tklengyel / drakvuf

DRAKVUF Black-box Binary Analysis
https://drakvuf.com

Win 10 1909 guest crashes when running drakvuf and any application #800

Closed chengsteven closed 4 years ago

chengsteven commented 4 years ago

Guest VM has 4GB mem and 1 vcpu. Profile was generated using volatility3/pdbconv.

Crash only occurs when a new application is launched within the VM.

Debug Log:

1581524254.692014 [DKOMmon] Error. Failed to read virtual address.
1581524254.692084 CR3 cb on vCPU 0: 0x4d531002
1581524254.692500 Pre mem cb with vCPU 0 @ 0x2370090 in view 1: r--
1581524254.692527 Switching to altp2m view 0 on vCPU 0
1581524254.692606 Post mem cb @ 0x2370090 vCPU 0 altp2m 0
1581524254.692708 Pre mem cb with vCPU 0 @ 0x2370090 in view 1: r--
1581524254.692729 Switching to altp2m view 0 on vCPU 0
1581524254.692804 Post mem cb @ 0x2370090 vCPU 0 altp2m 0
1581524254.692980 Pre mem cb with vCPU 0 @ 0x2370090 in view 1: r--
1581524254.693001 Switching to altp2m view 0 on vCPU 0
1581524254.693077 Post mem cb @ 0x2370090 vCPU 0 altp2m 0
1581524254.693176 Pre mem cb with vCPU 0 @ 0x2370090 in view 1: r--
1581524254.693197 Switching to altp2m view 0 on vCPU 0
1581524254.693273 Post mem cb @ 0x2370090 vCPU 0 altp2m 0
1581524254.693371 Pre mem cb with vCPU 0 @ 0x22664a8 in view 1: r--
1581524254.693391 Switching to altp2m view 0 on vCPU 0
1581524254.693468 Post mem cb @ 0x22664a8 vCPU 0 altp2m 0
1581524254.693553 Pre mem cb with vCPU 0 @ 0x22664a8 in view 1: rw-
1581524254.693573 Switching to altp2m view 0 on vCPU 0
1581524254.693649 Post mem cb @ 0x22664a8 vCPU 0 altp2m 0
1581524254.693663 Re-copying remapped gfn
1581524254.693818 Pre mem cb with vCPU 0 @ 0x2266160 in view 1: r--
1581524254.693842 Switching to altp2m view 0 on vCPU 0
1581524254.693917 Post mem cb @ 0x2266160 vCPU 0 altp2m 0
1581524254.694000 Pre mem cb with vCPU 0 @ 0x2266160 in view 1: rw-
1581524254.694021 Switching to altp2m view 0 on vCPU 0
1581524254.694098 Post mem cb @ 0x2266160 vCPU 0 altp2m 0
1581524254.694113 Re-copying remapped gfn
1581524254.694266 Pre mem cb with vCPU 0 @ 0x2266160 in view 1: r--
1581524254.694289 Switching to altp2m view 0 on vCPU 0
1581524254.694364 Post mem cb @ 0x2266160 vCPU 0 altp2m 0
1581524254.694453 Pre mem cb with vCPU 0 @ 0x23700d8 in view 1: r--
1581524254.694474 Switching to altp2m view 0 on vCPU 0
1581524254.694552 Post mem cb @ 0x23700d8 vCPU 0 altp2m 0
1581524254.694653 Pre mem cb with vCPU 0 @ 0x2266160 in view 1: r--
1581524254.694673 Switching to altp2m view 0 on vCPU 0
1581524254.694751 Post mem cb @ 0x2266160 vCPU 0 altp2m 0
1581524254.694835 Pre mem cb with vCPU 0 @ 0x2370090 in view 1: r--
1581524254.694856 Switching to altp2m view 0 on vCPU 0
1581524254.694933 Post mem cb @ 0x2370090 vCPU 0 altp2m 0
1581524254.695036 CR3 cb on vCPU 0: 0x56c30001
1581524254.695396 [DKOMmon] Error. Failed to read virtual address.
1581524254.695465 CR3 cb on vCPU 0: 0x4d531002
1581524254.695894 Switching altp2m and to singlestep on vcpu 0
