• 1: Home
• 2: Presentations
  • 2.1: Hibernation File Attack
  • 2.2: Stoned Bootkit
  • 2.3: The Rise of MBR Rootkits & Bootkits in the Wild
  • 2.4: Stoned déjà vu - again
• 3: Trainings
  • 3.3: Hibernation File Attack - Reino de España
• 4: Articles
  • 4.1: Polymorphic Encryption Methods
  • 4.2: Writing a Boot Scan Engine
  • 4.3: The Magic of Bootkits
  • 4.4: Analysis of Sinowal
  • 4.5: Advanced Analysis of Sinowal
  • 4.6: Microsofts Rich Header
  • 4.7: Analysis of Conficker
  • 4.8: CIPAV
  • 4.9: Windows Exception Handling
  • 4.10: Pagefile Attack
  • 4.11: Software Watermarking
  • 4.12: Analysis of Stoned
  • 4.13: The Old New Thing About Development
  • 4.14: AntiWPA
  • 4.15: Kon-Boot
  • 4.16: Compiling Shellcode
  • 4.17: Elevated rights, process token and security identifier
  • 4.18: Abusing the TrueCrypt driver
  • 4.19: Nothing new: Msvcrt.dll
  • 4.21: Identifying Source Code
  • 4.22: Analysis of Mebratix
  • 4.23: Popsomp Hills
• 5: Projects
  • 5.1: DiskEdit
  • 5.2: Forensic Deletion Software
    • 5.2.1: Additional Deletion Methods
    • 5.2.2: Visual C++ Source Code
  • 5.3: Forensic Lockdown Software
  • 5.5: Information System
  • 5.6: QuickView
  • 5.7: Smart Boot Manager
  • 5.8: USB View
  • 5.9: Windows 3.1 Emulation
  • 5.10: Windows Boot System
  • 5.11: AV Tracker
  • 5.12: EIPTN
• 6: Services
  • 6.1: Boot-US work
  • 6.2: TeraByte Unlimited work
  • 6.3: EPIGUS work
• 8: Research
  • 8.1: Ascrimez Kit
  • 8.2: Analysing the PDF Exploit
  • 8.3: ZeuS
  • 8.4: infobox.ru: Botnet
  • 8.5: Operating System Development
  • 8.6: 4 million email addresses
• 9: About
  • 9.1: Links
  • 9.3: Peter Kleissner
  • 9.4: Last Modified Pages
  • 9.5: Meeting Points
  • 9.6: Live Search
  • 9.7: Terms of Use
  • 9.8: Contact

Hibernation File Attack

The idea behind the hibernation file attack is to inject code into the hibernation file when the system is hibernated. The unsigned code will be written into hibernation file directly before Windows starts - and when Windows processes a system resume, the modified kernel will be loaded. The injection is done via an own modified Master Boot Record. The MBR is executed before winresume.exe and is able to modify the hibernation file (hiberfil.sys) via its own file system drivers (FAT and NTFS). The MBR will be written to disk by a normal application using raw sector access.

Peter Kleissner, Software Engineer

The presentation was rejected by the Black Hat Review Board, any information here is provided as-is. The presentation WAS NOT presented at Black Hat and any material here appear as given to Black Hat Europe 2009 CFP.

Download the Hibernation File Attack Presentation

• Main Presentation
• Hibernation File Format
• virus-description language
• References
• Internal Test Tools
• Infector
• Black Hat Europe 2009 Call For Papers

The main source code, the Master Boot Record and all its modules, is not available for download now. It will be made available with my "Stoned" project. If you have any interest in it feel free to contact me. The reason for not publishing it is that the Source Code can load ANY MALICIOUS UNSIGNED CODE into kernel, even in Vista, and Windows 7.

If you have any question regarding the Hibernation File Attack, please contact me using the secured contact form.