Thursday, September 14, 2006

OS Detection, Explained

Okay...the code's been posted to, so I thought I'd describe what it does...

The archive listed under "OS Detection" is called "ostest_0.1". It contains two Perl scripts. One performs OS detection on a Windows RAM dump (a dd-style image or a VMware .vmem file) by locating the EPROCESS block of the System process, following a method from a paper by Jesse Kornblum; I added a check for the Idle process as well.

The other script, kern, uses a method of OS identification that Andreas told me about: if you can locate the kernel base address in the RAM dump, and the first two bytes there are "MZ", you parse the PE header, locate the resource table (the .rsrc section), and walk it to the VS_VERSIONINFO structure(s), whose string elements identify the kernel build. To get the kernel base values, I started with the various VMware guests I have and ran LiveKd on each one to see what the kernel base was. I then posted asking others to provide the values they saw (I got about half a dozen responses, all for XP SP2), and I also searched for values reported by people doing kernel debugging. From all of this, I created a simple table of kernel base values for Windows 2000 through Windows 2003 SP1 (I found NT 4.0 as well, but that's commented out in the code). Since the check is a lookup against that table, a dump whose kernel base isn't listed won't be identified until the value is added.

Here's what the output of kern looks like when run against one of the DFRWS 2005 Memory Challenge dumps:

C:\Perl\memory> d:\hacking\dfrws-mem1.dmp
kern - Determine OS from a Windows RAM Dump (v.0.1_20060914)
Ex: kern

File Description : NT Kernel & System
File Version : 5.00.2195.1620
Internal Name : ntoskrnl.exe
Original File Name :
Product Name : Microsoft(R) Windows (R) 2000 Operating System
Product Version : 5.00.2195.1620

So, at this point, consider this code an initial alpha release. I've got some cleanup and documenting to do, as well as functionality to add (verbose/debugging output, etc.). But it works, so give it a shot and let me know what you think.


Anonymous said...

Can you send me his paper?

Thanks a lot.

H. Carvey said...

Following the link to Jesse's blog and then on to his papers leads you to: