SekoiaLab / Fastir_Collector

https://sekoialab.github.io/Fastir_Collector/
GNU General Public License v3.0

Ram dump not working on latest Windows 10 build #26

Open NaykiSec opened 6 years ago

NaykiSec commented 6 years ago

Hello, I get errors when trying to dump the RAM with the following command: .\FastIR_x64.exe --packages dump --dump ram

OS: Windows 10 Pro x64, Version: 1803, Build: 17134.1

The Windows 10 ISO has been downloaded with the Media Creation Tool provided by Microsoft.

The output of the FastIR file generated after launch (reformatted):

2018-05-14 19:17:05,390 - FastIR - INFO - Create Shadow Copy for C:\ {F4162237-1799-43C3-AD6D-89222870E318}
2018-05-14 19:17:05,390 - FastIR - ERROR - (1073, 'CreateService', 'The specified service already exists.')
2018-05-14 19:17:05,421 - FastIR - ERROR - Traceback (most recent call last):
  File "main.py", line 396, in main
  File "dump\dump.py", line 146, in csv_export_ram
error: (2, 'CreateFile', 'The system cannot find the file specified.')
2018-05-14 19:17:05,421 - FastIR - INFO - Delete Shadow Copy {F4162237-1799-43C3-AD6D-89222870E318}
2018-05-14 19:17:05,500 - FastIR - INFO - Check here C:\Users\hdcase\Documents\Fastir_Collector-master\dist\output\2018-05-14_191658 for yours results

A service called pmem already exists in Windows 10. At first I was thinking that this was the problem, so I tried to rename the created service to something else (pmem1), but it didn't solve the problem. I also tried to change the driver and other Python witchcraft, but without success :)

It seems that the CreateFile function in dump.py line 139 is not working (it returns this error: error: (2, 'CreateFile', 'The system cannot find the file specified.')):

    import win32file

    # Open the winpmem device exposed by the pmem driver service
    fd = win32file.CreateFile(
        "\\\\.\\pmem",
        win32file.GENERIC_READ | win32file.GENERIC_WRITE,
        win32file.FILE_SHARE_READ | win32file.FILE_SHARE_WRITE,
        None,
        win32file.OPEN_EXISTING,
        win32file.FILE_ATTRIBUTE_NORMAL,
        None)

I didn't manage to solve this problem alone yet; maybe you have a guess on how to solve it :)

Don't hesitate to ask if you need more information. I will continue to try to solve this problem :)
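
The log above shows two failures in sequence: CreateService fails with Win32 error 1073 (a pmem service already exists, so the driver install path is skipped), and CreateFile then fails with error 2 (the \\.\pmem device is not there to open). The following triage script is an added example, not part of this issue thread or of the FastIR/winpmem projects: it parses FastIR-style log lines for the pywin32 error tuples, maps the Win32 codes to their documented names, and turns the sequence into a verdict a responder can act on. The sample log is constructed from the lines quoted in the issue; the verdict strings and the diagnose() logic are assumptions of this example.

```python
import re
from typing import Dict, List, NamedTuple

# Win32 error codes commonly seen when a memory-acquisition driver fails to
# install or open. Names are the documented Win32 constants.
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    1056: "ERROR_SERVICE_ALREADY_RUNNING",
    1072: "ERROR_SERVICE_MARKED_FOR_DELETE",
    1073: "ERROR_SERVICE_EXISTS",
}

# Constructed sample: the FastIR log lines quoted in the issue, reformatted.
SAMPLE_LOG = """\
2018-05-14 19:17:05,390 - FastIR - INFO - Create Shadow Copy for C:\\ {F4162237-1799-43C3-AD6D-89222870E318}
2018-05-14 19:17:05,390 - FastIR - ERROR - (1073, 'CreateService', 'The specified service already exists.')
2018-05-14 19:17:05,421 - FastIR - ERROR - Traceback (most recent call last):
  File "main.py", line 396, in main
  File "dump\\dump.py", line 146, in csv_export_ram
error: (2, 'CreateFile', 'The system cannot find the file specified.')
2018-05-14 19:17:05,421 - FastIR - INFO - Delete Shadow Copy {F4162237-1799-43C3-AD6D-89222870E318}
"""


class Win32Error(NamedTuple):
    code: int
    func: str
    message: str


# pywin32 raises pywintypes.error(code, funcname, message); FastIR logs it as a tuple.
_ERR_RE = re.compile(r"\((\d+), '([A-Za-z0-9_]+)', '([^']*)'\)")


def win32_name(code: int) -> str:
    """Return the documented constant name for a Win32 error code, if known."""
    return WIN32_ERRORS.get(code, f"UNKNOWN_{code}")


def parse_errors(log_text: str) -> List[Win32Error]:
    """Extract every pywin32 error tuple from the log, in the order logged."""
    errors: List[Win32Error] = []
    for line in log_text.splitlines():
        m = _ERR_RE.search(line)
        if m:
            errors.append(Win32Error(int(m.group(1)), m.group(2), m.group(3)))
    return errors


def diagnose(errors: List[Win32Error]) -> Dict[str, str]:
    """Turn the failure sequence into a verdict plus a short explanation.

    The verdict keys (ok, access_denied, stale_service, device_missing,
    unknown) are this example's own vocabulary, not FastIR output.
    """
    last_by_func = {e.func: e for e in errors}  # last error per Win32 API
    svc = last_by_func.get("CreateService")
    dev = last_by_func.get("CreateFile")

    if not errors:
        return {"verdict": "ok", "detail": "no Win32 errors in log"}
    if dev is not None and dev.code == 5:
        return {"verdict": "access_denied",
                "detail": "CreateFile returned ERROR_ACCESS_DENIED; "
                          "the collector is probably not running elevated"}
    if svc is not None and svc.code == 1073 and dev is not None and dev.code == 2:
        return {"verdict": "stale_service",
                "detail": "a service with the driver's name already exists, so "
                          "the driver was not (re)installed and the device path "
                          "was never created; inspect it with 'sc qc' / 'sc query' "
                          "before retrying"}
    if dev is not None and dev.code == 2:
        return {"verdict": "device_missing",
                "detail": "CreateFile returned ERROR_FILE_NOT_FOUND; the driver "
                          "service is not loaded or exposes a different device name"}
    return {"verdict": "unknown",
            "detail": "; ".join(f"{e.func}: {win32_name(e.code)}" for e in errors)}


if __name__ == "__main__":
    found = parse_errors(SAMPLE_LOG)
    for err in found:
        print(f"{err.func}: {err.code} {win32_name(err.code)} - {err.message}")
    print(diagnose(found))
```

Running the script against the sample log prints both errors with their constant names and returns the stale_service verdict, which matches the issue's own observation that a pmem service already existed on the box before FastIR tried to install the driver.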

sebdraven commented 6 years ago

Hi NaykiSec, two questions: are you administrator when you launch FastIR? Have you tested the RAM dump with winpmem 1.6? We use the driver directly.

Thanks for your feedback

Seb

NaykiSec commented 6 years ago

Hello sebdraven,

Yes, I'm administrator when I launch FastIR. I think I used the latest version of winpmem.

After some research, it seems that the problem doesn't come from FastIR but from winpmem. Here is the issue opened on the Rekall project: https://github.com/google/rekall/issues/254

The problem in that issue is about Win7 x32, but it's exactly the same behavior I face.

As it's not a FastIR issue, maybe I can close this topic?

Regards,