Velocidex / WinPmem

The multi-platform memory acquisition tool.
Apache License 2.0

BSOD Errors #42

Closed NathanJepson closed 2 years ago

NathanJepson commented 2 years ago

I'm just making sure that this is a known issue. I've been trying to output a simple .raw dump. I've been getting some BSOD errors upon running the compiled executable--my compilation process I will describe below:

I've been compiling the WinPmem.sys and WinPmem.exe file using Visual Studio on Windows 10 64-bit with slight modifications. I've modified the 'winpmem.vcxproj' file in the 'kernel' folder so that the "Target Version" is Windows10 instead of Windows 7 (screenshot omitted).

The reason I did this is because Visual Studio was giving a "WindowsDriver.common.targets ... Windows 7 is not a supported OS" error.

Then, I modified the Treat wchar_t as Built-in Type in the Visual Studio settings so that there was implicit conversion from unsigned shorts to w_char. (See: https://docs.microsoft.com/en-us/cpp/build/reference/zc-wchar-t-wchar-t-is-native-type?view=msvc-170)

Then, I enabled the Unicode character set in Visual Studio settings so that there was implicit conversion of unsigned shorts and wchar_t to type "TCHAR" (as suggested here: https://social.msdn.microsoft.com/Forums/sqlserver/en-US/ab29659c-e7dd-4c29-9cff-d4629472a195/error-c2664-int-swscanfsconst-wchart-const-wchart-cannot-convert-argument-1-from?forum=vcgeneral).

I then downloaded Spectre-mitigation tools, and specified a digest algorithm. I then compiled a "winpmem.sys" and a "winpmem.exe" file using the "build solution" option on both winpmem.vcxproj files (one in the 'kernel' folder and one in the 'executable' folder).

In terms of running the executable, I've tried running it both with and without the -d flag specified (and with or without the -0 flag). I'm always specifying an output file of type '.raw' instead of an .AFF4 type file.
No matter how I run it, I invariably get an immediate BSOD. Windows gives "SYSTEM_SERVICE_EXCEPTION" error each time I try this, and depending on whether I specify a driver or not, it will either fail on the winpmem.sys file, or a .tmp file. (As specified by the field "what failed").

It's worth noting that the mini-file (winpmem_mini_x64_rc2.exe, which, as you've said, is based on the 1.6 branch) has no problems running on my PC.

Additionally, it's also worth noting that I'm running VSM on my system, though I believe you guys already fixed that problem?: http://blog.rekall-forensic.com/2018/09/virtual-secure-mode-and-memory.html (And also: https://github.com/Velocidex/WinPmem/issues/9)

Let me know if I'm missing something super obvious, or if there is a fix in the works. Also let me know if you need more information and I'd be happy to supply it.

Thank you so much for your help!

vivianezw commented 2 years ago

Sounds rather weird. I can look into this, but not without at least a !analyze -v printout, or better, a dump file.
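The maintainer's request above needs a crash dump or a `!analyze -v` printout, and the reporter was loading a self-built, test-signed driver. The following read-only PowerShell triage script is an added example, not code from the WinPmem project or from either participant: it checks whether test-signing is actually active on the current boot entry, whether Windows is configured to write a dump at all, and where the most recent bugcheck dump landed so it can be opened in WinDbg. The `CrashControl` registry values and the System-log event ID 1001 are standard Windows locations; the function names are the example's own.

```powershell
# Added triage script (not part of WinPmem). Run from an elevated PowerShell prompt.

function Get-TestSigningState {
    # After "bcdedit /set testsigning on" and a reboot, bcdedit prints a
    # "testsigning  Yes" line for the current boot entry.
    $lines = bcdedit /enum "{current}" 2>$null
    foreach ($l in $lines) {
        if ($l -match '^\s*testsigning\s+(\S+)') { return $Matches[1] }
    }
    return 'Not set'
}

function Get-CrashDumpConfig {
    # CrashDumpEnabled selects the dump type; 0 means no dump is written on a BSOD,
    # which would leave nothing for "!analyze -v" to work on.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $cc = Get-ItemProperty -Path $key -ErrorAction Stop
    $modes = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (minidump)'; 7 = 'Automatic' }
    $mode = if ($null -ne $cc.CrashDumpEnabled) { $modes[[int]$cc.CrashDumpEnabled] } else { 'Unknown' }
    [pscustomobject]@{
        Mode        = $mode
        DumpFile    = $cc.DumpFile      # full/kernel dump path, e.g. %SystemRoot%\MEMORY.DMP
        MinidumpDir = $cc.MinidumpDir   # small dump directory, e.g. %SystemRoot%\Minidump
    }
}

function Get-RecentBugChecks([int]$Days = 7) {
    # Event ID 1001 in the System log is "The computer has rebooted from a bugcheck";
    # its message carries the stop code (SYSTEM_SERVICE_EXCEPTION here) and the dump path.
    $filter = @{ LogName = 'System'; Id = 1001; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'bugcheck' } |
        Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

function Get-MinidumpFiles {
    # Newest first, so the dump from the most recent WinPmem crash is at the top.
    $dir = (Get-CrashDumpConfig).MinidumpDir
    if ($dir -and (Test-Path $dir)) {
        Get-ChildItem -Path $dir -Filter '*.dmp' |
            Sort-Object LastWriteTime -Descending |
            Select-Object FullName, Length, LastWriteTime
    }
}

Write-Host "Test-signing on current boot entry: $(Get-TestSigningState)"
Get-CrashDumpConfig   | Format-List
Get-RecentBugChecks   | Format-Table -AutoSize
Get-MinidumpFiles     | Format-Table -AutoSize
```

If `Mode` reports `None`, no dump will exist after the next BSOD; the dump file listed is what to open in WinDbg before running `!analyze -v`.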

NathanJepson commented 2 years ago

It looks like your most recent merged commits appear to have fixed my issues. No BSOD--and I also wasn't having any issues with any test-signed drivers. (For a little bit, I was having issues with the test-signing even though I enabled it on my system (using "bcdedit /set testsigning on", etc.). This happened when I tried to run the x64 executable from the "winpmem_testsigned_15_okt_2020_2.zip" file which you posted in: https://github.com/Velocidex/WinPmem/issues/9).

I'm assuming the "xxx" symbols in the file output signify the areas protected by VSM.

Anyway, it looks like everything is working. Thanks again for all your help!

vivianezw commented 2 years ago

Glad it helped!