cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

memory.dmp not created #2643

Open pharZyde opened 5 years ago

pharZyde commented 5 years ago

Hello,

My issue is:

Cuckoo's log files tell me that a memory dump has successfully been generated, but it cannot access it because it cannot be found. Manually looking for it in the directory confirms that.

My Cuckoo version and operating system are:

Cuckoo: 2.0.6
Host: Ubuntu 18.04.1 LTS
Guest: Win7 Ultimate, Service Pack 1, 32-bit

This can be reproduced by:

Those are my config files:

cuckoo.conf

memory_dump = yes

memory.conf

guest_profile = Win7SP1x86
delete_memdump = no

processing.conf

[memory]
enabled = yes
The log, error files, etc. can be found at:

This is the output of the cuckoo.log:

INFO: Successfully generated memory dump for virtual machine with label Win7 to path /home/test/.cuckoo/storage/analyses/1/memory.dmp
[...]
ERROR: VM memory dump not found: to create VM memory dumps you have to enable memory_dump in cuckoo.conf!

Any kind of help is appreciated. It is my first time posting here, but desperate times call for desperate measures. If you need any more information from me, please let me know.

Edit: Only the memory dump of the full machine is not being generated. If malware is injected into a new process, then a memory dump of that process is generated, as shown in the report.json:

INFO: injected into process with pid 3844 and name 'iexplorer.exe'
INFO: memory dump of process with pid 3844 completed

and I can also find the 3844-1.dmp file in the directory.
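A small diagnostic, added here and not part of Cuckoo or the original post, that cross-checks each "Successfully generated memory dump ... to path" line in cuckoo.log against what is actually on disk, so a missing or zero-byte memory.dmp is reported next to the log's claim of success. The log text and the scratch directory it checks are constructed for the example.

```python
"""Cross-check Cuckoo's "Successfully generated memory dump" log lines against
the files actually on disk. Added example, not Cuckoo project code; the log
text and scratch directory below are constructed, not a real deployment."""
import os
import re
import tempfile

# The INFO line Cuckoo logs when it believes the VM memory dump was written.
DUMP_RE = re.compile(
    r"generated memory dump for virtual machine with label (\S+) to path (\S+)"
)

def verify_dumps(log_text, path_map=None):
    """Return {logged_path: 'ok' | 'empty' | 'missing'} for each claimed dump.

    'ok' means the file exists and is non-empty. path_map redirects logged
    paths to scratch locations so the check can run outside a Cuckoo host.
    """
    results = {}
    for match in DUMP_RE.finditer(log_text):
        logged = match.group(2)
        real = (path_map or {}).get(logged, logged)
        if not os.path.exists(real):
            results[logged] = "missing"
        elif os.path.getsize(real) == 0:
            results[logged] = "empty"
        else:
            results[logged] = "ok"
    return results

# Constructed sample log: two claimed dumps, modelled on the lines in this issue.
SAMPLE_LOG = """\
INFO: Successfully generated memory dump for virtual machine with label Win7 to path /home/test/.cuckoo/storage/analyses/1/memory.dmp
INFO: Successfully generated memory dump for virtual machine with label Win7 to path /home/test/.cuckoo/storage/analyses/2/memory.dmp
ERROR: VM memory dump not found: to create VM memory dumps you have to enable memory_dump in cuckoo.conf!
"""

def demo():
    """Run the check with only analysis 2's dump actually present (constructed)."""
    with tempfile.TemporaryDirectory() as tmp:
        present = os.path.join(tmp, "memory.dmp")
        with open(present, "wb") as fh:
            fh.write(b"\x00" * 4096)  # stand-in bytes for a real dump
        path_map = {"/home/test/.cuckoo/storage/analyses/2/memory.dmp": present}
        return verify_dumps(SAMPLE_LOG, path_map)

if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:8} {path}")
```

On a real host, pass the contents of cuckoo.log and omit path_map so the logged paths are checked directly.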

pharZyde commented 5 years ago

Does anyone have any ideas on how to solve this? I think I configured all config files correctly, but although the cuckoo log tells me that it successfully created the memory.dmp, it is nowhere to be found.

pharZyde commented 5 years ago

Just tested it with a WinXP machine as guest, but the same problem occurs.

pharZyde commented 5 years ago

Tested it with Win7 Professional x32 as guest, same problem. Probably an issue on the host... Does anyone have any idea what to do?

pharZyde commented 5 years ago

The problem is that I am using a nested VM, which is not directly supported by Cuckoo.

pharZyde commented 5 years ago

I changed my setup now: Cuckoo is running on a physical machine (so no nested VM anymore) and I am using Win7 Ultimate x64 instead of x86. Apart from that, the whole settings, versions and configurations are exactly the same. But I still get the same error when trying to get a full memory dump... Can anybody help, please? It is really important for me that memory dumps are working, since that is part of my project scope. Thanks

ameisehaufen commented 5 years ago

Same issue in Ubuntu 18.04 with Virtualbox 6.0.6/8, Volatility 2.6 and Win7SP1x64. Tried with a custom Vbox and with a normal one, same problem.

ameisehaufen commented 5 years ago

I found a solution in It is related to the virtualbox.py script. If running VBoxManage debugvm win7vm dumpvmcore --filename=memory.dmp manually works, then that can be your problem.