
RAM dumps

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

All,

I'm working on a script to determine the OS from a Windows RAM dump. So far, it seems to be working well, though I've had a bit of a hiccup on a .vmem file from my Windows 2003 SP1 VMware session.

I'd be interested in running the code against other dumps, so if you have one available that you're willing to share, please send me a URL/link to download it.

Thanks,

Harlan


   
Quote
(@tgoldsmith)
Eminent Member
Joined: 19 years ago
Posts: 35
 

Harlan,

I've been working on the problem of physical memory analysis on and off for about a year now. I've found a reliable way to auto-detect the Windows version from the physical memory image is to perform shallow thread scanning (I do it in a similar way to Andreas Schuster).

If you look for thread objects on 4-byte boundaries but only using the Type and Size fields, you can try each of the Size fields for the different versions of Windows. There may be an issue as the Size field is the same between XP and XP SP2 whereas the offsets are different, but apart from that it seems to work fine. You get a few false positives, but the thread candidate counts point to the correct version of Windows quite clearly.

Regards,

Tom


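One way to implement the counting step Tom describes, as an added example that is not from this thread or from either poster's own code: it scans a constructed image at 4-byte boundaries for a (Type, Size) header pair, tallies thread candidates per version, and keeps ties where two versions share a Size (the XP vs. XP SP2 case). The type code, the per-version Size table and the sample image are all constructed placeholders, not real Windows constants.

```python
from collections import Counter

# Placeholder type code for "thread" dispatcher objects (constructed, not a real constant).
THREAD_TYPE = 6

# Hypothetical per-version Size values (in 4-byte units). Two versions deliberately
# share a Size to model the XP / XP SP2 ambiguity described in the post.
SIZE_BY_VERSION = {
    "Win2000": 0x6C,
    "WinXP": 0x70,
    "WinXP SP2": 0x70,
    "Win2003": 0x74,
}

ALIGN = 4  # thread objects are only considered on 4-byte boundaries


def count_thread_candidates(image: bytes) -> Counter:
    """Count (Type, Size) header matches per version at every aligned offset."""
    counts = Counter({v: 0 for v in SIZE_BY_VERSION})
    for off in range(0, len(image) - 1, ALIGN):
        obj_type, size = image[off], image[off + 1]
        if obj_type != THREAD_TYPE:
            continue
        for version, expected in SIZE_BY_VERSION.items():
            if size == expected:
                counts[version] += 1
    return counts


def guess_version(image: bytes) -> list:
    """Return the version(s) with the highest candidate count. Ties are kept,
    because a shared Size cannot separate versions without offset checks."""
    counts = count_thread_candidates(image)
    best = max(counts.values())
    if best == 0:
        return []
    return sorted(v for v, c in counts.items() if c == best)


def build_sample_image() -> bytes:
    """Constructed image: five XP-style headers at aligned offsets, one misaligned
    decoy that must be ignored, one 2003-style header, and non-matching filler."""
    img = bytearray(bytes(range(256)) * 4)  # aligned filler bytes are never 6
    for off in (0x40, 0x100, 0x1C0, 0x280, 0x340):
        img[off:off + 2] = bytes([THREAD_TYPE, 0x70])
    img[0x201:0x203] = bytes([THREAD_TYPE, 0x70])  # misaligned: skipped by the scan
    img[0x3C0:0x3C2] = bytes([THREAD_TYPE, 0x74])
    return bytes(img)
```

On a real dump the version with a clear lead in candidate count is the answer; an exact tie is the signal to fall back to version-specific offset checks.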
   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

Tom,

Thanks for the response.

I'm using a brute-force approach similar to what Andreas first mentioned, but I'm using an approach to OS detection that Jesse Kornblum mentioned; i.e., locating the System process, and doing checks from there.

So far, it works well for Win2K and XP/XP SP2... no false positives yet. I am having some trouble with Win2K3 SP1, and so far, only one person has come forward and offered a Win2K3 RAM dump.


   
ReplyQuote
(@tgoldsmith)
Eminent Member
Joined: 19 years ago
Posts: 35
 

I was unaware of Jesse's talk - I've been working pretty much on my own at this and then over the last few months it's become rather a big topic! I'm downloading the podcast now to learn more.

For the time being I'll stick with my technique as I've never had a false positive, so I'm pretty convinced it works correctly. I'd offer you a RAM dump but I have no mechanism by which to upload it from work, sorry.


   
ReplyQuote
(@tgoldsmith)
Eminent Member
Joined: 19 years ago
Posts: 35
 

Well I listened to the interview, but it was a little light on specific details (although you can't blame them - it's an audio show, and a great one at that!).

Do you know where the paper is that they reference? Other than that, which part of the system object are you having problems with? I may be able to help...


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

…I listened to the interview…

Do you mean the Cyberspeak podcast? I'll have to go back and give it a listen, as I don't remember what paper you're referring to.

…which part of the system object are you having problems with?

Sorry, I'm not sure what you're referring to. I don't remember (and can't find) having said anything about having trouble with a "system object".

If you've got any information on locating kernel objects, I'd appreciate hearing about that.

I've not only parsed the EPROCESS and ETHREAD blocks, but dumped process details, memory and even retrieved the binary image. My code for Win2K systems is up on SourceForge.


   
ReplyQuote
(@tgoldsmith)
Eminent Member
Joined: 19 years ago
Posts: 35
 

I know of your scripts... I've been watching you publish them every so often and wishing they'd been out earlier, maybe they would have saved me some time :)

I referred to the EPROCESS struct for "System" as an object, because it isn't a real process, as you probably know. I assumed you were having problems relating to reading information regarding this object on Windows 2003 SP1, as you mentioned them both in your posts.

From the podcast, I noticed that Jesse said he could pretty much just run binaries after he extracts them. From my own work in doing the same thing, I don't really see how that is possible, even though I perform lots of fixups on the binaries. I'd be interested to see his techniques, although once I completed binary extraction I left it at that, because it's probably best to pick it apart in IDA anyway.

Which Kernel objects are you interested in specifically? Do you mean just obtaining the structure definitions (use WinDbg) or scanning for them in memory?


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

I assumed you were having problems relating to reading information regarding this object on Windows 2003 SP1…

Not reading the EPROCESS blocks…locating them. The "magic number" that works for Win2000, XP and 2003 doesn't seem to work for Win2K3 SP1.

Re the binary images…I don't remember what Jesse said exactly, but I haven't been able to retrieve the original binary, exactly as you've found. I started down the road of hashing each section of the recovered file and comparing those to the same sections in the original file.

Which Kernel objects are you interested in specifically? Do you mean just obtaining the structure definitions (use WinDbg) or scanning for them in memory?

The short answer is "yes". 😉 I'm interested in any useful kernel object and its structure (I have WinDbg installed). For example, in his write-up for the DFRWS 2005 Memory Challenge, George Garner mentions the interface list, etc., but I haven't been able to locate a name for them.

I'd like to be able to extract things like interface lists, network connections, etc., from the dumps. Any assistance you could provide would be greatly appreciated.

Harlan


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

tgoldsmith,

I'm listening to the CyberSpeak podcast from 3 June, and Jesse does say "almost" and "you'll see parts of the program that were running at the time" when he talks about pulling the binary executable image from the RAM dump.

Harlan

