On Thu, Oct 30, 2008 at 11:18 PM, AAron Walters <awalters@4tphi.net> wrote:
> Jun,
> Thanks for the email. As with anything in memory analysis, there are a
> number of different techniques that can be used, each method having its own
> benefits and limitations. For example, Harlan used a technique in a tool
> called kern.pl which performed OS detection by testing a list of known base
> addresses for the kernel and subsequently parsing the ResourceTable. He
> also released a tool called ostest.pl which looked for the System and Idle
> EPROCESS objects in memory and used offsets of members to guess the OS.
I found that, thanks!
> I know of someone else who would sample the different types of objects found
> in memory and use that to determine the OS version.
Do you have the link?
> So the answer is yes. It is possible using a number of different techniques.
> It just depends on what you are trying to do, what your performance
> constraints are, and what information you are willing to trust. If you end
> up coming up with a new technique or finding a technique that works well for
> you, I would encourage you to submit a plugin.
Certainly I would do that if possible.
Thanks,
J
> On Thu, 30 Oct 2008, Jun Koi wrote:
> > Hi,
> > Suppose that I have a raw memory image of a particular Windows
> > machine. Is there any way to determine its version? It can be W2k,
> > WinXP SP2 or SP3 or Vista.
> > Perhaps we can look into some places in the image to get that
> > information out?
> > Thanks,
> > J
_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
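As an added illustration of the ResourceTable approach AAron mentions (this is example code written for this page, not kern.pl, not Volatility's own code and not anything posted in the thread): instead of probing known kernel base addresses, the script below carves the kernel's version resource straight out of a raw image by scanning for the VS_FIXEDFILEINFO signature 0xFEEF04BD, confirming that a UTF-16LE kernel image name (ntoskrnl.exe, ntkrnlpa.exe, ...) follows within a short window, and mapping the file version to an OS release. The window size, the requirement that the string block sit near the fixed info, and the XP service-pack revision boundaries (2180 for SP2, 5512 for SP3) are assumptions, as is the sample "image", which is constructed in the code rather than taken from a real dump.

```python
import struct

# Layout of VS_FIXEDFILEINFO (winver.h): 13 little-endian DWORDs, 52 bytes.
VS_FIXEDFILEINFO_SIGNATURE = 0xFEEF04BD
FIXEDFILEINFO_FMT = "<13I"
FIXEDFILEINFO_SIZE = struct.calcsize(FIXEDFILEINFO_FMT)

# Names the NT kernel ships under (uniprocessor/multiprocessor, non-PAE/PAE).
KERNEL_IMAGE_NAMES = ("ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe")

# Assumption: the StringFileInfo block naming the file lies within this many
# bytes after the fixed info, in the same physically contiguous .rsrc pages.
STRING_WINDOW = 0x800


def parse_fixedfileinfo(blob):
    """Return (major, minor, build, revision) from a VS_FIXEDFILEINFO, or None."""
    if len(blob) < FIXEDFILEINFO_SIZE:
        return None
    fields = struct.unpack(FIXEDFILEINFO_FMT, blob[:FIXEDFILEINFO_SIZE])
    if fields[0] != VS_FIXEDFILEINFO_SIGNATURE:
        return None
    file_ms, file_ls = fields[2], fields[3]  # dwFileVersionMS / dwFileVersionLS
    return (file_ms >> 16, file_ms & 0xFFFF, file_ls >> 16, file_ls & 0xFFFF)


def find_kernel_versions(image):
    """Carve every VS_FIXEDFILEINFO whose nearby file name is an NT kernel name.

    Returns a list of (offset, version_tuple, kernel_image_name).
    """
    sig = struct.pack("<I", VS_FIXEDFILEINFO_SIGNATURE)
    hits = []
    pos = image.find(sig)
    while pos != -1:
        version = parse_fixedfileinfo(image[pos:pos + FIXEDFILEINFO_SIZE])
        if version is not None:
            window = image[pos + FIXEDFILEINFO_SIZE:pos + FIXEDFILEINFO_SIZE + STRING_WINDOW]
            # Version-resource strings are UTF-16LE; match the shipped lowercase spelling.
            name = next((n for n in KERNEL_IMAGE_NAMES
                         if n.encode("utf-16-le") in window), None)
            if name is not None:
                hits.append((pos, version, name))
        pos = image.find(sig, pos + 1)
    return hits


def identify_windows(version):
    """Map an ntoskrnl file version to an OS / service-pack label.

    Build numbers are the well-known NT builds. The XP service-pack boundaries
    (SP2 kernels from revision 2180, SP3 from 5512) are an assumption taken from
    shipped kernel revisions; validate them against your own corpus.
    """
    major, minor, build, revision = version
    if (major, minor, build) == (5, 0, 2195):
        return "Windows 2000"
    if (major, minor, build) == (5, 1, 2600):
        if revision >= 5512:
            return "Windows XP SP3"
        if revision >= 2180:
            return "Windows XP SP2"
        return "Windows XP (pre-SP2)"
    if (major, minor, build) == (5, 2, 3790):
        return "Windows Server 2003 / XP x64"
    if (major, minor) == (6, 0):
        return {6000: "Windows Vista",
                6001: "Windows Vista SP1 / Server 2008",
                6002: "Windows Vista SP2 / Server 2008 SP2"}.get(
                    build, "Windows 6.0 build %d" % build)
    return "unknown Windows %d.%d.%d.%d" % version


def build_fixedfileinfo(major, minor, build, revision):
    """Pack a synthetic VS_FIXEDFILEINFO (only used to build the constructed sample)."""
    ms, ls = (major << 16) | minor, (build << 16) | revision
    return struct.pack(FIXEDFILEINFO_FMT, VS_FIXEDFILEINFO_SIGNATURE, 0x00010000,
                       ms, ls, ms, ls, 0x3F, 0, 0x00040004, 0x1, 0, 0, 0)


def build_sample_image():
    """Constructed stand-in for a raw memory image (not a real dump).

    Holds a version block for kernel32.dll (must be ignored) and one for an
    XP SP3 ntoskrnl.exe, separated by more padding than STRING_WINDOW so the
    decoy cannot borrow the kernel's file name.
    """
    decoy = (build_fixedfileinfo(5, 1, 2600, 5512) + b"\x00" * 64
             + "kernel32.dll".encode("utf-16-le"))
    kernel = (build_fixedfileinfo(5, 1, 2600, 5512) + b"\x00" * 64
              + "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
              + "ntoskrnl.exe".encode("utf-16-le"))
    return b"\xCC" * 0x200 + decoy + b"\x00" * 0x1000 + kernel + b"\x00" * 0x400


if __name__ == "__main__":
    for offset, version, name in find_kernel_versions(build_sample_image()):
        print("0x%08x %-12s %d.%d.%d.%d -> %s"
              % ((offset, name) + version + (identify_windows(version),)))
```

Against a real dump, replace build_sample_image() with the file contents and expect two caveats: the fixed info and its string table can straddle non-adjacent physical pages, in which case the name check fails and you need page-table translation (which is what a known kernel base address buys you), and a hibernation or crash-dump format wraps the pages in its own container and must be unpacked first. Multiple hits for different kernel names are normal when an old kernel image is still paged in after an update; the one whose pages also hold the running EPROCESS list is the live one.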