Thursday, April 16, 2009

Sandman Shell: Batch files to Define environment variable _NT_SYMBOL_PATH

I had the following a question from Mr Anonymous about Matthieu Suiche's Sandman Shell Project:

“...the same happens with hibrshell. When I execute the command it crashes while "Retrieving Kernel Image base". I tried with 3 different hiberfil.sys files so I guess it's not the file. The bad thing is that I also tried with different pcs and it crashed too, this means that I have no idea of what it can be. Do I need any extra software? Has anyone the same problem?...”

I have had this problem too!!! I had the same errors because I didn't have the right Microsoft Symbols installed on my testing machine or I didn't define the environment variable _NT_SYMBOL_PATH everytime I opened a new command prompt to run Sandman Shell (ha.exe). So here is how to fix both problems.

First Make sure that you have the correct symbols installed on your test machine for the specific version of the Windows OS of the Hiberfil.sys you are testing. So if your Hiberfil.sys came from a Windows XP SP2 Machine make sure you have the Windows XP SP2 Symbols installed on your testing machine. Download symbols from Microsoft.

Second you have to make sure you define the path to the symbols everytime you open a command prompt. To help me I wrote the following two batch files:
__________________________________________
Batch File 1 Name: “CreateDD_HA.bat”

cmd /k _symbols_setup.bat
__________________________________
Batch File 2 Name: “_symbols_setup.bat”

set _NT_SYMBOL_PATH=SRV*C:\WINDOWS\Symbols*http://msdl.microsoft.com/download/symbols
echo %_NT_SYMBOL_PATH%
echo off

echo ****************************

echo ****************************
Echo FIRST
Echo To Obtain a DD Image of a Hiberfil.sys File...
Echo Type "ha.exe " and drag and drop your HiberFil.sys
Echo in the command lineto look like
Echo Example "ha.exe C:\dumpfiles\Hiber\hiberfil.sys"
echo off

echo ****************************
Echo Second
Echo Once you Hiberfil.sys file is loaded
Echo And you are at the Green Prompt just type
Echo Example "create output.dd"
__________________________________


Place the two batch files in the same directory as HA.exe
And run CreateDD_HA.bat.

If this doesn't help check with M Suiche. That guy is wicked smart and very helpful!
Rick