google / grr

GRR Rapid Response: remote live forensics for incident response
https://grr-doc.readthedocs.io/
Apache License 2.0

Blank Result in AnalyzeClientMemory #425

Closed hkshin98 closed 7 years ago

hkshin98 commented 8 years ago

I started the 'AnalyzeClientMemory' flow with the 'pslist' plugin.

But there is no result:

```
pslist PPID Thds Hnds Sess Wow64 Start Exit
```

I want to know why there is no result.

grrrrrrrrr commented 8 years ago

Can you run the flow with debug logging enabled? The logs should tell you what went wrong.

hkshin98 commented 8 years ago

Yes.

I ran the flow with debugging enabled.

The execution results in the GRR admin UI are as follows.

1. Windows 7
   a. context
   b. rekall_context_messages
   c. Profiles
2. Windows 10
   a. context
   b. rekall_context_messages
   c. Profiles

I want to know what the problem is.

hkshin98 commented 8 years ago

And I ran the flow with debugging enabled (on the client: grr.exe --config grr.exe.yaml --verbose).

1. Windows 7: grr.log

```
2016-08-28 22:30:25,933:DEBUG:rekall.1:Logging level set to 10
2016-08-28 22:30:25,934:DEBUG:rekall.1:Unable to open .\pmem: (2, 'CreateFile', '\xc1\xf6\xc1\xa4\xb5\xc8 \xc6\xc4\xc0\xcf\xc0\xbb \xc3\xa3\xc0\xbb \xbc\xf6 \xbe\xf8\xbd\xc0\xb4\xcf\xb4\xd9.')
2016-08-28 22:30:25,946:DEBUG:rekall.1:Loading driver from c:\windows\system32\grr\3.1.0.2\components\grr-rekall\0.4\resources\WinPmem\winpmem_x86.sys
2016-08-28 22:30:25,947:DEBUG:rekall.1:Removing service pmem
2016-08-28 22:30:25,947:DEBUG:rekall.1:pmem service does not exist.
2016-08-28 22:30:25,953:DEBUG:rekall.1:Created service pmem
2016-08-28 22:30:25,960:DEBUG:rekall.1:Running plugin (pslist) with args (()) kwargs ({})
2016-08-28 22:30:25,963:DEBUG:rekall.1:Will detect profile using these Detectors: linux_index,nt_index,osx,pe,windows_kernel_file,rsds,ntfs,linux
2016-08-28 22:30:25,963:DEBUG:rekall.1:Opened local file C:\Windows\System32\GRR\3.1.0.2\rekall_profiles\v1.0\Linux\index.gz
2016-08-28 22:30:26,026:INFO:rekall.1:Loaded profile Linux/index from Local Cache Directory:C:\Windows\System32\GRR\3.1.0.2\rekall_profiles (in 0.0639998912811 sec)
2016-08-28 22:30:26,028:DEBUG:rekall.1:Opened local file C:\Windows\System32\GRR\3.1.0.2\rekall_profiles\v1.0\nt\eprocess_index.gz
2016-08-28 22:30:26,065:INFO:rekall.1:Loaded profile nt/eprocess_index from Local Cache Directory:C:\Windows\System32\GRR\3.1.0.2\rekall_profiles (in 0.0369999408722 sec)
2016-08-28 22:30:26,065:DEBUG:rekall.1:Opened local file C:\Windows\System32\GRR\3.1.0.2\rekall_profiles\v1.0\nt\index.gz
2016-08-28 22:30:26,109:INFO:rekall.1:Loaded profile nt/index from Local Cache Directory:C:\Windows\System32\GRR\3.1.0.2\rekall_profiles (in 0.0439999103546 sec)
2016-08-28 22:30:26,111:DEBUG:rekall.1:Opened local file C:\Windows\System32\GRR\3.1.0.2\rekall_profiles\v1.0\OSX\index.gz
2016-08-28 22:30:26,111:INFO:rekall.1:Loaded profile OSX/index from Local Cache Directory:C:\Windows\System32\GRR\3.1.0.2\rekall_profiles (in 0.00100016593933 sec)
2016-08-28 22:30:26,111:DEBUG:rekall.1:Opened local file C:\Windows\System32\GRR\3.1.0.2\rekall_profiles\v1.0\pe.gz
2016-08-28 22:30:26,118:INFO:root:aff4:/C.677221b2a5c23550: Sending 0(634), Received 0 messages in 0.0090000629425 sec. Sleeping for 0.23
2016-08-28 22:30:26,128:INFO:rekall.1:Loaded profile pe from Local Cache Directory:C:\Windows\System32\GRR\3.1.0.2\rekall_profiles (in 0.0160000324249 sec)
2016-08-28 22:30:26,128:DEBUG:rekall.1:Trying method pe, offset 0
2016-08-28 22:30:26,131:DEBUG:rekall.1:Trying method windows_kernel_file, offset 0
2016-08-28 22:30:26,144:INFO:rekall.1:Found RSDS in kernel image: 672AC57A1FD54704B80AE9348FE3F92B2 (ntkrnlmp.pdb)
2016-08-28 22:30:26,148:DEBUG:rekall.1:Opened local file C:\Windows\System32\GRR\3.1.0.2\rekall_profiles\v1.0\nt\GUID\672AC57A1FD54704B80AE9348FE3F92B2.gz
2016-08-28 22:30:26,365:INFO:root:aff4:/C.677221b2a5c23550: Sending 0(634), Received 0 messages in 0.00500011444092 sec. Sleeping for 0.2645
2016-08-28 22:30:26,390:DEBUG:rekall.1:Opened local file C:\Windows\System32\GRR\3.1.0.2\rekall_profiles\v1.0\nt\undocumented.gz
2016-08-28 22:30:26,394:INFO:rekall.1:Loaded profile nt/undocumented from Local Cache Directory:C:\Windows\System32\GRR\3.1.0.2\rekall_profiles (in 0.00399994850159 sec)
2016-08-28 22:30:26,513:INFO:rekall.1:Loaded profile nt/GUID/672AC57A1FD54704B80AE9348FE3F92B2 from Local Cache Directory:C:\Windows\System32\GRR\3.1.0.2\rekall_profiles (in 0.365999937057 sec)
2016-08-28 22:30:26,539:INFO:rekall.1:Detected ntkrnlmp.pdb with GUID 672AC57A1FD54704B80AE9348FE3F92B2
2016-08-28 22:30:26,540:INFO:rekall.1:Detection method windows_kernel_file yielded profile <I386 profile nt/GUID/672AC57A1FD54704B80AE9348FE3F92B2 (Nt)>
2016-08-28 22:30:26,549:DEBUG:rekall.1:Listed 0 processes using PsActiveProcessHead
2016-08-28 22:30:26,549:DEBUG:rekall.1:Listed 0 processes using CSRSS
2016-08-28 22:30:26,549:DEBUG:rekall.1:Listed 0 processes using PspCidTable
2016-08-28 22:30:26,549:DEBUG:rekall.1:Listed 0 processes using Sessions
2016-08-28 22:30:26,552:DEBUG:rekall.1:Listed 0 processes using Handles
2016-08-28 22:30:26,552:DEBUG:rekall.1:Removing service pmem
2016-08-28 22:30:26,552:DEBUG:rekall.1:Stopping service: pmem
2016-08-28 22:30:26,555:DEBUG:rekall.1:Deleting service: pmem
```

2. Windows 10: grr.log

```
2016-08-28 22:36:19,926:DEBUG:rekall.1:Logging level set to 10
2016-08-28 22:36:19,927:DEBUG:rekall.1:Unable to open .\pmem: (2, 'CreateFile', '\xc1\xf6\xc1\xa4\xb5\xc8 \xc6\xc4\xc0\xcf\xc0\xbb \xc3\xa3\xc0\xbb \xbc\xf6 \xbe\xf8\xbd\xc0\xb4\xcf\xb4\xd9.')
2016-08-28 22:36:19,937:DEBUG:rekall.1:Loading driver from c:\windows\system32\grr\3.1.0.2\components\grr-rekall\0.4\resources\WinPmem\winpmem_x64.sys
2016-08-28 22:36:19,937:DEBUG:rekall.1:Removing service pmem
2016-08-28 22:36:19,937:DEBUG:rekall.1:pmem service does not exist.
2016-08-28 22:36:19,940:DEBUG:rekall.1:Created service pmem
2016-08-28 22:36:20,033:INFO:root:aff4:/C.e9c62e8753d75c31: Sending 0(634), Received 0 messages in 0.00799989700317 sec. Sleeping for 0.23
2016-08-28 22:36:20,038:DEBUG:rekall.1:Running plugin (pslist) with args (()) kwargs ({})
2016-08-28 22:36:20,039:DEBUG:rekall.1:Will detect profile using these Detectors: linux_index,nt_index,osx,pe,windows_kernel_file,rsds,ntfs,linux
2016-08-28 22:36:20,040:DEBUG:rekall.1:Opened local file C:\WINDOWS\System32\GRR\3.1.0.2\rekall_profiles\v1.0\Linux\index.gz
2016-08-28 22:36:20,049:INFO:rekall.1:Loaded profile Linux/index from Local Cache Directory:C:\WINDOWS\System32\GRR\3.1.0.2\rekall_profiles (in 0.00999999046326 sec)
2016-08-28 22:36:20,052:DEBUG:rekall.1:Opened local file C:\WINDOWS\System32\GRR\3.1.0.2\rekall_profiles\v1.0\nt\eprocess_index.gz
2016-08-28 22:36:20,079:INFO:rekall.1:Loaded profile nt/eprocess_index from Local Cache Directory:C:\WINDOWS\System32\GRR\3.1.0.2\rekall_profiles (in 0.0289998054504 sec)
2016-08-28 22:36:20,082:DEBUG:rekall.1:Opened local file C:\WINDOWS\System32\GRR\3.1.0.2\rekall_profiles\v1.0\nt\index.gz
2016-08-28 22:36:20,125:INFO:rekall.1:Loaded profile nt/index from Local Cache Directory:C:\WINDOWS\System32\GRR\3.1.0.2\rekall_profiles (in 0.0439999103546 sec)
2016-08-28 22:36:20,128:DEBUG:rekall.1:Opened local file C:\WINDOWS\System32\GRR\3.1.0.2\rekall_profiles\v1.0\OSX\index.gz
2016-08-28 22:36:20,128:INFO:rekall.1:Loaded profile OSX/index from Local Cache Directory:C:\WINDOWS\System32\GRR\3.1.0.2\rekall_profiles (in 0.0019998550415 sec)
2016-08-28 22:36:20,131:DEBUG:rekall.1:Opened local file C:\WINDOWS\System32\GRR\3.1.0.2\rekall_profiles\v1.0\pe.gz
2016-08-28 22:36:20,142:INFO:rekall.1:Loaded profile pe from Local Cache Directory:C:\WINDOWS\System32\GRR\3.1.0.2\rekall_profiles (in 0.0119998455048 sec)
2016-08-28 22:36:20,144:DEBUG:rekall.1:Trying method pe, offset 0
2016-08-28 22:36:20,148:DEBUG:rekall.1:Trying method windows_kernel_file, offset 0
2016-08-28 22:36:20,164:INFO:rekall.1:Found RSDS in kernel image: 43C9E232FA9B447A9C08E408045BDD111 (ntkrnlmp.pdb)
2016-08-28 22:36:20,167:DEBUG:rekall.1:Skipped profile nt/GUID/43C9E232FA9B447A9C08E408045BDD111 from None (Not in inventory)
2016-08-28 22:36:20,167:DEBUG:rekall.1:Trying method rsds, offset 0
2016-08-28 22:36:20,173:DEBUG:rekall.1:Trying method linux_index, offset 0
2016-08-28 22:36:20,173:DEBUG:rekall.1:LinuxIndexDetector:DetectFromHit(0) = None
2016-08-28 22:36:20,174:DEBUG:rekall.1:Trying method nt_index, offset 0
2016-08-28 22:36:20,187:DEBUG:rekall.1:nt/GUID/DD08DD42692B43F199A079D60E79D2171 matched offset 0x56b380+0xfffff80334a10000=0xfffff80334f7b380 ('KernelSpace')
2016-08-28 22:36:20,187:DEBUG:rekall.1:nt/GUID/DD08DD42692B43F199A079D60E79D2171 matched offset 0x6fb1c8+0xfffff80334a10000=0xfffff8033510b1c8 ('ZwQueryInformationFile')
2016-08-28 22:36:20,187:DEBUG:rekall.1:nt/GUID/DD08DD42692B43F199A079D60E79D2171 matched offset 0x6f7e70+0xfffff80334a10000=0xfffff80335107e70 ('IRP_MN_QUERY_DEVICE_TEXT')
2016-08-28 22:36:20,188:DEBUG:rekall.1:nt/GUID/DD08DD42692B43F199A079D60E79D2171 matched offset 0x6fa038+0xfffff80334a10000=0xfffff8033510a038 ('ExAllocatePoolWithQuotaTag')
2016-08-28 22:36:20,188:DEBUG:rekall.1:nt/GUID/DD08DD42692B43F199A079D60E79D2171 matched offset 0x3dcc08+0xfffff80334a10000=0xfffff80334decc08 ('V\x00e\x00n\x00d\x00o\x00r\x00I\x00d\x00')
2016-08-28 22:36:20,188:DEBUG:rekall.1:nt/GUID/DD08DD42692B43F199A079D60E79D2171 matched offset 0x3dcba0+0xfffff80334a10000=0xfffff80334decba0 ('~\x00M\x00H\x00z\x00')
2016-08-28 22:36:20,188:DEBUG:rekall.1:nt/GUID/DD08DD42692B43F199A079D60E79D2171 matched offset 0x4cbaaf+0xfffff80334a10000=0xfffff80334edbaaf ('\xcc')
2016-08-28 22:36:20,190:DEBUG:rekall.1:nt/GUID/DD08DD42692B43F199A079D60E79D2171 matched offset 0x15030f+0xfffff80334a10000=0xfffff80334b6030f ('\x90')
2016-08-28 22:36:20,190:DEBUG:rekall.1:nt/GUID/DD08DD42692B43F199A079D60E79D2171 matched offset 0x3496f+0xfffff80334a10000=0xfffff80334a4496f ('\xcc')
2016-08-28 22:36:20,190:DEBUG:rekall.1:nt/GUID/DD08DD42692B43F199A079D60E79D2171 matched offset 0x65934f+0xfffff80334a10000=0xfffff8033506934f ('\xcc')
2016-08-28 22:36:20,190:DEBUG:rekall.1:nt/GUID/DD08DD42692B43F199A079D60E79D2171 matched offset 0x601fe7+0xfffff80334a10000=0xfffff80335011fe7 ('\xcc')
2016-08-28 22:36:20,190:DEBUG:rekall.1:nt/GUID/DD08DD42692B43F199A079D60E79D2171 matches 11/13 comparison points
2016-08-28 22:36:20,194:DEBUG:rekall.1:nt/GUID/E9FBE18D6BAD422FACE56D255A38BED41 matched offset 0x16dd9+0xfffff80334a10000=0xfffff80334a26dd9 ('\xcc')
2016-08-28 22:36:20,194:DEBUG:rekall.1:nt/GUID/E9FBE18D6BAD422FACE56D255A38BED41 matches 1/13 comparison points
2016-08-28 22:36:20,204:DEBUG:rekall.1:nt/GUID/A2949749AEBC46D6AAEC1251B7E51F881 matched offset 0xd7c6f+0xfffff80334a10000=0xfffff80334ae7c6f ('\xcc')
2016-08-28 22:36:20,204:DEBUG:rekall.1:nt/GUID/A2949749AEBC46D6AAEC1251B7E51F881 matches 1/12 comparison points
2016-08-28 22:36:20,206:DEBUG:rekall.1:nt/GUID/30FDFCCC3E7442DA8FDEA00806980D7D1 matched offset 0x56b380+0xfffff80334a10000=0xfffff80334f7b380 ('KernelSpace')
2016-08-28 22:36:20,206:DEBUG:rekall.1:nt/GUID/30FDFCCC3E7442DA8FDEA00806980D7D1 matched offset 0x6fb1c8+0xfffff80334a10000=0xfffff8033510b1c8 ('ZwQueryInformationFile')
2016-08-28 22:36:20,206:DEBUG:rekall.1:nt/GUID/30FDFCCC3E7442DA8FDEA00806980D7D1 matched offset 0x6f7e70+0xfffff80334a10000=0xfffff80335107e70 ('IRP_MN_QUERY_DEVICE_TEXT')
2016-08-28 22:36:20,206:DEBUG:rekall.1:nt/GUID/30FDFCCC3E7442DA8FDEA00806980D7D1 matched offset 0x6fa038+0xfffff80334a10000=0xfffff8033510a038 ('ExAllocatePoolWithQuotaTag')
2016-08-28 22:36:20,207:DEBUG:rekall.1:nt/GUID/30FDFCCC3E7442DA8FDEA00806980D7D1 matched offset 0x3dcc08+0xfffff80334a10000=0xfffff80334decc08 ('V\x00e\x00n\x00d\x00o\x00r\x00I\x00d\x00')
2016-08-28 22:36:20,207:DEBUG:rekall.1:nt/GUID/30FDFCCC3E7442DA8FDEA00806980D7D1 matched offset 0x3dcba0+0xfffff80334a10000=0xfffff80334decba0 ('~\x00M\x00H\x00z\x00')
2016-08-28 22:36:20,207:DEBUG:rekall.1:nt/GUID/30FDFCCC3E7442DA8FDEA00806980D7D1 matched offset 0x4cbaaf+0xfffff80334a10000=0xfffff80334edbaaf ('\xcc')
2016-08-28 22:36:20,207:DEBUG:rekall.1:nt/GUID/30FDFCCC3E7442DA8FDEA00806980D7D1 matched offset 0x15030f+0xfffff80334a10000=0xfffff80334b6030f ('\x90')
2016-08-28 22:36:20,207:DEBUG:rekall.1:nt/GUID/30FDFCCC3E7442DA8FDEA00806980D7D1 matched offset 0x3496f+0xfffff80334a10000=0xfffff80334a4496f ('\xcc')
2016-08-28 22:36:20,207:DEBUG:rekall.1:nt/GUID/30FDFCCC3E7442DA8FDEA00806980D7D1 matched offset 0x65934f+0xfffff80334a10000=0xfffff8033506934f ('\xcc')
2016-08-28 22:36:20,207:DEBUG:rekall.1:nt/GUID/30FDFCCC3E7442DA8FDEA00806980D7D1 matched offset 0x601fe7+0xfffff80334a10000=0xfffff80335011fe7 ('\xcc')
2016-08-28 22:36:20,207:DEBUG:rekall.1:nt/GUID/30FDFCCC3E7442DA8FDEA00806980D7D1 matches 11/13 comparison points
2016-08-28 22:36:20,223:DEBUG:rekall.1:nt/GUID/A3930799CDF74A3CA818CCF481C59BAB2 matched offset 0x23a09+0xfffff80334a10000=0xfffff80334a33a09 ('\xcc')
2016-08-28 22:36:20,223:DEBUG:rekall.1:nt/GUID/A3930799CDF74A3CA818CCF481C59BAB2 matches 1/12 comparison points
2016-08-28 22:36:20,256:DEBUG:rekall.1:nt/GUID/37AEA986314C4921ACCFC606BD6FC77C2 matched offset 0x1d4ff+0xfffff80334a10000=0xfffff80334a2d4ff ('\xcc')
2016-08-28 22:36:20,256:DEBUG:rekall.1:nt/GUID/37AEA986314C4921ACCFC606BD6FC77C2 matches 1/13 comparison points
2016-08-28 22:36:20,267:DEBUG:rekall.1:nt/GUID/14AA8D2D40874F7F81D193C7A194CAFC2 matched offset 0x57399f+0xfffff80334a10000=0xfffff80334f8399f ('\xcc')
2016-08-28 22:36:20,267:DEBUG:rekall.1:nt/GUID/14AA8D2D40874F7F81D193C7A194CAFC2 matches 1/12 comparison points
2016-08-28 22:36:20,269:DEBUG:rekall.1:nt/GUID/44C6B918C126440083600BDD67F31BF82 matched offset 0x162e4+0xfffff80334a10000=0xfffff80334a262e4 ('\xcc')
2016-08-28 22:36:20,269:DEBUG:rekall.1:nt/GUID/44C6B918C126440083600BDD67F31BF82 matches 1/13 comparison points
2016-08-28 22:36:20,273:INFO:root:aff4:/C.e9c62e8753d75c31: Sending 0(634), Received 0 messages in 0.00600004196167 sec. Sleeping for 0.2645
2016-08-28 22:36:20,279:DEBUG:rekall.1:nt/GUID/B4C0FAD40C1E4DDFB79606DD8C72CC821 matched offset 0x52c3bf+0xfffff80334a10000=0xfffff80334f3c3bf ('\xcc')
2016-08-28 22:36:20,279:DEBUG:rekall.1:nt/GUID/B4C0FAD40C1E4DDFB79606DD8C72CC821 matches 1/13 comparison points
2016-08-28 22:36:20,280:DEBUG:rekall.1:nt/GUID/7133D0CDF8E14200A570852154FD4E0B2 matched offset 0x2ab12c+0xfffff80334a10000=0xfffff80334cbb12c ('\x90')
2016-08-28 22:36:20,280:DEBUG:rekall.1:nt/GUID/7133D0CDF8E14200A570852154FD4E0B2 matches 1/13 comparison points
2016-08-28 22:36:20,286:DEBUG:rekall.1:nt/GUID/2E3EB7E251D1436090572F267E0391761 matched offset 0xa9cf+0xfffff80334a10000=0xfffff80334a1a9cf ('\xcc')
2016-08-28 22:36:20,288:DEBUG:rekall.1:nt/GUID/2E3EB7E251D1436090572F267E0391761 matches 1/12 comparison points
2016-08-28 22:36:20,296:DEBUG:rekall.1:nt/GUID/4C448F35639F44F58FD37E4E16BBF5CE2 matched offset 0x1d4ff+0xfffff80334a10000=0xfffff80334a2d4ff ('\xcc')
2016-08-28 22:36:20,296:DEBUG:rekall.1:nt/GUID/4C448F35639F44F58FD37E4E16BBF5CE2 matches 1/13 comparison points
2016-08-28 22:36:20,299:DEBUG:rekall.1:nt/GUID/BA9AAFBE29C6498AA819E89CA9C0F0A21 matched offset 0x83e0f+0xfffff80334a10000=0xfffff80334a93e0f ('\x90')
2016-08-28 22:36:20,301:DEBUG:rekall.1:nt/GUID/BA9AAFBE29C6498AA819E89CA9C0F0A21 matches 1/11 comparison points
2016-08-28 22:36:20,302:DEBUG:rekall.1:nt/GUID/D6A45AA28E89439FAD70BF52349C306E1 matched offset 0x423c37+0xfffff80334a10000=0xfffff80334e33c37 ('\x90')
2016-08-28 22:36:20,302:DEBUG:rekall.1:nt/GUID/D6A45AA28E89439FAD70BF52349C306E1 matches 1/12 comparison points
2016-08-28 22:36:20,303:DEBUG:rekall.1:ntdll/GUID/9385FE43F2EB4DCAAEB1EF2D2CF13E272 matched offset 0x3389f+0xfffff80334a10000=0xfffff80334a4389f ('\xcc')
2016-08-28 22:36:20,305:DEBUG:rekall.1:ntdll/GUID/9385FE43F2EB4DCAAEB1EF2D2CF13E272 matches 1/2 comparison points
2016-08-28 22:36:20,306:DEBUG:rekall.1:nt/GUID/60FDE89969BA44DDBBB565B3FB6BD8892 matched offset 0x1ddd1+0xfffff80334a10000=0xfffff80334a2ddd1 ('\x90')
2016-08-28 22:36:20,308:DEBUG:rekall.1:nt/GUID/60FDE89969BA44DDBBB565B3FB6BD8892 matches 1/13 comparison points
2016-08-28 22:36:20,313:DEBUG:rekall.1:nt/GUID/23D97A5598EF44C986C6996A456FD3462 matched offset 0x11cb88+0xfffff80334a10000=0xfffff80334b2cb88 ('\xcc')
2016-08-28 22:36:20,315:DEBUG:rekall.1:nt/GUID/23D97A5598EF44C986C6996A456FD3462 matches 1/13 comparison points
2016-08-28 22:36:20,316:DEBUG:rekall.1:ntdll/GUID/15E465485283467A98B433C3FC8861952 matched offset 0x2e6b7+0xfffff80334a10000=0xfffff80334a3e6b7 ('\x90')
2016-08-28 22:36:20,316:DEBUG:rekall.1:ntdll/GUID/15E465485283467A98B433C3FC8861952 matches 1/2 comparison points
2016-08-28 22:36:20,328:DEBUG:rekall.1:nt/GUID/6DE07FC8872C47D5B22D20387B7F44275 matched offset 0x168ad+0xfffff80334a10000=0xfffff80334a268ad ('\xcc')
2016-08-28 22:36:20,328:DEBUG:rekall.1:nt/GUID/6DE07FC8872C47D5B22D20387B7F44275 matches 1/12 comparison points
2016-08-28 22:36:20,390:DEBUG:rekall.1:nt/GUID/324EF87A3B0C4DF9AA1D52A75BCAD5F71 matched offset 0x29fef+0xfffff80334a10000=0xfffff80334a39fef ('\xcc')
2016-08-28 22:36:20,390:DEBUG:rekall.1:nt/GUID/324EF87A3B0C4DF9AA1D52A75BCAD5F71 matches 1/12 comparison points
2016-08-28 22:36:20,397:DEBUG:rekall.1:nt/GUID/AA374084458B4152B98ABFE83698C6891 matched offset 0x167eb2+0xfffff80334a10000=0xfffff80334b77eb2 ('\xcc')
2016-08-28 22:36:20,397:DEBUG:rekall.1:nt/GUID/AA374084458B4152B98ABFE83698C6891 matches 1/12 comparison points
2016-08-28 22:36:20,411:DEBUG:rekall.1:nt/GUID/EA112C356BA3495F804505E56A685A692 matched offset 0x1048ef+0xfffff80334a10000=0xfffff80334b148ef ('\xcc')
2016-08-28 22:36:20,411:DEBUG:rekall.1:nt/GUID/EA112C356BA3495F804505E56A685A692 matches 1/12 comparison points
2016-08-28 22:36:20,417:DEBUG:rekall.1:nt/GUID/FBB8205F451A4C2883BDE7EB90B6E8502 matched offset 0x2cc4d5+0xfffff80334a10000=0xfffff80334cdc4d5 ('\xcc')
2016-08-28 22:36:20,417:DEBUG:rekall.1:nt/GUID/FBB8205F451A4C2883BDE7EB90B6E8502 matches 1/14 comparison points
2016-08-28 22:36:20,426:DEBUG:rekall.1:nt/GUID/3A86E64D51FB4FF3AF6E3E9A5340B5892 matched offset 0x17ba94+0xfffff80334a10000=0xfffff80334b8ba94 ('\xcc')
2016-08-28 22:36:20,426:DEBUG:rekall.1:nt/GUID/3A86E64D51FB4FF3AF6E3E9A5340B5892 matches 1/13 comparison points
2016-08-28 22:36:20,427:DEBUG:rekall.1:nt/GUID/A05D66A54BA4460A9FE4129D39AA02572 matched offset 0x3d267+0xfffff80334a10000=0xfffff80334a4d267 ('\xcc')
2016-08-28 22:36:20,427:DEBUG:rekall.1:nt/GUID/A05D66A54BA4460A9FE4129D39AA02572 matches 1/13 comparison points
2016-08-28 22:36:20,428:DEBUG:rekall.1:nt/GUID/EB6C6F5CEC9D457AAB82EC3264B6D2741 matched offset 0x11bc3d+0xfffff80334a10000=0xfffff80334b2bc3d ('\xcc')
2016-08-28 22:36:20,428:DEBUG:rekall.1:nt/GUID/EB6C6F5CEC9D457AAB82EC3264B6D2741 matches 1/12 comparison points
2016-08-28 22:36:20,438:DEBUG:rekall.1:nt/GUID/972684628A334055B5A042C4BC97AE002 matched offset 0x41720f+0xfffff80334a10000=0xfffff80334e2720f ('\xcc')
2016-08-28 22:36:20,438:DEBUG:rekall.1:nt/GUID/972684628A334055B5A042C4BC97AE002 matches 1/13 comparison points
2016-08-28 22:36:20,444:DEBUG:rekall.1:nt/GUID/0292FE5A651143BFA48A2B8936D760B41 matched offset 0x14877f+0xfffff80334a10000=0xfffff80334b5877f ('\x90')
2016-08-28 22:36:20,446:DEBUG:rekall.1:nt/GUID/0292FE5A651143BFA48A2B8936D760B41 matched offset 0x5df61b+0xfffff80334a10000=0xfffff80334fef61b ('\xcc')
2016-08-28 22:36:20,446:DEBUG:rekall.1:nt/GUID/0292FE5A651143BFA48A2B8936D760B41 matches 2/11 comparison points
2016-08-28 22:36:20,460:DEBUG:rekall.1:nt/GUID/D073BE1D65C749A7A0E083FF9C6F964F1 matched offset 0x29fef+0xfffff80334a10000=0xfffff80334a39fef ('\xcc')
2016-08-28 22:36:20,460:DEBUG:rekall.1:nt/GUID/D073BE1D65C749A7A0E083FF9C6F964F1 matches 1/13 comparison points
2016-08-28 22:36:20,463:DEBUG:rekall.1:nt/GUID/A5ADE2DF5622477EBD9A13F84724180F2 matched offset 0x188a8+0xfffff80334a10000=0xfffff80334a288a8 ('\xcc')
2016-08-28 22:36:20,463:DEBUG:rekall.1:nt/GUID/A5ADE2DF5622477EBD9A13F84724180F2 matches 1/14 comparison points
2016-08-28 22:36:20,473:DEBUG:rekall.1:nt/GUID/3F1ED87856944161A2F45ECB708EC21E1 matched offset 0xc7c97+0xfffff80334a10000=0xfffff80334ad7c97 ('\xcc')
2016-08-28 22:36:20,474:DEBUG:rekall.1:nt/GUID/3F1ED87856944161A2F45ECB708EC21E1 matches 1/12 comparison points
2016-08-28 22:36:20,476:INFO:root:Sending back client statistics to the server.
2016-08-28 22:36:20,496:DEBUG:rekall.1:nt/GUID/D34554E843614246BA81D7712A23D5632 matched offset 0x99c2a+0xfffff80334a10000=0xfffff80334aa9c2a ('\xcc')
2016-08-28 22:36:20,496:DEBUG:rekall.1:nt/GUID/D34554E843614246BA81D7712A23D5632 matches 1/13 comparison points
2016-08-28 22:36:20,500:DEBUG:rekall.1:nt/GUID/F6BC861CE846416496CA50EF71B5371F2 matched offset 0x1de0b+0xfffff80334a10000=0xfffff80334a2de0b ('\x90')
2016-08-28 22:36:20,500:DEBUG:rekall.1:nt/GUID/F6BC861CE846416496CA50EF71B5371F2 matches 1/14 comparison points
2016-08-28 22:36:20,509:DEBUG:rekall.1:nt/GUID/E39EBDC70D014E1BBCC9DCE5B19DBDEE1 matched offset 0x473d6b+0xfffff80334a10000=0xfffff80334e83d6b ('\xcc')
2016-08-28 22:36:20,509:DEBUG:rekall.1:nt/GUID/E39EBDC70D014E1BBCC9DCE5B19DBDEE1 matched offset 0x156e4f+0xfffff80334a10000=0xfffff80334b66e4f ('\xcc')
2016-08-28 22:36:20,510:DEBUG:rekall.1:nt/GUID/E39EBDC70D014E1BBCC9DCE5B19DBDEE1 matches 2/11 comparison points
2016-08-28 22:36:20,512:DEBUG:rekall.1:nt/GUID/FD42AC0A5CBA45E2BA68962398B4C74B2 matched offset 0x1983f+0xfffff80334a10000=0xfffff80334a2983f ('\x90')
2016-08-28 22:36:20,512:DEBUG:rekall.1:nt/GUID/FD42AC0A5CBA45E2BA68962398B4C74B2 matches 1/12 comparison points
2016-08-28 22:36:20,513:DEBUG:rekall.1:nt/GUID/E8F9147FB755462DBA7F151941E607D42 matched offset 0x56c9cf+0xfffff80334a10000=0xfffff80334f7c9cf ('\xcc')
2016-08-28 22:36:20,513:DEBUG:rekall.1:nt/GUID/E8F9147FB755462DBA7F151941E607D42 matches 1/12 comparison points
2016-08-28 22:36:20,516:DEBUG:rekall.1:nt/GUID/F28C5BC7A31842CBA05593244F5A569B2 matched offset 0x4870ef+0xfffff80334a10000=0xfffff80334e970ef ('\x90')
2016-08-28 22:36:20,516:DEBUG:rekall.1:nt/GUID/F28C5BC7A31842CBA05593244F5A569B2 matches 1/12 comparison points
2016-08-28 22:36:20,516:DEBUG:rekall.1:nt/GUID/0664EEAD62ED4A73AA992D792DFBA6642 matched offset 0xa1f1f+0xfffff80334a10000=0xfffff80334ab1f1f ('\x90')
2016-08-28 22:36:20,517:DEBUG:rekall.1:nt/GUID/0664EEAD62ED4A73AA992D792DFBA6642 matches 1/12 comparison points
2016-08-28 22:36:20,526:DEBUG:rekall.1:nt/GUID/672AC57A1FD54704B80AE9348FE3F92B2 matched offset 0x99c2a+0xfffff80334a10000=0xfffff80334aa9c2a ('\xcc')
2016-08-28 22:36:20,526:DEBUG:rekall.1:nt/GUID/672AC57A1FD54704B80AE9348FE3F92B2 matches 1/13 comparison points
2016-08-28 22:36:20,533:DEBUG:rekall.1:nt/GUID/1765D71166B54F599FD7781E6E6E0BB32 matched offset 0x3f748+0xfffff80334a10000=0xfffff80334a4f748 ('\xcc')
2016-08-28 22:36:20,533:DEBUG:rekall.1:nt/GUID/1765D71166B54F599FD7781E6E6E0BB32 matches 1/13 comparison points
2016-08-28 22:36:20,536:DEBUG:rekall.1:nt/GUID/5C2CB0B3194F47F3B3FD0C5879414DA92 matched offset 0x29dea4+0xfffff80334a10000=0xfffff80334cadea4 ('\x90')
2016-08-28 22:36:20,536:DEBUG:rekall.1:nt/GUID/5C2CB0B3194F47F3B3FD0C5879414DA92 matches 1/14 comparison points
2016-08-28 22:36:20,539:DEBUG:rekall.1:nt/GUID/5499F74A7FB1443180E6F71F43005AFE2 matched offset 0x52f3cf+0xfffff80334a10000=0xfffff80334f3f3cf ('\xcc')
2016-08-28 22:36:20,540:DEBUG:rekall.1:nt/GUID/5499F74A7FB1443180E6F71F43005AFE2 matches 1/12 comparison points
2016-08-28 22:36:20,546:DEBUG:rekall.1:nt/GUID/5296BAD9CD4C48AC8E4CB537CA45A7712 matched offset 0x1d4ff+0xfffff80334a10000=0xfffff80334a2d4ff ('\xcc')
2016-08-28 22:36:20,546:DEBUG:rekall.1:nt/GUID/5296BAD9CD4C48AC8E4CB537CA45A7712 matches 1/13 comparison points
2016-08-28 22:36:20,549:DEBUG:rekall.1:nt/GUID/55BC25189EFF4450871C16E6591A8A982 matched offset 0x2cc4d5+0xfffff80334a10000=0xfffff80334cdc4d5 ('\xcc')
2016-08-28 22:36:20,549:DEBUG:rekall.1:nt/GUID/55BC25189EFF4450871C16E6591A8A982 matches 1/14 comparison points
2016-08-28 22:36:20,555:INFO:root:aff4:/C.e9c62e8753d75c31: Sending 1(1339), Received 0 messages in 0.0120000839233 sec. Sleeping for 0.304175
2016-08-28 22:36:20,561:DEBUG:rekall.1:nt/GUID/2FC115B8D2ED471AA390FA2D65F9A6A82 matched offset 0x99c2a+0xfffff80334a10000=0xfffff80334aa9c2a ('\xcc')
2016-08-28 22:36:20,561:DEBUG:rekall.1:nt/GUID/2FC115B8D2ED471AA390FA2D65F9A6A82 matches 1/13 comparison points
2016-08-28 22:36:20,569:DEBUG:rekall.1:nt/GUID/79B501C6BD9E4689BB7701B02868F45F2 matched offset 0x1de0b+0xfffff80334a10000=0xfffff80334a2de0b ('\x90')
2016-08-28 22:36:20,569:DEBUG:rekall.1:nt/GUID/79B501C6BD9E4689BB7701B02868F45F2 matches 1/14 comparison points
2016-08-28 22:36:20,572:DEBUG:rekall.1:nt/GUID/1A603169B1B942A092B69787CCB7C4811 matched offset 0x435cef+0xfffff80334a10000=0xfffff80334e45cef ('\xcc')
2016-08-28 22:36:20,572:DEBUG:rekall.1:nt/GUID/1A603169B1B942A092B69787CCB7C4811 matches 1/11 comparison points
2016-08-28 22:36:20,578:DEBUG:rekall.1:nt/GUID/112679F166D6449394EFC30950DE9E032 matched offset 0x14af44+0xfffff80334a10000=0xfffff80334b5af44 ('\xcc')
2016-08-28 22:36:20,578:DEBUG:rekall.1:nt/GUID/112679F166D6449394EFC30950DE9E032 matches 1/13 comparison points
2016-08-28 22:36:20,582:DEBUG:rekall.1:nt/GUID/E2D36E08572C4C4EAE09B2484F63A3742 matched offset 0x1ae77+0xfffff80334a10000=0xfffff80334a2ae77 ('\xcc')
2016-08-28 22:36:20,582:DEBUG:rekall.1:nt/GUID/E2D36E08572C4C4EAE09B2484F63A3742 matches 1/12 comparison points
2016-08-28 22:36:20,585:DEBUG:rekall.1:ntdll/GUID/F5F390D56A604DB1A47B0E3D486DA9C02 matched offset 0x1cfef+0xfffff80334a10000=0xfffff80334a2cfef ('\xcc')
2016-08-28 22:36:20,585:DEBUG:rekall.1:ntdll/GUID/F5F390D56A604DB1A47B0E3D486DA9C02 matches 1/1 comparison points
2016-08-28 22:36:20,585:DEBUG:rekall.1:Opened local file C:\WINDOWS\System32\GRR\3.1.0.2\rekall_profiles\v1.0\ntdll\GUID\F5F390D56A604DB1A47B0E3D486DA9C02.gz
2016-08-28 22:36:20,732:INFO:rekall.1:Loaded profile ntdll/GUID/F5F390D56A604DB1A47B0E3D486DA9C02 from Local Cache Directory:C:\WINDOWS\System32\GRR\3.1.0.2\rekall_profiles (in 0.146000146866 sec)
2016-08-28 22:36:20,733:INFO:rekall.1:Detection method nt_index yielded profile <I386 profile ntdll/GUID/F5F390D56A604DB1A47B0E3D486DA9C02 (Ntdll)>
2016-08-28 22:36:20,739:DEBUG:rekall.1:Listed 0 processes using PsActiveProcessHead
2016-08-28 22:36:20,739:DEBUG:rekall.1:Listed 0 processes using CSRSS
2016-08-28 22:36:20,739:DEBUG:rekall.1:Listed 0 processes using PspCidTable
2016-08-28 22:36:20,739:DEBUG:rekall.1:Listed 0 processes using Sessions
2016-08-28 22:36:20,739:DEBUG:rekall.1:Listed 0 processes using Handles
2016-08-28 22:36:20,740:DEBUG:rekall.1:Removing service pmem
2016-08-28 22:36:20,742:DEBUG:rekall.1:Stopping service: pmem
2016-08-28 22:36:20,828:DEBUG:rekall.1:Deleting service: pmem
```

I want to know what the problem is.

grrrrrrrrr commented 8 years ago

GRR seems to work fine here, Rekall does not find any processes though. @scudette do you want to have a look? This is likely a duplicate of https://github.com/google/grr/issues/427 where the Korean Windows version seems to be the problem.

scudette commented 8 years ago

You can see that Rekall thinks the profile it needs is 43C9E232FA9B447A9C08E408045BDD111 but this is not in the repository yet. When Rekall is run through GRR it is not allowed to contact the MS symbol server directly - instead it contacts GRR and GRR reads the repository for it, but GRR is not allowed to contact the MS symbol server directly either.

So when the profile is not yet in the repository Rekall + GRR won't work, but Rekall on its own will.

I will push a new update to the profile repository shortly.
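
The diagnosis above can be read off the client log mechanically. The following Python script is an added example, not GRR or Rekall code: it parses both client log layouts quoted in this thread, extracts the kernel's RSDS GUID, whether the matching nt/GUID profile was skipped as "Not in inventory", which profile the detector finally settled on and the per-method process counts, and labels a run as the missing-profile case or as the profile-loaded-but-zero-processes case; the sample log lines are constructed from entries quoted in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The two client log layouts quoted in this thread:
#   2016-08-28 22:36:20,167:DEBUG:rekall.1:<message>
#   [DEBUG (2017-03-23 15:15:53 UTC) rekall.2] <message>
_LINE_FORMATS = (
    re.compile(r"^\d{4}-\d\d-\d\d [\d:,]+:(?P<level>[A-Z]+):(?P<logger>[^:]+):(?P<msg>.*)$"),
    re.compile(r"^\[(?P<level>[A-Z]+) \([^)]*\) (?P<logger>[^\]]+)\] (?P<msg>.*)$"),
)
_RSDS = re.compile(r"Found RSDS in kernel image: (?P<guid>[0-9A-F]+) \((?P<pdb>[^)]+)\)")
_SKIPPED = re.compile(r"Skipped profile (?P<profile>\S+) from \S+ \(Not in inventory\)")
_YIELDED = re.compile(r"Detection method (?P<method>\w+) yielded profile <\S+ profile (?P<profile>\S+)")
_LISTED = re.compile(r"Listed (?P<n>\d+) processes using (?P<method>\w+)")


@dataclass
class MemoryTriage:
    kernel_guid: Optional[str] = None       # GUID from the running kernel's RSDS record
    kernel_pdb: Optional[str] = None        # e.g. ntkrnlmp.pdb
    missing_profiles: List[str] = field(default_factory=list)
    detection_method: Optional[str] = None  # detector that finally produced a profile
    yielded_profile: Optional[str] = None   # profile Rekall actually ran pslist with
    processes: Dict[str, int] = field(default_factory=dict)  # pslist method -> count

    def verdict(self) -> str:
        """Map the run onto the failure modes distinguished in the thread."""
        wanted = f"nt/GUID/{self.kernel_guid}" if self.kernel_guid else None
        if wanted and wanted in self.missing_profiles:
            return "missing-profile"  # the repository GRR serves lacks this kernel
        if wanted and self.yielded_profile and self.yielded_profile != wanted:
            return "missing-profile"  # a fallback detector settled on another profile
        if any(n > 0 for n in self.processes.values()):
            return "ok"
        if wanted and self.yielded_profile == wanted and self.processes:
            return "profile-ok-no-processes"  # right profile, every method listed 0
        return "undetermined"


def parse_rekall_log(text: str) -> MemoryTriage:
    """Collect detection and enumeration facts from a client log, one entry per line."""
    t = MemoryTriage()
    for raw in text.splitlines():
        msg = None
        for fmt in _LINE_FORMATS:
            m = fmt.match(raw.strip())
            if m and m.group("logger").startswith("rekall"):
                msg = m.group("msg")
                break
        if msg is None:
            continue  # root/aff4 client chatter, or a line we do not understand
        if m := _RSDS.search(msg):
            t.kernel_guid, t.kernel_pdb = m.group("guid"), m.group("pdb")
        elif m := _SKIPPED.search(msg):
            t.missing_profiles.append(m.group("profile"))
        elif m := _YIELDED.search(msg):
            t.detection_method, t.yielded_profile = m.group("method"), m.group("profile")
        elif m := _LISTED.search(msg):
            t.processes[m.group("method")] = int(m.group("n"))
    return t


# Constructed samples: entries quoted in this thread, one per line.
WIN7_LOG = """\
2016-08-28 22:30:26,144:INFO:rekall.1:Found RSDS in kernel image: 672AC57A1FD54704B80AE9348FE3F92B2 (ntkrnlmp.pdb)
2016-08-28 22:30:26,365:INFO:root:aff4:/C.677221b2a5c23550: Sending 0(634), Received 0 messages in 0.00500011444092 sec. Sleeping for 0.2645
2016-08-28 22:30:26,540:INFO:rekall.1:Detection method windows_kernel_file yielded profile <I386 profile nt/GUID/672AC57A1FD54704B80AE9348FE3F92B2 (Nt)>
2016-08-28 22:30:26,549:DEBUG:rekall.1:Listed 0 processes using PsActiveProcessHead
2016-08-28 22:30:26,549:DEBUG:rekall.1:Listed 0 processes using CSRSS
"""
WIN10_LOG = """\
2016-08-28 22:36:20,164:INFO:rekall.1:Found RSDS in kernel image: 43C9E232FA9B447A9C08E408045BDD111 (ntkrnlmp.pdb)
2016-08-28 22:36:20,167:DEBUG:rekall.1:Skipped profile nt/GUID/43C9E232FA9B447A9C08E408045BDD111 from None (Not in inventory)
2016-08-28 22:36:20,733:INFO:rekall.1:Detection method nt_index yielded profile <I386 profile ntdll/GUID/F5F390D56A604DB1A47B0E3D486DA9C02 (Ntdll)>
2016-08-28 22:36:20,739:DEBUG:rekall.1:Listed 0 processes using PsActiveProcessHead
"""
FRENCH_LOG = """\
[INFO (2017-03-23 15:15:53 UTC) rekall.2] Found RSDS in kernel image: A3A6EBE530714799985ED058B2F0A0642 (ntkrnlmp.pdb)
[DEBUG (2017-03-23 15:15:53 UTC) rekall.2] Skipped profile nt/GUID/A3A6EBE530714799985ED058B2F0A0642 from None (Not in inventory)
[DEBUG (2017-03-23 15:15:53 UTC) rekall.2] Listed 0 processes using PsActiveProcessHead
"""

if __name__ == "__main__":
    for name, log in (("Windows 7", WIN7_LOG), ("Windows 10", WIN10_LOG), ("French image", FRENCH_LOG)):
        t = parse_rekall_log(log)
        print(f"{name}: {t.kernel_pdb} {t.kernel_guid} -> {t.verdict()}")
```

A "missing-profile" verdict names the GUID the server-side profile repository has to be updated with; "profile-ok-no-processes" means the right kernel profile was served and the fault lies elsewhere, as in the Windows 7 run above.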

nywss commented 7 years ago

Sorry for reloading this post, but it seems I've got the same issue here (using French Windows images):

```
[INFO (2017-03-23 15:15:53 UTC) rekall.2] Found RSDS in kernel image: A3A6EBE530714799985ED058B2F0A0642 (ntkrnlmp.pdb)
[DEBUG (2017-03-23 15:15:53 UTC) rekall.2] Skipped profile nt/GUID/A3A6EBE530714799985ED058B2F0A0642 from None (Not in inventory)
```

I have never been able to get any results from Rekall (using any plugins):

```
[DEBUG (2017-03-23 15:15:53 UTC) rekall.2] Listed 0 processes using PsActiveProcessHead
[DEBUG (2017-03-23 15:15:53 UTC) rekall.2] Listed 0 processes using CSRSS
[DEBUG (2017-03-23 15:15:53 UTC) rekall.2] Listed 0 processes using PspCidTable
[DEBUG (2017-03-23 15:15:53 UTC) rekall.2] Listed 0 processes using Sessions
[DEBUG (2017-03-23 15:15:53 UTC) rekall.2] Listed 0 processes using Handles
```

At least I understand why it's not working, but is there something I can do to fix this?

Thank you for your time.

grrrrrrrrr commented 7 years ago

Have a look at https://github.com/google/grr-doc/blob/master/troubleshooting.adoc#missing-rekall-profiles

nywss commented 7 years ago

Done, thank you grrrrrrrrrr.