ExaTrack / Kdrill

Python tool to check rootkits in Windows kernel
BSD 3-Clause "New" or "Revised" License
162 stars, 18 forks

No CR3 found #1

Closed Zero2A11 closed 1 month ago

Zero2A11 commented 1 month ago
Kdrill> python.exe .\Kdrill.py ..\memory\win10.raw -vv
  [!] CR3 is invalid, try fo foud a new CR3
  [!] CR3 not found :(
  [!] No CR3 found :-(
  [*] No CR3 set trying to find the a new CR3
  [!] CR3 not found :(
  [!] Shit, CR3 not found :-( Go to crawl CR3 in the wild !
#>>

My win10.raw was exported using winpmem_mini_x64_rc2 from a VMware virtual machine running Windows 10.

Heurs commented 1 month ago

Is it a full raw dump, with no header like a crashdump image? I don't support full raw dumps yet, but it can be implemented (added to the todo list).

Heurs commented 1 month ago

Raw support added (pushed to master). Does it work in your case? (I tested with winpmem_mini_x64_rc2.)
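The "crawl CR3 in the wild" step that a raw image forces, as an added example that is not Kdrill's code: a headerless winpmem raw dump carries no DTB in a crashdump header, so the page-table base has to be found by scanning. The scan below assumes a flat physical-memory image of an x64 Windows guest and looks for the PML4 self-map; the sample image is constructed inline.

```python
import struct

PAGE = 0x1000
PTE_PRESENT = 1 << 0
PTE_ADDR_MASK = 0x000F_FFFF_FFFF_F000   # bits 12..51: physical frame address


def find_cr3_candidates(dump) -> list[int]:
    """Return page-aligned offsets of pages that look like a Windows x64 PML4.

    Heuristic: one present entry points back at the page itself (the self-map
    Windows uses to reach its page tables), and that entry sits in the kernel
    half of the table (index >= 256). 0x1ED was the fixed index on older
    builds; newer builds randomize it, but still within the kernel half.
    Accepts any bytes-like object, so a memory-mapped file works too.
    """
    hits = []
    for page_off in range(0, len(dump) - PAGE + 1, PAGE):
        entries = struct.unpack("<512Q", dump[page_off:page_off + PAGE])
        for idx in range(256, 512):
            e = entries[idx]
            if e & PTE_PRESENT and (e & PTE_ADDR_MASK) == page_off:
                hits.append(page_off)
                break
    return hits


def build_sample_dump() -> bytes:
    """Constructed 4-page image (not from a real machine): a decoy self-map in
    the user half of page 1, and a fake PML4 at offset 0x2000 whose kernel-half
    entry 0x1ED points back at 0x2000. Only the latter should be reported."""
    pages = [bytearray(PAGE) for _ in range(4)]
    flags = 0x63                                                  # P|RW|A|D
    struct.pack_into("<Q", pages[1], 5 * 8, 0x1000 | flags)       # decoy, idx 5
    struct.pack_into("<Q", pages[2], 0 * 8, 0x3000 | flags | 4)   # user entry
    struct.pack_into("<Q", pages[2], 0x1ED * 8, 0x2000 | flags)   # self-map
    return b"".join(pages)


if __name__ == "__main__":
    # Real image: open it and pass an mmap.mmap(fd, 0, access=ACCESS_READ)
    # instead of reading gigabytes into memory.
    for off in find_cr3_candidates(build_sample_dump()):
        print(f"candidate CR3: {off:#x}")
```

Candidates still need validation before use, e.g. by walking the table to a known kernel virtual address such as the one the loaded-module list lives at.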