Hiberfil.sys - Revision history

Joachim Metz: /* External Links */

2012-12-06T07:27:42Z

‎External Links

Joachim Metz: /* LZ XPRESS */

2012-12-05T19:39:40Z

‎LZ XPRESS

Joachim Metz: /* External Links */

2012-12-05T19:35:53Z

‎External Links

Joachim Metz: /* External Links */

2012-12-05T07:23:25Z

‎External Links

Joachim Metz: /* External Links */

2012-12-03T19:45:13Z

‎External Links

Joachim Metz at 19:38, 3 December 2012

2012-12-03T19:38:59Z

Msuiche at 13:17, 16 August 2008

2008-08-16T13:17:14Z

Moyix: Better reference to MS-DRSR, note about pseudocode errors.

2008-06-30T14:04:56Z

Better reference to MS-DRSR, note about pseudocode errors.

Moyix: Got the date wrong for the WSPP release

2008-06-27T20:30:12Z

Got the date wrong for the WSPP release

Moyix: Typo in the link to sandman

2008-06-27T20:22:55Z

Typo in the link to sandman

@@ Line 10: / Line 10: @@
 * [http://www.msuiche.net/pres/PacSec07-slides-0.4.pdf Enter SandMan], by [[Nicolas Ruff]], [[Matthieu Suiche]]
 * [http://web17.webbpro.de/downloads/Hibernation%20File%20Attack/Hibernation%20File%20Format.pdf Hibernation File Format], by [[Peter Kleissner]], 2009
 * [http://code.google.com/p/volatility/wiki/HiberAddressSpace Microsoft Hibernation Files], by [[Volatility|the Volatility project]]

@@ Line 13: / Line 13: @@
 === LZ XPRESS ===
-* [http://msdn.microsoft.com/en-us/library/ee441458.aspx]
+* [http://msdn.microsoft.com/en-us/library/ee441458.aspx DIRECT2 Encoding Algorithm], by [[Microsoft]]
-* [http://www.msuiche.net/2008/04/06/few-words-about-microsoft-interoperability-initiative/]
+* [http://www.msuiche.net/2008/04/06/few-words-about-microsoft-interoperability-initiative/ Few words about Microsofts interoperability initiative], by [[Matthieu Suiche]]
-* [http://www.msuiche.net/codes/xpress.c.txt]
+* [http://www.msuiche.net/codes/xpress.c.txt C implementation of LZ XPRESS], by [[Matthieu Suiche]]

← Older revision		Revision as of 19:35, 5 December 2012
Line 11:		Line 11:
	* [http://web17.webbpro.de/downloads/Hibernation%20File%20Attack/Hibernation%20File%20Format.pdf Hibernation File Format], by [[Peter Kleissner]], 2009		* [http://web17.webbpro.de/downloads/Hibernation%20File%20Attack/Hibernation%20File%20Format.pdf Hibernation File Format], by [[Peter Kleissner]], 2009
	* [http://code.google.com/p/volatility/wiki/HiberAddressSpace Microsoft Hibernation Files], by [[Volatility\|the Volatility project]]		* [http://code.google.com/p/volatility/wiki/HiberAddressSpace Microsoft Hibernation Files], by [[Volatility\|the Volatility project]]
		+
		+	=== LZ XPRESS ===
		+	* [http://msdn.microsoft.com/en-us/library/ee441458.aspx]
		+	* [http://www.msuiche.net/2008/04/06/few-words-about-microsoft-interoperability-initiative/]
		+	* [http://www.msuiche.net/codes/xpress.c.txt]

← Older revision		Revision as of 07:23, 5 December 2012
Line 10:		Line 10:
	* [http://www.msuiche.net/pres/PacSec07-slides-0.4.pdf Enter SandMan], by [[Nicolas Ruff]], [[Matthieu Suiche]]		* [http://www.msuiche.net/pres/PacSec07-slides-0.4.pdf Enter SandMan], by [[Nicolas Ruff]], [[Matthieu Suiche]]
	* [http://web17.webbpro.de/downloads/Hibernation%20File%20Attack/Hibernation%20File%20Format.pdf Hibernation File Format], by [[Peter Kleissner]], 2009		* [http://web17.webbpro.de/downloads/Hibernation%20File%20Attack/Hibernation%20File%20Format.pdf Hibernation File Format], by [[Peter Kleissner]], 2009
		+	* [http://code.google.com/p/volatility/wiki/HiberAddressSpace Microsoft Hibernation Files], by [[Volatility\|the Volatility project]]

← Older revision		Revision as of 19:45, 3 December 2012
Line 6:		Line 6:

	== External Links ==		== External Links ==
		+	* [http://sandman.msuiche.net/docs/SandMan_Project.pdf Sandman Project], by [[Matthieu Suiche]], February 2008
		+	* [http://msuiche.net/con/bhusa2008/Windows_hibernation_file_for_fun_%27n%27_profit-0.6.pdf Windows hibernation file for fun & profit], by [[Matthieu Suiche]]
		+	* [http://www.msuiche.net/pres/PacSec07-slides-0.4.pdf Enter SandMan], by [[Nicolas Ruff]], [[Matthieu Suiche]]
	* [http://web17.webbpro.de/downloads/Hibernation%20File%20Attack/Hibernation%20File%20Format.pdf Hibernation File Format], by [[Peter Kleissner]], 2009		* [http://web17.webbpro.de/downloads/Hibernation%20File%20Attack/Hibernation%20File%20Format.pdf Hibernation File Format], by [[Peter Kleissner]], 2009

← Older revision		Revision as of 19:38, 3 December 2012
Line 4:		Line 4:

	In early 2008, as part of the [http://msdn.microsoft.com/en-us/library/cc197979.aspx Windows Server Protocol Program], Microsoft released documentation on the Xpress compression algorithm in the [http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-DRSR%5D.pdf Directory Replication Service (DRS) Remote Protocol] specification (section 4.1.10.6.15, "DecompressWin2k3"). However, the pseudocode given contains numerous errors, as documented by [[Matthieu Suiche]] in a [http://www.msuiche.net/2008/04/06/few-words-about-microsoft-interoperability-initiative/ blog entry].		In early 2008, as part of the [http://msdn.microsoft.com/en-us/library/cc197979.aspx Windows Server Protocol Program], Microsoft released documentation on the Xpress compression algorithm in the [http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-DRSR%5D.pdf Directory Replication Service (DRS) Remote Protocol] specification (section 4.1.10.6.15, "DecompressWin2k3"). However, the pseudocode given contains numerous errors, as documented by [[Matthieu Suiche]] in a [http://www.msuiche.net/2008/04/06/few-words-about-microsoft-interoperability-initiative/ blog entry].
		+
		+	== External Links ==
		+	* [http://web17.webbpro.de/downloads/Hibernation%20File%20Attack/Hibernation%20File%20Format.pdf Hibernation File Format], by [[Peter Kleissner]], 2009

@@ Line 1: / Line 1: @@
 hiberfil.sys is the file used by default by Microsoft Windows to save the machine's state as part of the [[hibernation]] process. The operating system also keeps an open file handle to this file, so no user, including the Administrator, can read the file while the system is running.
-Although most of the data structures required to parse the file format are available in the [[Microsoft Windows]] debug symbols, the compression used (Xpress) was undocumented until it was reverse engineered by [[Matthieu Suiche]] and [[Nicolas Ruff]]. Currently, [http://sandman.msuiche.net/ Sandman] is the only open-source tool that can read the Windows hibernation file.
+Although most of the data structures required to parse the file format are available in the [[Microsoft Windows]] debug symbols, the compression used (Xpress) was undocumented until it was reverse engineered by [[Matthieu Suiche]]. He created with [[Nicolas Ruff]] a project called [http://sandman.msuiche.net/ Sandman] is the only open-source tool that can read and write the Windows hibernation file.
 In early 2008, as part of the [http://msdn.microsoft.com/en-us/library/cc197979.aspx Windows Server Protocol Program], Microsoft released documentation on the Xpress compression algorithm in the [http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-DRSR%5D.pdf Directory Replication Service (DRS) Remote Protocol] specification (section 4.1.10.6.15, "DecompressWin2k3"). However, the pseudocode given contains numerous errors, as documented by [[Matthieu Suiche]] in a [http://www.msuiche.net/2008/04/06/few-words-about-microsoft-interoperability-initiative/ blog entry].

← Older revision		Revision as of 20:30, 27 June 2008
Line 3:		Line 3:
	Although most of the data structures required to parse the file format are available in the [[Microsoft Windows]] debug symbols, the compression used (Xpress) was undocumented until it was reverse engineered by [[Matthieu Suiche]] and [[Nicolas Ruff]]. Currently, [http://sandman.msuiche.net/ Sandman] is the only tool that can read the Windows hibernation file.		Although most of the data structures required to parse the file format are available in the [[Microsoft Windows]] debug symbols, the compression used (Xpress) was undocumented until it was reverse engineered by [[Matthieu Suiche]] and [[Nicolas Ruff]]. Currently, [http://sandman.msuiche.net/ Sandman] is the only tool that can read the Windows hibernation file.

−	~~Later in 2007~~, as part of the [http://msdn.microsoft.com/en-us/library/cc197979.aspx Windows Server Protocol Program], Microsoft released documentation on the Xpress compression algorithm in the [http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-DRSR%5D.pdf Directory Replication Service (DRS) Remote Protocol] specification.	+	In early 2008, as part of the [http://msdn.microsoft.com/en-us/library/cc197979.aspx Windows Server Protocol Program], Microsoft released documentation on the Xpress compression algorithm in the [http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-DRSR%5D.pdf Directory Replication Service (DRS) Remote Protocol] specification.

@@ Line 1: / Line 1: @@
 hiberfil.sys is the file used by default by Microsoft Windows to save the machine's state as part of the [[hibernation]] process. The operating system also keeps an open file handle to this file, so no user, including the Administrator, can read the file while the system is running.
-Although most of the data structures required to parse the file format are available in the [[Microsoft Windows]] debug symbols, the compression used (Xpress) was undocumented until it was reverse engineered by [[Matthieu Suiche]] and [[Nicolas Ruff]]. Currently, [[Sandman | http://sandman.msuiche.net/ ] is the only tool that can read the Windows hibernation file.
+Although most of the data structures required to parse the file format are available in the [[Microsoft Windows]] debug symbols, the compression used (Xpress) was undocumented until it was reverse engineered by [[Matthieu Suiche]] and [[Nicolas Ruff]]. Currently, [http://sandman.msuiche.net/ Sandman] is the only tool that can read the Windows hibernation file.
 Later in 2007, as part of the [http://msdn.microsoft.com/en-us/library/cc197979.aspx Windows Server Protocol Program], Microsoft released documentation on the Xpress compression algorithm in the [http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-DRSR%5D.pdf Directory Replication Service (DRS) Remote Protocol] specification.