Closed belveruski closed 1 year ago
It seems that the mounting of your memory dump is not working. You have to check Dokany, MemProcFS and your memory dump.
Please let me know how it works and if you see any failures/errors.
Thanks for your reply, after several tests:
.\MemProcFS.exe -device "C:\Users\user\Desktop\dump.raw" -vv -mount x
→ It's working, I can browse the share with no problems
Logs:
DEVICE OPEN: file
DEVICE: Successfully opened file: 'C:\Users\user\Desktop\dump.raw' as ELF Core Dump.
[INFODB] INIT: SUCCESS: va=0x8282e000
Initialized 32-bit Windows 6.1.7601
[PLUGIN] LOAD: built-in module: '\'
[PLUGIN] LOAD: built-in module: '\'
[PLUGIN] LOAD: built-in module: '\forensic'
[PLUGIN] LOAD: built-in module: '\files\handles'
[PLUGIN] LOAD: built-in module: '\files\vads'
[PLUGIN] LOAD: built-in module: '\files\modules'
[PLUGIN] LOAD: built-in module: '\phys2virt'
[PLUGIN] LOAD: built-in module: '\misc\phys2virt'
[PLUGIN] LOAD: built-in module: '\handles'
[PLUGIN] LOAD: built-in module: '\heaps'
[PLUGIN] LOAD: built-in module: '\modules'
[PLUGIN] LOAD: built-in module: '\memmap'
[PLUGIN] LOAD: built-in module: '\minidump'
[PLUGIN] LOAD: built-in module: '\threads'
[PLUGIN] LOAD: built-in module: '\token'
[PLUGIN] LOAD: built-in module: '\search'
[PLUGIN] LOAD: built-in module: '\misc\search'
[PLUGIN] LOAD: built-in module: '\virt2phys'
[PLUGIN] LOAD: built-in module: '\misc\bitlocker'
[PLUGIN] LOAD: built-in module: '\conf'
[PLUGIN] LOAD: built-in module: '\misc\view'
[PLUGIN] LOAD: built-in module: '\misc\web'
[PLUGIN] LOAD: built-in module: '\sys'
[PLUGIN] LOAD: built-in module: '\sys\drivers'
[PLUGIN] LOAD: built-in module: '\sys\memory'
[PLUGIN] LOAD: built-in module: '\sys\net'
[PLUGIN] LOAD: built-in module: '\sys\objects'
[PLUGIN] LOAD: built-in module: '\sys\pool'
[PLUGIN] LOAD: built-in module: '\sys\proc'
[PLUGIN] LOAD: built-in module: '\sys\services'
[PLUGIN] LOAD: built-in module: '\sys\users'
[PLUGIN] LOAD: built-in module: '\registry'
[PLUGIN] LOAD: built-in module: '\forensic\csv'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\handles'
[PLUGIN] LOAD: built-in module: '\forensic\json'
[PLUGIN] LOAD: built-in module: '\forensic\timeline'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\module'
[PLUGIN] LOAD: built-in module: '\forensic\ntfs'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\proc'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\registry'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\sys'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\thread'
[PLUGIN] LOAD: built-in module: '\sys\certificates'
[PLUGIN] LOAD: built-in module: '\sys\syscall'
[PLUGIN] LOAD: native module: '\vmemd'
VmmPyPlugin: Loaded 'plugins.pym_procstruct'
VmmPyPlugin: Loaded 'plugins.pym_pluginupdater'
VmmPyPluginLight: Register 'reg/net/bth_devices.txt'
VmmPyPluginLight: Register 'reg/net/tcpip_interfaces.txt'
VmmPyPluginLight: Register 'reg/usb/usb_devices.txt'
VmmPyPluginLight: Register 'reg/usb/usb_storage.txt'
VmmPyPluginLight: Register 'by-user/reg/user/wallpaper.txt'
[PLUGIN] LOAD: native module: 'py'
[PLUGIN] PluginManager: Python plugin loaded.
=============== MemProcFS - THE MEMORY PROCESS FILE SYSTEM ===============
.\MemProcFS.exe -device "C:\Users\user\Desktop\dump.raw" -forensic 4 -vv -mount x
→ Not working, during the init process, the mounted share kills itself.
Logs:
Initialized 32-bit Windows 6.1.7601
[PLUGIN] LOAD: built-in module: '\'
[PLUGIN] LOAD: built-in module: '\'
[PLUGIN] LOAD: built-in module: '\forensic'
[PLUGIN] LOAD: built-in module: '\files\handles'
[PLUGIN] LOAD: built-in module: '\files\vads'
[PLUGIN] LOAD: built-in module: '\files\modules'
[PLUGIN] LOAD: built-in module: '\phys2virt'
[PLUGIN] LOAD: built-in module: '\misc\phys2virt'
[PLUGIN] LOAD: built-in module: '\handles'
[PLUGIN] LOAD: built-in module: '\heaps'
[PLUGIN] LOAD: built-in module: '\modules'
[PLUGIN] LOAD: built-in module: '\memmap'
[PLUGIN] LOAD: built-in module: '\minidump'
[PLUGIN] LOAD: built-in module: '\threads'
[PLUGIN] LOAD: built-in module: '\token'
[PLUGIN] LOAD: built-in module: '\search'
[PLUGIN] LOAD: built-in module: '\misc\search'
[PLUGIN] LOAD: built-in module: '\virt2phys'
[PLUGIN] LOAD: built-in module: '\misc\bitlocker'
[PLUGIN] LOAD: built-in module: '\conf'
[PLUGIN] LOAD: built-in module: '\misc\view'
[PLUGIN] LOAD: built-in module: '\misc\web'
[PLUGIN] LOAD: built-in module: '\sys'
[PLUGIN] LOAD: built-in module: '\sys\drivers'
[PLUGIN] LOAD: built-in module: '\sys\memory'
[PLUGIN] LOAD: built-in module: '\sys\net'
[PLUGIN] LOAD: built-in module: '\sys\objects'
[PLUGIN] LOAD: built-in module: '\sys\pool'
[PLUGIN] LOAD: built-in module: '\sys\proc'
[PLUGIN] LOAD: built-in module: '\sys\services'
[PLUGIN] LOAD: built-in module: '\sys\users'
[PLUGIN] LOAD: built-in module: '\registry'
[PLUGIN] LOAD: built-in module: '\vm'
[PLUGIN] LOAD: built-in module: '\forensic\csv'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\handles'
[PLUGIN] LOAD: built-in module: '\forensic\json'
[PLUGIN] LOAD: built-in module: '\forensic\timeline'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\module'
[PLUGIN] LOAD: built-in module: '\forensic\ntfs'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\proc'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\registry'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\sys'
[PLUGIN] LOAD: built-in module: '\forensic\hidden\thread'
[PLUGIN] LOAD: built-in module: '\sys\certificates'
[PLUGIN] LOAD: built-in module: '\sys\syscall'
[PLUGIN] Load DLL: 'm_vmemd.dll'
[PLUGIN] LOAD: native module: '\vmemd'
[PLUGIN] PYTHON_PATH: C:\Python311\
[PYTHON] PythonPath: C:\Python311\;C:\Python311\python311.zip;C:\Python311\DLLs\;C:\Python311\Lib\;C:\Python311\Lib\site-packages\;C:\Users\user\Desktop\MemProcFS-Analyzer\MemProcFS-Analyzer-v0.7\Tools\MemProcFS\;C:\Users\user\Desktop\MemProcFS-Analyzer\MemProcFS-Analyzer-v0.7\Tools\MemProcFS\pylib\
[REGISTRY] BAD HBIN HEADER: Hive=000000008c3b9008 HBin=00056000 Sig=00310046
[REGISTRY] BAD HBIN HEADER: Hive=000000008c3b9008 HBin=00057000 Sig=34004400
[REGISTRY] BAD HBIN HEADER: Hive=000000008c3b9008 HBin=00058000 Sig=42002d00
[REGISTRY] BAD HBIN HEADER: Hive=000000008c3b9008 HBin=00059000 Sig=25007200
[REGISTRY] BAD HBIN HEADER: Hive=000000008c3b9008 HBin=0005a000 Sig=6e006c00
[REGISTRY] BAD HBIN HEADER: Hive=000000008c3b9008 HBin=0005b000 Sig=2e003200
[REGISTRY] BAD HBIN HEADER: Hive=000000008c3b9008 HBin=0005d000 Sig=00000001
[REGISTRY] BAD HBIN HEADER: Hive=000000008c3b9008 HBin=0005e000 Sig=6d006500
[REGISTRY] BAD HBIN HEADER: Hive=000000008c3b9008 HBin=0005f000 Sig=69004d00
[PLUGIN] LOAD: native module: 'py'
[PLUGIN] PluginManager: Python plugin loaded.
[FORENSIC] INIT START
[FORENSIC] INIT 0% time=0s
=============== MemProcFS - THE MEMORY PROCESS FILE SYSTEM ===============
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00461000 Sig=06040800
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=007a9000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00b2e000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00c76000 Sig=06040600
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00cc4000 Sig=06040600
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00d6f000 Sig=06040600
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00e0b000 Sig=06040800
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00e8d000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00eb5000 Sig=06040800
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00f39000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00f7e000 Sig=06040600
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00f8c000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00fc2000 Sig=06040800
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00feb000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=01040000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=01041000 Sig=06040400
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=01099000 Sig=06040400
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=0118f000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=01192000 Sig=06040400
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=011e6000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=0123f000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=01290000 Sig=06040400
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=01297000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=0145f000 Sig=06040800
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=014c0000 Sig=06040600
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=0161e000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=016d5000 Sig=06040800
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=0176d000 Sig=06040600
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=017d4000 Sig=06040400
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=01823000 Sig=06040200
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=018d7000 Sig=06040800
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=01cd8000 Sig=06040600
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000cb000 Sig=00310030
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000cc000 Sig=1000000c
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000cd000 Sig=00200065
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000ce000 Sig=6e616840
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000cf000 Sig=006e0069
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d0000 Sig=76657250
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d1000 Sig=ffffffe0
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d2000 Sig=ffffffe0
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d3000 Sig=00680020
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d4000 Sig=003a0064
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d5000 Sig=006f0053
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d6000 Sig=006e0065
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d7000 Sig=00640065
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d8000 Sig=ffffffd8
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000d9000 Sig=006f0053
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000da000 Sig=646e6942
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00211000 Sig=00690074
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00212000 Sig=00720065
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00213000 Sig=006f006c
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00214000 Sig=00720065
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00215000 Sig=006b0063
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00216000 Sig=0063006e
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00217000 Sig=006e0069
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00218000 Sig=00700050
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00219000 Sig=00500074
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=0021a000 Sig=0046006e
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=0021b000 Sig=00540064
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=0021c000 Sig=00450053
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=0021d000 Sig=00730072
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=0060b000 Sig=00590045
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=0060c000 Sig=0044005f
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=0060d000 Sig=00640064
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=0060e000 Sig=004f004f
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=0060f000 Sig=0051005f
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00610000 Sig=002e005f
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00611000 Sig=0030002d
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00612000 Sig=00340030
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00613000 Sig=00720050
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00614000 Sig=0046006e
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00615000 Sig=00540064
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00616000 Sig=00450053
[REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=00617000 Sig=00730072
[FORENSIC] INIT 10% time=8s
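A small log-triage helper, added here as an example and not part of MemProcFS or MemProcFS-Analyzer. It re-splits -vv output that was pasted with several records on one line, counts the BAD HBIN HEADER warnings per hive, decodes the Sig field as the little-endian bytes it was read from (a genuine bin header starts with the ASCII marker "hbin"), and tracks the [FORENSIC] INIT progress so you can see how far initialization got before the mount vanished. The sample lines are copied from the output above; the tag-based re-splitting is an assumption about how the paste was flattened, not about MemProcFS's own log format.

```python
import re
from collections import Counter

# Constructed sample: a few records copied from the -vv output pasted above,
# including one line on which several records were run together.
SAMPLE_LOG = """\
DEVICE: Successfully opened file: 'C:\\Users\\user\\Desktop\\dump.raw' as ELF Core Dump.
Initialized 32-bit Windows 6.1.7601
[PLUGIN] LOAD: built-in module: '\\registry'
[REGISTRY] BAD HBIN HEADER: Hive=000000008c3b9008 HBin=00056000 Sig=00310046
[REGISTRY] BAD HBIN HEADER: Hive=000000008c3b9008 HBin=00057000 Sig=34004400
[FORENSIC] INIT START
[FORENSIC] INIT 0% time=0s
[REGISTRY] BAD HBIN HEADER: Hive=0000000091b729c8 HBin=00461000 Sig=06040800 [REGISTRY] BAD HBIN HEADER: Hive=00000000a688a008 HBin=000cb000 Sig=00310030 [FORENSIC] INIT 10% time=8s
"""

HBIN_RE = re.compile(
    r"\[REGISTRY\] BAD HBIN HEADER: Hive=([0-9a-f]+) HBin=([0-9a-f]+) Sig=([0-9a-f]+)"
)
FORENSIC_RE = re.compile(r"\[FORENSIC\] INIT (\d+)% time=(\d+)s")
# Assumption about the paste: records were run together, so split in front
# of each bracketed tag. Lookahead keeps the tag with its record.
TAG_SPLIT_RE = re.compile(r"(?=\[(?:REGISTRY|FORENSIC|PLUGIN)\])")

HBIN_MAGIC = "hbin"


def split_records(text):
    """Return one log record per list element, re-splitting pasted lines
    that contain several bracketed records."""
    records = []
    for line in text.splitlines():
        for part in TAG_SPLIT_RE.split(line):
            part = part.strip()
            if part:
                records.append(part)
    return records


def sig_to_ascii(sig_hex):
    """Decode the Sig DWORD as the little-endian bytes it was read from.
    A real bin header decodes to 'hbin'; anything else means the 4 KiB
    page at that hive offset does not hold a bin header."""
    raw = int(sig_hex, 16).to_bytes(4, "little")
    return raw.decode("ascii", errors="replace")


def summarize(text):
    """Count BAD HBIN HEADER warnings per hive, decode the Sig values seen,
    and record forensic init progress (percent, seconds)."""
    bad_per_hive = Counter()
    decoded_sigs = {}
    progress = []
    os_line = None
    for rec in split_records(text):
        m = HBIN_RE.match(rec)
        if m:
            hive, _hbin, sig = m.groups()
            bad_per_hive[hive] += 1
            decoded_sigs[sig] = sig_to_ascii(sig)
            continue
        m = FORENSIC_RE.match(rec)
        if m:
            progress.append((int(m.group(1)), int(m.group(2))))
            continue
        if rec.startswith("Initialized "):
            os_line = rec
    return {
        "os": os_line,
        "bad_hbin_per_hive": dict(bad_per_hive),
        "decoded_sigs": decoded_sigs,
        "forensic_progress": progress,
        "last_progress_pct": progress[-1][0] if progress else None,
    }


if __name__ == "__main__":
    import json

    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Usage: save the full -vv output to a file, read it into `summarize()`, and compare the result of the plain `-mount x` run with the `-forensic 4` run. Note that the registry parser's BAD HBIN HEADER warnings are a separate signal from the lost mount itself: later in this thread the maintainer attributes the mount loss to a null pointer dereference in forensic-mode processing, so the warnings tell you which hives are damaged in the image, not why the drive disappeared.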
@belveruski can you please try the most recent MemProcFS revision 5.2.3 from https://github.com/ufrisk/MemProcFS/releases/tag/v5.2
If the error persists are you able to share this memory dump file so that I may look into the issue and resolve it? If it's not possible I understand that as well. But if the error persists and you're able to share it please zip it, upload it and email me the link at pcileech@frizk.net
Many thanks in advance,
I have the same problem, and I have updated my MemProcFS to revision 5.2.3. If I pass the argument "-forensic #" ('#' meaning 1/2/3/4), the X drive goes missing.
@belveruski and @mikal70 It would be very helpful if you would be able to share these memory dumps with @ufrisk. You can zip the memory dump, upload it, and email @ufrisk the download link. If needed I can also send you an upload link to my private cloud. Thank you!
Your issue seems to be more specific. I am working on MemProcFS-Analyzer v0.8 and e.g. updated the OS Fingerprinting feature. For testing purposes I processed 15-20 different memory dumps (Win7 up to Win11 and also Windows Servers) without any issue.
Thank you so much. I have passed the file and some info to @ufrisk.
This should now be fixed in the latest MemProcFS release (v5.2.4). Can you both please confirm it's working now?
Thank you for your quick response. I will test it as soon as possible and get back to you.
OK. Now it's working perfectly. Thank you!
It's working for me, thank you for your work!
Do you happen to know what you did to fix their issues? I am running into the same problem. However, I can't share the memory, unfortunately. It is using a profile Win10x64_19041 in Volatility if that helps at all.
@tacotuesday23 It was caused by a null pointer dereference in forensics mode processing in memprocfs.exe. It would be hard to find the culprit without having access to the memory dump causing it. Unless you're willing to do a debug build of MemProcFS and run it in Microsoft Visual Studio. Please let me know if this would be possible.
There may also be the possibility that I could put together a debug build for you to run to see if it will trigger the error with some additional diagnostics data. If you'd be willing to try it out.
Also it would be interesting if an older build of MemProcFS would cause this issue as well (I assume you use the one released last week). If that would be possible download the v5.4 release from https://github.com/ufrisk/MemProcFS/releases/tag/v5.4 unzip it and run memprocfs.exe -device c:\path\to\your\memdump -forensic 4 -mount x
I will try the older build when I have a chance next week. I do know that the memprocfs binary I was using worked prior but I wanted to try out the analyzer because I think this is awesome work. However, when I was running just the memprocfs I was running with "forensic 1" and not 4, so I have a few things to test out to see if I get a different result. Regardless, thank you for the help and the work that you have put into this project!
Hi, I have an error with the script during the drive creation.
Content of the log file:
Thanks in advance for help.