1581524254.695977 reset trap on vCPU 0, switching altp2m 0->1
1581524254.696059 CR3 cb on vCPU 0: 0xd557002
1581524254.696645 CR3 cb on vCPU 0: 0xd556001
1581524254.697031 [DKOMmon] Error. Failed to read virtual address.
1581524254.697099 CR3 cb on vCPU 0: 0xd557002
1581524254.697624 Switching altp2m and to singlestep on vcpu 0
1581524254.697708 reset trap on vCPU 0, switching altp2m 0->1
1581524254.697813 Switching altp2m and to singlestep on vcpu 0
1581524254.697893 reset trap on vCPU 0, switching altp2m 0->1
1581524254.698018 Pre mem cb with vCPU 0 @ 0x2266198 in view 1: r--
1581524254.698040 Switching to altp2m view 0 on vCPU 0
1581524254.698121 Post mem cb @ 0x2266198 vCPU 0 altp2m 0
1581524254.698219 Pre mem cb with vCPU 0 @ 0x22664c8 in view 1: r--
1581524254.698240 Switching to altp2m view 0 on vCPU 0
1581524254.698318 Post mem cb @ 0x22664c8 vCPU 0 altp2m 0
1581524254.698401 Pre mem cb with vCPU 0 @ 0x22664c0 in view 1: r--
1581524254.698422 Switching to altp2m view 0 on vCPU 0
1581524254.698497 Post mem cb @ 0x22664c0 vCPU 0 altp2m 0
1581524254.698599 Switching altp2m and to singlestep on vcpu 0
1581524254.698678 reset trap on vCPU 0, switching altp2m 0->1
1581524254.698756 CR3 cb on vCPU 0: 0xd556001
1581524254.699140 [DKOMmon] Error. Failed to read virtual address.
1581524254.699209 CR3 cb on vCPU 0: 0xd557002
1581524254.699641 Switching altp2m and to singlestep on vcpu 0
1581524254.699724 reset trap on vCPU 0, switching altp2m 0->1
1581524254.699826 Switching altp2m and to singlestep on vcpu 0
1581524254.699904 reset trap on vCPU 0, switching altp2m 0->1
1581524254.699982 CR3 cb on vCPU 0: 0xd556001
1581524254.700340 [DKOMmon] Error. Failed to read virtual address.
1581524254.700406 CR3 cb on vCPU 0: 0xd557002
1581524254.700836 Switching altp2m and to singlestep on vcpu 0
1581524254.700917 reset trap on vCPU 0, switching altp2m 0->1
1581524254.701027 Switching altp2m and to singlestep on vcpu 0
1581524254.701106 reset trap on vCPU 0, switching altp2m 0->1
1581524254.701199 Switching altp2m and to singlestep on vcpu 0
1581524254.701277 reset trap on vCPU 0, switching altp2m 0->1
1581524254.701354 CR3 cb on vCPU 0: 0xd556001
1581524254.701714 [DKOMmon] Error. Failed to read virtual address.
1581524254.701781 CR3 cb on vCPU 0: 0xd557002
1581524254.702217 Switching altp2m and to singlestep on vcpu 0
1581524254.702298 reset trap on vCPU 0, switching altp2m 0->1
1581524254.702407 Switching altp2m and to singlestep on vcpu 0
1581524254.702487 reset trap on vCPU 0, switching altp2m 0->1
1581524254.702599 Pre mem cb with vCPU 0 @ 0x2266198 in view 1: r--
1581524254.702620 Switching to altp2m view 0 on vCPU 0
1581524254.702700 Post mem cb @ 0x2266198 vCPU 0 altp2m 0
1581524254.703101 Pre mem cb with vCPU 0 @ 0x2266958 in view 1: r--
1581524254.703122 Switching to altp2m view 0 on vCPU 0
1581524254.703214 Post mem cb @ 0x2266958 vCPU 0 altp2m 0
chengsteven commented 4 years ago

