
Is it possible to support Windows 32-bit guest OS?

Open niucool opened this issue 6 years ago • 2 comments

Thanks for the great project. I wonder, is it possible to support a Windows 32-bit guest OS? What should I do if I want to implement it?

niucool, Mar 22 '18 19:03

Hi niucool, it is possible to support a Windows 32-bit guest OS. In fact, the previous version of MBA was dedicated to WinXP x86. It was then upgraded to support Win10 x64 and open-sourced.

However, the implementation is not fully backward-compatible. The main concern is the memory forensics (MemFrs) module of MBA. To interpret guest OS info from low-level hardware data bytes, lots of OS-dependent data structures are required. Moreover, certain raw-byte parsing is coded for Win10 x64 only. That is, you need to prepare another set of Win x86 data structure specs and also modify certain data interpretation code of memfrs.

Other features implemented in the instruction-level fashion, such as DIFT, should be reusable on a 32-bit platform. But we did not give it a try in practice. If an instruction-level feature is what you are looking for, you may try it as needed.

Any comments are welcome. Thanks for your attention in this project.

-- MBA team

GlacierW, Mar 23 '18 09:03

Thank you very much for your informative response. I will go through the source code and try your current version first. Hopefully your team could make it better.

niucool, Mar 23 '18 22:03