Volatility Windows 10 issue - Possible due to lack of static KDBG option

[Joe860]

Thanks for creating an issue! But first: did you read our community guidelines? https://cuckoo.sh/docs/introduction/community.html

My issue is: Volatility crashes everytime when executing volatility plugins . I have no issues when i run vol.py manually after crash.

Example which works perfectly : vol.py --kdbg=0xf8019968a5cc --profile=Win10x64_17763 -f memory.dmp pslist

My Cuckoo version and operating system are: 2.0.7, Ubuntu 18.0.4.2

This can be reproduced by: Don't know which causes crashing. It crashes everytime.

The log, error, files etc can be found at:

2019-08-05 15:29:44,323 [cuckoo.core.plugins] ERROR: Failed to run the processing module "Memory" for task #47: Traceback (most recent call last): File "/usr/local/lib/python2.7/dist-packages/cuckoo/core/plugins.py", line 246, in process data = current.run() File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/memory.py", line 1118, in run return VolatilityManager(self.memory_path, osprofile).run() File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/memory.py", line 1039, in run results[plugin_name] = getattr(self.vol, plugin_name)() File "/usr/local/lib/python2.7/dist-packages/cuckoo/processing/memory.py", line 714, in ldrmodules for vad, address_space in vads: File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/overlays/windows/windows.py", line 576, in get_vads if not vad_filter(vad): File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/overlays/windows/windows.py", line 667, in _mapped_file_filter return vad.VadFlags.PrivateMemory == 0 and vad.ControlArea File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/obj.py", line 751, in __getattr__ return self.m(attr) File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/obj.py", line 733, in m raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr)) AttributeError: Struct _MMVAD_SHORT has no member ControlArea I have tried different profiles and basically everything which affects to volatility behaviour. If you could make it possible to have static KDBG option to volatility there would be no problems. I got one error where operation system was detected ad Windows 8 so there is somekind of issue with kdbg detection logic.

[doomedraven]

that is vol problem then not cuckoo, and win10 in cuckoo not officially supported

[Joe860]

that is vol problem then not cuckoo, and win10 in cuckoo not officially supported

no, same issue could be with windows7 as well or with any other windows os. (if you read my post). Adding static kdbg option with profile -selection would be perfect.

[doomedraven]

I read it, if you add static kdbg that will speedup volatility see prs i prd that many years ago, but if you specify correct profile you dont need it

El mié., 28 ago. 2019 12:59, Joe860 notifications@github.com escribió:

that is vol problem then not cuckoo, and win10 in cuckoo not officially supported

no, same issue could be with windows7 as well or with any other windows os. (if you read my post). Adding static kdbg option with profile -selection would be perfect.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/cuckoosandbox/cuckoo/issues/2829?email_source=notifications&email_token=AAOFH34H4GZLUNCOSPUUVYLQGZLB3A5CNFSM4IKII3LKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD5KXHMQ#issuecomment-525693874, or mute the thread https://github.com/notifications/unsubscribe-auth/AAOFH36XJGTRCFMC3ZUDU4DQGZLB3ANCNFSM4IKII3LA .

[Joe860]

I read it, if you add static kdbg that will speedup volatility see prs i prd that many years ago, but if you specify correct profile you dont need it El mié., 28 ago. 2019 12:59, Joe860 notifications@github.com escribió: …

Nope, there can be multiple kdbg structures within single "profile". See information regarding kdbg:

Command-Reference#kdbgscan

Andrea fortuna : KDBG structures

Again, everything works perfectly with Ubuntu running virtualbox with Windows 10 until kdbg assesment goes wrong. That is the only issue with Windows 10.

[doomedraven]

well then apply my PR and that will be solved, that won't be merged soon as it wosn't merged in years

[Joe860]

well then apply my PR and that will be solved, that won't be merged soon as it wosn't merged in years

Is there a workaround how to insert manually kdbg option to right configuration?

[doomedraven]

yes applying my pull request https://github.com/cuckoosandbox/cuckoo/pull/885, you don't need kdbgscan, but that was done bcz you creating baseline of vm and then it can be readed from there

[Joe860]

yes applying my pull request #885, you don't need kdbgscan, but that was done bcz you creating baseline of vm and then it can be readed from there

Thing is that you can't use kdbgscan and baseline necessary, since it might detect wrong kdbg structure and you can't read it from there. It is well explained in there: Andrea Fortuna

Caption:

` vol.py -f Win2K3SP2x64-6f1bedec.vmem --profile=Win2003SP2x64 kdbgscan Volatility Foundation Volatility Framework 2.4

---

Instantiating KDBG using: Kernel AS Win2003SP2x64 (5.2.3791 64bit) Offset (V) : 0xf80001172cb0 Offset (P) : 0x1172cb0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win2003SP2x64 Version64 : 0xf80001172c70 (Major: 15, Minor: 3790) Service Pack (CmNtCSDVersion) : 0 Build string (NtBuildLab) : T? PsActiveProcessHead : 0xfffff800011947f0 (0 processes) PsLoadedModuleList : 0xfffff80001197ac0 (0 modules) KernelBase : 0xfffff80001000000 (Matches MZ: True) Major (OptionalHeader) : 5 Minor (OptionalHeader) : 2

---

Instantiating KDBG using: Kernel AS Win2003SP2x64 (5.2.3791 64bit) Offset (V) : 0xf80001175cf0 Offset (P) : 0x1175cf0 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win2003SP2x64 Version64 : 0xf80001175cb0 (Major: 15, Minor: 3790) Service Pack (CmNtCSDVersion) : 2 Build string (NtBuildLab) : 3790.srv03_sp2_rtm.070216-1710 PsActiveProcessHead : 0xfffff800011977f0 (37 processes) PsLoadedModuleList : 0xfffff8000119aae0 (116 modules) KernelBase : 0xfffff80001000000 (Matches MZ: True)

` kdbgcan could give you wrong profile , the first one. That is why you have to manually use like in my example i used :

--kdbg=0xf80001175cf0

to make example above to work.

[doomedraven]

well you can fix that kdbg in baseline just editing it, anyway go and edit config and add that to be loaded from conf and you will have it, is pretty simple

[Joe860]

But i can't run --baseline because of the original problem. Or am i missing point here?

[doomedraven]

which is original problem? why just not to modify config , config checked and load in VolatilityAPI as in my pr

[Joe860]

Ok, that was your point. I will test it.

[Joe860]

which is original problem? why just not to modify config , config checked and load in VolatilityAPI as in my pr

I tested your changes (replaced memory.py & edited memory.conf) and i got exactly same errors than before.

[doomedraven]

but you specified the kdbg option in there?

[Joe860]

but you specified the kdbg option in there?

No , so now you could submit it via CLI ?

[doomedraven]

did you generate baseline for vm? cuckoo --help maybe that depricated, what you would need to do is to load kdbg value from config, you have in my pr how to get vm name so you would need to introduce new field in config and add it or see how baseline is parsed and create that structure

[Joe860]

Ok , i'll test more. Baseline generation did not work before .

[Joe860]

did you generate baseline for vm? cuckoo --help maybe that depricated, what you would need to do is to load kdbg value from config, you have in my pr how to get vm name so you would need to introduce new field in config and add it or see how baseline is parsed and create that structure

baseline generation does not work anymore with editet memory.py and memory.conf.. So my original recommendation (static kdbg value) would fix these problems.

[doomedraven]

you can extend your hypervisor conf vbox.conf of kvm.conf of any which do you use adding that, i have that added in mines