Using a profile generated by https://github.com/CERT-Polska/drakpdb still crashes the VM

Debug log:

1581525638.473516 [DKOMmon] Error. Failed to read virtual address.
1581525638.473587 CR3 cb on vCPU 0: 0x4d531002
1581525638.474174 CR3 cb on vCPU 0: 0x56c30001
1581525638.474543 [DKOMmon] Error. Failed to read virtual address.
1581525638.474610 CR3 cb on vCPU 0: 0x4d531002
1581525638.475069 Switching altp2m and to singlestep on vcpu 0
1581525638.475154 reset trap on vCPU 0, switching altp2m 0->1
1581525638.475245 Switching altp2m and to singlestep on vcpu 0
1581525638.475342 reset trap on vCPU 0, switching altp2m 0->1
1581525638.475421 CR3 cb on vCPU 0: 0x56c30001
1581525638.475783 [DKOMmon] Error. Failed to read virtual address.
1581525638.475853 CR3 cb on vCPU 0: 0x4d531002
1581525638.476307 Switching altp2m and to singlestep on vcpu 0
1581525638.476389 reset trap on vCPU 0, switching altp2m 0->1
1581525638.476481 Switching altp2m and to singlestep on vcpu 0
1581525638.476562 reset trap on vCPU 0, switching altp2m 0->1
1581525638.476672 CR3 cb on vCPU 0: 0x56c30001
1581525638.477213 [DKOMmon] Error. Failed to read virtual address.
1581525638.477290 CR3 cb on vCPU 0: 0x4d531002
1581525638.477747 Switching altp2m and to singlestep on vcpu 0
1581525638.477828 reset trap on vCPU 0, switching altp2m 0->1
1581525638.477919 Switching altp2m and to singlestep on vcpu 0
1581525638.478017 reset trap on vCPU 0, switching altp2m 0->1
1581525638.478173 Switching altp2m and to singlestep on vcpu 0
1581525638.478254 reset trap on vCPU 0, switching altp2m 0->1
1581525638.478354 Switching altp2m and to singlestep on vcpu 0
1581525638.478448 reset trap on vCPU 0, switching altp2m 0->1
1581525638.478581 CR3 cb on vCPU 0: 0x56c30001
1581525638.478957 [DKOMmon] Error. Failed to read virtual address.
1581525638.479096 CR3 cb on vCPU 0: 0x4d531002
1581525638.479518 Switching altp2m and to singlestep on vcpu 0
1581525638.479600 reset trap on vCPU 0, switching altp2m 0->1
1581525638.479791 Switching altp2m and to singlestep on vcpu 0
1581525638.479873 reset trap on vCPU 0, switching altp2m 0->1
1581525638.479947 CR3 cb on vCPU 0: 0x56c30001
1581525638.480318 [DKOMmon] Error. Failed to read virtual address.
1581525638.480400 CR3 cb on vCPU 0: 0x4d531002
1581525638.480844 Switching altp2m and to singlestep on vcpu 0
1581525638.480925 reset trap on vCPU 0, switching altp2m 0->1
1581525638.481017 Switching altp2m and to singlestep on vcpu 0
1581525638.481088 reset trap on vCPU 0, switching altp2m 0->1
1581525638.481167 CR3 cb on vCPU 0: 0x56c30001
1581525638.481534 [DKOMmon] Error. Failed to read virtual address.
1581525638.481613 CR3 cb on vCPU 0: 0x4d531002
1581525638.482048 Switching altp2m and to singlestep on vcpu 0
1581525638.482130 reset trap on vCPU 0, switching altp2m 0->1
1581525638.482237 Switching altp2m and to singlestep on vcpu 0
1581525638.482327 reset trap on vCPU 0, switching altp2m 0->1
1581525638.482438 CR3 cb on vCPU 0: 0x56c30001
1581525638.482845 [DKOMmon] Error. Failed to read virtual address.
1581525638.482924 CR3 cb on vCPU 0: 0x4d531002
1581525638.483387 Switching altp2m and to singlestep on vcpu 0
1581525638.483471 reset trap on vCPU 0, switching altp2m 0->1
1581525638.483561 Switching altp2m and to singlestep on vcpu 0
1581525638.483639 reset trap on vCPU 0, switching altp2m 0->1
1581525638.483717 CR3 cb on vCPU 0: 0x56c30001
1581525638.484085 [DKOMmon] Error. Failed to read virtual address.
