Is it possible to figure Linux kernel version from a snapshot of system physical memory?

I was wondering if given a snapshot of the physical memory os system running Linux OS it is possible the figure out what is the Kernel version it was running? I don't have access to the image or anything.

Solution

The kernel version is into the physical memory dump of the kernel as returned by /proc/version from the struct new_utsname defined into include/uapi/linux/utsname.h. I suggest to first try the 'strings' command on your kernel dump and try to identify part of the pattern usually returned by /proc/version.

The Linux source init/version.c define this:

const char linux_banner[] =
"Linux version " UTS_RELEASE " (" LINUX_COMPILE_BY "@"
LINUX_COMPILE_HOST ") (" LINUX_COMPILER ") " UTS_VERSION "\n"

So a search of the string "Linux version" into the dump should give you the location of the linux_banner string that contain the information returned by /proc/version.

Which direction does memory-mapped segment of a process's virtual address space grow by default?
Where to find device-tree?
how to identify the priority range in Linux?
Can the pages obtained by get_user_pages() be directly recycled or swapped out without using put_user_pages()?
Determine if sk_buff is L2 or L3
How to get current hour (time of day) in linux kernel space
C - Linux proc file syncing / write deferred
what is the function of CONFIG_X86_WP_WORKS_OK?
Implementation of Signals under Linux and Windows?
How do I use spi-gpio driver in Linux?
How do I add a proper description of the spi bus in DTS?
makefile - what to do with the kconfig file
How to get device enumeration from struct device in Linux kernel module code
‘proc_fops’ has an incomplete type ‘struct proc_ops’
Yocto: how to add new device tree?
How can I override a system call table entry with my own function?
confused by sys_stat, sys_statfs syscall works
Booting a newly compiled linux kernel
'ps' without kernel threads
What is the signification of LDFLAGS
Why do we need to call poll_wait in poll?
Getting uname information from a compressed kernel image
Is it correct to use Linux userspace interrupts with non-blocking reads?
What is the purpose of class and class device?
how to write cross-version/platform Linux kernel modules?
Why did bootsect move itself to 0x90000 in linux(x86)?
Trying to cross-compile the driver during kernel compilation; the driver does not compile
How to instantiate an ARM-based VM through Linux KVM API on x86?
I want to use mod_timer to timer for 10 milliseconds, but the result is always 20 milliseconds
Why is pr_debug of the Linux kernel not giving any output?