OpenRCE: Blog

SandMan 1.0.080226 is out!

Tue, 26 Feb 2008 13:41:32 -0600

What is SandMan?

SandMan is a (live) forensic & offensic framework providing a C library and a python portage to make readable and writable the hibernation file.

SandMan is open-source and now available at the following link:

http://sandman.msuiche.net.

Sample of code using SandMan (python)



#!/usr/bin/python

#

#

#Module Name:

# 

#    sample1.py

# 

#Abstract:

# 

#    - Display target version.

#    - Build a physical memory dump from a hibernation file.

# 

#Environment:

# 

#    - Python

# 

#Revision History:

# 

#    - Matthieu Suiche

# 



import sys

import sandman



if len(sys.argv) != 3:

	print "Matthieu Suiche - http://sandman.msuiche.net/"

	print "Usage: sample.py hiberfil.sys physical_dump.vmem"

	sys.exit(1)



s = sandman.hiber_open(sys.argv[1])



ver = sandman.hiber_get_version(s);



print "Windows version %d.%d.%d\n" % (ver & 0xFF, (ver & 0xFF00) >> 8, ver >> 16)



print "Generate physical memory dump..."



sandman.hiber_dump(s, sys.argv[2])



print "Done."



sandman.hiber_close(s)

Cheers,

(Original blog post:
http://www.msuiche.net/2008/02/26/sandman-10080226-is-out/)

Windows Vista and unexported kernel symbols (Part II, 32bits version)

Wed, 31 Jan 2007 21:31:22 -0600

This paper exposes part II of my previous article about Windows Vista and internals structures. This one is talking about the 32bits version and aims to show new authencity tricks.

Download it from the following link:

Windows_Vista_32bits_and_unexported_kernel_symbols.pdf

Cheers,

Windows Vista 64-bits and unexported kernel symbols.

Mon, 01 Jan 2007 00:00:00 -0600

Hi,

I’m gonna published my (the?) first paper of the year 2007 !! :)

This article is talking about Windows Vista 64bits and its system structures which are proteged against rootkit. I also explain how these structures can be authentified without Pathguard.

Windows Vista 64bits and unexported kernel symbols.pdf

Happy New Year !!!

Translation �Patchguard alternative theory� presentation.

Sun, 24 Dec 2006 13:10:56 -0600

http://www.msuiche.net/2006/12/24/translation-of-my-patchguard-alternative-theory-presentation/

I did a translation into English of my previous presentation which explain how to realize a protector for IDT, SSDT, and syscall address on Windows 32 and 64bits. This could be see as a kind of alternative to Patchguard.

The translation can be found at the following link : http://www.msuiche.net/pres/Windows%20Vista%20Kernel%20Security%20-%20[EN].ppt

I�m writting an article about it which will be released very soon.

Happy merry xmas !

First commit @ TinyKrnl !

Fri, 15 Dec 2006 20:35:07 -0600

Hi there!

I’m proud to announce I did my first commit for tinykrnl !

http://svn.reactos.ru/svn/tinykrnl?view=rev&revision=729

Cheers,