1581525638.484158 CR3 cb on vCPU 0: 0x4d531002
1581525638.484597 Switching altp2m and to singlestep on vcpu 0
1581525638.484677 reset trap on vCPU 0, switching altp2m 0->1
1581525638.484765 CR3 cb on vCPU 0: 0xb3aa002
1581525638.485213 Switching altp2m and to singlestep on vcpu 0
1581525638.485294 reset trap on vCPU 0, switching altp2m 0->1
1581525638.485384 Switching altp2m and to singlestep on vcpu 0
1581525638.485478 reset trap on vCPU 0, switching altp2m 0->1
1581525638.485561 CR3 cb on vCPU 0: 0xeea9001
1581525638.485927 [DKOMmon] Error. Failed to read virtual address.
1581525638.486003 CR3 cb on vCPU 0: 0xb3aa002
1581525638.486442 Switching altp2m and to singlestep on vcpu 0
1581525638.486525 reset trap on vCPU 0, switching altp2m 0->1
1581525638.486659 Switching altp2m and to singlestep on vcpu 0
1581525638.486740 reset trap on vCPU 0, switching altp2m 0->1
1581525638.486817 CR3 cb on vCPU 0: 0xeea9001
1581525638.487217 [DKOMmon] Error. Failed to read virtual address.
1581525638.487310 CR3 cb on vCPU 0: 0xb3aa002
1581525638.487765 Switching altp2m and to singlestep on vcpu 0
1581525638.487847 reset trap on vCPU 0, switching altp2m 0->1
1581525638.487937 Switching altp2m and to singlestep on vcpu 0
1581525638.488015 reset trap on vCPU 0, switching altp2m 0->1
1581525638.488094 CR3 cb on vCPU 0: 0xeea9001
1581525638.488458 [DKOMmon] Error. Failed to read virtual address.
1581525638.488530 CR3 cb on vCPU 0: 0xb3aa002
1581525638.489130 Switching altp2m and to singlestep on vcpu 0
1581525638.489213 reset trap on vCPU 0, switching altp2m 0->1
1581525638.489319 Switching altp2m and to singlestep on vcpu 0
1581525638.489414 reset trap on vCPU 0, switching altp2m 0->1
1581525638.489493 CR3 cb on vCPU 0: 0xeea9001
1581525638.489860 [DKOMmon] Error. Failed to read virtual address.
1581525638.489945 CR3 cb on vCPU 0: 0xb3aa002
1581525638.490416 Switching altp2m and to singlestep on vcpu 0
1581525638.490499 reset trap on vCPU 0, switching altp2m 0->1
1581525638.490642 Switching altp2m and to singlestep on vcpu 0
1581525638.490724 reset trap on vCPU 0, switching altp2m 0->1
1581525638.490803 CR3 cb on vCPU 0: 0xeea9001
1581525638.491188 [DKOMmon] Error. Failed to read virtual address.
1581525638.491260 CR3 cb on vCPU 0: 0xb3aa002
1581525638.491736 Switching altp2m and to singlestep on vcpu 0
1581525638.491819 reset trap on vCPU 0, switching altp2m 0->1
1581525638.491923 Switching altp2m and to singlestep on vcpu 0
1581525638.492004 reset trap on vCPU 0, switching altp2m 0->1
1581525638.492096 CR3 cb on vCPU 0: 0xeea9001
1581525638.492471 [DKOMmon] Error. Failed to read virtual address.
1581525638.492537 CR3 cb on vCPU 0: 0xb3aa002
1581525638.492974 Switching altp2m and to singlestep on vcpu 0
1581525638.493057 reset trap on vCPU 0, switching altp2m 0->1
1581525638.493187 Switching altp2m and to singlestep on vcpu 0
1581525638.493269 reset trap on vCPU 0, switching altp2m 0->1
1581525638.493347 CR3 cb on vCPU 0: 0xeea9001
1581525638.493714 [DKOMmon] Error. Failed to read virtual address.
1581525638.493834 CR3 cb on vCPU 0: 0xb3aa002
1581525638.494271 Switching altp2m and to singlestep on vcpu 0
1581525638.494352 reset trap on vCPU 0, switching altp2m 0->1
1581525638.494442 Switching altp2m and to singlestep on vcpu 0
1581525638.494521 reset trap on vCPU 0, switching altp2m 0->1
1581525638.494596 CR3 cb on vCPU 0: 0xeea9001
1581525638.495003 [DKOMmon] Error. Failed to read virtual address.
1581525638.495067 CR3 cb on vCPU 0: 0xb3aa002
