On a 32-bit Windows hibernation file, we can retrieve the
page/structure (MEMORY_RANGE_ARRAY) that contains the list of all
physical pages mapped like this:
1) Retrieve the first compressed block, starting with XPRESS_MAGIC
"\x81\x81xpress". We denote by X the page number of the first xpress block.
2) Now we can retrieve the MEMORY_RANGE_ARRAY offset like this: (X - 1) * PAGE_SIZE
Here is a sample of code aiming to retrieve MEMORY_RANGE_ARRAY after
the first page has been wiped:
for (FirstPageTable = 0; FirstPageTable < 10; FirstPageTable++)
{
    // Look for the 8-byte XPRESS_MAGIC at the start of each page.
    if (memcmp(s->Map + (FirstPageTable * PAGE_SIZE), XPRESS_MAGIC, 8) == 0)
        break;
}
//
// Note: We only scan the first 10 pages. It's enough for
// 32-bit hibernation files.
//
// No xpress block in the scanned pages, or the magic sits in page 0
// (there is no page before it to hold MEMORY_RANGE_ARRAY).
if (FirstPageTable == 10 || FirstPageTable == 0) return s;
// MEMORY_RANGE_ARRAY is the page just before the first xpress block.
s->MemArray = (PMEMORY_RANGE_ARRAY) (s->Map + (FirstPageTable - 1) * PAGE_SIZE);
Cheers,
On Mon, Sep 15, 2008 at 6:37 PM, AAron Walters <awalters(a)4tphi.net> wrote:
Jean-Francois,
Apologies, I didn't check that before posting this mail.
No worries. I'm sure others will have the same question. Please, feel free
to post any question! We enjoy helping people get involved.
I will work a little bit more on this (to see how to access the
valuable data after this zeroed area) before joining the IRC
It actually shouldn't require too much work. The header basically provides
meta-data that makes processing a little faster. It also provides magic
which can be useful for determining what transformations need to be
performed. All the information you need for analyzing the memory sample can
be determined without the meta information in the header. If you have
trouble, send me an email.
Thanks,
AW
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
Matthieu Suiche
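As an added example (not code from the post above or from the Volatility project), here is a self-contained C version of the two-step lookup Matthieu describes: scan the first 10 pages for the xpress magic and take the page before it as MEMORY_RANGE_ARRAY. It assumes a 4 KiB PAGE_SIZE and uses a constructed in-memory image in place of a real hiberfil.sys; the function and sample names are assumptions, not the thread's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
#define XPRESS_MAGIC "\x81\x81xpress"   /* 8-byte marker of an xpress block */
#define XPRESS_MAGIC_LEN 8
#define MAX_SCAN_PAGES 10               /* the post only scans the first 10 pages */
#define NOT_FOUND (-1L)

/* Scan the first MAX_SCAN_PAGES pages of a mapped hibernation file for the
 * first xpress block and return the byte offset of the page just before it,
 * where the post places MEMORY_RANGE_ARRAY. Returns NOT_FOUND when the magic
 * is absent, sits in page 0 (no page before it) or the map is too short. */
long find_memory_range_array(const uint8_t *map, size_t map_size)
{
    size_t page;
    for (page = 0; page < MAX_SCAN_PAGES; page++) {
        size_t off = page * PAGE_SIZE;
        if (off + XPRESS_MAGIC_LEN > map_size)
            return NOT_FOUND;           /* ran off the end of the file */
        if (memcmp(map + off, XPRESS_MAGIC, XPRESS_MAGIC_LEN) == 0)
            break;
    }
    if (page == MAX_SCAN_PAGES || page == 0)
        return NOT_FOUND;
    return (long)((page - 1) * PAGE_SIZE);
}
/* Constructed sample image (not a real hiberfil.sys): SAMPLE_PAGES zeroed
 * pages, mimicking a wiped header, with the xpress magic written at the
 * start of magic_page. Returns what the locator reports for it. */
#define SAMPLE_PAGES 4
static uint8_t sample[SAMPLE_PAGES * PAGE_SIZE];

long locate_in_sample(size_t magic_page)
{
    memset(sample, 0, sizeof sample);
    if (magic_page < SAMPLE_PAGES)
        memcpy(sample + magic_page * PAGE_SIZE, XPRESS_MAGIC, XPRESS_MAGIC_LEN);
    return find_memory_range_array(sample, sizeof sample);
}

int main(void)
{
    long off = locate_in_sample(2);   /* first xpress block in page 2 */
    printf("MEMORY_RANGE_ARRAY at offset %ld (page %ld)\n", off, off / PAGE_SIZE);
    return off == NOT_FOUND;
}
```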