Analyze hiberfil.sys

Source: Internet
Author: User
Tags: ssdt
Subject: [original] Analyze hiberfil.sys
Prepared by: microdebug
Time: 2010-11-09 17:34:42
Link: http://bbs.pediy.com/showthread.php?t=124505

I hesitated when writing this note, because I thought it was of little use. In fact it is still quite valuable in several niche or confidential fields. Since there is little material on this topic in China, I wrote this note to share it with you.

Analyze hibernation file

Introduction
What is the hibernation file?
The hibernation file is the system's hibernation file hiberfil.sys, located in the root directory of the system volume. When the system hibernates, Windows dumps the contents of physical memory (including the run-time state of the system) into hiberfil.sys and writes a valid file header. When the system starts, the data in hiberfil.sys is used to restore it.

How is a valid hiberfil.sys generated?
From the user's point of view, pressing the hibernate button while the system is running automatically generates a valid hiberfil.sys.
From the Power Manager's point of view, a valid hibernation file is generated only when the system's power state is S0 (i.e. on the transition from S0 to S4).
Note: when the system is running normally, the power state is S0; when it is completely off, the power state is S5; when it is hibernating, the power state is S4, in which only the power supply circuit and the wake-up circuit carry a trickle of current. The intermediate states S1, S2 and S3 are sleep states of varying depth.
Restoring the system from S4 to S0 is the process that consumes hiberfil.sys.

Value of the hibernation file
Fast and convenient
Resuming the system is faster than restarting it; no explanation needed (except in special cases).
A new way to dump physical memory
Hibernation can be used to dump the contents of the system's physical memory. The data includes the processor state, the current EIP, the IDT, GDT and SSDT tables, and the executable code and data of the current state...
This data can be used to analyze the system's state.

Does it leak information?
Yes. Normally hiberfil.sys is used to restore the system. Although the one-page hiberfil header is cleared after restoration, the data after the header is retained. By constructing a header with an external tool, all the information in this hiberfil.sys can be read.

Defensive uses
Kernel-mode malware detection
Analyze the hibernation file to check whether the system has been modified, by checking the integrity of the SSDT, IDT and GDT tables. Although lighter-weight methods exist in the kernel to check the integrity of key system tables, hibernation provides an ultimate detection method, because in-kernel checks themselves can be subverted (the usual cat-and-mouse problem).
By the principle of hibernation restoration, code that is not in the hibernation file is not resumed for execution. On this basis it can defend against SMM rootkits. (Not covered here.)
Offensive uses
An attacker can obtain sensitive data, such as passwords and keys.
Modifying the hibernation file can raise a process's execution privileges or bypass the system logon password...

Hibernation file internals
Outline of the hibernation process
When the system hibernates (S0 to S4), the Windows kernel executive (ntoskrnl.exe) creates the hibernation file, compresses the contents of physical memory with the LZ77 algorithm, and writes the data to the file.
During system recovery (S4 to S0), osloader.exe reads the hibernation file and loads the decompressed data back into physical memory, so the system quickly returns to the state it was in before hibernation.
Note: for details of the recovery process, see Appendix 1.

Hibernation file structure
First, an intuitive view of the file structure diagram (the list on the left shows the groups of fields in the file structure):
[Figure: hibernation file structure diagram]

File header
Occupies the first page (0x1000 bytes) of the hibernation file. This structure, PO_MEMORY_IMAGE, is exported by the kernel debugging symbols. It mainly contains information such as the creation date, version number, checksum, valid flag and number of physical pages of the hibernation file.
Note: when the hibernation file is used to restore the system, only the first page of data, i.e. the file header, is cleared. All other data remains unchanged.

Freemap page
Contains a ULONG array that stores the mapping information of free memory pages.

Processor state
The processor state, saved by the kernel function KiSaveProcessorControlState. It includes the control registers CRx, the GDT, the IDT, EIP...
The structure is defined as follows:
typedef struct _KPROCESSOR_STATE32
{
    CONTEXT ContextFrame;                 // general-purpose registers, EIP, EFLAGS, segment registers
    KSPECIAL_REGISTERS SpecialRegisters;  // CR0-CR4, GDTR, IDTR, TR, LDTR, debug registers
} KPROCESSOR_STATE32, *PKPROCESSOR_STATE32;

Note: from Vista onward, fields 2 and 3 are swapped.

Memory range array
Stores the compressed data of the physical memory pages.
typedef struct _MEMORY_RANGE_ARRAY
{
    MEMORY_RANGE_ARRAY_LINK  MemArrayLink;                    // link to the next array
    MEMORY_RANGE_ARRAY_RANGE MemArrayRange[MAX_ARRAY_ENTRY];  // up to 255 page ranges
} MEMORY_RANGE_ARRAY, *PMEMORY_RANGE_ARRAY;

The MemArrayLink field acts as the linked-list pointer and chains multiple such structures together;
the MemArrayRange field points to the data area and holds at most 255 entries. This is why a MemArrayLink pointer to the next MEMORY_RANGE_ARRAY structure is needed: when the hibernation file is large, one MEMORY_RANGE_ARRAY cannot describe all the data.

The structure MEMORY_RANGE_ARRAY_RANGE is defined as follows:

typedef struct _MEMORY_RANGE_ARRAY_RANGE
{
    ULONG PageNo;     // ???
    ULONG StartPage;  // block start (physical address)
    ULONG EndPage;    // block end (physical address)
    ULONG CheckSum;   // always zero, but used under Windows 2000
} MEMORY_RANGE_ARRAY_RANGE, *PMEMORY_RANGE_ARRAY_RANGE;
It specifies the start and end page addresses of a range; the data in this address range is compressed and stored by the compression algorithm. The whole data block corresponding to this structure is a compressed page-data block, and the beginning of each compressed block is a header struct, shown below:
struct IMAGE_XPRESS_HEADER
{
    CHAR   Signature[8];       // 0x81, 0x81, "xpress"
    BYTE   UncompressedPages;  // 15 (number of pages minus one)
    UINT32 CompressedSize;
    BYTE   Reserved[19];       // zero
};
That is, the compressed block is identified by \x81\x81xpress, followed by the compressed data.

Note: each decompressed block corresponding to a compressed block is 64 KB (0x10 pages) in size.
Compression algorithm
This algorithm has been publicly implemented since the recent Microsoft Interoperability Initiative (February 2008).
The compressed block algorithm is LZ77 + DIRECT2;
LZ77 is used to compress the memory data, and DIRECT2 encodes and decodes the positions of the bytes.
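As an added example (not code from the page or from the SandMan project), here is a decoder for the plain LZ77 format described above, written from the MS-XCA description of the algorithm: 32-bit flag words read MSB first, 16-bit match tokens giving offset = (token >> 3) + 1 and length = (token & 7) + 3, with the nibble/byte/word extensions for long matches. The header parsing follows the IMAGE_XPRESS_HEADER struct shown above; treating CompressedSize as a plain byte count is an assumption.

```python
import struct

XPRESS_MAGIC = b"\x81\x81xpress"   # block signature quoted on the page

def parse_xpress_header(block):
    """Parse the 32-byte IMAGE_XPRESS_HEADER; return (uncompressed_size, compressed_size)."""
    if block[:8] != XPRESS_MAGIC:
        raise ValueError("not an Xpress block")
    uncompressed = (block[8] + 1) * 0x1000           # UncompressedPages is pages minus one
    compressed = struct.unpack_from("<I", block, 9)[0]  # assumption: a plain byte count
    return uncompressed, compressed

def xpress_decompress(src, out_size):
    """Plain LZ77 decoder: 32-bit flag word (MSB first) per 32 items; clear bit = literal."""
    out, pos, flags, nflags, half = bytearray(), 0, 0, 0, -1   # half: pending length nibble
    while len(out) < out_size:
        if nflags == 0:
            flags = struct.unpack_from("<I", src, pos)[0]
            pos, nflags = pos + 4, 32
        nflags -= 1
        if not flags & (1 << nflags):            # literal byte
            out.append(src[pos]); pos += 1
            if pos >= len(src): break
            continue
        if pos >= len(src): break                # flag bits left over past the data
        tok = struct.unpack_from("<H", src, pos)[0]; pos += 2
        length, offset = tok & 7, (tok >> 3) + 1
        if length == 7:                          # extended length: nibble, byte, then word
            if half < 0:
                length, half, pos = src[pos] & 0x0F, pos, pos + 1
            else:
                length, half = src[half] >> 4, -1
            if length == 15:
                length = src[pos]; pos += 1
                if length == 255:
                    length = struct.unpack_from("<H", src, pos)[0] - 22; pos += 2
                    if length < 0: raise ValueError("corrupt match length")
                length += 15
            length += 7
        length += 3
        if offset > len(out): raise ValueError("match reaches before the start of the output")
        for _ in range(length):                  # byte-wise copy so overlapping matches work
            out.append(out[-offset])
    return bytes(out)

def decompress_block(block):
    """One hiberfil compressed block: 32-byte header followed by the Xpress payload."""
    out_size, csize = parse_xpress_header(block)
    return xpress_decompress(block[32:32 + csize], out_size)
```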

Projects and applications
SandMan project
The main feature of this open-source project is that it defines the file structure of the hibernation file and provides code for parsing it.
However, there is a problem in this code: when converting a virtual address to a physical address, the author does not handle the PAE page mapping.
If PAE paging is enabled (in fact almost all multi-core computers enable PAE), the MMU uses three levels of tables for address translation: the page directory pointer index, the page directory index, the page table index and the byte offset within the page. The entries of the first three are 8 bytes long, but the author treats them as 4 bytes when parsing.
Specific fix: in the file mm.c, change the PAE entry offset to 8 in the MmGetPhysicalAddress function.

Note: without PAE, address translation needs only two levels of tables, the page directory index and the page table index, and each entry is 4 bytes long.
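To make the PAE point concrete, here is an added example (not SandMan's code) that walks both the non-PAE two-level tables (4-byte entries, 10-bit indices) and the PAE three-level tables (8-byte entries, a 2-bit PDPT index and 9-bit indices) over a constructed physical-memory image, the way a hiberfil parser must when it converts a kernel virtual address into a physical one. It also handles large pages (the PS bit), which the text does not mention; the demo image and its addresses are constructed for the example.

```python
import struct

PRESENT, LARGE = 0x1, 0x80                  # PDE/PTE flag bits: present, page size
M32, M52 = 0xFFFFF000, 0xFFFFFFFFFF000      # frame masks for 4-byte and 8-byte entries

def _entry(mem, addr, size):
    """Read one table entry (4 or 8 bytes) from the flat physical-memory image."""
    return struct.unpack_from("<I" if size == 4 else "<Q", mem, addr)[0]

def v2p(mem, cr3, va, pae):
    """Translate a 32-bit virtual address by walking the page tables inside `mem`.
    The entry stride (4 vs 8 bytes) and index widths are what SandMan got wrong."""
    if pae:
        # PDPT: 4 entries of 8 bytes selected by va[31:30]
        pdpte = _entry(mem, (cr3 & ~0x1F) + ((va >> 30) & 0x3) * 8, 8)
        if not pdpte & PRESENT: raise ValueError("PDPTE not present")
        # page directory: 512 entries of 8 bytes selected by va[29:21]
        pde = _entry(mem, (pdpte & M52) + ((va >> 21) & 0x1FF) * 8, 8)
        if not pde & PRESENT: raise ValueError("PDE not present")
        if pde & LARGE:                          # 2 MB page
            return (pde & 0xFFFFFFFE00000) | (va & 0x1FFFFF)
        # page table: 512 entries of 8 bytes selected by va[20:12]
        pte = _entry(mem, (pde & M52) + ((va >> 12) & 0x1FF) * 8, 8)
        if not pte & PRESENT: raise ValueError("PTE not present")
        return (pte & M52) | (va & 0xFFF)
    # non-PAE: 1024 4-byte PDEs selected by va[31:22], then 1024 PTEs by va[21:12]
    pde = _entry(mem, (cr3 & M32) + (va >> 22) * 4, 4)
    if not pde & PRESENT: raise ValueError("PDE not present")
    if pde & LARGE:                              # 4 MB page
        return (pde & 0xFFC00000) | (va & 0x3FFFFF)
    pte = _entry(mem, (pde & M32) + ((va >> 12) & 0x3FF) * 4, 4)
    if not pte & PRESENT: raise ValueError("PTE not present")
    return (pte & M32) | (va & 0xFFF)

def build_demo_image(pae, va=0x00401234, frame=0x3000):
    """Constructed 16 KB physical image whose tables map `va` to page `frame`
    (top-level table at 0x0000, pointed to by CR3 = 0, then 0x1000 and 0x2000)."""
    mem = bytearray(0x4000)
    if pae:
        struct.pack_into("<Q", mem, ((va >> 30) & 0x3) * 8, 0x1000 | PRESENT)
        struct.pack_into("<Q", mem, 0x1000 + ((va >> 21) & 0x1FF) * 8, 0x2000 | PRESENT)
        struct.pack_into("<Q", mem, 0x2000 + ((va >> 12) & 0x1FF) * 8, frame | PRESENT)
    else:
        struct.pack_into("<I", mem, (va >> 22) * 4, 0x1000 | PRESENT)
        struct.pack_into("<I", mem, 0x1000 + ((va >> 12) & 0x3FF) * 4, frame | PRESENT)
    return bytes(mem)
```

Walking the PAE image with the non-PAE stride reads the upper half of the first 8-byte entry, which is zero, so the lookup fails: the exact symptom of the bug described above.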

Tiamo's ntldr project
The author tiamo has essentially implemented a complete ntldr that can replace the system's ntldr, including a C++ implementation of restoring the system from the hibernation file hiberfil.sys. However, I have not tested whether it works.
The project consists of two parts:
16-bit real-mode code;
32-bit mode code, osloader.exe, which is the real 32-bit entry program of Windows. This part references the NT4 code, but the NT4 code does not implement hiberfil restoration, so the author presumably wrote it by reverse engineering.

Useful applications
SandMan was used to develop several free small tools, which are generally not released to developers.
Available at: http://www.moonsols.com

Parse hiberfil.sys, obtain the system version number and the creation time of the hibernation file, and dump the physical memory contents from the hibernation file (see the attachment).

Anti-SMM-rootkit application;

Other areas: forensic analysis, and applications yet unknown...

Appendix
Brief introduction to the process of restoring the system from the hibernation file

During the boot process, the BIOS code gets control first. After hardware detection completes, it jumps to the MBR. The MBR code mainly reads the partition table and then hands control to the DBR, the boot sector of the system volume. After the DBR finishes its initialization, it reads the file ntldr, and the 16-bit real-mode code in ntldr starts executing. It performs some necessary initialization and then switches the processor to 32-bit protected mode,
handing control to osloader.exe. Although the processor is now in protected mode, virtual address translation has not yet been enabled, so the processor still uses physical addresses directly.
osloader calls the global memory initialization function from its entry function NtProcessStartup:
DoGlobalInitialization() -> InitializeMemorySubsystem() ->
This function uses a memory descriptor array to record the size and usage of each segment of memory, then builds the page directory and page tables so that memory below 16 MB can be paged (in the loader stage, physical memory above 16 MB is not used). Finally the page directory register is set and paging is enabled.
osloader then continues with other initialization tasks, including initializing the I/O devices:
allocate a page for the PCR -> allocate a page for the TSS -> initialize the memory descriptors -> initialize the I/O system (BlIoInitialize).

Next, it determines how to proceed with startup.
Function: BlStartup(BootPartitionName);
The process is: open the boot partition to load drivers; initialize the screen; read hiberfil.sys. If it is a valid hibernation file, the system is restored from hiberfil.sys. If not, open boot.ini and display the boot selection menu. If boot.ini contains only one boot option, the menu is not displayed and that option is applied immediately.

If hiberfil.sys is detected to be valid, osloader hands control to the code that restores the system. The general flow is:
open hiberfil; on failure, return -> on success, resume -> allocate page buffers -> parse the file header and check the image signature (there are three kinds of signature, each handled separately; if the signature is wrong, return directly) -> perform some other verification -> allocate PTEs and read the data of the memory map pages -> allocate a buffer for the compressed data -> decompress the data into physical memory -> perform a series of recovery operations -> read the processor state ...

Analyzing the ntldr workflow using the NT4 code
boot/bootcode/mbr/i386/x86mboot.asm ->
The MBR boot code runs here: it reads the partition table, finds the boot partition, reads the first sector of the boot partition (the DBR) into memory, and then transfers EIP to the DBR boot code for execution.
boot/bootcode/ntfs/i386/ntfsboot.asm ->
This code mainly reads data from the volume: it reads ntldr into memory and then runs it. (Data on the volume is stored and managed according to the file system format, so file-system code is needed to access file contents on the volume.) Up to this point the program is still in real mode, i.e. 16-bit mode.
boot/startup/i386/su.asm ->
Jumps directly (jmp RealStart), prepares the stack and segments, and then executes the SuMain function, which is located in:
boot/startup/i386/main.c ->
Now in C code. Initialization is done here, including video, memory and floppy. Then it returns to su.asm to switch the mode to 32-bit;
boot/lib/i386/entry.c ->
The entry function NtProcessStartup. Here it performs some initialization and calls DoGlobalInitialization to initialize the memory below 16 MB; the paging mechanism starts. After initializing system memory and the I/O system, it calls the BlStartup function. In other words, ntldr's execution ends in the BlStartup function. This function is in:
boot/bldr/i386/initx86.c ->
This function opens boot.ini, obtains the boot option, and continues into osloader.c:
boot/bldr/osloader.c

Note: NT4 does not support the hiberfil hibernation mechanism. In XP and later systems, the hiberfil restoration process is invoked during BlStartup.

Reverse analysis of ntldr to analyze the hibernation file
Only the analysis method is discussed here; the details are omitted.
The work of restoring hiberfil is done by osloader, so you can reverse-engineer osloader.exe to learn the details of hiberfil restoration.

ntldr is located in the root directory of the system disk. It is a binary system file with the hidden and read-only attributes, and it cannot be analyzed directly with IDA.
ntldr consists of two images. One is a 16-bit binary image, similar to a .COM file; the other is a 32-bit PE image, which does the main loading work. The file corresponding to this PE image is osloader.exe.

Method for extracting osloader.exe
Open ntldr in a hex editor (e.g. WinHex), find the 'MZ' or 'PE' signature, then, starting at the 'MZ' signature, copy all the remaining hex data into a new empty file and name it osloader.exe. With WinHex this is very simple (find the 'MZ' signature, press Alt+1, drag to the end of the file, press Alt+2 so that the block from 'MZ' to the end of the file is selected, then right-click Edit -> Copy Block -> Into New File).
Once osloader is extracted, load it in IDA. During loading you will be prompted to download symbols from the Microsoft site; choose yes or no and wait for the analysis, which takes about 2 minutes.

Analyzing the osloader.exe file
Generally speaking, osloader should be a native application whose entry function is NtProcessStartup. However, after IDA's analysis the entry function is DriverEntry and it is analyzed as a driver. In fact, a native application is essentially a driver.
The next step is to use all available resources to locate and analyze the code regions of interest.

References
1. http://sandman.msuiche.net/docs/SandMan_Project.pdf
2. http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Burdach.pdf
3. https://www.volatilesystems.com/default/volatility
4. http://sandman.msuiche.net/
5. http://www.msuiche.net/con/euro2008/Exploiting_Windows_Hibernation_File.pdf

Code and docs:
ShareHiberfil.rar (attachment)