1581525638.495504 Switching altp2m and to singlestep on vcpu 0
1581525638.495587 reset trap on vCPU 0, switching altp2m 0->1
1581525638.495687 Switching altp2m and to singlestep on vcpu 0
1581525638.495788 reset trap on vCPU 0, switching altp2m 0->1
1581525638.495866 CR3 cb on vCPU 0: 0xeea9001
1581525638.496229 [DKOMmon] Error. Failed to read virtual address.
1581525638.496306 CR3 cb on vCPU 0: 0xb3aa002
1581525638.496789 Switching altp2m and to singlestep on vcpu 0
1581525638.496898 reset trap on vCPU 0, switching altp2m 0->1
1581525638.497002 CR3 cb on vCPU 0: 0x15fc0002
1581525638.497592 CR3 cb on vCPU 0: 0x161bf001
1581525638.497967 [DKOMmon] Error. Failed to read virtual address.
1581525638.498264 CR3 cb on vCPU 0: 0x15fc0002
1581525638.498691 Switching altp2m and to singlestep on vcpu 0
1581525638.498777 reset trap on vCPU 0, switching altp2m 0->1
1581525638.498874 Switching altp2m and to singlestep on vcpu 0
1581525638.498951 reset trap on vCPU 0, switching altp2m 0->1
1581525638.499049 CR3 cb on vCPU 0: 0x161bf001
1581525638.499412 [DKOMmon] Error. Failed to read virtual address.
1581525638.499475 CR3 cb on vCPU 0: 0x15fc0002
1581525638.499915 Switching altp2m and to singlestep on vcpu 0
1581525638.499994 reset trap on vCPU 0, switching altp2m 0->1
1581525638.500091 Switching altp2m and to singlestep on vcpu 0
1581525638.500169 reset trap on vCPU 0, switching altp2m 0->1
1581525638.500246 CR3 cb on vCPU 0: 0x161bf001
1581525638.500615 [DKOMmon] Error. Failed to read virtual address.
1581525638.500678 CR3 cb on vCPU 0: 0x15fc0002
1581525638.501116 Switching altp2m and to singlestep on vcpu 0
1581525638.501195 reset trap on vCPU 0, switching altp2m 0->1
1581525638.501275 CR3 cb on vCPU 0: 0x161bf001
1581525638.501641 [DKOMmon] Error. Failed to read virtual address.
1581525638.501710 CR3 cb on vCPU 0: 0x15fc0002
1581525638.502160 Switching altp2m and to singlestep on vcpu 0
1581525638.502240 reset trap on vCPU 0, switching altp2m 0->1
1581525638.502327 Switching altp2m and to singlestep on vcpu 0
1581525638.502399 reset trap on vCPU 0, switching altp2m 0->1
1581525638.502474 CR3 cb on vCPU 0: 0x161bf001
1581525638.502846 [DKOMmon] Error. Failed to read virtual address.
1581525638.502925 CR3 cb on vCPU 0: 0x15fc0002
1581525638.503365 Switching altp2m and to singlestep on vcpu 0
1581525638.503445 reset trap on vCPU 0, switching altp2m 0->1
1581525638.503529 CR3 cb on vCPU 0: 0x10122d002
1581525638.504120 Switching altp2m and to singlestep on vcpu 0
1581525638.504203 reset trap on vCPU 0, switching altp2m 0->1
1581525638.504316 Switching altp2m and to singlestep on vcpu 0
1581525638.504396 reset trap on vCPU 0, switching altp2m 0->1
1581525638.504650 CR3 cb on vCPU 0: 0x1aa002
1581525638.505058 CR3 cb on vCPU 0: 0x10122d002
1581525638.505486 CR3 cb on vCPU 0: 0x6fbce002
1581525638.506036 Switching altp2m and to singlestep on vcpu 0
1581525638.506123 reset trap on vCPU 0, switching altp2m 0->1
1581525638.506227 CR3 cb on vCPU 0: 0x377cd001
1581525638.506621 [DKOMmon] Error. Failed to read virtual address.
1581525638.506726 CR3 cb on vCPU 0: 0x6fbce002
1581525638.507196 Switching altp2m and to singlestep on vcpu 0
1581525638.507279 reset trap on vCPU 0, switching altp2m 0->1
1581525638.507374 Switching altp2m and to singlestep on vcpu 0
1581525638.507448 reset trap on vCPU 0, switching altp2m 0->1
1581525638.507525 CR3 cb on vCPU 0: 0x377cd001
