Velocidex / WinPmem

The multi-platform memory acquisition tool.
Apache License 2.0

windows.memory.acquisition not working #48

Closed sgtrivas closed 1 year ago

sgtrivas commented 1 year ago

Running a 0.6.7 server on Ubuntu 20.04 and a 0.6.7 client on Windows 10; both images are part of DetectionLabELK, which I am using for testing and training. I am trying to use Velociraptor's Windows.Memory.Acquisition and I get this error in the logs:

2023-01-20T14:36:07Z   URL for winpmem_mini_x86.exe is at https://localhost:8000/public/051cf7869543a0cee1f7d4b6cc76c73a0382cc097a5798fa6b74c68369140277 and has hash of dc6a82fc6cfda792d3182e07de10adbfba42bf336ef269dbc40732c4b2ae052c
2023-01-20T14:36:07Z   Fetching https://localhost:8000/public/051cf7869543a0cee1f7d4b6cc76c73a0382cc097a5798fa6b74c68369140277

2023-01-20T14:36:10Z |   | http_client: Error Get "https://localhost:8000/public/051cf7869543a0cee1f7d4b6cc76c73a0382cc097a5798fa6b74c68369140277": dial tcp 127.0.0.1:8000: connectex: No connection could be made because the target machine actively refused it. while fetching https://localhost:8000/public/051cf7869543a0cee1f7d4b6cc76c73a0382cc097a5798fa6b74c68369140277

2023-01-20T14:36:10Z |   | downloaded hash of Get "https://localhost:8000/public/051cf7869543a0cee1f7d4b6cc76c73a0382cc097a5798fa6b74c68369140277": dial tcp 127.0.0.1:8000: connectex: No connection could be made because the target machine actively refused it.: Null, expected dc6a82fc6cfda792d3182e07de10adbfba42bf336ef269dbc40732c4b2ae052c

2023-01-20T14:36:10Z |   | Time 17: Windows.Memory.Acquisition: Sending response part 0 0 B (0 rows).

I know there is an override that can leverage the use of a downloaded copy of winpmem that can be uploaded for use, but I get this error: http_client: Downloading https://192.168.38.105:8000/public/051cf7869543a0cee1f7d4b6cc76c73a0382cc097a5798fa6b74c68369140277 into C:\Program Files\Velociraptor\Tools\tmp2433700015.exe <- server address

2023-01-20T14:30:38Z |   | downloaded hash of C:\Program Files\Velociraptor\Tools\tmp2433700015.exe: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, expected e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

2023-01-20T14:30:38Z |   | copy: Copying file from C:\Program Files\Velociraptor\Tools\tmp2433700015.exe into C:\Program Files\Velociraptor\Tools\051cf7869543a0cee1f7d4b6cc76c73a0382cc097a5798fa6b74c68369140277.exe

2023-01-20T14:30:38Z |   | tempfile: removing tempfile C:\Program Files\Velociraptor\Tools\tmp2433700015.exe

2023-01-20T14:30:38Z |   | Adding global destructor for C:\Program Files\Velociraptor\Tools\tmp3089897230.raw

2023-01-20T14:30:38Z |   | shell: Running external command [C:\Program Files\Velociraptor\Tools\051cf7869543a0cee1f7d4b6cc76c73a0382cc097a5798fa6b74c68369140277.exe C:\Program Files\Velociraptor\Tools\tmp3089897230.raw]

2023-01-20T14:30:38Z |   | shell: fork/exec C:\Program Files\Velociraptor\Tools\051cf7869543a0cee1f7d4b6cc76c73a0382cc097a5798fa6b74c68369140277.exe: %1 is not a valid Win32 application.

Any help will be appreciated.

scudette commented 1 year ago

This is a misconfiguration on the Velociraptor side - when creating the configuration with the initial wizard it asks for the public DNS name of the frontend. The default is "localhost", which is not accessible from a remote system, so this is why the endpoint cannot download the tool.

You can serve the tool on a public URL (e.g. an S3 bucket) or fix the URL in the server's config file under Client.server_urls. You might need to refresh the tool definition by opening the tool setup screen and redownloading it.
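The second log block in the report also explains why the uploaded override failed even though the hashes matched: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 is the SHA-256 of zero bytes, so the file the client received was empty, which is what produces "%1 is not a valid Win32 application". The check below is an added example, not code from this issue or from Velociraptor: it validates a fetched tool binary the way a defender would before executing it, flagging a hash mismatch, the empty-file hash, and a missing MZ/PE header. All function names are hypothetical and the sample bytes are constructed.

```python
import hashlib
from pathlib import Path

# SHA-256 of zero bytes. A "downloaded hash" equal to this means the fetched
# tool was empty, even if it matches an (equally empty) expected hash.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_tool_blob(data: bytes, expected_sha256: str) -> list:
    """Return the problems found with a fetched tool binary (empty list = OK).

    Checks, in order: the hash matches what the server advertised, the blob
    is not the empty file, and it carries a DOS 'MZ' stub plus a 'PE\\0\\0'
    signature at the e_lfanew offset, i.e. something Windows could execute.
    """
    problems = []
    actual = sha256_of(data)
    if actual != expected_sha256.lower():
        problems.append(f"hash mismatch: got {actual}, expected {expected_sha256}")
    if actual == EMPTY_SHA256:
        problems.append("file is empty (SHA-256 of zero bytes): upload or download produced no content")
        return problems  # nothing further to inspect
    if len(data) < 0x40 or data[:2] != b"MZ":
        problems.append("missing 'MZ' DOS header: not a Win32 executable")
        return problems
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        problems.append("no PE signature at e_lfanew: truncated or not a PE file")
    return problems


def check_tool_file(path, expected_sha256: str) -> list:
    """Same check against a file on disk, e.g. the tmp*.exe the client wrote."""
    return check_tool_blob(Path(path).read_bytes(), expected_sha256)


def build_fake_pe() -> bytes:
    """Constructed sample: the minimum bytes that pass the MZ/PE checks (not a real binary)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)            # 0x40-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")    # e_lfanew points right after it
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    print(check_tool_blob(b"", EMPTY_SHA256))          # the situation in the report
    sample = build_fake_pe()
    print(check_tool_blob(sample, sha256_of(sample)))  # [] for a well-formed blob
```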