CERT-Polska / drakvuf-sandbox

DRAKVUF Sandbox - automated hypervisor-level malware analysis system
https://drakvuf-sandbox.readthedocs.io/

Unexpected exception from create_rekall_profile during postinstall #902

Open andrisr223 opened 3 weeks ago

andrisr223 commented 3 weeks ago

Describe the bug

I am encountering issues during the postinstall step.

[2024-06-14 09:06:13,320][INFO] Already deleted /var/lib/drakrun/profiles/amd64_gdiplus_profile
[2024-06-14 09:06:13,320][ERROR] Unexpected exception from create_rekall_profile!
Traceback (most recent call last):
  File "/home/user/drakvuf/drakvuf-sandbox/drakrun/drakrun/draksetup.py", line 806, in create_missing_profiles
    create_rekall_profile(injector, profile)
  File "/home/user/drakvuf/drakvuf-sandbox/drakrun/drakrun/draksetup.py", line 556, in create_rekall_profile
    raise Exception("Some error occurred in injector")
Exception: Some error occurred in injector

The question is whether the "Unexpected exception from create_rekall_profile" could be caused by the Windows 10 installation, or whether it could be solved somehow differently. A direction where to dig further would be appreciated. In a sense this is similar to #900, but with an older drakvuf version installed. In the mwdb web interface it is possible to submit a sample, and the analysis is marked as done.

Versions

karton-playground 8187166323ecc6e44f66bd9789a7fe4817936bd7 (master branch). Started with docker compose up. Configuration files /etc/drakcore/config.ini and /etc/drakrun/config.ini adjusted to use dockerised redis and minio.
drakvuf b87afcd258cbcdb528ead0722d98d8a8692a7467 (v0.8-backports branch)
drakvuf-sandbox 4b1551b7479f97353165941d802b935628977aec (master branch)

How to reproduce

Steps to reproduce the behavior:

  1. draksetup install /home/user/windows10.iso --unattended-xml /home/user/autounattend.xml --memory 12288 --vcpus 2 --disk-size 32G
  2. draksetup postinstall
  3. From drakrun venv start drakrun: python drakrun/main.py 1

Errors during postinstall step:

...
[2024-06-14 09:06:11,458][INFO] Deleted /var/lib/drakrun/profiles/wow64_kernel32_profile
[2024-06-14 09:06:11,459][INFO] Deleted /var/lib/drakrun/profiles/wkernel32.pdb
[2024-06-14 09:06:11,459][INFO] Fetching rekall profile for Windows/System32/drivers/tcpip.sys
[2024-06-14 09:06:11,598][DEBUG] stderr: DRAKVUF injector v1.0-git+-1 Copyright (C) 2014-2022 Tamas K Lengyel

[2024-06-14 09:06:11,599][DEBUG] {'Plugin': 'inject', 'TimeStamp': '1718355971.572624', 'Method': 'ReadFile', 'Status': 'InitFail'}
[2024-06-14 09:06:11,599][INFO] Already deleted /var/lib/drakrun/profiles/amd64_tcpip_profile
[2024-06-14 09:06:11,599][ERROR] Unexpected exception from create_rekall_profile!
Traceback (most recent call last):
  File "/home/user/drakvuf/drakvuf-sandbox/drakrun/drakrun/draksetup.py", line 806, in create_missing_profiles
    create_rekall_profile(injector, profile)
  File "/home/user/drakvuf/drakvuf-sandbox/drakrun/drakrun/draksetup.py", line 556, in create_rekall_profile
    raise Exception("Some error occurred in injector")
Exception: Some error occurred in injector
[2024-06-14 09:06:11,599][INFO] Fetching rekall profile for Windows/System32/sspicli.dll
[2024-06-14 09:06:11,740][DEBUG] stderr: DRAKVUF injector v1.0-git+-1 Copyright (C) 2014-2022 Tamas K Lengyel

[2024-06-14 09:06:11,740][DEBUG] {'Plugin': 'inject', 'TimeStamp': '1718355971.713004', 'Method': 'ReadFile', 'Status': 'InitFail'}
[2024-06-14 09:06:11,740][INFO] Already deleted /var/lib/drakrun/profiles/amd64_sspicli_profile
[2024-06-14 09:06:11,740][ERROR] Unexpected exception from create_rekall_profile!
Traceback (most recent call last):
  File "/home/user/drakvuf/drakvuf-sandbox/drakrun/drakrun/draksetup.py", line 806, in create_missing_profiles
    create_rekall_profile(injector, profile)
  File "/home/user/drakvuf/drakvuf-sandbox/drakrun/drakrun/draksetup.py", line 556, in create_rekall_profile
    raise Exception("Some error occurred in injector")
Exception: Some error occurred in injector
...
[2024-06-14 09:06:13,320][INFO] Fetching rekall profile for Windows/winsxs/x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80/GdiPlus.dll
[2024-06-14 09:06:13,461][DEBUG] stderr: DRAKVUF injector v1.0-git+-1 Copyright (C) 2014-2022 Tamas K Lengyel

[2024-06-14 09:06:13,461][DEBUG] {'Plugin': 'inject', 'TimeStamp': '1718355973.435341', 'Method': 'ReadFile', 'Status': 'InitFail'}
[2024-06-14 09:06:13,462][INFO] Already deleted /var/lib/drakrun/profiles/x86_gdiplus_profile
[2024-06-14 09:06:13,462][ERROR] Unexpected exception from create_rekall_profile!
Traceback (most recent call last):
  File "/home/user/drakvuf/drakvuf-sandbox/drakrun/drakrun/draksetup.py", line 806, in create_missing_profiles
    create_rekall_profile(injector, profile)
  File "/home/user/drakvuf/drakvuf-sandbox/drakrun/drakrun/draksetup.py", line 556, in create_rekall_profile
    raise Exception("Some error occurred in injector")
Exception: Some error occurred in injector

Logs during sample analysis:

[2024-06-14 10:18:41,904][INFO] Received new task - 3dd66f23-f7cc-4dd0-89af-067257cee4e6
[2024-06-14 10:18:41,920][INFO] Running on: drakvufbox
[2024-06-14 10:18:41,920][INFO] Sample SHA256: 2e368631139e75aa6cce30aef3ccdfe59dc2131a7f5166fa5b0e36c969eb5ada
[2024-06-14 10:18:41,921][INFO] Analysis UID: 3dd66f23-f7cc-4dd0-89af-067257cee4e6
[2024-06-14 10:18:41,921][INFO] Snapshot SHA256: c43e60f8ab3ee40424a911802af5b3adb2867eff4f472aa127c546dc2cd27827
[2024-06-14 10:18:41,965][INFO] Trying to analyze sample (attempt 1/3)
Dnsmasq version 2.90  Copyright (c) 2000-2024 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus no-UBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset no-nftset auth cryptohash DNSSEC loop-detect inotify dumpfile

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.
Formatting '/var/lib/drakrun/volumes/vm-1.img', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=34359738368 backing_file=/var/lib/drakrun/volumes/vm-0.img backing_fmt=qcow2 lazy_refcounts=off refcount_bits=16
Loading new save file /var/lib/drakrun/volumes/snapshot.sav (new xl fmt info 0x3/0x0/2177)
 Savefile contains xl domain config in JSON format
Parsing config from /etc/drakrun/configs/vm-1.cfg
xc: info: Found x86 HVM domain from Xen 4.16
xc: info: Restoring domain
xc: info: Restore successful
xc: info: XenStore: mfn 0xfeffc, dom 0, evt 1
xc: info: Console: mfn 0xfefff, dom 0, evt 2
tcpdump version 4.99.1
libpcap version 1.10.1 (with TPACKET_V3)
OpenSSL 3.0.2 15 Mar 2022
tcpdump: listening on vif43.0-emu, link-type EN10MB (Ethernet), snapshot length 262144 bytes
1718360341.212249 DRAKVUF v1.0-git+-1 Copyright (C) 2014-2022 Tamas K Lengyel
tcpdump: pcap_loop: The interface disappeared
12 packets captured
15 packets received by filter
0 packets dropped by kernel
Critical error in removing int3
Critical error in removing int3
Critical error in removing int3
Critical error in removing int3
...
Critical error in removing int3
VMI_ERROR: Could not find EPROCESS struct for pid = 4.
VMI_ERROR: Could not find EPROCESS struct for pid = 4.
Critical error in removing int3
...
Critical error in removing int3
Critical error in removing int3
[2024-06-14 10:29:03,535][INFO] Uploading artifacts...
[2024-06-14 10:29:03,796][INFO] Task done - 3dd66f23-f7cc-4dd0-89af-067257cee4e6
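The postinstall log above repeats the same three-line pattern for every profile that fails: a "Fetching rekall profile for ..." line, a DEBUG line carrying the injector's status dict (here Method 'ReadFile', Status 'InitFail'), and then the generic "Unexpected exception from create_rekall_profile!" traceback. When dozens of profiles fail it is hard to see from the raw output which guest files failed and whether they all failed the same way. The following triage helper is an added example, not code from drakvuf-sandbox or from the issue author: it reads a draksetup postinstall log, correlates each fetch with the injector status that follows it, and reports the failed targets and a histogram of statuses. It assumes only the log line shapes visible in the issue; the sample log embedded below is a trimmed copy of those lines plus one constructed successful fetch (the 'Success' status value is assumed, not taken from the issue).

```python
from __future__ import annotations

import ast
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a trimmed copy of the postinstall excerpt from the issue,
# followed by one assumed successful fetch (the 'Success' value is constructed).
SAMPLE_LOG = """\
[2024-06-14 09:06:11,459][INFO] Fetching rekall profile for Windows/System32/drivers/tcpip.sys
[2024-06-14 09:06:11,598][DEBUG] stderr: DRAKVUF injector v1.0-git+-1 Copyright (C) 2014-2022 Tamas K Lengyel

[2024-06-14 09:06:11,599][DEBUG] {'Plugin': 'inject', 'TimeStamp': '1718355971.572624', 'Method': 'ReadFile', 'Status': 'InitFail'}
[2024-06-14 09:06:11,599][INFO] Already deleted /var/lib/drakrun/profiles/amd64_tcpip_profile
[2024-06-14 09:06:11,599][ERROR] Unexpected exception from create_rekall_profile!
Traceback (most recent call last):
  File ".../draksetup.py", line 806, in create_missing_profiles
    create_rekall_profile(injector, profile)
  File ".../draksetup.py", line 556, in create_rekall_profile
    raise Exception("Some error occurred in injector")
Exception: Some error occurred in injector
[2024-06-14 09:06:11,599][INFO] Fetching rekall profile for Windows/System32/sspicli.dll
[2024-06-14 09:06:11,740][DEBUG] {'Plugin': 'inject', 'TimeStamp': '1718355971.713004', 'Method': 'ReadFile', 'Status': 'InitFail'}
[2024-06-14 09:06:11,740][ERROR] Unexpected exception from create_rekall_profile!
[2024-06-14 09:06:12,000][INFO] Fetching rekall profile for Windows/System32/ntdll.dll
[2024-06-14 09:06:12,100][DEBUG] {'Plugin': 'inject', 'TimeStamp': '1718355972.000000', 'Method': 'ReadFile', 'Status': 'Success'}
"""

# Matches "[timestamp][LEVEL] message"; traceback and banner lines do not match.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
FETCH_PREFIX = "Fetching rekall profile for "
ERROR_MSG = "Unexpected exception from create_rekall_profile!"


@dataclass
class ProfileFetch:
    target: str                 # guest file the profile was requested for
    method: Optional[str] = None  # injector Method from the DEBUG status dict
    status: Optional[str] = None  # injector Status (e.g. InitFail)
    failed: bool = False        # True once the ERROR line is seen for this fetch


def parse_postinstall_log(text: str) -> list[ProfileFetch]:
    """Group log lines by 'Fetching rekall profile' record and attach the
    injector status and failure marker that follow each one."""
    fetches: list[ProfileFetch] = []
    current: Optional[ProfileFetch] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # traceback lines, blank lines, banner text
        level, msg = m.group("level"), m.group("msg")
        if msg.startswith(FETCH_PREFIX):
            current = ProfileFetch(target=msg[len(FETCH_PREFIX):].strip())
            fetches.append(current)
        elif current is None:
            continue  # status lines before any fetch belong to nothing
        elif level == "DEBUG" and msg.startswith("{"):
            # draksetup logs the injector's parsed output as a Python dict repr.
            try:
                payload = ast.literal_eval(msg)
            except (ValueError, SyntaxError):
                continue
            if isinstance(payload, dict) and payload.get("Plugin") == "inject":
                current.method = payload.get("Method")
                current.status = payload.get("Status")
        elif level == "ERROR" and msg == ERROR_MSG:
            current.failed = True
    return fetches


def failed_fetches(fetches: list[ProfileFetch]) -> list[ProfileFetch]:
    return [f for f in fetches if f.failed]


def status_histogram(fetches: list[ProfileFetch]) -> dict[str, int]:
    """Count injector statuses; a fetch with no status dict counts as 'unknown'."""
    counts: dict[str, int] = {}
    for f in fetches:
        key = f.status or "unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_postinstall_log(SAMPLE_LOG)
    for f in failed_fetches(parsed):
        print(f"FAILED {f.target}: method={f.method} status={f.status}")
    print("status histogram:", status_histogram(parsed))
```

Run it against a saved copy of the draksetup output (for example `python triage.py < postinstall.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`). A histogram in which every fetch reports the same `InitFail` status for `ReadFile`, as in this issue, points at a condition shared by all injections rather than at individual guest files, which narrows where to dig next.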