
Cannot load hiberfil.sys on Windows 11 24H2

Open · te-chan opened this issue 1 year ago · 1 comment

I heard that memprocfs can read hiberfil.sys, so I tried it out, but it isn’t going well. Is my environment supported? I would really appreciate any advice!

Command executed: ./memprocfs -device /path/to/hiberfil.sys -mount ./mnt -arch x64 -pagefile0 pagefile.sys -pagefile1 swapfile.sys -vvv

Result:

DEVICE: HIBR: WARNING: COMPRESSION SET #PAGES > 10 (only showed once).
DeviceHibr_ReadScatter: READ:
        offset=0000000000001000 req_len=00001000
DeviceHibr_ReadScatter: READ:
        offset=0000000000002000 req_len=00001000
DeviceHibr_ReadScatter: READ:
        offset=0000000000003000 req_len=00001000

// ... very long hiber scatter log

[CORE]     NTOS located at: fffff8048ec00000
[VMM]      Successfully opened page file #0 '/home/ubuntu/tmp/pagefile.sys'
[VMM]      Successfully opened page file #1 '/home/ubuntu/tmp/swapfile.sys'
DeviceHibr_ReadScatter: READ:
        offset=00000001011c4000 req_len=00001000
[CORE]     PsInitialSystemProcess located at fffff8048fbc4aa8
[CORE]     EPROCESS located at ffff9682866b0040
[PROCESS]  EPROCESS_ENUMERATE START:
DeviceHibr_ReadScatter: READ:
        offset=000000011d0b0000 req_len=00001000
[PROCESS]  SYSTEM DTB: 00007103daf06151 EPROCESS: 00007ffda8948e40

// ... hexdump ...

[PROCESS]  OK: FALSE
[PROCESS]      PID:  000 PPID: 000 STAT: 004 DTB:  028 DTBU: 000 NAME: 338 PEB: 000
[PROCESS]      FLnk: 000 BLnk: 000 oMax: 000 SeAu: 000 VadR: 000 ObjT: 000 WoW: 000
[PROCESS]  Unable to fuzz EPROCESS offsets - trying debug symbols
[INFODB]   AGEGUID=45B0BEEFE03C289F032E4EC96C7871741 va=0xfffff8048ec00000
[INFODB]   INIT: SUCCESS: va=0xfffff8048ec00000
[SYMBOL]   Initialization of debug symbol .pdb functionality completed
[SYMBOL]   [ /home/ubuntu/Downloads/MemProcFS_files_and_binaries_v5.13.4-linux_x64-20241229/Symbols ]
[SYMBOL]   Initialized symbol subsystem (Rust).
[PROCESS]  OK: TRUE
[PROCESS]      PID:  1d0 PPID: 2d0 STAT: 004 DTB:  028 DTBU: 158 NAME: 338 PEB: 2e0
[PROCESS]      FLnk: 1d8 BLnk: 004 oMax: 840 SeAu: 350 VadR: 558 ObjT: 300 WoW: 310
[PROCESS]  SYSTEM DTB: 00000000001ae000 EPROCESS: ffff9682866b0040
[PROCESS]     # STATE  PID      DTB          EPROCESS         PEB          NAME
DeviceHibr_ReadScatter: READ:
        offset=0000000101104000 req_len=00001000
DeviceHibr_ReadScatter: READ:
        offset=0000000101105000 req_len=00001000
DeviceHibr_ReadScatter: READ:
        offset=00000000001ae000 req_len=00001000
[PROCESS]  0000 (list) 00000004 0000001ae000 ffff9682866b0040 000000000000 System
DeviceHibr_ReadScatter: READ:
        offset=000000011d0a2000 req_len=00001000
[PROCESS]  EPROCESS_ENUMERATE END:   [time=11ms scatter=0x5 pages=0x6]
[CORE]     Initialization Failed. Unable to walk EPROCESS. #5
[CORE]     Unable to auto-identify operating system.
           Specify PageDirectoryBase (DTB/CR3) in -dtb option if value if known.
           If arm64 dump, specify architecture: -arch arm64

[CORE]     Failed to initialize.

[CORE]     SHUTDOWN COMPLETED (0x7103dac12010).
[CORE]       TIME: 2025-01-10 19:25:54 UTC.
[CORE]       RUNTIME: 0s.

Environment:

  • Windows 11 Home 24H2 26100.2605, Windows Feature Experience Pack 1000.26100.36.0
  • RAM: 64 GB

I think hiberfil.sys is not corrupted. Windows can restore the previous status.

te-chan avatar Jan 10 '25 20:01 te-chan
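An added example, not code from the issue or from the MemProcFS project: a small Python triage helper that walks a `-vvv` log like the one quoted above and pulls out the facts a responder wants before filing or answering a report of this kind: the located NTOS base, whether EPROCESS offsets were resolved, the System DTB and EPROCESS that were actually trusted (the first `SYSTEM DTB:` line in the log is printed before offsets are known and is garbage), the processes that were enumerated, and the failure reason. The log line formats are assumed from the quoted output only; the `-dtb` retry string is the hint the log itself prints when OS auto-identification fails, and nothing here claims it works around the hibernation-file bug discussed in this issue.

```python
import re

# Constructed sample: a condensed excerpt of the -vvv output quoted in the issue
# (the long scatter-read and hexdump runs are trimmed).
SAMPLE_LOG = """\
DEVICE: HIBR: WARNING: COMPRESSION SET #PAGES > 10 (only showed once).
DeviceHibr_ReadScatter: READ:
        offset=0000000000001000 req_len=00001000
[CORE]     NTOS located at: fffff8048ec00000
[PROCESS]  EPROCESS_ENUMERATE START:
[PROCESS]  SYSTEM DTB: 00007103daf06151 EPROCESS: 00007ffda8948e40
[PROCESS]  OK: FALSE
[PROCESS]  Unable to fuzz EPROCESS offsets - trying debug symbols
[SYMBOL]   Initialized symbol subsystem (Rust).
[PROCESS]  OK: TRUE
[PROCESS]  SYSTEM DTB: 00000000001ae000 EPROCESS: ffff9682866b0040
[PROCESS]  0000 (list) 00000004 0000001ae000 ffff9682866b0040 000000000000 System
[PROCESS]  EPROCESS_ENUMERATE END:   [time=11ms scatter=0x5 pages=0x6]
[CORE]     Initialization Failed. Unable to walk EPROCESS. #5
[CORE]     Unable to auto-identify operating system.
[CORE]     Failed to initialize.
"""

# Line shapes assumed from the quoted log (hypothetical for any other build).
RE_NTOS = re.compile(r"\[CORE\]\s+NTOS located at: ([0-9a-f]+)")
RE_OK = re.compile(r"\[PROCESS\]\s+OK: (TRUE|FALSE)")
RE_DTB = re.compile(r"\[PROCESS\]\s+SYSTEM DTB: ([0-9a-f]+) EPROCESS: ([0-9a-f]+)")
RE_PROC = re.compile(
    r"\[PROCESS\]\s+[0-9a-f]{4} \((\w+)\) ([0-9a-f]{8}) ([0-9a-f]{12}) "
    r"([0-9a-f]{16}) ([0-9a-f]{12}) (\S+)"
)
RE_SCATTER = re.compile(r"^\s+offset=([0-9a-f]{16}) req_len=([0-9a-f]+)$")
RE_FAIL = re.compile(r"\[CORE\]\s+Initialization Failed\. (.*?)(?: #(\d+))?$")


def triage(log_text):
    """Walk the verbose log once and collect the facts that matter for triage."""
    r = {
        "ntos_base": None,
        "offsets_ok": False,       # True once EPROCESS offsets were resolved
        "system_dtb": None,        # only trusted after offsets_ok
        "system_eprocess": None,
        "processes": [],           # one dict per enumerated process line
        "scatter_reads": 0,        # number of DeviceHibr_ReadScatter offsets seen
        "failure": None,
        "failure_code": None,
        "failed": False,
    }
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if m := RE_NTOS.search(line):
            r["ntos_base"] = int(m.group(1), 16)
        elif m := RE_OK.search(line):
            r["offsets_ok"] = m.group(1) == "TRUE"
        elif m := RE_DTB.search(line):
            # The SYSTEM DTB printed before "OK: TRUE" (00007103daf06151 in the
            # issue log) is read with unknown offsets; keep only the trusted one.
            if r["offsets_ok"]:
                r["system_dtb"] = int(m.group(1), 16)
                r["system_eprocess"] = int(m.group(2), 16)
        elif m := RE_PROC.search(line):
            r["processes"].append({
                "source": m.group(1), "pid": int(m.group(2), 16),
                "dtb": int(m.group(3), 16), "eprocess": int(m.group(4), 16),
                "peb": int(m.group(5), 16), "name": m.group(6),
            })
        elif RE_SCATTER.match(line):
            r["scatter_reads"] += 1
        elif m := RE_FAIL.search(line):
            r["failed"] = True
            r["failure"] = m.group(1)
            r["failure_code"] = int(m.group(2)) if m.group(2) else None
        elif "Failed to initialize." in line:
            r["failed"] = True
    return r


def suggest_retry_flags(r):
    """The log's own advice: pass the DTB explicitly when auto-identification failed.
    Returns an empty string when there is no trusted DTB to pass."""
    if r["failed"] and r["system_dtb"] is not None:
        return f"-dtb 0x{r['system_dtb']:x}"
    return ""


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key:16} {value:#x}" if isinstance(value, int) and not isinstance(value, bool)
              else f"{key:16} {value}")
    print("retry hint:", suggest_retry_flags(result) or "(none)")
```

Feed it the full log by reading the file instead of `SAMPLE_LOG`; the one process line that was enumerated (PID 4, System) before the walk failed is exactly what the issue log shows, which is why `processes` has a single entry while `failed` is set.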

I believe I may have overlooked the hibernation file when I made the 24H2 upgrades since it's located in a different library.

I'll look into it, but I'm currently in the midst of adding macOS support (as in run MemProcFS on macOS analyzing Windows memory). I'll look into it when I've finished that upgrade, which I expect to be within the next 1-2 weeks. I'll keep you updated on this issue.

ufrisk avatar Jan 11 '25 19:01 ufrisk

The problem also occurs on Windows 10 Pro Build 19045.5679.

ara-stgu avatar Apr 09 '25 09:04 ara-stgu

I'm aware that the MemProcFS implementation won't work for all hibernation files. I looked into this and I don't understand the format as such and why it's failing currently.

I'll probably re-visit this later in the summer, or if anyone is aware of this new hibernation file format being used please let me know.

ufrisk avatar Apr 23 '25 20:04 ufrisk

This issue should now be resolved.

There were actually two issues. One affected 24H2 only and might, in some cases, have resulted in recovered memory being cut short.

The other one affected all versions, making hibernation file recovery fail with the ugly error messages you were seeing.

Both issues should now be resolved. Please let me know if the most recent MemProcFS download fixes this issue for you.

Thank you for reporting this issue.

ufrisk avatar May 30 '25 15:05 ufrisk