Is it possible to support Windows 32-bit guest OS? #54
Comments
|
Hi niucool, it is possible to support Windows 32-bit guest OS. In fact, the previous version of MBA is dedicated for WinXP x86. It is then upgraded to support Win10 x64 and open-sourced. However, the implementation is not fully backward-compatible. The main concern is the memory forensics (MemFrs) module of MBA. To interpret Guest OS info. from low-level hardware data bytes, lots of OS-dependent data structures are required. Moreover, certain raw bytes parsing is coded for Win10 x64 only. That is, you need to prepare another set of Win x86 data structures spec. and also modify certain data interpretation code of memfrs. For other features implemented in the instruction-level fashion such as DIFT, it should be re-usable for 32-bit platform. But we did not give it a try in practice. If instruction-level based feature is what you are seeking for, you may try it on demands. Any comments are welcome. -- MBA team |
|
Thank you very much for your informative response. I will go through the source code and have a try of your current version first. |
Thanks for the great project. I wonder is it possible to support Windows 32-bit guest OS? What should I do if I want to implement it?
The text was updated successfully, but these errors were encountered: