Sandman shell. Your hibernation file in a nutshell. – Part I

I’d like to introduce a new tool I plan to release later. It aims to provide a local shell for exploring the Windows hibernation file, much as WinDbg or LiveKd do with crash dumps, using the SandMan framework.

The most interesting point about its use is that it loads Microsoft debugging symbols to retrieve critical structures such as EPROCESS and ETHREAD for every target file version, along with the offsets of unexported functions and variables. Symbols are downloaded automatically if they are not found on the local host.
Another interesting point: we behave as if we were the kernel or a kernel debugger like WinDbg, so we can retrieve a great deal of information. Only a small part of it is actually implemented so far!

For instance, this means we can list processes from a Windows XP hibernation file as well as from a Windows 2008 one, and print additional information about critical system tables such as the Interrupt Descriptor Table (IDT) and the System Service Dispatch Table (SSDT), which can be used to detect abnormal modifications by third-party drivers such as rootkits.
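As an added illustration of the SSDT check mentioned above (example code written for this page, not part of Sandman or SandMan), the function below decodes a constructed 32-bit service table and flags every entry whose target lies outside the kernel image; the module ranges, table contents and driver name are constructed sample values, not from any real system.

```python
import struct

# Constructed sample: kernel and driver image ranges as a symbol/module loader
# would report them (hypothetical addresses, not from any real system).
MODULES = {
    "ntoskrnl.exe": (0x80400000, 0x805C0000),
    "win32k.sys":   (0xBF800000, 0xBF9A0000),
    "rootkit.sys":  (0xF8A00000, 0xF8A10000),   # constructed third-party driver
}

# Constructed SSDT (KiServiceTable): a little-endian array of 32-bit function
# pointers, as it would be read out of the hibernation file at the address the
# symbols give for the table. Two entries point into the constructed driver.
SSDT_RAW = struct.pack("<6I",
    0x8042A1F0, 0x8042B3C4, 0xF8A01230, 0x80431880, 0x805A0F00, 0xF8A04560)

def owner_of(addr, modules):
    """Return the name of the module whose image range contains addr, or None."""
    for name, (start, end) in modules.items():
        if start <= addr < end:
            return name
    return None

def check_ssdt(raw, modules, expected="ntoskrnl.exe", ptr_size=4):
    """Decode an SSDT blob and report every entry that does not point into the
    expected kernel image. Returns a list of (index, address, owning module)."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    suspicious = []
    for i in range(len(raw) // ptr_size):
        (addr,) = struct.unpack_from(fmt, raw, i * ptr_size)
        owner = owner_of(addr, modules)
        if owner != expected:
            suspicious.append((i, addr, owner))
    return suspicious

if __name__ == "__main__":
    for idx, addr, owner in check_ssdt(SSDT_RAW, MODULES):
        print(f"service {idx}: 0x{addr:08X} -> {owner or 'unknown module'}")
```

The same check applies to the shadow table used by win32k, with `expected="win32k.sys"`; on 64-bit targets pass `ptr_size=8` (the offset-encoded table layout of later Windows versions is not handled here).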

We can also imagine a new way to unpack executables such as malware.

Here are some screenshots of the current commands.

Of course, you can still generate a raw dump from the shell to produce a dump that is interoperable with existing frameworks such as Volatility.

Future:
I plan to integrate my disassembling library to detect abnormal patching, or to give a quick view of a process stack to check whether shellcode is present. I would also like to extend the tool to Microsoft crash dump files generated by a more advanced version of win32dd :-).

If you want to become a beta tester, or if you know a pretty single girl to introduce to me, feel free to mail me at: matt (pouet) msuiche.net.
