Category Archives: SandMan

Demystifying new Windows 7 System Information Classes

This post is the first of a serie of articles/blogposts about new System Information Class under Windows 7 (32bits ATM) used by both NtQuerySystemInformation and extended version of this API called NtQuerySystemInformationEx introduced in Windows 7 and Windows 2008 R2.

First of all, here is the prototype of these functions.

NTSTATUS (WINAPI *NtQuerySystemInformationEx)(SYSTEM_INFORMATION_CLASS SystemInformationClass,
PULONG QueryType,
ULONG Alignment,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);

NTSTATUS (WINAPI *NtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);

As you can see there is two further arguments in NtQuerySystemInformationEx: QueryType and Alignment.

And here are new (and undocumented) system information classes added to Windows 7 that will be discussed in next blogposts.

// NtQueryEx
SystemLogicalProcessorAndGroupInformation = 107,
SystemLogicalGroupInformation = 108,

SystemStoreInformation = 109,
SystemVhdBootInformation = 112,
SystemCpuQuotaInformation = 113,

// Removed in build 7100
SystemHardwareCountersInformation = 115, // uses KeQueryHardwareCounterConfiguration() instead

SystemLowPriorityInformation = 116,
SystemTpmBootEntropyInformation = 117,
SystemVerifierInformation = 118,

// NtQueryEx
SystemNumaNodesInformation = 121,
// Added in build 7100
SystemHalInformation = 122, // 8 bytes size
SystemCommittedMemoryInformation = 123,
MaxSystemInfoClass = 124

PS. For interested people the first issue of the Debugged! MZ/PE: MagaZine is available on Amazon.

Twitt This!

Edit: SYSTEM_INFORMATION_CLASS structure updated in build 7100.

Your hibernation file in a nutshell – Part II

>> Part I < <
As I said in MoonSols blog, I decided to release the actual version of hibrshell as a free non-opensource tool. The current version is alpha, this means the project is still in developpement.

You can find hibrshell at the following link:

* The actual version can read the hibernation file from a hibernated or resumed computer — this means hibrshell don’t mind if the first page (header) had been wiped or not.
* Moreover, Windows XP, 2003, Vista and 2008 hibernation file are compliant with hibrshell. Probably Windows Seven too — but I donnot have tested it.
* hibrshell uses Microsoft Debugging Symbols technology this explains why it is able to list process regardless of the target version.
* Only few basis features are actually provided.


* hibr2dmp command. To convert Microsoft hibernation file to an Microsoft crash dump file. I guess I’d be easier and more powerful to proceed to an advanced analysis with WinDbg than with my little swissknife.
* Support for Microsoft crash dump files, and raw memory snapshot will be added.

Few words about Microsoft interoperability initiative.

As you probably know, Microsoft released last month several thousands pages of documentation about office file format and Windows protocols.

It means numerous hundreds(thousands?) of functions/algorithms documentation and pseudo-code. But, are these pseudo-function right? It looks not.

While I was reading [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol Specification, I was a bit curious to see the DecompressWin2k3() function (Thanks Aaron, Stefan , and Brendan).

This function is in fact the decompression algorithm called Xpress implemented for the first time in Windows XP and not Windows 2003 as say the name. Xpress algorithm works on 64kb chunks and is used in Windows hibernation file format, Windows Imaging Format (WIM) , Outlook, Exchange, and… LDAP replication service of Active Directory.

I’m quoting below, errors I found in the pseudo-code of DecompressWin2k3(). Here is the C implementation.

while (outputIndex < = outputSize) 
should be:
while (outputIndex < outputSize) 
    if (indicatorBit = 0) then 
        indicatorBit := copy inputBuffer[inputIndex] as 32-bit integer in 
        little-endian format 
        should be:
        indicator := copy inputBuffer[inputIndex] as 32-bit integer in 
        little-endian format 
        inputIndex := inputIndex + 4 
        indicatorBit := 32 

    indicatorBit := indicatorBit - 1 

//* check whether the bit specified by indicatorBit is set or not 
//* set in indicator. For example, if indicatorBit has value 4 
//* check whether the 4th bit of the value in indicator is set  

    if indicatorBit bit in indicator is not set then 
        inputBuffer[inputIndex] := outputBuffer[outputIndex]
        should be:
        outputBuffer[outputIndex] := inputBuffer[inputIndex] 
        inputIndex := inputIndex + 1 
        outputIndex := outputIndex + 1 
        length := copy inputBuffer[inputIndex] as 16-bit integer in 
        little-endian format 
        inputIndex := inputIndex + 2 
        offset := length /8 
        length := length mod 8 

        if (length = 7) then 

            if (nibbleIndex = 0) then 
                nibbleIndex := inputIndex 
                length := inputBuffer[inputIndex] mod 16 
                inputIndex := inputIndex + 1 
                length := inputBuffer[inputIndex] / 16 
                should be:
                length := inputBuffer[nibbleIndex ] / 16 
                nibbleIndex := 0 

            if (length = 15) then 

                length := inputBuffer[inputIndex] 
                inputIndex := inputIndex + 1 

                    if (length = 255) then 
                        length := copy inputBuffer[inputIndex] as 16-bit integer in little-endian format 
                        inputIndex := inputIndex + 2 
                        length := length - (15 + 7) 
                length := length + 15 

            length := length + 7 


    length := length + 3 

        while (not length = 0) 
        should be:
        while (length != 0) 
            outputBuffer[outputIndex] := outputBuffer[outputIndex - offset - 1] 
            outputIndex := outputIndex + 1 
            length := length - 1 



New attack released – Windows has been vulnerable for 8 years.

In November 2007 at PacSec'07, Tokyo, Japan, Nicolas Ruff and I (Matthieu Suiche) presented how to create a readable physical memory dump from the undocumented Microsoft hibernation file.

Last month, I published an open-source public version of this project called SandMan Framework. This framework allows manipulating the hibernation file for offensics (malicious) or forensics uses.

Today, I am going to release a Proof of Concept of the sandman attack using SandMan Framework. This PoC consists in elevating a user CMD shell to SYSTEM level under Windows XP SP3 RC1.

Sandman Framework offers a wide range of possibilities, both offensive and defensive. Like cryptographic keys retrieving in popular encryption software (e.g. TrueCrypt, GPG), privilege
escalation (cf. PoC), login without any password, and so on

All Windows versions are concerned, from Windows 2000 up to Windows 2008, Windows Vista SP1 included (and possibly Windows Seven).

The following video shows how the system can be subverted in a few minutes. The following points are highlighted:

* Deactivating hibernation feature does not solve the problem.
* The sandman attack affects every Windows version, from Windows 2000 to Windows 2008, 32- and 64-bit alike.
* We can read and write everything everywhere in the physical memory (RAM).
* This attack is feasible in real life on every computer with no hardware requirements.
* The attack has no time limitation. If a computer has been hibernated one
week ago, extracting his physical memory is still possible.

This is far more powerful than other recently demonstrated attacks against physical memory, like Cold Boot and FireWire attacks.

“keep you free from sin, till the sandman he comes”
(Enter SandMan — Metallica)