CERT-Polska / drakvuf-sandbox

DRAKVUF Sandbox - automated hypervisor-level malware analysis system
https://drakvuf-sandbox.readthedocs.io/

Problems in Windows 10 DLL profile generation #792

Open pwnosaur opened 1 year ago

pwnosaur commented 1 year ago

This issue is regarding the profile generation from drakpdb & pdbconv. I have been trying numerous times to generate profiles for modules or DLLs from Windows 10, but they always fail due to the unhandled leaf type. After some searching, I understand this is because of Microsoft allowing C++ types into modules such as win32k.sys and other DLLs/modules, yet I can't find a proper way to generate the profiles for the required DLLs. I tried checking out DIA, but I am still unable to get a grasp on how to use it to build a profile.

I have tried different Windows 10 builds & versions:

I'm trying to build profiles for the DLLs to be able to use drakvuf plugins (ole32 for filetracer, etc.). If there are pre-existing profiles for a specific version, it would be great if someone could share those and I will use them with the appropriate Windows version.

Also, if anyone has an idea why I'm encountering this issue although I've tried using the recommended Windows 10 2004, hopefully the answers shared in this issue might help and be a sort of guide for anyone who encounters the same issue.

BonusPlay commented 1 year ago

We are aware that drakpdb (the component used in drakvuf-sandbox to generate profiles for DLLs) has been broken for some time now (probably something changed in the PDB format / Microsoft API). We are looking for a replacement for this module.

As a temporary workaround, I can suggest manual intervention and performing the steps from https://drakvuf.com under the "Optional: Generate usermode profiles" section. The generated JSONs should work.

pwnosaur commented 1 year ago

> As a temporary workaround, I can suggest manual intervention and performing steps from https://drakvuf.com under Optional: Generate usermode profiles section. Generated JSONs should work.

Well, that does not work either, even on older versions as I mentioned, which is why I'm confused. If it's a PDB format issue then this should happen with newer versions of PDBs and DLLs; I'm actually trying it with older versions of Windows 10, more specifically version 2004 and prior versions (1903, 1709). These versions should work fine.

Traceback (most recent call last):
  File "volatility3/framework/symbols/windows/pdbconv.py", line 1081, in <module>
    converted_json = convertor.get_json()
  File "volatility3/framework/symbols/windows/pdbconv.py", line 505, in get_json
    self.read_necessary_streams()
  File "volatility3/framework/symbols/windows/pdbconv.py", line 214, in read_necessary_streams
    self.read_tpi_stream()
  File "volatility3/framework/symbols/windows/pdbconv.py", line 222, in read_tpi_stream
    type_references = self._read_info_stream(2, "TPI", self.types)
  File "volatility3/framework/symbols/windows/pdbconv.py", line 285, in _read_info_stream
    output, consumed = self.consume_type(module, offset, length)
  File "volatility3/framework/symbols/windows/pdbconv.py", line 829, in consume_type
    raise TypeError(f"Unhandled leaf_type: {leaf_type}")
TypeError: Unhandled leaf_type: 4105

--guid 18a8956bbc94bca6a7e9baed59c73e881 -p ole32.pdb -o ole32.json

The same issue happens with win32k.sys. Apparently @tklengyel encountered a similar issue with win32k.sys on Windows 10 1903, yet was anyone able to create profiles for ole32 or other DLLs? ole32 is required for filetracer, and some other profiles are required for other plugins to work properly.
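The traceback above is the TPI stream reader aborting on a leaf kind it has no decoder for (4105 is 0x1009, which is LF_MFUNCTION, the C++ member-function leaf, in Microsoft's cvinfo.h). As an added illustration, not drakpdb's or volatility3's own code, here is a toy TPI record walker that uses the uint16 length prefix of each record to step over unknown leaves and report them, so the conversion degrades instead of stopping; the leaf-name table is a subset of cvinfo.h, the two "handled" kinds are an arbitrary choice, and the sample stream is constructed inline.

```python
import struct

# Subset of CodeView leaf kinds (values from Microsoft's cvinfo.h).
LEAF_NAMES = {
    0x1001: "LF_MODIFIER",
    0x1002: "LF_POINTER",
    0x1008: "LF_PROCEDURE",
    0x1009: "LF_MFUNCTION",  # 4105 decimal: the leaf in the traceback above
    0x1503: "LF_ARRAY",
    0x1504: "LF_CLASS",
    0x1505: "LF_STRUCTURE",
    0x1506: "LF_UNION",
    0x1507: "LF_ENUM",
}
# Leaf kinds this toy converter pretends to know how to decode (assumption).
HANDLED = {0x1505, 0x1507}


def iter_tpi_records(data: bytes):
    """Yield (leaf_kind, payload) for each record in a TPI stream body.
    A record is a uint16 length (which excludes the length field itself),
    then a uint16 leaf kind, then the leaf-specific payload (padding included)."""
    off = 0
    while off + 4 <= len(data):
        length, leaf = struct.unpack_from("<HH", data, off)
        if length < 2 or off + 2 + length > len(data):
            raise ValueError(f"truncated TPI record at offset {off}")
        yield leaf, data[off + 4 : off + 2 + length]
        off += 2 + length  # the length prefix lets us skip leaves we cannot parse


def convert_types(data: bytes):
    """Return (decoded, skipped). Unknown or unhandled leaves are recorded in
    `skipped` as (kind, name) and stepped over instead of raising TypeError."""
    decoded, skipped = [], []
    for leaf, body in iter_tpi_records(data):
        if leaf in HANDLED:
            decoded.append((LEAF_NAMES[leaf], body))
        else:
            skipped.append((leaf, LEAF_NAMES.get(leaf, "UNKNOWN")))
    return decoded, skipped


def make_record(leaf: int, body: bytes) -> bytes:
    """Build one record; the length covers the leaf field plus the body."""
    return struct.pack("<HH", 2 + len(body), leaf) + body


# Constructed sample stream: a structure, a member function (0x1009), an enum.
SAMPLE = (make_record(0x1505, b"\x01\x02\x03\x04")
          + make_record(0x1009, b"\xaa" * 6)
          + make_record(0x1507, b"\x10\x20"))
```

Running `convert_types(SAMPLE)` yields two decoded leaves and one skipped entry, `(4105, "LF_MFUNCTION")`, which is the information a converter should surface in its output rather than abort on.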