Welcome!
The SandManSHELL Project is a forensics, debugging, and reverse code engineering utility, based on the design of Microsoft WinDbg, that retrieves information from Windows hibernation files and/or Microsoft crash dump files for every target system version. Currently, the SandManSHELL Project is 32-bit only.
This project is developed in C/C++ using Microsoft Visual Studio 2008 and built under a Microsoft Windows 2008 64-bit environment.
Notes:
Microsoft Crash dump will become very easy to generate because of the next version
of win32dd.
- Matthieu Suiche
DISCLAIMER
*THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Setup / obtaining / launching SandManSHELL
SandManSHELL is composed of 3 modules:
- ha.exe (core)
- dbghelp.dll (Microsoft DLL to use symbols)
- symsrv.dll (Microsoft DLL to download symbols from remote server)
Because SandManSHELL uses the Microsoft debugging DLLs, you have to define the environment variable _NT_SYMBOL_PATH:
C:\WINDOWS\SYSTEM32> set _NT_SYMBOL_PATH=SRV*C:\WINDOWS\Symbols*http://msdl.microsoft.com/download/symbols
C:\WINDOWS\SYSTEM32> echo %_NT_SYMBOL_PATH%
SRV*C:\WINDOWS\Symbols*http://msdl.microsoft.com/download/symbols
You can now download it at the following link: SandManSHELL beta-testing version
C:\Users\Administrator\Documents\Visual Studio 2008\Projects\ha\Release>ha
I don't have find a name at the moment. alpha version - private build.
MoonSols - www.moonsols.com
Copyright (C) 2008 Matthieu Suiche - www.msuiche.net
Error: Not enough argument. Please give target path.
C:\Users\Administrator\Documents\Visual Studio 2008\Projects\ha\Release>ha hiberfil.sys
I don't have find a name at the moment. alpha version - private build.
MoonSols - www.moonsols.com
Copyright (C) 2008 Matthieu Suiche - www.msuiche.net
Loading hiberfil.sys...
Retrieving Kernel Image base...
Retrieving Kernel Image size...
Kernel Image: 0x81840000-0x81BF9000
_NT_SYMBOL_PATH: SRV*C:\symbols*http://msdl.microsoft.com/download/symbols
Symbols loading...
Kernel raw image...Done.
Symbols downloading/loading..Done.
Loaded symbols: PDB
Module Name : ntoskrnl.exe
PDB Name: C:\symbols\ntkrpamp.pdb\37D328E3BAE5460F8E662756ED80951D2\ntkrpamp.pdb
PsLoadedModuleList = 0x81957C70
sandman> ntbuild
NtBuildNumber = 0xF0001771 Build: 6001
sandman> exit
Cheers.
C:\Users\Administrator\Documents\Visual Studio 2008\Projects\ha\Release>
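The PDB path printed in the transcript above follows the symbol-server layout that dbghelp/symsrv use: cache-or-server, then the PDB name, then the GUID with the age appended, then the PDB name again. The Python helper below is an added example, not part of SandManSHELL: it parses a _NT_SYMBOL_PATH value and reports where a PDB will be cached and fetched from, so a malformed setting can be caught before running ha.exe (handling of the two-part SRV*server form and the GUID-plus-age signature format are my assumptions).

```python
# Added example (not SandManSHELL code). Assumed symsrv layout:
#   <cache>\<pdb>\<GUID+age>\<pdb> locally, <server>/<pdb>/<GUID+age>/<pdb> remotely.
import ntpath
import posixpath
from typing import List, Tuple


def parse_symbol_path(symbol_path: str) -> List[Tuple[str, str]]:
    """Split _NT_SYMBOL_PATH into (cache_dir, server_url) pairs.

    Elements are ';'-separated. 'SRV*<cache>*<server>' is a symbol-server
    entry, 'SRV*<server>' uses symsrv's default cache (returned as ''),
    and a plain directory is returned with an empty server URL.
    """
    entries = []
    for element in (e.strip() for e in symbol_path.split(";")):
        if not element:
            continue
        if element.upper().startswith("SRV*"):
            parts = element.split("*")
            if len(parts) == 2 and parts[1]:
                entries.append(("", parts[1]))
            elif len(parts) == 3 and parts[1] and parts[2]:
                entries.append((parts[1], parts[2]))
            else:
                raise ValueError(f"malformed symbol-server element: {element!r}")
        else:
            entries.append((element, ""))
    return entries


def is_valid_symbol_path(symbol_path: str) -> bool:
    """True if every element parses and at least one element is present."""
    try:
        return bool(parse_symbol_path(symbol_path))
    except ValueError:
        return False


def pdb_locations(symbol_path: str, pdb_name: str, signature: str) -> List[Tuple[str, str]]:
    """(local cache path, download URL) per entry; signature is the GUID followed by the age."""
    out = []
    for cache, server in parse_symbol_path(symbol_path):
        local = ntpath.join(cache, pdb_name, signature, pdb_name) if cache else ""
        url = posixpath.join(server, pdb_name, signature, pdb_name) if server else ""
        out.append((local, url))
    return out
```

Calling pdb_locations with the transcript's path, "ntkrpamp.pdb" and "37D328E3BAE5460F8E662756ED80951D2" reproduces the C:\symbols\ntkrpamp.pdb\...\ntkrpamp.pdb path shown above.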
Screenshots