Jun,
Thanks for the email. As with anything in memory analysis, there are a
number of different techniques that can be used, each method having its
own benefits and limitations. For example, Harlan used a technique in a
tool called kern.pl which performed OS detection by testing a list of
known base addresses for the kernel and subsequently parsing the
ResourceTable. He also released a tool called ostest.pl which looked for
the System and Idle EPROCESS objects in memory and used offsets of members
to guess the OS. I know of someone else who would sample the different
types of objects found in memory and use that to determine the OS version.
These are just a few of the techniques but there are many more.
So the answer is yes. It is possible using a number of different
techniques. It just depends on what you are trying to do, what your
performance constraints are, and what information you are willing to
trust. If you end up coming up with a new technique or finding a
technique that works well for you, I would encourage you to submit a
plugin.
Thanks,
AW
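As an added illustration of the EPROCESS-based heuristic AW mentions (find candidate process objects, then see which profile's ImageFileName offset lands on "Idle" or "System"), here is a small Python sketch. This is example code written for this page, not code from the thread, from kern.pl/ostest.pl, or from Volatility. The profile offset table, the constructed sample image, and the function names are assumptions for illustration; cross-check the offsets against the profile definitions of whatever tool you actually use.

```python
# Heuristic OS-version detection from a raw Windows memory image by
# guessing EPROCESS member offsets.  Example code, not Volatility's own.
#
# Idea: every Windows box has an "Idle" and a "System" process.  An
# EPROCESS starts with a DISPATCHER_HEADER whose Type byte is 3 for a
# process object, and carries a 16-byte ImageFileName at an offset that
# differs between OS versions.  So: find bytes that look like the start
# of a process object, and for each candidate profile check whether
# ImageFileName at that profile's offset reads "Idle" or "System".

# Candidate profiles -> assumed EPROCESS.ImageFileName offset (x86).
# These values are assumptions for this example; verify against the
# vtypes/profile of the memory-analysis tool you use before trusting them.
PROFILES = {
    "Win2000": 0x1fc,
    "WinXP":   0x174,
    "Win2003": 0x154,
    "Vista":   0x14c,
}

PROCESS_OBJECT_TYPE = 0x03          # DISPATCHER_HEADER.Type for a process
IMAGE_NAME_LEN = 16                 # sizeof(EPROCESS.ImageFileName)
MARKER_NAMES = (b"Idle", b"System") # processes present on every Windows system
ALIGNMENT = 8                       # pool allocations are 8-byte aligned


def candidate_headers(image):
    """Yield offsets that could start a process DISPATCHER_HEADER."""
    for off in range(0, len(image), ALIGNMENT):
        if image[off] == PROCESS_OBJECT_TYPE:
            yield off


def read_name(image, off):
    """Return the NUL-terminated ImageFileName at off, or None if truncated."""
    raw = image[off:off + IMAGE_NAME_LEN]
    if len(raw) < IMAGE_NAME_LEN:
        return None
    return raw.split(b"\x00", 1)[0]


def vote(image):
    """Count, per profile, how many candidates carry a marker name."""
    votes = {profile: 0 for profile in PROFILES}
    for hdr in candidate_headers(image):
        for profile, name_off in PROFILES.items():
            if read_name(image, hdr + name_off) in MARKER_NAMES:
                votes[profile] += 1
    return votes


def detect_os(image):
    """Return (best_profile_or_None, votes).  None means no clear winner."""
    votes = vote(image)
    best = max(votes, key=votes.get)
    ranked = sorted(votes.values())
    # No evidence at all, or a tie: the offsets did not discriminate.
    if votes[best] == 0 or (len(ranked) > 1 and ranked[-2] == votes[best]):
        return None, votes
    return best, votes


def build_test_image(profile, base=0x1000, size=0x8000):
    """Construct a synthetic 'memory image' containing two fake process
    objects laid out for the given profile, plus a decoy Type byte."""
    name_off = PROFILES[profile]
    img = bytearray(size)
    for i, name in enumerate(MARKER_NAMES):
        start = base + i * 0x400
        img[start] = PROCESS_OBJECT_TYPE
        img[start + name_off:start + name_off + len(name)] = name
    img[0x6000] = PROCESS_OBJECT_TYPE   # looks like a header, has no name
    return bytes(img)


if __name__ == "__main__":
    for p in PROFILES:
        guess, votes = detect_os(build_test_image(p))
        print(f"image built as {p:8s} -> detected {guess} {votes}")
```

On a real image you would tighten the candidate filter (for example, also check the DISPATCHER_HEADER size field and the preceding pool header) and extend the profile table to the service packs and 64-bit builds you care about, since the offsets differ there too. The vote count is the part worth looking at: one hit can be a coincidence, two or more distinct marker processes at the same offset is much harder to explain away, which is exactly the "what information you are willing to trust" trade-off above.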
On Thu, 30 Oct 2008, Jun Koi wrote:
Hi,
Suppose that I have a raw memory image of a particular Windows
machine. Is there any way to determine its version? It can be W2k,
WinXP SP2 or SP3 or Vista.
Perhaps we can look at some places in the image to get that
information out?
Thanks,
J
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users