<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Windows on Matt Suiche</title><link>https://www.msuiche.com/categories/windows/</link><description>Recent content in Windows on Matt Suiche</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Thu, 29 Jan 2009 12:00:00 +0200</lastBuildDate><atom:link href="https://www.msuiche.com/categories/windows/index.xml" rel="self" type="application/rss+xml"/><item><title>Windows 7 and Windows Server 2008 R2 djoin (Offline Domain Join) utility.</title><link>https://www.msuiche.com/posts/windows-7-and-windows-server-2008-r2-djoin-offline-domain-join-utility./</link><pubDate>Thu, 29 Jan 2009 12:00:00 +0200</pubDate><guid>https://www.msuiche.com/posts/windows-7-and-windows-server-2008-r2-djoin-offline-domain-join-utility./</guid><description>&lt;p&gt;&lt;a href="https://archive.is/o/l7SJM/technet.microsoft.com/en-us/library/dd391977.aspx" target="_blank" rel="noopener"&gt;Offline&lt;/a&gt; &lt;a href="https://archive.is/o/l7SJM/technet.microsoft.com/en-us/library/dd392267.aspx" target="_blank" rel="noopener"&gt;domain&lt;/a&gt; &lt;a href="https://archive.is/o/l7SJM/www.guwiv.com/portal/blogs/news/archive/2009/01/28/astuce-windows-7-connectez-une-machine-224-un-domaine-sans-connexion-r-233-seau.aspx" target="_blank" rel="noopener"&gt;join&lt;/a&gt; is a new process that joins computers running Windows® 7 or Windows Server 2008 R2 to a domain in Active Directory Domain Services (AD DS)—without any network connectivity. This process includes a new command-line tool, Djoin.exe, which you can use to complete an offline domain join.
Run Djoin.exe to provision the computer account metadata. When you run the provisioning command, the computer account metadata is created in a .txt file that you specify as part of the command. After you run the provisioning command, you can run Djoin.exe again to request the computer account metadata and insert it into the Windows directory of the destination computer.
The following section covers the content of these computer account metadata files.&lt;/p&gt;</description></item><item><title>Retrieving MmPhysicalMemoryBlock regardless of the NT version</title><link>https://www.msuiche.com/posts/retrieving-mmphysicalmemoryblock-regardless-of-the-nt-version/</link><pubDate>Wed, 17 Sep 2008 12:00:00 +0200</pubDate><guid>https://www.msuiche.com/posts/retrieving-mmphysicalmemoryblock-regardless-of-the-nt-version/</guid><description>&lt;p&gt;Here is a method I’m using in the next version of Win32DD (1.2) to retrieve MmPhysicalMemoryBlock regardless of the NT version. The main problem with the &lt;code&gt;KDDEBUGGER_DATA64&lt;/code&gt; structure is its version dependency, so we have to rebuild this field ourselves.
To retrieve physical memory runs, I’m using the &lt;em&gt;undocumented&lt;/em&gt; &lt;code&gt;MmGetPhysicalMemoryRanges()&lt;/code&gt; function. Its usage was documented by Mark Russinovich in 1999, in the &lt;a href="https://archive.is/o/E0vgN/blogs.technet.com/sysinternals/archive/1999/10/20/452896.aspx" target="_blank" rel="noopener"&gt;Volume 1 Number 5 edition of the Sysinternals Newsletter&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>Check your system virginity in less than 60 seconds.</title><link>https://www.msuiche.com/posts/check-your-system-virginity-in-less-than-60-seconds./</link><pubDate>Mon, 28 Jul 2008 12:00:00 +0200</pubDate><guid>https://www.msuiche.com/posts/check-your-system-virginity-in-less-than-60-seconds./</guid><description>&lt;p&gt;Today, I wrote a tool called sym32guid which aims at retrieving all stored Program DataBase (*.PDB file) GUIDs (Globally Unique Identifiers) from a physical memory dump. Why? The first goal was to use symbols as additional information about unexported functions like the über-famous &lt;code&gt;msv1_0!MsvpPasswordValidate&lt;/code&gt;, but it looks like it can also be used to detect viruses and Trojans…&lt;/p&gt;
&lt;p&gt;The target machine is a Windows Vista SP1 32-bit installation that I set up last week inside a virtual machine; I extracted the physical memory dump from the Windows hibernation file with the SandMan Framework.&lt;/p&gt;</description></item><item><title>X-Ways Forensics Beta 2 and hibernation file. (coincidence?)</title><link>https://www.msuiche.com/posts/x-ways-forensics-beta-2-and-hibernation-file.-coincidence/</link><pubDate>Thu, 03 Apr 2008 12:00:00 +0200</pubDate><guid>https://www.msuiche.com/posts/x-ways-forensics-beta-2-and-hibernation-file.-coincidence/</guid><description>&lt;p&gt;X-Ways Forensics (WinHex editor) Beta 2 now includes hibernation file (hiberfil.sys) support for Windows XP 32-bit only. Please note that the Sandman library/framework, an open-source project under the GNU General Public License v3 to read and write the hibernation file, was released 2 months ago&amp;hellip;&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Posted on Friday, Mar 28, 2008 – 1:05:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Ability to decompress Windows XP 32-bit hiberfil.sys files, whether
active or inactive, to get a dump of physical memory with all in-use
pages from a previous point of time when the computer entered into
hibernation, as well as individually carved xpress chunks from
hiberfil.sys files, including xpress chunks located in the “slack” of
hiberfil.sys that are even older. This feature is available in Edit |
Convert. (forensic license only)
&lt;a href="https://www.x-ways.net/winhex/forum/messages/1/2252.html" target="_blank" rel="noopener"&gt;Source&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;
&lt;p&gt;(PS: I’m not a beta-tester)&lt;/p&gt;</description></item></channel></rss>