SandMan Project :: (c) Suiche Matthieu && Ruff Nicolas, 2007-2008
Sample in Python [UP]
#!/usr/bin/python
#
#
#Module Name:
#
# sample1.py
#
#Abstract:
#
# - Display target version.
# - Build a physical memory dump from a hibernation file.
#
#Environment:
#
# - Python
#
#Revision History:
#
# - Matthieu Suiche
#
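import sys

import sandman

# Paths default to the names the original sample hard-coded; both may be
# overridden from the command line: sample1.py [hiberfil.sys] [hibernate.dmp]
args = sys.argv[1:]
hiber_path = "hiberfil.sys"
dump_path = "hibernate.dmp"
if len(args) > 0:
    hiber_path = args[0]
if len(args) > 1:
    dump_path = args[1]

s = sandman.hiber_open(hiber_path)
# The C sample checks HiberOpen() for NULL; presumably the Python binding
# returns None on failure -- confirm against the module. Without this guard a
# failed open would be passed straight into hiber_get_version().
if s is None:
    print >> sys.stderr, "Error: Failed to open %s." % hiber_path
    sys.exit(1)

try:
    ver = sandman.hiber_get_version(s)
    # Same layout as the C sample decodes: major in the low byte, minor in the
    # next byte, build in the high word. (The C sample zeroes the build when
    # bit 31 is set; this sample prints it unconditionally.)
    print "Windows version %d.%d.%d\n" % (ver & 0xFF, (ver & 0xFF00) >> 8, ver >> 16)
    print "Generate physical memory dump...\n"
    sandman.hiber_dump(s, dump_path)
    print "Done.\n"
finally:
    # Release the handle even if the dump step raises.
    sandman.hiber_close(s)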
Sample in C [UP]
/*++
Module Name:
sample1.c
Abstract:
- Display some header information.
- Build a physical memory dump from a hibernation file.
- Requires: SandMan library.
Environment:
- User mode
Revision History:
- Nicolas Ruff, Matthieu Suiche
--*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include "sandman.h"
/*++
Function Name: main
--*/
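int main (int argc, TCHAR *argv[])
{
    /*
     * Demo entry point.
     *
     * Opens a fixed hibernation file, prints header fields (signature,
     * system time, control registers, Windows version) and writes the
     * rebuilt physical memory image to a fixed .dmp path.
     *
     * Returns EXIT_SUCCESS (0) when the dump was written and EXIT_FAILURE
     * otherwise. The previous revision returned TRUE/FALSE, which inverted
     * the process exit status: a caller checking errorlevel saw the failure
     * paths as success and the success path as failure.
     */
    static const char *HiberPath =
        "C:\\hiberfiles\\Windows XP SP3 RC1 EN\\hiberfil.sys";
    static const char *DumpPath =
        "C:\\hiberfiles\\Windows XP SP3 RC1 EN\\physmem.dmp";

    PSANDMAN_OBJECT s;
    SYSTEMTIME st;
    FILETIME ft;
    ULONG Status;
    ULONG ulVersion = 0;
    ULONG ulMajorVersion = 0;
    ULONG ulMinorVersion = 0;
    ULONG ulBuild = 0;

    /* The demo does not take arguments; keep the conventional signature. */
    (void)argc;
    (void)argv;

    printf(" Sandman demo! (c) %s %s.\n"
           " %s\n"
           " Demo: sample1.c\n\n",
           SANDMAN_DATE,
           SANDMAN_AUTHOR,
           SANDMAN_WEB);

    /*
     * Open and parse hiberfil.sys
     */
    s = HiberOpen(HiberPath);
    if (s == NULL) {
        printf("Error: Failed to open file.\n");
        return EXIT_FAILURE;
    }

    /*
     * Display header info
     */
    printf("Signature: %c%c%c%c\n",
           s->FileHdr->Signature[0],
           s->FileHdr->Signature[1],
           s->FileHdr->Signature[2],
           s->FileHdr->Signature[3]);

    /*
     * Get and format SystemTime. The FILETIME comes straight from the file
     * header; FileTimeToSystemTime() fails on an out-of-range value and then
     * leaves st unset, so only print the broken-down time when it succeeded.
     */
    ft.dwHighDateTime = s->FileHdr->SystemTime.HighPart;
    ft.dwLowDateTime = s->FileHdr->SystemTime.LowPart;
    if (FileTimeToSystemTime(&ft, &st)) {
        printf("SystemTime: %08lx%08lx [%d/%d/%d (DD/MM/YYYY) %d:%d:%d (UTC)]\n",
               ft.dwHighDateTime,
               ft.dwLowDateTime,
               st.wDay,
               st.wMonth,
               st.wYear,
               st.wHour,
               st.wMinute,
               st.wSecond);
    } else {
        printf("SystemTime: %08lx%08lx [not a valid FILETIME]\n",
               ft.dwHighDateTime,
               ft.dwLowDateTime);
    }

    /*
     * Display ProcessorState
     */
    printf("\nControl registers flags\n");
    printf("CR0: %08lx\n", s->ProcState->SpecialRegisters.u_cr0.Cr0);
    printf("CR0[PAGING]: %d\n", s->ProcState->SpecialRegisters.u_cr0.Paging);
    printf("CR3: %08lx\n", s->ProcState->SpecialRegisters.Cr3);
    printf("CR4: %08lx\n", s->ProcState->SpecialRegisters.u_cr4.Cr4);
    printf("CR4[PSE]: %d\n", s->ProcState->SpecialRegisters.u_cr4.PageSizeExtensions);
    printf("CR4[PAE]: %d\n", s->ProcState->SpecialRegisters.u_cr4.PhysicalAddressExtension);

    /*
     * Get the Windows version: major in the low byte, minor in the next
     * byte. The build number is taken from the high word only when bit 31
     * is clear, mirroring how the value is packed.
     */
    ulVersion = HiberGetVersion(s);
    ulMajorVersion = (DWORD)(LOBYTE(LOWORD(ulVersion)));
    ulMinorVersion = (DWORD)(HIBYTE(LOWORD(ulVersion)));
    if (ulVersion < 0x80000000) {
        ulBuild = (DWORD)(HIWORD(ulVersion));
    }

    printf("\nYou want more?\n");
    printf("Windows Version is %lu.%lu (%lu)\n",
           ulMajorVersion,
           ulMinorVersion,
           ulBuild);

    /*
     * Build the physical memory dump. On failure, release the object before
     * leaving -- the previous revision returned without HiberClose().
     */
    printf("\nPhysical Memory dump.\n");
    Status = HiberBuildPhysicalMemoryDump(s, DumpPath);
    if (Status == FALSE) {
        printf("Error: Failed to build the physical memory dump.\n");
        HiberClose(s);
        return EXIT_FAILURE;
    }
    printf("Memory dump successfully dumped.\n");

    HiberClose(s);
    return EXIT_SUCCESS;
}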