OS Detection, Explained
Okay...the code's been posted to SF.net, so I thought I'd describe what it does...
The archive listed under "OS Detection" is called "ostest_0.1". This archive contains two Perl scripts, ostest.pl and kern.pl. Ostest.pl performs OS detection of a Windows RAM dump (dd-style or .vmem file) by locating the SYSTEM process EPROCESS block. This is based on a paper by Jesse Kornblum. I added a check for the Idle process, as well.
Kern.pl uses a method of OS identification that Andreas told me about...if you can locate the kernel base address in the RAM dump, and the first two bytes are "MZ", then you parse the PE header and locate the ResourceTable (or the .rsrc section), and parse the VS_VERSIONINFO structure(s) to get the various string elements. I started by looking at the various VMware guests I have, and opened up LiveKd on each one to see what the kernel base values would be. I then posted asking for others to provide the values they saw (I got about half a dozen responses, all for XPSP2), and I even did a search for folks who were doing debugging. From all of this, I created a simple table of the various values for the kernel base for Windows 2000 through Windows 2003 SP1 (I found NT4.0, as well, but that's commented out in the code).
Here's what the output of kern.pl looks like when run against one of the DFRWS 2005 Memory Challenge dumps:
C:\Perl\memory>kern.pl d:\hacking\dfrws-mem1.dmp
kern - Determine OS from a Windows RAM Dump (v.0.1_20060914)
Ex: kern
File Description : NT Kernel & System
File Version : 5.00.2195.1620
Internal Name : ntoskrnl.exe
Original File Name :
Product Name : Microsoft(R) Windows (R) 2000 Operating System
Product Version : 5.00.2195.1620
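As an added illustration of the kernel-base method described above (written in Python, and not the kern.pl code from the archive): check for "MZ" at the kernel base, follow e_lfanew to the PE header, walk the section table to .rsrc, and pull the String entries out of VS_VERSIONINFO. It assumes the kernel image is contiguous in the dump and, instead of a real dump, runs on a small constructed PE image whose version strings are my own sample values; the function names are mine as well.

```python
import struct

def _align4(n):
    return (n + 3) & ~3

def parse_version_strings(rsrc: bytes) -> dict:
    # StringFileInfo -> StringTable -> String; each block: wLength, wValueLength, wType, UTF-16 szKey, pad to 4, value
    k = rsrc.index("StringFileInfo".encode("utf-16-le"))  # ValueError if absent
    st = _align4(k + 30)                     # StringTable follows the 30-byte key
    end = st + struct.unpack_from("<H", rsrc, st)[0]
    p, strings = _align4(st + 24), {}        # StringTable key is 8 hex chars: 6 + 18 bytes
    while p < end:                           # one String block per version field
        wlen, wvlen, _ = struct.unpack_from("<HHH", rsrc, p)
        e = next(i for i in range(p + 6, end, 2) if rsrc[i:i + 2] == b"\0\0")
        v = _align4(e + 2)                   # value: wvlen UTF-16 chars incl. NUL
        strings[rsrc[p + 6:e].decode("utf-16-le")] = rsrc[v:v + 2 * wvlen].decode("utf-16-le").rstrip("\0")
        p = _align4(p + wlen) if wlen else end
    return strings

def kernel_version_strings(dump: bytes, kbase: int) -> dict:
    # kbase: offset of the kernel image in the dump (assumes the image is contiguous there)
    pe = kbase + struct.unpack_from("<I", dump, kbase + 0x3C)[0]   # e_lfanew
    if dump[kbase:kbase + 2] != b"MZ" or dump[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no MZ/PE header at kernel base")
    nsec, opt_size = struct.unpack_from("<H12xH", dump, pe + 6)
    for i in range(nsec):                    # section headers follow the optional header
        name, vsize, va = struct.unpack_from("<8sII", dump, pe + 24 + opt_size + 40 * i)
        if name.rstrip(b"\0") == b".rsrc":
            return parse_version_strings(dump[kbase + va:kbase + va + vsize])
    raise ValueError(".rsrc section not found")

def _block(key, value, children, wtype=1):
    body = key.encode("utf-16-le") + b"\0\0"
    body += b"\0" * (-(6 + len(body)) % 4) + value
    for c in children:
        body += b"\0" * (-(6 + len(body)) % 4) + c
    return struct.pack("<HHH", 6 + len(body), len(value) // 2 if wtype else len(value), wtype) + body

def build_sample_dump(kbase: int) -> bytes:
    # Constructed test image (not a real kernel): kbase zero bytes, then a minimal PE32 with one .rsrc VS_VERSIONINFO
    fields = {"FileVersion": "5.00.2195.1620", "InternalName": "ntoskrnl.exe"}
    table = _block("040904B0", b"", [_block(k, v.encode("utf-16-le") + b"\0\0", []) for k, v in fields.items()])
    vi = _block("VS_VERSION_INFO", b"\0" * 52, [_block("StringFileInfo", b"", [table])], 0)
    img = bytearray(0x2000)
    img[:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                       # e_lfanew
    struct.pack_into("<H12xH", img, 0x86, 1, 0xE0)                # NumberOfSections, SizeOfOptionalHeader
    struct.pack_into("<8sII", img, 0x80 + 24 + 0xE0, b".rsrc", 0x1000, 0x1000)  # name, VirtualSize, VA
    img[0x1000:0x1000 + len(vi)] = vi
    return b"\0" * kbase + bytes(img)
```

On a real dump the kernel base offset comes from the lookup table the post describes; if the image is not contiguous in physical memory, the .rsrc slice will not line up and the VS_VERSIONINFO search fails with a ValueError rather than returning wrong strings.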
So, at this point, consider this code an initial, alpha release. I've got some clean up and documenting to do, as well as adding functionality (verbose/debugging output, etc.). But it works, so give it a shot, and let me know what you think.
Thursday, September 14, 2006