timhir
commented
4 years ago The server not requesting the driver to be unloaded is an oversight on my part (the Winpmem plugin on the client already implements an uninstall method that unloads the driver). We will fix this.
About the reconstruction of minidumps: my experience is that if you remove the Rekall cache (~/.rekall_cache) you have a better chance of getting a working minidump. Please try it out and let us know whether that helps :). We might disable the whole Rekall cache for the next release.
If you have a system for which Physmem2profit never generates a working minidump and you’d like us to troubleshoot the minidump generation, the following items are greatly appreciated: full dump of the physical memory, a minidump generated with procdump or similar, and the problematic minidump generated by Physmem2profit.
laxa
Hello and thanks for the great tool. I could use it successfully. But, in the current state, there is no option to unload the driver after the dump is done, I think it would be a great feature to unsure a target can be quickly cleaned.
On a side note, the reconstruction of a minidump by Rekall seems rather unstable as many dumps performed on various versions of Windows 10 were not parsable by mimikatz or even pypykatz. But, doing multiple dumps on the same target can yield success from the tests have performed.