Hibernation support for windows 8 / server 2012

[iMHLv2]

[gleeda]

Here's a couple of notes that I found earlier:

FirstTablePage => FirstBootRestorePage
HibrProcPage = 1

Original notes from earlier:

I've figure out a few things for win8 hibernation files, such as the
location of special registers as well as how to find the number of pages
that are written and I've figured out that the FirstBootRestorePage
appears to be the first page that has memory content.  I'm not sure what
FirstKernelRestorePage is, but its value appears to be the next page
outside of the written pages (PerfInfo.PagesWritten) all of which appear
to be zeroed out.  In this case, PerfInfo.PagesWritten contains the
number of pages written, PerfInfo.KernelPagesWritten is 0, so I'm not
sure what makes the kernel pages populate yet.

data does look compressed, but
not with the traditional xpress headers.  I suspect still using xpress though, just from looking at the data

interestingly enough, when the
machine is woken up, the hiberfil.sys file header remains intact
(instead of being zeroed out like before) with a signature of "WAKE".  I
just have to figure out how the runs are saved... i'm not sure, but they
look like they are all in one place towards the beginning.

http://blogs.technet.com/b/askperf/archive/2012/10/28/windows-8-windows-server-2012-the-new-swap-file.aspx

http://www.thewindowsclub.com/hiberfil-pagefile-swapfile-sys-windows

http://helpdeskgeek.com/windows-8/hdg-explains-swapfile-sys-hiberfil-sys-and-pagefile-sys-in-windows-8/

http://www.sevenforums.com/tutorials/220051-hibernate-change-size-hiberfil-sys-file.html

[nirizr]

I'm curious to know what's the status of this task. I'm a professional reverse engineer and might be willing to lend a hand with figuring out the new/modified hiberfile.sys format.

I've previously contributed to Volatility with a somewhat similar task (VMWare snapshots) if you consider this something valuable.

[gleeda]

Hi @nirizr ! As far as I know, no one has looked at it in a while. Please feel free to take a stab at it, if you have time :-)

[jared703]

Agreed, this would be awesome Nir. Thank you for your contributions for VM
related snapshots. They are extremely valuable to analysts like myself.

On Oct 18, 2016 9:10 AM, "gleeda" notifications@github.com wrote:

Hi @nirizr https://github.com/nirizr ! As far as I know, no one has
looked at it in a while. Please feel free to take a stab at it, if you have
time :-)

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#25 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ADJiruWBg9dL8VZLAqBWBU0qNdS50Xfyks5q1MVjgaJpZM4B-Ics
.