References to the "Hibernation File Attack" presentation at Black Hat Europe 2009:

# SandMan Project - Matthieu Suiche & Nicolas Ruff

Thanks! Thanks for help and contribution, very helpful.

http://sandman.msuiche.net/docs/SandMan_Project.pdf
http://msuiche.net/con/bhusa2008/Windows_hibernation_file_for_fun_%27n%27_profit-0.6.pdf
http://www.msuiche.net/pres/PacSec07-slides-0.4.pdf
http://www.msuiche.net/con/euro2008/Exploiting_Windows_Hibernation_File.pdf
http://sandman.msuiche.net/

# NirSoft Windows Vista Kernel Structures

Good site to get the structures from Microsoft debug symbol files. My source for the hibernation file structures, even though I modified them.

http://www.nirsoft.net/kernel_struct/vista/

# Microsoft Wire Format Specification Protocol (MS-OXCRPC)

The only documentation from Microsoft about the hibernation file compression algorithm.

http://msdn.microsoft.com/en-us/library/cc425493.aspx - [MS-OXCRPC] 3.1.7.2.1 and 3.1.7.2.2
http://msdn.microsoft.com/en-us/library/cc228086(PROT.10).aspx - [MS-DRSR] DecompressWin2k3

# Boot Configuration Data in Windows Vista - Microsoft

General information about BCD and winresume's role in Windows Vista.

http://www.microsoft.com/whdc/system/platform/firmware/bcd.mspx

# Boot Options in Windows Vista - Microsoft, MSDN/Windows Driver Kit: Driver Development Tools

"You can even call BCD during power state transitions and use it to define the boot process for resuming after hibernation."

Important, because Windows XP checks the signature to decide whether to resume from hibernation or not.

http://msdn.microsoft.com/en-us/library/aa468626.aspx

# VERV - A Prototype Virus Verifier and Remover - David M. Chess, IBM Research

Source for the virus-description language (VDL), used for defining the to-patch values in the hibernation file. The VDL is used to make clean definitions of what to patch and how, which should prevent blue screens and failures.

http://www.research.ibm.com/antivirus/SciPapers/Chess/CHESS3/chess3.html
http://www.research.ibm.com/antivirus/SciPapers/Chess/CHESS3/chess3-node5.html

# Pagefile Attack - Joanna Rutkowska

The pagefile attack originally led me to the hibernation file attack. It was back in November 2008, when I sat at work thinking: if attacking the pagefile, why not the hibernation file? Since that time I have spent every free minute, every night and weekend, on the hibernation file attack to get the code working. So let's publish my source of inspiration:

http://theinvisiblethings.blogspot.com/2006/10/vista-rc2-vs-pagefile-attack-and-some.html

# Various pipermail threads on the internet

Making some interesting connections, for example between the Volatility Framework and SandMan, which seem to share the same source code for hibernation file handling.

http://lists.volatilesystems.com/pipermail/vol-users/2008-September/000055.html
http://social.msdn.microsoft.com/forums/en-US/os_exchangeprotocols/thread/b4e16062-0ecf-40fa-879a-380bfbac0028

# Kernel Patch Protection: Frequently Asked Questions - Microsoft

Since the Windows kernel will be patched and code inserted, the question came up how Kernel Patch Protection works and what it does. Well, it's only active for active (running) systems (and only on 64-bit).

http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx

# Changes to the file system and to the storage stack to restrict direct disk access and direct volume access in Windows Vista and in Windows Server 2008

As given in my presentation, raw sector access changed. As the document explains, overwriting the MBR is still possible, since only sectors of active partitions are locked for write access (of course Administrator rights are required).

http://support.microsoft.com/kb/942448/en-us

# User Account Control - Microsoft

http://msdn.microsoft.com/de-de/library/bb384691.aspx - UAC, Manifest Compiler option of Visual Studio
http://msdn.microsoft.com/en-us/library/bb762153(VS.85).aspx - ShellExecute, no documentation of lpOperation=runas
http://weblogs.asp.net/kennykerr/archive/2006/09/29/windows-vista-for-developers-_1320_-part-4-_1320_-user-account-control.aspx - Windows Vista for Developers – Part 4 – User Account Control
http://msdn.microsoft.com/en-us/library/cc974602.aspx - User Account Control (UAC) (What's New in Windows Vista)
http://msdn.microsoft.com/en-us/library/aa511445.aspx - User Account Control, MSDN Library
http://msdn.microsoft.com/en-us/library/bb648649.aspx - User Account Control, Win32 MSDN Library documentation