Wednesday, September 13, 2006

OS Detection from a RAM Dump, part deux

Okay, here's where I'm at on this so far...

I'm implementing a method of OS detection from a RAM dump by going to the kernel base address in the dump (thanks to Andreas for pointing this method out) and determining if there is an executable there. If there is, I'm using PE parsing code that I've already developed to locate the ResourceTable and parse through it to get the file version information.

For those of you who don't know, the ResourceTable is a "simple" multi-level directory structure. I'm using Matt Pietrek's description of the ResourceTable as a basis, and then using other resources to locate the RT_VERSION identifier so I can traverse the directory structure in the right direction.

So, I locate the first/root level easily enough, and locate a pointer to the RT_VERSION resources (skipping bitmaps and dialogs). I get to the second level and locate a pointer to the third level, which gives me a pointer to the resources:

ID = 0x409, PTR = 0x228

What this tells me is that the ID is pointing to a particular language (English) and since the high bit of the PTR isn't set, it points directly to a resource. Only at this point, I don't know which resource, as it's still 24 bytes from the beginning of the VS_VERSIONINFO structure.
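As an added illustration of the three-level walk described above (this is example code written for this post, not the author's own parser), here is a small Python script that builds a constructed .rsrc section in memory and then walks it the same way: root directory (resource type, skipping everything but RT_VERSION), second level (resource name/ID), third level (language ID such as 0x409). A third-level entry whose high bit is clear points at an IMAGE_RESOURCE_DATA_ENTRY, and the first dword of that 16-byte structure is the RVA of the VS_VERSIONINFO block; subtracting the section's own RVA turns it into an offset into the section. The section RVA (0x1000), the version numbers and the placeholder RT_BITMAP subtree are all constructed sample values.

```python
import struct

RT_BITMAP = 2          # resource type IDs from winuser.h
RT_VERSION = 16
SUBDIR_FLAG = 0x80000000   # high bit set: entry points at another directory
VS_FFI_SIGNATURE = 0xFEEF04BD


# ---- builder for a constructed .rsrc section (sample data, not a real binary) ----
def _dir_header(n_named, n_id):
    # IMAGE_RESOURCE_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, #named, #id
    return struct.pack("<IIHHHH", 0, 0, 0, 0, n_named, n_id)


def _entry(ident, offset, is_dir):
    # IMAGE_RESOURCE_DIRECTORY_ENTRY: Id, OffsetToData (offsets are relative to section start)
    return struct.pack("<II", ident, offset | (SUBDIR_FLAG if is_dir else 0))


def build_sample_rsrc(section_rva):
    """Return bytes of a .rsrc section containing one RT_BITMAP stub and one RT_VERSION."""
    key = "VS_VERSION_INFO".encode("utf-16-le") + b"\x00\x00"
    fixed = struct.pack("<13I", VS_FFI_SIGNATURE, 0x00010000,
                        0x00050001, 0x0A280000,    # constructed file version 5.1.2600.0
                        0x00050001, 0x0A280000,    # constructed product version
                        0x3F, 0, 0x40004, 1, 0, 0, 0)
    header = struct.pack("<HHH", 0, len(fixed), 0)   # wLength (patched below), wValueLength, wType
    pad = b"\x00" * ((4 - (len(header) + len(key)) % 4) % 4)   # VS_FIXEDFILEINFO is 4-byte aligned
    body = header + key + pad + fixed
    versioninfo = struct.pack("<H", len(body)) + body[2:]

    # Fixed layout: root@0x00, bitmap L2@0x20, version L2@0x30, version L3@0x48, data entry@0x60, data@0x70
    root = _dir_header(0, 2) + _entry(RT_BITMAP, 0x20, True) + _entry(RT_VERSION, 0x30, True)
    bitmap_l2 = _dir_header(0, 0)                       # placeholder subtree, never walked
    version_l2 = _dir_header(0, 1) + _entry(1, 0x48, True)
    version_l3 = _dir_header(0, 1) + _entry(0x409, 0x60, False)   # English, high bit clear
    data_entry = struct.pack("<IIII", section_rva + 0x70, len(versioninfo), 0, 0)
    section = root + bitmap_l2 + version_l2 + version_l3 + data_entry
    assert len(section) == 0x70
    return section + versioninfo


# ---- the parser: walk type -> name -> language, then read VS_VERSIONINFO ----
def _read_dir(rsrc, off):
    """Return [(ident, offset, is_subdir)] for the directory at section offset `off`."""
    n_named, n_id = struct.unpack_from("<HH", rsrc, off + 12)
    entries = []
    pos = off + 16
    for _ in range(n_named + n_id):
        ident, data = struct.unpack_from("<II", rsrc, pos)
        entries.append((ident, data & 0x7FFFFFFF, bool(data & SUBDIR_FLAG)))
        pos += 8
    return entries


def find_version_resource(rsrc, section_rva):
    """Return (lang_id, data_rva, size) for the first RT_VERSION resource, or None."""
    for type_id, off, is_dir in _read_dir(rsrc, 0):
        if type_id != RT_VERSION or not is_dir:
            continue                                   # skip bitmaps, dialogs, ...
        for _name_id, off2, is_dir2 in _read_dir(rsrc, off):
            if not is_dir2:
                continue
            for lang_id, off3, is_dir3 in _read_dir(rsrc, off2):
                if is_dir3:
                    continue
                # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (an RVA), Size, CodePage, Reserved
                data_rva, size, _cp, _res = struct.unpack_from("<IIII", rsrc, off3)
                return lang_id, data_rva, size
    return None


def parse_vs_versioninfo(blob):
    """Parse the leading VS_VERSIONINFO header and VS_FIXEDFILEINFO; return a dict."""
    w_length, w_value_length, _w_type = struct.unpack_from("<HHH", blob, 0)
    key_len = len("VS_VERSION_INFO") * 2
    key = blob[6:6 + key_len].decode("utf-16-le")
    if key != "VS_VERSION_INFO" or blob[6 + key_len:8 + key_len] != b"\x00\x00":
        raise ValueError("not a VS_VERSIONINFO block")
    fixed_off = (8 + key_len + 3) & ~3              # align to 4 bytes
    fields = struct.unpack_from("<13I", blob, fixed_off)
    if fields[0] != VS_FFI_SIGNATURE or w_value_length != 52:
        raise ValueError("bad VS_FIXEDFILEINFO signature")
    fv_ms, fv_ls, pv_ms, pv_ls = fields[2:6]
    fmt = lambda ms, ls: "%d.%d.%d.%d" % (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
    return {"length": w_length,
            "file_version": fmt(fv_ms, fv_ls),
            "product_version": fmt(pv_ms, pv_ls)}


def detect_os_version(rsrc, section_rva):
    """Tie it together: locate RT_VERSION, convert RVA to section offset, parse the block."""
    found = find_version_resource(rsrc, section_rva)
    if found is None:
        return None
    lang_id, data_rva, size = found
    start = data_rva - section_rva
    info = parse_vs_versioninfo(rsrc[start:start + size])
    info["lang_id"] = lang_id
    return info


if __name__ == "__main__":
    sample = build_sample_rsrc(0x1000)
    print(detect_os_version(sample, 0x1000))
```

On a real dump the same walk applies, except that the resource directory offsets are relative to the start of the .rsrc section (found through the data directory in the optional header) and the data entry's RVA has to be translated through the section table or, for an image already mapped in memory, simply added to the kernel base address.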

I've been searching on Google, and if anyone out there has a resource (link, URL, text file, etc.) that breaks down how to traverse the ResourceTable, I'd appreciate it, as it will save me some time and let me finish this code. Thanks.

Addendum, 14 Sept: Ugh. I figured it out. Finally. I'll have code working soon.
