Sunday, September 10, 2006

OS Detection from a RAM Dump

I mentioned earlier that I'm working on a script that will help with OS detection from a RAM dump, either dd-style or a VMWare .vmem file. Thanks to some really excellent input from Andreas, I'm looking to add another detection method to the script and in order to do that, I'd like to get some input from you, the readers.

Here's what I need...if you have the MS Debugging Tools installed on a Windows system (2000 and up), go grab a copy of LiveKd, and copy it to your system. Go to the directory where you put LiveKd, and type "livekd -w" to open WinDbg. Once you get the prompt, look at the output from the tool, and copy what the operating system is identified as, and the "kernel base" value.

Once you do that, comment here or send me an email with the information. What I'm trying to do is use as wide a sample as possible to determine if this value is dynamic or not.


Addendum 11 Sept: First off, God bless anyone and everyone involved in the 9/11 attacks. This goes for victims, their families, the rescuers and workers, and all who've pushed forward and continued the mission. God bless you all.

On topic, I've gotten a couple of responses to my request so far, but they've both been for XPSP2. I spent a few minutes online this morning searching for posts about crash dumps, and found a ton of information. What I've seen is that the values I'm looking for seem to be pretty consistent...there're a couple of variations with regards to checked builds on Windows XP, but only a few that I've found. So, at this point, I'm working parsing the resource table, the RVA of which is found the PE header...the IMAGE_RESOURCE_DIRECTORY structures simply lack elegance (yes, that means they're ugly and difficult to deal with).

No comments: