tklengyel / drakvuf

DRAKVUF Black-box Binary Analysis
https://drakvuf.com

win-guid returning error for win7x86sp1 VM #139

Closed JimmyTwoShoes closed 8 years ago

JimmyTwoShoes commented 8 years ago

Following the install guide, but have run into this error:
[root@drakvuf ~]# win-guid name win7x86sp1
VMI_ERROR: --requesting PA [0xff000000] beyond max physical address [0xff000000]
VMI_ERROR:      paddr: fefff000, length 1000, vmi->max_physical_address ff000000
VMI_ERROR: create_new_entry failed
[root@drakvuf ~]#
[root@drakvuf ~]# xl list
Name                                        ID   Mem VCPUs      State   Time(s)
Domain-0                                     0  1023     4     r-----     205.3
win7x86sp1                                   1  2048     2     -b----      45.0
[root@drakvuf ~]# uname -a
Linux drakvuf.box 4.5.1-1.el7.elrepo.x86_64 #1 SMP Sat Apr 16 11:42:12 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@drakvuf ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@drakvuf ~]# xen-detect
Running in PV context on Xen v4.6.
[root@drakvuf ~]#
-------------------------------------------------------------------------------
LibVMI is configured as follows. Please verify that this configuration
matches your expectations.

Host system type: x86_64-unknown-linux-gnu
Build system type: x86_64-unknown-linux-gnu
Installation prefix: /usr/local

Feature      | Option                    | Reason
-------------|---------------------------|----------------------------
Xen Support  | --enable-xen=yes          | yes
Xen Events   | --enable-xen-events=yes   | yes
KVM Support  | --enable-kvm=no           | libvirt missing
File Support | --enable-file=yes         | yes
Shm-snapshot | --enable-shm-snapshot=no  | no
-------------|---------------------------|----------------------------

OS           | Option
-------------|--------------------------------------------------------
Windows      | --enable-windows=yes
Linux        | --enable-linux=yes

Tools        | Option                    | Reason
-------------|---------------------------|----------------------------
Examples     | --enable-examples=yes     | yes
VMIFS        | --enable-vmifs=yes        | yes

Extra features
----------------------------------------------------------------------
Support of Rekall profiles: yes

JimmyTwoShoes commented 8 years ago

Increased the amount of memory in dom0 to 4096 - no difference. Also changed line 131 of "./libvmi/driver/memory_cache.c" to be >, rather than >=, but now I get no output at all from the above win-guid command.

[root@drakvuf libvmi]# win-guid name win7x86sp1
[root@drakvuf libvmi]# sestatus
SELinux status:                 disabled
[root@drakvuf libvmi]#

tklengyel commented 8 years ago

Well, is the VM fully booted? If it is and it doesn't find the kernel you can get the debug info for it from the disk too using Rekall.

JimmyTwoShoes commented 8 years ago

Yes, VM is booted and logged in to the desktop. Will check how to use Rekall to get what you're asking.

tklengyel commented 8 years ago

The debug info is for you so you can build the Rekall profile for the VM.

JimmyTwoShoes commented 8 years ago

Awesome. Got it.

[root@drakvuf ~]# rekal -f /dev/vmstor/win7x86sp1 version_scan --name_regex krnl
  Offset (P)             GUID/Version                         PDB
-------------- --------------------------------- ------------------------------
0x0000bcb0859c 00625D7D36754CBEBA4533BA9A0F3FE22 ntkrnlmp.pdb
0x0000e8f9ed18 007C585343284401AAC26A971842D6CF2 dxgkrnl.pdb
0x000128b848c8 CD41E4A0B93E45C1B51C692937E297901 KrnlProv.pdb
[root@drakvuf ~]#

JimmyTwoShoes commented 8 years ago

Hmmm. New error. I'm going to go out on a limb and say there's something wrong with that paddr value.

[root@drakvuf tmp]# rekall fetch_pdb --pdb_filename ntkrnlmp.pdb --guid 00625D7D36754CBEBA4533BA9A0F3FE22
 Trying to fetch http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/00625D7D36754CBEBA4533BA9A0F3FE22/ntkrnlmp.pd_
Extracting cabinet: /tmp/tmpbrg41J/ntkrnlmp.pd_
  extracting ntkrnlmp.pdb

All done, no errors.
[root@drakvuf tmp]# rekall parse_pdb ntkrnlmp.pdb > win7x86sp1.json
[root@drakvuf tmp]# mv win7x86sp1.json /root
[root@drakvuf tmp]# cd
[root@drakvuf ~]# printf "win7x86sp1 { \n\
    ostype = \"Windows\"; \n\
    sysmap = \"/root/win7x86sp1.json\"; \n\
}" > /etc/libvmi.conf
[root@drakvuf ~]# process-list win7x86sp1
Process listing for VM win7x86sp1 (id=2)
VMI_ERROR: --requesting PA [0x7950547951000] beyond max physical address [0xff000000]
VMI_ERROR:      paddr: 7950547950000, length 1000, vmi->max_physical_address ff000000
VMI_ERROR: create_new_entry failed
VMI_ERROR: --requesting PA [0x7950547951000] beyond max physical address [0xff000000]
VMI_ERROR:      paddr: 7950547950000, length 1000, vmi->max_physical_address ff000000
VMI_ERROR: create_new_entry failed
Failed to find procname
[root@drakvuf ~]#

tklengyel commented 8 years ago

You will need to enable the debug output of libvmi so we can get a better look at where things go wrong. Also, please open an issue on the libvmi tracker for this.

jeinstos commented 8 years ago

I'm having the same issues. @JimmyTwoShoes, were you able to find a solution?

jeinstos commented 8 years ago

As per @tklengyel suggestion, I've compiled libvmi in debug mode. This is the output of win-guid:

LibVMI Version 0.11.0
--found Xen
LibVMI Mode 2
--completed driver init.
--got name from id (3 --> windows7-i386)
**set image_type = windows7-i386
**set hvm to true (HVM).
--xen: setup live mode
**set allocated_ram_size = bb84b000, max_physical_address = 0xff000000
**set pae = 1
**set pse = 1
**set lme = 0
**PAE paging
**sanity checking cr3 = 0x0000000000185000
--succesfully completed architecture init.
--MEMORY cache set 0x0
--xen_get_memory_pfn success on pfn=0x0
--PEPARSE: DOS header signature not found
--PEPARSE: failed to validate a continuous PE header
--MEMORY cache set 0x1000
--xen_get_memory_pfn success on pfn=0x1
--PEPARSE: DOS header signature not found
--PEPARSE: failed to validate a continuous PE header
--MEMORY cache set 0x2000
--xen_get_memory_pfn success on pfn=0x2
--PEPARSE: DOS header signature not found
--PEPARSE: failed to validate a continuous PE header
--MEMORY cache set 0x3000
--xen_get_memory_pfn success on pfn=0x3
--PEPARSE: DOS header signature not found
--PEPARSE: failed to validate a continuous PE header
--MEMORY cache set 0x4000
...
...
--xen_get_memory_pfn success on pfn=0xfeffd
--PEPARSE: DOS header signature not found
--PEPARSE: failed to validate a continuous PE header
--MEMORY cache set 0xfeffe000
--xen_get_memory_pfn success on pfn=0xfeffe
--PEPARSE: DOS header signature not found
--PEPARSE: failed to validate a continuous PE header
--MEMORY cache set 0xfefff000
--PEPARSE: failed to read a continuous PE header
VMI_ERROR: --requesting PA [0xff000000] beyond max physical address [0xff000000]
VMI_ERROR:      paddr: fefff000, length 1000, vmi->max_physical_address ff000000
VMI_ERROR: create_new_entry failed

I've followed the installation instructions at http://drakvuf.com/. I will try creating a new VM and running the tool again. The VM I have been testing on is not an activated Windows OS.

jeinstos commented 8 years ago

@JimmyTwoShoes I got libvmi to work by doing the same thing you did to get the PDB file name and GUID. In your command you're looking for anything that matches the regex "krnl", but the file you need to look for is "ntkrpamp.pdb" (which doesn't match that regex). If you find the GUID for this file, libvmi should work as expected.
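As an added example (written for this page, not code from this thread, from libvmi or from Rekall), here is a small Python script covering the two steps that mattered above: the rekal version_scan / fetch_pdb / parse_pdb sequence from the earlier post, and the point in this reply that a "krnl" substring filter skips ntkrpamp.pdb. It scans a raw byte buffer for RSDS CodeView records (a simplified form of what version_scan does), formats GUID+age into the id the symbol server and fetch_pdb use, and filters by the complete set of NT kernel PDB names. SAMPLE_IMAGE, its GUIDs and filler bytes are constructed; the only values taken from the thread are the PDB names, the ntkrnlmp GUID used in the check below, and the libvmi.conf stanza.

```python
import re
import struct
import uuid

# The NT kernel ships under four PDB names depending on build flavour
# (uniprocessor / multiprocessor, with / without PAE). A substring match on
# "krnl" hits dxgkrnl.pdb and KrnlProv.pdb but not ntkrpamp.pdb.
KERNEL_PDB_NAMES = {"ntoskrnl.pdb", "ntkrnlpa.pdb", "ntkrnlmp.pdb", "ntkrpamp.pdb"}

# RSDS CodeView record: "RSDS", 16-byte GUID, 4-byte little-endian age,
# NUL-terminated PDB path. DOTALL so the GUID/age may contain 0x0a bytes.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([^\x00]{1,260}\.[pP][dD][bB])\x00", re.DOTALL)


def symbol_server_id(guid_bytes: bytes, age: int) -> str:
    """GUID+age as the symbol server expects it: canonical GUID hex (the
    first three fields are stored little-endian in the record), uppercase,
    followed by the age in hex without padding."""
    return uuid.UUID(bytes_le=guid_bytes).hex.upper() + format(age, "X")


def pdb_url(pdb_name: str, symbol_id: str) -> str:
    """Symbol-server path for a PDB, in the form rekall fetch_pdb printed above."""
    cab_name = pdb_name[:-1] + "_"   # ntkrnlmp.pdb -> ntkrnlmp.pd_ (cabinet)
    return f"http://msdl.microsoft.com/download/symbols/{pdb_name}/{symbol_id}/{cab_name}"


def scan_rsds(data: bytes):
    """Return (offset, pdb_basename, symbol_id) for every RSDS record in data."""
    records = []
    for m in RSDS_RE.finditer(data):
        age = struct.unpack("<I", m.group(2))[0]
        path = m.group(3).decode("ascii", errors="replace")
        basename = path.replace("\\", "/").rsplit("/", 1)[-1]
        records.append((m.start(), basename, symbol_server_id(m.group(1), age)))
    return records


def regex_records(records, pattern: str):
    """What a --name_regex style filter keeps (case-insensitive, for comparison)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [r for r in records if rx.search(r[1])]


def kernel_records(records):
    """Keep only records whose PDB is one of the NT kernel flavours."""
    return [r for r in records if r[1].lower() in KERNEL_PDB_NAMES]


def libvmi_conf(domain: str, sysmap: str) -> str:
    """The /etc/libvmi.conf stanza written with printf earlier in the thread."""
    return f'{domain} {{\n    ostype = "Windows";\n    sysmap = "{sysmap}";\n}}\n'


def _rsds(guid_text: str, age: int, pdb_path: str) -> bytes:
    """Build a synthetic RSDS record (fixture only; GUIDs here are made up)."""
    return (b"RSDS" + uuid.UUID(guid_text).bytes_le + struct.pack("<I", age)
            + pdb_path.encode() + b"\x00")


# Constructed sample "image": three records separated by filler. The PDB names
# mirror the ones seen in the thread; the GUIDs are invented.
SAMPLE_IMAGE = (
    b"\x00" * 0x40
    + _rsds("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", 1, "dxgkrnl.pdb")
    + b"\x90" * 0x20
    + _rsds("12345678-9abc-def0-1234-56789abcdef0", 2, "ntkrpamp.pdb")
    + b"\xcc" * 0x10
    + _rsds("0f0f0f0f-1e1e-2d2d-3c3c-4b4b4b4b4b4b", 1, "C:\\src\\KrnlProv.pdb")
)

if __name__ == "__main__":
    recs = scan_rsds(SAMPLE_IMAGE)
    print("regex 'krnl' keeps:", [r[1] for r in regex_records(recs, "krnl")])
    print("kernel PDBs:       ", [(r[1], r[2]) for r in kernel_records(recs)])
    for _, name, sid in kernel_records(recs):
        print(pdb_url(name, sid))
    print(libvmi_conf("win7x86sp1", "/root/win7x86sp1.json"), end="")
```

Running it prints the contrast this reply describes: the "krnl" filter keeps dxgkrnl.pdb and KrnlProv.pdb and drops ntkrpamp.pdb, while the name-set filter keeps only the kernel record. Feeding the id through symbol_server_id with the thread's ntkrnlmp GUID reproduces the 00625D7D...3FE22 string that fetch_pdb was given above, which is the quickest way to check that the GUID/age formatting matches what win-guid reports.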

tklengyel commented 8 years ago

From the debug output nothing stands out as the source of the error other than it not finding the kernel in memory. It's a bit unusual, but as I said you could also just read the PDB information out with Rekall from the kernel that you find on the disk of the VM (C:\Windows\System32\ntoskrnl.exe). The win-guid step is just a convenience; you can work around it.

jeinstos commented 8 years ago

@tklengyel: In the end I was not able to properly create a rekall profile using the libvmi compiled from the drakvuf branch. I compiled and installed libvmi from the latest commit in master, generated the rekall profile, and then re-installed the drakvuf libvmi branch. The rekall profile generated works well with libvmi tools and DRAKVUF is working as expected.

@JimmyTwoShoes, you may want to generate the rekall profile like I did.

tklengyel commented 8 years ago

@jeinstos: good to know, the only difference right now with the drakvuf branch is the preliminary win10 support is merged in but I guess it needs some more work not to break on win7 ;)

JimmyTwoShoes commented 8 years ago

Using the correct kernel debug symbols (ntkrpamp.pdb), win-guid now works.

@jeinstos thanks!

JimmyTwoShoes commented 8 years ago

Process list on the other hand:

[root@drakvuf libvmi]# ./examples/process-list win7x86sp1
Process listing for VM win7x86sp1 (id=9)
[    4] System (struct addr:8442eab0)
[  240] smss.exe (struct addr:84ae18b8)
[  320] csrss.exe (struct addr:84a91b78)
[  356] csrss.exe (struct addr:84abd0d8)
[  364] wininit.exe (struct addr:84ac8988)
[  404] services.exe (struct addr:84bf8030)
[  420] lsass.exe (struct addr:84bfd030)
[  428] lsm.exe (struct addr:84bff760)
[  528] svchost.exe (struct addr:84d371e8)
[  604] svchost.exe (struct addr:84d21588)
[  664] svchost.exe (struct addr:84d5f030)
[  696] svchost.exe (struct addr:84d6c168)
[  720] svchost.exe (struct addr:84d74030)
[  824] svchost.exe (struct addr:84d94030)
[  916] svchost.exe (struct addr:84dadb78)
[  992] winlogon.exe (struct addr:84dba6d0)
[ 1108] spoolsv.exe (struct addr:84dea788)
[ 1144] svchost.exe (struct addr:84e0a1e8)
[ 1256] svchost.exe (struct addr:84e41030)
[ 1736] dwm.exe (struct addr:84e77d40)
[ 1764] explorer.exe (struct addr:84fa6900)
[ 1792] taskhost.exe (struct addr:84fb22e0)
[ 2024] SearchIndexer. (struct addr:84e33d40)
[  772] taskmgr.exe (struct addr:8502ed40)
[ 1120] sppsvc.exe (struct addr:84fc7a58)
[ 1988] svchost.exe (struct addr:84aeb030)
[ 1404] mmc.exe (struct addr:845ff3d0)
[-2065135200]  (struct addr:82745e60)
[root@drakvuf libvmi]# cd ~/drakvuf
[root@drakvuf drakvuf]# ./src/drakvuf -r /root/win7x86sp1.json -d win7x86sp1 -e /root/9d48.exe
DRAKVUF v0.3-e545d5d
VMI_ERROR: Could not find EPROCESS struct for pid = -1.
Process startup failed
g_mutex_clear() called on uninitialised or locked mutex
Aborted
[root@drakvuf drakvuf]#

Error occurs with both upstream libvmi and drakvuf/libvmi. Still playing with this issue - I fully expect to discover I'm doing something silly...

tklengyel commented 8 years ago

You can't start a binary that is not actually on the disk of the VM and you need to specify the pid (-i) you want to hijack to start it.

tklengyel commented 8 years ago

So since the win-guid error has been solved I'll close this issue for now. Feel free to open another issue if you are having problems.