Closed psrok1 closed 2 months ago
Actually, even the backported version has problems with drakpdb. Debug log from startup for Win10:
1721918603.367763 Windows kernel base address is 0xfffff80049800000
1721918603.367784 Failed to find address for symbol KiInitialPCR
1721918603.367977 Failed to find offset for _EPROCESS:Wow64Process
1721918603.367992 Failed to find offset for VadRoot:BalancedRoot
1721918603.368038 Failed to find offset for _MMVAD:LeftChild
1721918603.368096 Failed to find offset for _MMVAD:RightChild
1721918603.368387 Failed to find offset for _KPCR:PrcbData
1721918603.368442 Failed to find offsets for array of structure names and subsymbols.
1721918603.368449 Failed to find offsets for of bitfield: _MMVAD_FLAGS:Protection.
1721918603.368467 Failed to find offsets for of bitfield: _MMVAD_FLAGS:MemCommit.
1721918603.368472 Failed to find offsets for of bitfield: _MMVAD_FLAGS1:MemCommit.
1721918603.368476 Failed to find offsets for of bitfield: _MMVAD_FLAGS:VadType.
1721918603.368479 Failed to find offsets for of bitfield: (null):(null).
1721918603.368483 Failed to find offsets for of bitfield: _MMVAD_FLAGS:CommitCharge.
1721918603.368497 Failed to find offsets for of bitfield: _MMVAD_FLAGS1:CommitCharge.
There are a few major problems with the current drakpdb-based implementation:

The Drakvuf and libvmi documentation supports the Volatility3 IST format and recommends using the volatility3.framework.symbols.pdbconv internal module for parsing a PDB into a profile (https://github.com/volatilityfoundation/volatility3/blob/develop/volatility3/framework/symbols/windows/pdbconv.py). The problem is that volatility3 is focused on parsing kernel structures and it doesn't work well for user-mode DLLs. Here is an example of the exception that is thrown when we try to parse ole32.pdb from Windows 10:

It would be OK if volatility3 ignored unimplemented leaf types (like drakpdb does). Or we could make a PR to volatility3 that implements the missing leaf types. But the problem is still the same: we can't rely on vol3 support for DLLs and we don't have any stable release that magically resolves our issues with parsing DLLs.
That's why we need to think about an alternative way to produce a good enough profile in vol3 IST format, without implementing yet another PDB parser :sweat_smile:
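An added example (not psrok1's code and not part of drakpdb or Drakvuf) of the check a practitioner would want before handing a generated vol3 IST profile to DRAKVUF: resolve the same kinds of lookups the debug log above reports as failing (global symbol address, struct member offset, bitfield position) against the JSON and list every one the profile lacks. The embedded profile is constructed and deliberately incomplete; its sizes, offsets and addresses are made up for the demo and are not from any real Windows build.

```python
import json

# Constructed, intentionally incomplete profile in the Volatility3 ISF/IST layout
# (metadata / base_types / user_types / enums / symbols). All numbers are made up.
SAMPLE_IST = json.loads("""
{
  "metadata": {"format": "6.2.0", "producer": {"name": "example"}},
  "base_types": {"unsigned long": {"kind": "int", "size": 4, "signed": false, "endian": "little"}},
  "user_types": {
    "_EPROCESS": {"kind": "struct", "size": 2176, "fields": {
      "UniqueProcessId": {"offset": 1096, "type": {"kind": "base", "name": "unsigned long"}}
    }},
    "_MMVAD_FLAGS": {"kind": "struct", "size": 4, "fields": {
      "Protection": {"offset": 0, "type": {"kind": "bitfield", "bit_position": 3, "bit_length": 5,
                                            "type": {"kind": "base", "name": "unsigned long"}}}
    }}
  },
  "enums": {},
  "symbols": {"PsActiveProcessHead": {"address": 11534336}}
}
""")


def symbol_address(ist, name):
    """Image-relative address of a global symbol, or None if the profile lacks it."""
    entry = ist.get("symbols", {}).get(name)
    return entry.get("address") if entry else None


def member_offset(ist, struct, member):
    """Byte offset of struct.member, or None if the struct or the field is missing."""
    field = ist.get("user_types", {}).get(struct, {}).get("fields", {}).get(member)
    return field.get("offset") if field else None


def bitfield_position(ist, struct, member):
    """(bit_position, bit_length) of a bitfield member, or None if absent or not a bitfield."""
    field = ist.get("user_types", {}).get(struct, {}).get("fields", {}).get(member)
    if not field or field.get("type", {}).get("kind") != "bitfield":
        return None
    return field["type"]["bit_position"], field["type"]["bit_length"]


def missing_items(ist, symbols, members, bitfields):
    """Report, drakpdb-style, every required item the profile cannot resolve."""
    missing = [f"symbol {s}" for s in symbols if symbol_address(ist, s) is None]
    missing += [f"offset {s}:{m}" for s, m in members if member_offset(ist, s, m) is None]
    missing += [f"bitfield {s}:{m}" for s, m in bitfields if bitfield_position(ist, s, m) is None]
    return missing
```

Running `missing_items` with the names from the log above (KiInitialPCR, _EPROCESS:Wow64Process, _MMVAD_FLAGS:MemCommit, ...) against a freshly generated profile shows exactly which lookups DRAKVUF will fail on before the sandbox is started.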