CERT-Polska / drakvuf-sandbox

DRAKVUF Sandbox - automated hypervisor-level malware analysis system
https://drakvuf-sandbox.readthedocs.io/

`draksetup postinstall` shows logs about failed inject? #900

Closed andrisr223 closed 3 months ago

andrisr223 commented 4 months ago

Describe the bug

draksetup postinstall shows logs about failed inject but finishes successfully. This seems to be a minor issue. Can this affect analysis itself?

How to reproduce

Steps to reproduce the behavior:

  1. Run `draksetup install windows.iso --unattended-xml /home/andrisr/autounattend.xml --memory 12288 --vcpus 2 --disk-size 32G`
  2. Run `draksetup postinstall`

Most of the steps are successful. In one case (for combase.dll) the action fails.

Output of the `draksetup postinstall` command

[2024-05-31 08:37:37,169][INFO] Fetching rekall profile for Windows/System32/combase.dll
[2024-05-31 08:37:38,997][DEBUG] Starting new HTTPS connection (1): msdl.microsoft.com:443
[2024-05-31 08:37:39,347][DEBUG] https://msdl.microsoft.com:443 "GET /download/symbols/combase.pdb/a5fffa026286992de4829636416ec4d11/combase.pdb HTTP/1.1" 302 0
[2024-05-31 08:37:39,348][DEBUG] Starting new HTTPS connection (1): vsblobprodscussu5shard64.blob.core.windows.net:443
[2024-05-31 08:37:40,257][DEBUG] https://vsblobprodscussu5shard64.blob.core.windows.net:443 "GET /b-4712e0edc5a240eabf23330d7df68e77/A9C3917DB7ECE3D5213875D8C7F10A46F8DF65729FB4E2D983486F774BDB495900.blob?sv=2019-07-07&sr=b&si=1&sig=q88tl9WzdNOcypnmXYIvV2m3MgjLdx481dvyKmmtkt8%3D&spr=https&se=2024-06-01T09%3A39%3A45Z&rscl=x-e2eid-d31d9877-fdf64384-8b365ac6-00738e04-session-dc319fdd-e04c43cc-81b0992a-480b91fb HTTP/1.1" 200 91148288
[2024-05-31 08:38:22,292][DEBUG] Parsing PDB into JSON profile...
[2024-05-31 08:39:25,081][DEBUG] stdout: {"Plugin": "inject", "TimeStamp": "1717144657.467639", "Method": "ReadFile", "Status": "Success", "ProcessName": "C:\\Windows\\System32\\combase.dll", "Arguments": "", "InjectedPid": 0, "InjectedTid": 0}

[2024-05-31 08:39:25,082][DEBUG] stderr: DRAKVUF injector v1.1-643c06d Copyright (C) 2014-2024 Tamas K Lengyel

[2024-05-31 08:39:25,082][DEBUG] rc: 0
[2024-05-31 08:39:25,131][DEBUG] Traceback (most recent call last):
  File "/home/user/drakvuf/drakvuf-sandbox/drakrun/drakrun/draksetup.py", line 569, in create_rekall_profile
    profile = make_pdb_profile(
  File "/home/user/drakvuf/drakvuf-sandbox/drakrun/drakrun/lib/drakpdb.py", line 378, in make_pdb_profile
    pdb = pdbparse.parse(filepath)
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/pdbparse/__init__.py", line 554, in parse
    return PDB7(f, fast_load)
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/pdbparse/__init__.py", line 521, in __init__
    self.read_root(self.root_stream)
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/pdbparse/__init__.py", line 460, in read_root
    pdb_cls(
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/pdbparse/__init__.py", line 154, in __init__
    self.load()
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/pdbparse/__init__.py", line 276, in load
    debug = dbi.parse_stream(self.stream_file)
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/pdbparse/dbi.py", line 160, in parse_stream
    Name = ("Name" / CString(encoding = "utf8")).parse(Names[NameRef[j]:])
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/construct/core.py", line 304, in parse
    return self.parse_stream(io.BytesIO(data), **contextkw)
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/construct/core.py", line 316, in parse_stream
    return self._parsereport(stream, context, "(parsing)")
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/construct/core.py", line 328, in _parsereport
    obj = self._parse(stream, context, path)
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/construct/core.py", line 2468, in _parse
    return self.subcon._parsereport(stream, context, path)
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/construct/core.py", line 328, in _parsereport
    obj = self._parse(stream, context, path)
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/construct/core.py", line 715, in _parse
    return self._decode(obj, context, path)
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/construct/core.py", line 1490, in _decode
    return obj.decode(self.encoding)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xa7 in position 0: invalid start byte

[2024-05-31 08:39:25,131][WARNING] [SKIPPING DLL] Unexpected exception while creating rekall profile for Windows/System32/combase.dll
[2024-05-31 08:39:25,131][DEBUG] Traceback (most recent call last):
  File "/home/user/drakvuf/drakvuf-sandbox/drakrun/drakrun/draksetup.py", line 569, in create_rekall_profile
    profile = make_pdb_profile(
  File "/home/user/drakvuf/drakvuf-sandbox/drakrun/drakrun/lib/drakpdb.py", line 378, in make_pdb_profile
    pdb = pdbparse.parse(filepath)
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/pdbparse/__init__.py", line 554, in parse
    return PDB7(f, fast_load)
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/pdbparse/__init__.py", line 521, in __init__
    self.read_root(self.root_stream)
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/pdbparse/__init__.py", line 460, in read_root
    pdb_cls(
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/pdbparse/__init__.py", line 154, in __init__
    self.load()
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/pdbparse/__init__.py", line 276, in load
    debug = dbi.parse_stream(self.stream_file)
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/pdbparse/dbi.py", line 160, in parse_stream
    Name = ("Name" / CString(encoding = "utf8")).parse(Names[NameRef[j]:])
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/construct/core.py", line 304, in parse
    return self.parse_stream(io.BytesIO(data), **contextkw)
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/construct/core.py", line 316, in parse_stream
    return self._parsereport(stream, context, "(parsing)")
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/construct/core.py", line 328, in _parsereport
    obj = self._parse(stream, context, path)
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/construct/core.py", line 2468, in _parse
    return self.subcon._parsereport(stream, context, path)
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/construct/core.py", line 328, in _parsereport
    obj = self._parse(stream, context, path)
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/construct/core.py", line 715, in _parse
    return self._decode(obj, context, path)
  File "/home/user/drakrun-venv/lib/python3.10/site-packages/construct/core.py", line 1490, in _decode
    return obj.decode(self.encoding)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xa7 in position 0: invalid start byte

[2024-05-31 08:39:25,133][INFO] Deleted /var/lib/drakrun/profiles/amd64_combase_profile
[2024-05-31 08:39:25,133][INFO] Deleted /var/lib/drakrun/profiles/combase.pdb
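For readers who want to see why the traceback ends where it does: the DBI module-info name table is a run of NUL-terminated strings addressed by byte offset (the `Names[NameRef[j]:]` slice in the traceback), and pdbparse decodes each entry as strict UTF-8, so a single byte from a legacy code page such as 0xa7 aborts the whole parse even though the other entries are fine. The following is an added illustration with a constructed name table, not code from drakvuf-sandbox or pdbparse; the cp1252 fallback is an assumption about how such a name was originally encoded, and the tolerant variant shows what a parser that degrades per entry instead of per file would look like.

```python
from typing import List, Optional

# Constructed sample (not a real PDB): NUL-terminated names, with the second
# entry starting with byte 0xa7 exactly as in the reported UnicodeDecodeError.
SAMPLE_NAMES = b"combase.dll\x00\xa7Sektion\x00msvcrt.obj\x00"
SAMPLE_NAME_REFS = [0, 12, 21]  # byte offsets into SAMPLE_NAMES, like NameRef[j]


def read_cstring(buf: bytes, offset: int) -> bytes:
    """Return the raw bytes of the NUL-terminated string starting at offset."""
    end = buf.find(b"\x00", offset)
    if end < 0:
        raise ValueError("unterminated C string at offset %d" % offset)
    return buf[offset:end]


def parse_names_strict(names: bytes, refs: List[int]) -> List[str]:
    """Strict UTF-8 decode, the behaviour of CString(encoding='utf8')."""
    return [read_cstring(names, r).decode("utf-8") for r in refs]


def parse_names_tolerant(names: bytes, refs: List[int]) -> List[str]:
    """Decode each entry on its own: UTF-8 first, then cp1252 (assumed legacy
    code page), then replacement characters, so one bad name cannot abort
    the whole table."""
    out = []
    for r in refs:
        raw = read_cstring(names, r)
        for enc in ("utf-8", "cp1252"):
            try:
                out.append(raw.decode(enc))
                break
            except UnicodeDecodeError:
                continue
        else:
            out.append(raw.decode("utf-8", errors="replace"))
    return out


def strict_error(names: bytes, refs: List[int]) -> Optional[str]:
    """Return the message strict parsing raises for this table, or None."""
    try:
        parse_names_strict(names, refs)
    except UnicodeDecodeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("strict  :", strict_error(SAMPLE_NAMES, SAMPLE_NAME_REFS))
    print("tolerant:", parse_names_tolerant(SAMPLE_NAMES, SAMPLE_NAME_REFS))
```

In draksetup the strict failure is caught one level up and the DLL is skipped (the `[SKIPPING DLL]` warning above), which is why the run still finishes with `rc: 0`.
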

psrok1 commented 4 months ago

Hi!

This error is non-critical, as the profile of this file is not strictly required by any Drakvuf plugin.

Actually, I need to investigate why we even generate it, because apimon/libusermode hooks are doing classic PEB + export table lookup and don't need any external profile (@BonusPlay, am I correct?). Edit: I guess it is collected mainly for apiscout integration.

andrisr223 commented 3 months ago

Thanks for the clarification. I will close this as it does not affect the overall analysis.