Velocidex / WinPmem

The multi-platform memory acquisition tool.
Apache License 2.0
678 stars, 102 forks

WinPmem produces empty RAW Dump #55

Open Cameron-Boyd opened 3 months ago

Cameron-Boyd commented 3 months ago

Hello guys, when using the 64-bit executable from the releases on a device, it loads and unloads the driver, then straight away creates a RAW dump with a size of 0 bytes and exits. The cmd.exe is running elevated. Is there a good reason for this, or is this a bug?

This is the STDOUT:

C:\Users\TestAccount\Downloads>.\winpmem_mini_x64_rc2.exe dumper.raw
WinPmem64
Extracting driver to C:\Users\WDAGUtilityAccount\AppData\Local\Temp\pme65F.tmp
Driver Unloaded.
Deleting C:\Users\WDAGUtilityAccount\AppData\Local\Temp\pme65F.tmp
Driver Unloaded.

C:\Users\TestAccount\Downloads>
scudette commented 3 months ago

Can you please try the binary built in https://github.com/Velocidex/WinPmem/issues/53? I found it works a bit better than the release.

wallrik commented 2 months ago

It's extracting under WDAGUtilityAccount (Windows Defender Application Guard). Could it be blocked, perhaps?

vivianezw commented 2 months ago

@wallrik Hey, a damn good observation, I didn't notice until you mentioned it. Odd.

Hm. The print verbosity of the usermode app could really be better and ought to be worked over.
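The thread shows two things the tool itself does not surface: that it was running under WDAGUtilityAccount (the Windows Sandbox / Application Guard container account), and that it exited quietly after writing a 0-byte file. Below is an added wrapper script, not WinPmem project code, that does those checks around a winpmem_mini run. The binary name and output path are assumptions taken from the issue's command line; the comparison against physical RAM is only a plausibility heuristic, since a raw dump's size depends on the physical address layout. It must be run from an elevated PowerShell.

```powershell
# Added example (not part of the WinPmem project): pre-flight and post-run checks
# around a winpmem_mini acquisition. Binary and output paths are placeholders.
param(
    [string]$WinPmem = ".\winpmem_mini_x64_rc2.exe",   # assumed: release binary in the current directory
    [string]$Output  = (Join-Path $PWD "dumper.raw")   # assumed: output path
)

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-IsWdagAccount {
    # WDAGUtilityAccount is the built-in account that Windows Sandbox and
    # Application Guard containers run as; the %TEMP% path in the issue points there.
    return ($env:USERNAME -eq 'WDAGUtilityAccount') -or ($env:TEMP -like '*\WDAGUtilityAccount\*')
}

function Get-PhysicalMemoryBytes {
    return [uint64](Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
}

if (-not (Test-IsElevated)) {
    throw "Start this from an elevated PowerShell; the driver cannot be loaded otherwise."
}
if (Test-IsWdagAccount) {
    Write-Warning "Running as WDAGUtilityAccount (Windows Sandbox / Application Guard). Driver loading is likely to be blocked here; acquire on the host instead."
}
if (-not (Test-Path $WinPmem)) { throw "WinPmem binary not found: $WinPmem" }

$started = Get-Date
& $WinPmem $Output
$exitCode = $LASTEXITCODE
Write-Host "winpmem exit code: $exitCode"

# The run in the issue ended with a 0-byte file and no error, so judge the artifact, not the exit code.
if (-not (Test-Path $Output)) { throw "No output file was created at $Output" }
$size     = (Get-Item $Output).Length
$expected = Get-PhysicalMemoryBytes
Write-Host ("dump size: {0:N0} bytes; physical RAM: {1:N0} bytes" -f $size, $expected)

if ($size -eq 0) {
    Write-Warning "Empty dump. Driver load and signature failures since $started are logged by Windows, not by winpmem:"
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; StartTime = $started } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-List
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; StartTime = $started } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-List
    exit 1
}
elseif ($size -lt ($expected / 2)) {
    # Heuristic only: reserved and device ranges change the raw size, but half of RAM is suspicious.
    Write-Warning "Dump is much smaller than physical RAM; acquisition may have been cut short."
    exit 2
}
else {
    Write-Host "Dump size is plausible. Record a hash for chain of custody:"
    Get-FileHash -Algorithm SHA256 -Path $Output
}
```

Run it as `.\Invoke-WinPmemCheck.ps1` (any file name works) from an elevated prompt on the host, not inside a sandbox or Application Guard container; if the dump comes back empty, the two event-log queries are where a blocked or rejected driver load will show up.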