Monday, October 23, 2006

Vista, RAM dumps, and OS detection (oh, my!!)

I received an email from Andreas today, and one of the things he mentioned is that the base address of the Vista kernel in memory is 0x81800000...that could be added to my OS detection script. So I made the change to the script and ran it against a memory dump that I had from a Vista machine. Nothing. Nada. No hit, no idea why. I opened up the memory dump in UltraEdit and saw that there was nothing at that offset...well, at least no PE header.

I then fired up my Vista RC1 VMware session and ran LiveKD to see what it reported as the kernel base address (0x81800000), and then I suspended the session. I opened up the resulting .vmem file, ran the script against it...and saw the following:

File Description : NT Kernel & System
File Version : 6.0.5600.16384 (vista_rc1.060829-2230)
Internal Name : ntkrpamp.exe
Original File Name :
Product Name : Microsoft® Windows® Operating System
Product Version : 6.0.5600.16384
File Description : Boot Man╕╝ ç(╝ ç
File Version : 6.0.5600.16384╜ çp╝ çsta_rc1.060829-2230)
Internal Name :
Original File Name :
Product Name : Microsoft« Winh╛ ç╪╜ ç« Operating System
Product Version :

Very cool. To make this change yourself, just add 0x81800000 => "VistaRC1" to the %kb hash in the script.

Addendum 24 Oct: Sent by Andreas, and confirmed this morning...add 0x82000000 => "VistaBeta2" to the %kb hash in
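To show what the %kb lookup is actually doing, here is an added example in Python (the post's own script is Perl and is not reproduced here). It probes each known kernel base offset for an MZ/PE header, and when one is there it reads the OS version from the optional header and pulls the FileVersion and InternalName strings out of the VS_VERSIONINFO data behind it, which is the information the output above shows. The KERNEL_BASES table mirrors the two Vista entries from the post and its addendum; the "dump" it is run against is a constructed buffer with a minimal PE image in it, not bytes from any real Vista memory dump, and the scaled-down offsets used in the demo are stand-ins so it runs on a small buffer.

```python
"""Which Windows build is this memory dump from?  Probe a table of known
kernel base offsets for a PE header and read the version strings behind it.
Added example in Python (the post's own script is Perl and is not shown
here); KERNEL_BASES mirrors the post's %kb hash, and the sample image is
constructed for the demo rather than taken from a real Vista dump."""
import struct

# Known kernel base offset -> OS label, as the post adds them to %kb.
KERNEL_BASES = {
    0x81800000: "VistaRC1",
    0x82000000: "VistaBeta2",
}


def pe_header_at(data, off):
    """Offset of the 'PE\\0\\0' signature if a PE image starts at `off`,
    else None.  Every read is bounds-checked, so a table entry beyond the
    end of a short dump (the post's 'nothing at the offset') just fails."""
    if off < 0 or off + 0x40 > len(data) or data[off:off + 2] != b"MZ":
        return None
    pe = off + struct.unpack_from("<I", data, off + 0x3C)[0]
    if pe + 24 + 44 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    return pe


def version_string(data, start, key, window=0x200000):
    """One VS_VERSIONINFO String value (e.g. key='FileVersion') found in the
    UTF-16LE resource data within `window` bytes after `start`, or None.
    String layout: WORD wLength, WORD wValueLength, WORD wType,
    szKey (NUL-terminated UTF-16LE), pad to DWORD, Value (NUL-terminated)."""
    needle = (key + "\0").encode("utf-16-le")
    pos = data.find(needle, start, start + window)
    if pos < 0:
        return None
    val = pos + len(needle)
    val += (-val) % 4  # DWORD padding; assumes the String block itself is DWORD-aligned
    chars = []
    while val + 1 < len(data) and data[val:val + 2] != b"\0\0":
        chars.append(data[val:val + 2])
        val += 2
    return b"".join(chars).decode("utf-16-le")


def detect_os(data, bases=KERNEL_BASES):
    """Walk the base table; return (label, details) for the first offset
    holding a PE header, or None when no entry matches (the post's
    'Nothing. Nada.' case: the dump is from a build the table lacks).
    `data` can be bytes or an mmap of the dump file."""
    for off, label in sorted(bases.items()):
        pe = pe_header_at(data, off)
        if pe is None:
            continue
        machine, _nsections, timestamp = struct.unpack_from("<HHI", data, pe + 4)
        # MajorOperatingSystemVersion/Minor sit 40 bytes into the optional header
        major, minor = struct.unpack_from("<HH", data, pe + 24 + 40)
        return label, {
            "base": off,
            "machine": machine,
            "timestamp": timestamp,
            "os_version": f"{major}.{minor}",
            "FileVersion": version_string(data, pe, "FileVersion"),
            "InternalName": version_string(data, pe, "InternalName"),
        }
    return None


def make_sample_dump(base, size=0x1000,
                     file_version="6.0.5600.16384 (vista_rc1.060829-2230)",
                     internal_name="ntkrpamp.exe"):
    """Constructed test input: a zero-filled 'dump' with a minimal PE image
    (i386, OS version 6.0) at `base`, followed by two version String blocks.
    Not real kernel bytes; the strings are the ones the post's output shows."""
    dump = bytearray(size)
    dump[base:base + 2] = b"MZ"
    pe = base + 0x80
    struct.pack_into("<I", dump, base + 0x3C, 0x80)               # e_lfanew
    dump[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHI", dump, pe + 4, 0x14C, 2, 0x44F1C2F1)  # i386, 2 sections, arbitrary stamp
    struct.pack_into("<HH", dump, pe + 24 + 40, 6, 0)             # MajorOS=6, MinorOS=0
    pos = base + 0x200                                            # DWORD-aligned resource area
    for key, value in (("FileVersion", file_version), ("InternalName", internal_name)):
        k = (key + "\0").encode("utf-16-le")
        v = (value + "\0").encode("utf-16-le")
        body = k + b"\0" * ((-(6 + len(k))) % 4) + v
        entry = struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body
        dump[pos:pos + len(entry)] = entry
        pos += len(entry) + (-len(entry)) % 4
    return bytes(dump)


if __name__ == "__main__":
    # Scaled-down stand-in for the real table so the demo runs on a tiny buffer.
    sample = make_sample_dump(0x800)
    print(detect_os(sample, {0x800: "VistaRC1", 0xC00: "VistaBeta2"}))
```

Against a real dump you would open the file with mmap (mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)) and pass it as `data`, since it supports the same slicing and find() calls; the table lookup is just a dictionary of base offsets, so adding a build is one line, exactly as the post describes for %kb.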


Anonymous said...

I'm confused. Did the value for Vista work one time but not the other? If so, could that have anything to do with the Address Space Layout Randomization?

H. Carvey said...

My first thought this morning was, "OMG!! Someone actually READS my blog!!" ;-)

Yes, you're right...it didn't work before. The offset for Vista Beta2 is 0x82000000. I just confirmed that with a sample that I have from that platform.

As to the issue of ASLR...I'll have to read Mike's blog entry and see. I'll let you know.

Andreas said...

Hello Harlan and Jesse,

Based on my observations I don't expect ASLR to affect the HAL and kernel images.

Cheers, Andreas