cisagov / CHIRP

A DFIR tool written in Python.
Creative Commons Zero v1.0 Universal

CHIRP crashing on Windows Server 2008 R2 (APPCRASH, KERNELBASE.dll) #4

Closed DASCert closed 3 years ago

DASCert commented 3 years ago

๐Ÿ› Summary

Program crashes with exception code c0000005

To reproduce

Steps to reproduce the behavior:

  1. Download Chirp.zip from GitHub
  2. Extract all files to a folder
  3. Run gci -recurse | unblock-file on the extracted folder
  4. Run .\chirp.exe

Expected behavior

Expected program to run. Instead got "chirp.exe has stopped working" error.

Any helpful log output or screenshots

Problem signature:
  Problem Event Name: APPCRASH
  Application Name: chirp.exe
  Application Version: 0.0.0.0
  Application Timestamp: 605393f8
  Fault Module Name: KERNELBASE.dll
  Fault Module Version: 6.1.7601.24545
  Fault Module Timestamp: 5e0eb6bd
  Exception Code: c0000005
  Exception Offset: 0000000000001b44
  OS Version: 6.1.7601.2.1.0.305.9
  Locale ID: 3081
  Additional Information 1: e040
  Additional Information 2: e040c29db662d05b38ba55c14f951903
  Additional Information 3: 97c4
  Additional Information 4: 97c44f27c029744371d2d6b1e5a32dd4


DeemOnSecurity commented 3 years ago

Is this being run on a VM with limited memory? That exception code is typically due to a memory overrun. It's possible we are using too much memory during processing since we don't do any smart buffering.

DASCert commented 3 years ago

It is being run on a physical server, Server 2008 R2, with 32 Gb of RAM.

DeemOnSecurity commented 3 years ago

Ok, we will be looking into this. We plan on merging branch v1.0.1 to main in a couple of minutes, when we do, we will fire off the action to re-compile the program.

If you don't mind attempting to run it again with the newly compiled version to close a couple potential possibilities it would be greatly appreciated.

DASCert commented 3 years ago

Happy to download and run again. Have run the existing version on a virtual 2012 server and had a different problem. Will open another issue.

DeemOnSecurity commented 3 years ago

The release has been created. You can get some more detail by running with -l debug.

DASCert commented 3 years ago

Same result. Ran with "-l debug" but nothing created in executable's folder. Anywhere else to look? Found the WER file, if that helps.

Problem signature:
  Problem Event Name: APPCRASH
  Application Name: chirp.exe
  Application Version: 0.0.0.0
  Application Timestamp: 60541808
  Fault Module Name: KERNELBASE.dll
  Fault Module Version: 6.1.7601.24545
  Fault Module Timestamp: 5e0eb6bd
  Exception Code: c0000005
  Exception Offset: 0000000000001b44
  OS Version: 6.1.7601.2.1.0.305.9
  Locale ID: 3081
  Additional Information 1: e040
  Additional Information 2: e040c29db662d05b38ba55c14f951903
  Additional Information 3: 97c4
  Additional Information 4: 97c44f27c029744371d2d6b1e5a32dd4

AppCrash_chirp.exe_d0c3a61b86c945df1cc2d3f73943a5c4a7cafc79_4d4a8db7.zip
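The WER problem signatures in this thread are pasted as one run-together line, which makes the fields easy to misread. The following is an added example, not CHIRP code, that splits such a signature back into its fields and does the first triage a responder would do: name the NT exception code and map the OS version to a Windows release. The sample text is the signature from the first report above; the OS-name table and the "frozen CPython 3.9 is not supported on NT 6.1 (Windows 7 / Server 2008 R2)" flag are the example's own additions, reflecting the direction the thread later takes.

```python
"""Parse and triage a flattened Windows Error Reporting (WER) APPCRASH signature.

Added example for this issue thread; not part of CHIRP.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the signature from the first report in this thread,
# exactly as the page shows it, flattened onto a single line.
SAMPLE_SIGNATURE = (
    "Problem signature: Problem Event Name: APPCRASH Application Name: chirp.exe "
    "Application Version: 0.0.0.0 Application Timestamp: 605393f8 "
    "Fault Module Name: KERNELBASE.dll Fault Module Version: 6.1.7601.24545 "
    "Fault Module Timestamp: 5e0eb6bd Exception Code: c0000005 "
    "Exception Offset: 0000000000001b44 OS Version: 6.1.7601.2.1.0.305.9 "
    "Locale ID: 3081 Additional Information 1: e040 "
    "Additional Information 2: e040c29db662d05b38ba55c14f951903 "
    "Additional Information 3: 97c4 "
    "Additional Information 4: 97c44f27c029744371d2d6b1e5a32dd4"
)

# Field labels in the order WER emits them for an APPCRASH signature.
WER_FIELDS = [
    "Problem Event Name", "Application Name", "Application Version",
    "Application Timestamp", "Fault Module Name", "Fault Module Version",
    "Fault Module Timestamp", "Exception Code", "Exception Offset",
    "OS Version", "Locale ID", "Additional Information 1",
    "Additional Information 2", "Additional Information 3",
    "Additional Information 4",
]

# NT status codes a responder meets most often in APPCRASH reports.
EXCEPTION_NAMES = {
    "c0000005": "STATUS_ACCESS_VIOLATION",
    "c000001d": "STATUS_ILLEGAL_INSTRUCTION",
    "c00000fd": "STATUS_STACK_OVERFLOW",
    "c0000409": "STATUS_STACK_BUFFER_OVERRUN",
}

# Major.minor NT version -> marketing name (assumption of this example).
OS_NAMES = {
    (6, 1): "Windows 7 / Windows Server 2008 R2",
    (6, 2): "Windows 8 / Windows Server 2012",
    (6, 3): "Windows 8.1 / Windows Server 2012 R2",
    (10, 0): "Windows 10 / Windows Server 2016 or later",
}


def parse_signature(text: str) -> Dict[str, str]:
    """Split a WER signature (multi-line or flattened) into label -> value."""
    label_re = "|".join(re.escape(label) for label in WER_FIELDS)
    # Splitting on a capturing group keeps the labels in the result list:
    # [prefix, label1, value1, label2, value2, ...]
    parts = re.split(rf"({label_re}):\s*", text)
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}


def nt_version(os_version: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from a WER 'OS Version' string, or None."""
    try:
        major, minor = os_version.split(".")[:2]
        return int(major), int(minor)
    except ValueError:
        return None


def triage(fields: Dict[str, str]) -> Dict[str, object]:
    """First-pass classification of a parsed signature."""
    code = fields.get("Exception Code", "").lower()
    nt = nt_version(fields.get("OS Version", ""))
    return {
        "exception": EXCEPTION_NAMES.get(code, f"unknown ({code})"),
        "fault_module": fields.get("Fault Module Name", "?"),
        "os_name": OS_NAMES.get(nt, "unknown") if nt else "unknown",
        # CPython 3.9 dropped Windows 7 / Server 2008 R2 (NT 6.1). A frozen
        # 3.9 binary faulting in KERNELBASE.dll on NT < 6.2 matches the case
        # this thread converges on, so surface it for the reporter.
        "python39_unsupported_os": nt is not None and nt < (6, 2),
    }


if __name__ == "__main__":
    parsed = parse_signature(SAMPLE_SIGNATURE)
    for label, value in parsed.items():
        print(f"{label:>24}: {value}")
    print(triage(parsed))
```

Running the module prints the fifteen fields one per line and then the triage dict; for the signature above it reports STATUS_ACCESS_VIOLATION in KERNELBASE.dll on Windows 7 / Server 2008 R2 with the Python 3.9 flag set. The parser is label-driven rather than whitespace-driven, so it handles both the flattened paste and the original multi-line Report.wer layout.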

DeemOnSecurity commented 3 years ago

> Same result. Ran with "-l debug" but nothing created in executable's folder. Anywhere else to look? Found the WER file, if that helps.
>
> Problem signature:
>   Problem Event Name: APPCRASH
>   Application Name: chirp.exe
>   Application Version: 0.0.0.0
>   Application Timestamp: 60541808
>   Fault Module Name: KERNELBASE.dll
>   Fault Module Version: 6.1.7601.24545
>   Fault Module Timestamp: 5e0eb6bd
>   Exception Code: c0000005
>   Exception Offset: 0000000000001b44
>   OS Version: 6.1.7601.2.1.0.305.9
>   Locale ID: 3081
>   Additional Information 1: e040
>   Additional Information 2: e040c29db662d05b38ba55c14f951903
>   Additional Information 3: 97c4
>   Additional Information 4: 97c44f27c029744371d2d6b1e5a32dd4
>
> AppCrash_chirp.exe_d0c3a61b86c945df1cc2d3f73943a5c4a7cafc79_4d4a8db7.zip

This was very helpful. It appears this is potentially an issue with the KERNELBASE.dll located at C:\Windows\system32\KERNELBASE.dll. My research all points to needing to run the Windows System File Checker utility to determine if there is an issue with this dll.

Refs:

  1. https://answers.microsoft.com/en-us/windows/forum/windows_7-windows_programs/appcrash-problem-with-kernelbasedll/5c511149-5f5b-e011-8dfc-68b599b31bf5
  2. https://answers.microsoft.com/en-us/windows/forum/windows_7-performance/appcrash-kernelbasedll/d4b9431e-1749-4302-91a4-a602f9ab2cbc
  3. https://social.technet.microsoft.com/Forums/en-US/c06fd84b-da44-445c-aa7c-272dc8f197fe/faulting-module-name-kernelbasedll?forum=winservergen

DASCert commented 3 years ago

SFC returns a clean result. Running the program continues to abend.

[image attachment]

DeemOnSecurity commented 3 years ago

Ok, I will continue to look into this but I apologize as I don't believe we will have a solution any time soon. The actual C code portion of our code is auto generated by Nuitka then compiled with mingw64 gcc, so I will have to troubleshoot what is happening with those.

DeemOnSecurity commented 3 years ago

A second user has reported an issue running CHIRP on Windows Server 2008 R2 with the same error. Possible cross compatibility issue?

DASCert commented 3 years ago

FYI ...

Recognising that I have never even looked at Python before today ...

I set up Python 3.8.8 on the 2008 R2 Server and after [long story goes here], ran chirp.py from CHIRP-1.0.2b interactively through the interpreter, to successful (if slow) completion.

Set up nuitka and mingw64 so that I could compile chirp.py

Compiled chirp

It ran to completion, too.

DeemOnSecurity commented 3 years ago

> FYI ...
>
> Recognising that I have never even looked at Python before today ...
>
> I set up Python 3.8.8 on the 2008 R2 Server and after [long story goes here], ran chirp.py from CHIRP-1.0.2b interactively through the interpreter, to successful (if slow) completion.
>
> Set up nuitka and mingw64 so that I could compile chirp.py
>
> Compiled chirp
>
> It ran to completion, too.

I just saw this comment, unsure of why I wasn't notified by email. So you reckon it's an issue of the Python version compatibility with Windows 2008? I saw in my research that 3.9 (which we're compiling with) isn't compatible with Windows 7... which could mean issues with 2008.

DASCert commented 3 years ago

Assumed you were just busy.

Yes, I was alerted that 3.9 was not compatible with Win7 when I opened the browser on the 2008R2 machine so I installed 3.8.8. Seems Win7/2008R2 are considered equivalent.

The question is whether it is Python or Nuitka or Mingw64 or the options used in the process.

Python 3.8.8 installed; Nuitka 0.6.13, and it looks like Nuitka pulled down MingW64 8.0.0-r5.

My compile command was python -m nuitka --mingw64 --plugin-enable=multiprocessing chirp.py

I can give you the chirp.build folder, if that's any help.

DeemOnSecurity commented 3 years ago

@DASCert This bug should hopefully be fixed with #30, if you have the chance, would appreciate if you would test this on your side.

DeemOnSecurity commented 3 years ago

@DASCert Pinging again to see if you can test the resolution of this bug. Otherwise I will close this issue over the weekend.

DASCert commented 3 years ago

Sorry, Will. Two short weeks with Easter and significantly time poor at the moment.

Downloaded and tested 1.0.4 and 1.0.5 on two different 2008 R2 physical boxes.

Crashed on both. Sorry.

DeemOnSecurity commented 3 years ago

@DASCert Unfortunately this bug has me stumped and I may have to put it on the back-burner as I've tried all of the workarounds that I know of/have been able to find. Sorry I've been unable to resolve this for you.

DeemOnSecurity commented 3 years ago

> FYI ...
>
> Recognising that I have never even looked at Python before today ...
>
> I set up Python 3.8.8 on the 2008 R2 Server and after [long story goes here], ran chirp.py from CHIRP-1.0.2b interactively through the interpreter, to successful (if slow) completion.
>
> Set up nuitka and mingw64 so that I could compile chirp.py
>
> Compiled chirp
>
> It ran to completion, too.

Going to close this ticket with the official mitigation for this sort of crash being the above steps until a fix is found.