[Vol-users] Problems with Win7SP1x64 hiberfil.sys

Jamie Levy jamie at memoryanalysis.net
Mon Feb 23 13:57:08 CST 2015


Hi Adam,

You are correct about your assumption where the first pages are nulled
out.  Win7SP1x64 hibernation file support does work (I actually
implemented and tested that support), the name "WindowsHiberFileSpace32"
is really just a misnomer and works for both x86 and x64.  Perhaps I'll
change that name to just "WindowsHiberFileSpace" instead...

That being said, sometimes things break due to corrupt hibernation files
(stale partially overwritten data for example), which causes the address
space to fail.  It could also be that there is more than one kdbg value.
 Try a couple of things to help troubleshoot:

1) use `kdbgscan` with the `--profile=Win7SP1x64` flag and see if there
is more than one value.
2) try to use `psscan` or `modscan` with the correct profile and see if
you get anything back.

In the worst case, are you able to share the hibernation file so that we
may troubleshoot it?

All the best,

-Jamie




On 2/23/15 2:20 PM, Bridgey theGeek wrote:
> Hi all,
> 
> Just trying to figure out where I'm going wrong.
> 
> I have a hiberfil.sys file from a Win7SP1x64 system.
> The first 6 pages are full of 0x00 which I believe means the hiberfil
> was wiped as part of a resume.
> 
> Having read the AOMF, specifically p98, I expected Volatility to brute
> force the header and, voila, magic happens.
> 
> However, Volatility just reports that it wasn't able to find a matching
> address space:
> 
> $ python vol.py -f /tmp/hiberfil.sys imageinfo
> Volatility Foundation Volatility Framework 2.4
> Determining profile based on KDBG search...
> 
>           Suggested Profile(s) : No suggestion (Instantiated with
> Win7SP1x86)
>                      AS Layer1 : IA32PagedMemoryPae (Kernel AS)
>                      AS Layer2 : WindowsHiberFileSpace32 (Unnamed AS)
>                      AS Layer3 : FileAddressSpace (/tmp/hiberfil.sys)
>                       PAE type : PAE
>                            DTB : 0x185000L
>                           KDBG : 0x82d3ac28
>           Number of Processors : 4
>      Image Type (Service Pack) : 1
>                 KPCR for CPU 0 : 0x82d3bc00
>                 KPCR for CPU 1 : 0x807c6000
>                 KPCR for CPU 2 : 0x8d300000
>                 KPCR for CPU 3 : 0x8d336000
>              KUSER_SHARED_DATA : 0xffdf0000
>            Image date and time : 2014-05-09 15:26:28 UTC+0000
>      Image local date and time : 2014-05-09 17:26:28 +0200
> 
> $ python vol.py -f /tmp/hiberfil.sys --profile=Win7SP1x64 pslist
> Volatility Foundation Volatility Framework 2.4
> No suitable address space mapping found
> Tried to open image as:
>  MachOAddressSpace: mac: need base
>  LimeAddressSpace: lime: need base
>  WindowsHiberFileSpace32: No base Address Space
>  WindowsCrashDumpSpace64BitMap: No base Address Space
>  WindowsCrashDumpSpace64: No base Address Space
>  ...
>  ...
> 
> If I try an imagecopy, the output file is identical to the original:
> 
> $ python vol.py -f /tmp/hiberfil.sys --profile=Win7SP1x64 imagecopy -O
> /tmp/hiberfil.bin
> Volatility Foundation Volatility Framework 2.4
> Writing data (5.00 MB chunks):
> |.................................................................................................................................................................................................................................................................................................................................................................................................................................................................|
> bridgey at aspire:~/dev/volatility$ md5sum /tmp/hiberfil.*
> fee8a1c6924b871477434a678adb4483  /tmp/hiberfil.bin
> fee8a1c6924b871477434a678adb4483  /tmp/hiberfil.sys
> 
> And finally, I couldn't find a class for 64-bit hiberfil...
> 
> $ find -type f -name '*iber*' -exec grep -H ^class.WindowsHi {} \;
> ./volatility/plugins/addrspaces/hibernate.py:class
> WindowsHiberFileSpace32(addrspace.BaseAddressSpace):
> 
> Am I leaping to conclusions, or is a hiberfil from a 64-bit system
> simply not supported?
> 
> Would love any comments!
> 
> Thanks,
> Adam
> 
> 
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> 

-- 
Jamie Levy (@gleeda)
Blog: http://volatility-labs.blogspot.com/
GPG:  http://pgp.mit.edu/pks/lookup?op=get&search=0x196B2AB527A4AC92
Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92


More information about the Vol-users mailing list