[FYI] A quick experiment with ReactOS as a qemu guest

[misutoneko]

Hi,

Okay not an issue and I realize this may not be a very interesting forensics target but... I noticed that ReactOS as a qemu guest kinda works, too.

The function FindNtoScan32() needs a little bit of patching:

• There's no "POOLCODE", so search for ".edata\0\0" instead
• Some string checking needs to check "ntoskrnl.exp.dll", rather than "ntoskrnl.exe"

There's probably more than just that, but it's enough to get the mount going. The changes only apply to version 0.3.13 of the LiveCD btw. (I tried a couple of more recent versions, but with them the MemProcFS initialization fails at various stages.)

The main problem I've noticed is that I couldn't replicate your Disobey notepad demo since there's no HEAP entries in vmemd. Could be a difference between ReactOS and real Windows, or simply some oversight on my part.

[ufrisk]

This is way cool that you got it to work with ReactOS 👍

For me keeping track of all offsets and different hard codings and special cases everywhere is already a lot of work though. I'm not going to add ReactOS support to MemProcFS itself unfortunately. Not unless it picks up some serious use percentage wise.

Having a ReactOS compatible fork would probably be the best way to go forward with regards to this.