search

TimsterMon / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

winpmem_1.4 cannot load the driver on windows 7 #416

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
Hello,
I'm having troubles running winpmem_1.4 on my computer.
When I try a simple "winpmem_1.4.exe test.raw" with administrator rights, I get 
the following error:

Driver Unloaded.
Error: StartService(), Cannot start the driver.
Driver Unloaded.

(I am running Windows 7 (64 bits))

Best regards,
Maxime H.

Original issue reported on code.google.com by mhels...@gmail.com on 28 Apr 2013 at 7:54

GoogleCodeExporter commented 9 years ago

Original comment by mike.auty@gmail.com on 28 Apr 2013 at 11:30

GoogleCodeExporter commented 9 years ago 
from what I heard, 1.4 didn't work on any x64 because of a signed cert issue. 
try 1.4.1 which is available in the downloads. if you still have issues, feel 
free to re-open or write on the vol-users list (or contact the author of 
winpmem directly).

Original comment by michael.hale@gmail.com on 5 May 2013 at 9:23

GoogleCodeExporter commented 9 years ago 
are we sure the winpmem-1.4.1.zip download is actually 1.4.1?  When you 
download it it unzips to a folder named winpmem-1.4, and when you run it the 
version displayed is 1.3.

In any case this is what I see as an admin under Win 7 x64 (with winpmem_write)

c:\test\winpmem-1.4>winpmem_write_1.4.exe -l -w
Driver Unloaded.
Error: StartService(), Cannot start the driver.
Failed to set acquisition mode.

Original comment by robdewhi...@gmail.com on 21 Nov 2013 at 9:05

GoogleCodeExporter commented 9 years ago 
You should ask Mike Cohen directly: scudette@gmail.com

He's the only one who would know the answer.

Original comment by jamie.l...@gmail.com on 21 Nov 2013 at 9:07

GoogleCodeExporter commented 9 years ago 
Are you sure you are running this as administrator?

If you can not start the driver you should look at the event log and there will 
be a message there with more information.

Original comment by scude...@gmail.com on 21 Nov 2013 at 9:19

GoogleCodeExporter commented 9 years ago 
I am absolutely sure I am an admin.
C:\triage\winpmem-1.4>whoami
win-jlq5dm85dc1\tester

C:\triage\winpmem-1.4>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the compu
ter/domain

Members

-------------------------------------------------------------------------------
Administrator
tester
The command completed successfully.

C:\triage\winpmem-1.4>winpmem -l
Driver Unloaded.
Loaded Driver C:\Users\tester\AppData\Local\Temp\pmeA0A7.tmp.
Setting acquitision mode to 1
CR3: 0x0000187000
 4 memory ranges:
Start 0x00001000 - Length 0x0009E000
Start 0x00100000 - Length 0xBFDE0000
Start 0xBFF00000 - Length 0x00100000
Start 0x100000000 - Length 0x40000000

C:\triage\winpmem-1.4>winpmem -u
Driver Unloaded.

C:\triage\winpmem-1.4>winpmem_write_1.4.exe -l
Driver Unloaded.
Error: StartService(), Cannot start the driver.
Failed to set acquisition mode.

C:\triage\winpmem-1.4>

Original comment by robdewhi...@gmail.com on 22 Nov 2013 at 3:37

GoogleCodeExporter commented 9 years ago 
Ah I see the problem - you are trying to load the winpmem_write.exe which is 
not going to work on a normal machine. The winpmem with the write support 
enabled is not signed and will not load on a regular machine (This is a 
security consideration).

You need to enable your machine to load a test signed driver to be able to play 
with the write support. This is quite simple and described in the README file.

Original comment by scude...@gmail.com on 22 Nov 2013 at 4:01

GoogleCodeExporter commented 9 years ago 
Based on this:

"from what I heard, 1.4 didn't work on any x64 because of a signed cert issue. 
try 1.4.1 which is available in the downloads"

I had assumed this had changed in 1.4.1 and it had signed drivers.

Original comment by robdewhi...@gmail.com on 26 Nov 2013 at 7:21

GoogleCodeExporter commented 9 years ago 
1.4.1 has signed drivers for acquisition purposes which should work with no 
problem. (you can see the driver load and retrieve the physical memory map in 
your output above so it works for you.). 

However the drivers with write support are self signed so will not load on a 
normal system - this is good! being able to write to arbitrary memory locations 
from userspace is a huge vulnerability. I released the driver with write 
support because its a good learning tool and you can use it to test several 
interesting rootkit hiding techniques easily. See this workshop presentation 
for example:

http://bit.ly/OSDFC_Memory_Workshop

Original comment by scude...@gmail.com on 26 Nov 2013 at 7:47