of the main problems is obtaining a readable physical memory dump in the first place; hibernation is an efficient way to save and reload physical memory. Hibernation analysis has notable advantages: system activity is totally frozen, therefore the acquired data is coherent, and no software tool running on the target is able to block the analysis. The system is left perfectly functional after analysis, with no side effects.

The hibernation file opens two valuable doors. The first one is (live?) forensics analysis for defensive computing: hibernation is an efficient and easy way to get a physical memory dump, but the main issue was: how do you read hiberfil.sys? That is how the idea of SandMan was born. The second one is a new (or not) concept we introduce here, called "offensics", a portmanteau of "offensive" and "forensics". If we can read hiberfil.sys, can we also rewrite it? The answer is: yes, with SandMan you can.


SandMan was first introduced at PacSec, Japan, in November 2007; the slides are available in the SandMan section.

* SandMan provides a C library and a Python port.

Here is a sample implementation in Python.

    #!/usr/bin/python
    #
    # Module Name:
    #
    #     sample1.py
    #
    # Abstract:
    #
    #     - Display target version.
    #     - Build a physical memory dump from a hibernation file.
    #
    # Environment:
    #
    #     - Python
    #
    # Revision History:
    #
    #     - Matthieu Suiche
    #

    import sys
    import sandman

    # Expect exactly two arguments: the hibernation file and the output dump.
    if len(sys.argv) != 3:
        print("Matthieu Suiche - http://sandman.msuiche.net/")
        print("Usage: %s hiberfil.sys physical_dump.vmem" % sys.argv[0])
        sys.exit(1)

    # Open the hibernation file and obtain a SandMan handle on it.
    s = sandman.hiber_open(sys.argv[1])

    # The version word is decoded as: major in the low byte, minor in the
    # next byte, build number in the upper 16 bits.
    ver = sandman.hiber_get_version(s)
    print("Windows version %d.%d.%d\n" % (ver & 0xFF, (ver & 0xFF00) >> 8, ver >> 16))

    # Rebuild the raw physical memory image and write it to the output file.
    print("Generate physical memory dump...")
    sandman.hiber_dump(s, sys.argv[2])
    print("Done.")

    # Release the handle.
    sandman.hiber_close(s)
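As an added example that is not part of SandMan or of the original post, here is the pre-flight check a practitioner would want to run before handing a file to hiber_dump: a resumed or cleared hibernation file no longer describes the memory you are after, and it is cheaper to detect that from the header than to discover it in the dump. The only assumption about the file layout is the 4-byte signature at offset 0 of hiberfil.sys, taken from published hibernation-file analysis rather than from this post: "hibr" for a valid saved image, "wake" once Windows has resumed from it, and an all-zero signature treated here as a cleared header. Everything else about the header is left to the library. The decode_version helper unpacks the version word exactly the way the sample above prints it, and the sample headers are constructed bytes, not real files.

```python
#!/usr/bin/env python
# Added example, not SandMan code: sanity-check a hibernation file before
# calling sandman.hiber_dump on it.
#
# Assumption (from published hibernation-file research, not from this post):
# the first 4 bytes of hiberfil.sys hold a signature, 'hibr' for a valid
# saved image and 'wake' once the OS has resumed from it. An all-zero
# signature is treated as a cleared header.
import sys

SIG_VALID = b"hibr"    # image is intact, worth converting
SIG_RESUMED = b"wake"  # already consumed by a resume, contents are stale

# Constructed sample headers (not real files) used for a quick self-check.
SAMPLE_HEADERS = {
    "fresh": b"hibr" + b"\x00" * 12,
    "after_resume": b"wake" + b"\x00" * 12,
    "zeroed": b"\x00" * 16,
}


def classify_hiberfil(header):
    """Classify a hibernation file from its leading bytes.

    Returns one of 'valid', 'resumed', 'cleared', 'truncated' or 'unknown'.
    """
    if len(header) < len(SIG_VALID):
        return "truncated"
    sig = header[:4]
    if sig == SIG_VALID:
        return "valid"
    if sig == SIG_RESUMED:
        return "resumed"
    if sig == b"\x00" * 4:
        return "cleared"
    return "unknown"


def decode_version(ver):
    """Unpack the version word the way sample1.py prints it:
    major in the low byte, minor in the next byte, build in the upper 16 bits.
    """
    return (ver & 0xFF, (ver >> 8) & 0xFF, ver >> 16)


def check_file(path):
    """Read the signature from disk and return its classification."""
    with open(path, "rb") as fh:
        return classify_hiberfil(fh.read(4))


def main(argv):
    if len(argv) != 2:
        print("Usage: %s hiberfil.sys" % argv[0])
        return 2
    state = check_file(argv[1])
    print("%s: %s" % (argv[1], state))
    # Only a 'valid' file is worth passing to sandman.hiber_dump; a 'resumed'
    # or 'cleared' one no longer describes the memory you want to analyse.
    return 0 if state == "valid" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the hibernation file first and only call the sample above when it exits 0; treating anything other than "valid" as a hard stop avoids spending time on a dump that was never going to contain the live state.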


* Furthermore, SandMan is open source and released under the GNU General Public License v3; further information is available on the Google Code SVN at the following link:
http://code.google.com/p/sandmanlib/.

* Currently, SandMan supports the 32-bit version of the hibernation file, from Windows XP to Windows Server 2008.

To download SandMan, go to the section dedicated to SandMan here:
http://sandman.msuiche.net/.

This entry was posted on Tuesday, February 26th, 2008 at 9:31 pm and is filed under Articles, Programming, Reverse Engineering, Windows.

4 Responses to “SandMan 1.0.080226 is out!”

  1. codefoo says: Posted on Wednesday 27th February

    amazing job!

  2. PLM says: Posted on Wednesday 27th February

    Great man, the world is yours…

  3. Matthieu Suiche’s blog ! » Physical memory access is fashion… says: Posted on Tuesday 4th March

    […] second one was SandMan, which is hosted by myself. This one was released 4 days after the University of Princeton proof of concept and gives read/write permission to physical […]

  4. Mohamed Mansour says: Posted on Tuesday 4th March

    Very nice! good work m8