1581525638.507891 [DKOMmon] Error. Failed to read virtual address.
1581525638.507960 CR3 cb on vCPU 0: 0x6fbce002
1581525638.508399 Switching altp2m and to singlestep on vcpu 0
1581525638.508479 reset trap on vCPU 0, switching altp2m 0->1
1581525638.508574 Switching altp2m and to singlestep on vcpu 0
1581525638.508653 reset trap on vCPU 0, switching altp2m 0->1
1581525638.508729 CR3 cb on vCPU 0: 0x377cd001
1581525638.509098 [DKOMmon] Error. Failed to read virtual address.
1581525638.509164 CR3 cb on vCPU 0: 0x6fbce002
1581525638.509601 Switching altp2m and to singlestep on vcpu 0
1581525638.509683 reset trap on vCPU 0, switching altp2m 0->1
1581525638.509851 Switching altp2m and to singlestep on vcpu 0
1581525638.509934 reset trap on vCPU 0, switching altp2m 0->1
1581525638.510011 CR3 cb on vCPU 0: 0x377cd001
1581525638.510525 [DKOMmon] Error. Failed to read virtual address.
1581525638.510775 CR3 cb on vCPU 0: 0x6fbce002
1581525638.511227 Switching altp2m and to singlestep on vcpu 0
1581525638.511311 reset trap on vCPU 0, switching altp2m 0->1
1581525638.511404 Switching altp2m and to singlestep on vcpu 0
1581525638.511477 reset trap on vCPU 0, switching altp2m 0->1
1581525638.511555 CR3 cb on vCPU 0: 0x377cd001
1581525638.511925 [DKOMmon] Error. Failed to read virtual address.
1581525638.511989 CR3 cb on vCPU 0: 0x6fbce002
1581525638.512426 Switching altp2m and to singlestep on vcpu 0
1581525638.512506 reset trap on vCPU 0, switching altp2m 0->1
1581525638.512594 CR3 cb on vCPU 0: 0x71e73002
1581525638.513129 Switching altp2m and to singlestep on vcpu 0
1581525638.513212 reset trap on vCPU 0, switching altp2m 0->1
1581525638.513298 CR3 cb on vCPU 0: 0x22872001
1581525638.513718 [DKOMmon] Error. Failed to read virtual address.
1581525638.513913 CR3 cb on vCPU 0: 0x71e73002
1581525638.514361 Switching altp2m and to singlestep on vcpu 0
1581525638.514448 reset trap on vCPU 0, switching altp2m 0->1
1581525638.514586 Switching altp2m and to singlestep on vcpu 0
1581525638.514666 reset trap on vCPU 0, switching altp2m 0->1
1581525638.514743 CR3 cb on vCPU 0: 0x22872001
1581525638.515148 [DKOMmon] Error. Failed to read virtual address.
1581525638.515248 CR3 cb on vCPU 0: 0x71e73002
1581525638.515698 Switching altp2m and to singlestep on vcpu 0
1581525638.515779 reset trap on vCPU 0, switching altp2m 0->1
1581525638.515874 Switching altp2m and to singlestep on vcpu 0
1581525638.515950 reset trap on vCPU 0, switching altp2m 0->1
1581525638.516029 CR3 cb on vCPU 0: 0x22872001
1581525638.516392 [DKOMmon] Error. Failed to read virtual address.
1581525638.516544 CR3 cb on vCPU 0: 0x71e73002
1581525638.519168 Switching altp2m and to singlestep on vcpu 0
1581525638.519253 reset trap on vCPU 0, switching altp2m 0->1
1581525638.519394 Switching altp2m and to singlestep on vcpu 0
1581525638.519478 reset trap on vCPU 0, switching altp2m 0->1
1581525638.519559 CR3 cb on vCPU 0: 0x22872001
1581525638.521386 [DKOMmon] Error. Failed to read virtual address.
1581525638.521458 CR3 cb on vCPU 0: 0x71e73002
1581525638.522061 CR3 cb on vCPU 0: 0x22872001
1581525638.522419 [DKOMmon] Error. Failed to read virtual address.
1581525638.522504 CR3 cb on vCPU 0: 0x71e73002
1581525638.522986 Switching altp2m and to singlestep on vcpu 0
1581525638.523071 reset trap on vCPU 0, switching altp2m 0->1
1581525638.523185 Switching altp2m and to singlestep on vcpu 0
1581525638.523286 reset trap on vCPU 0, switching altp2m 0->1
1581525638.523363 CR3 cb on vCPU 0: 0x22872001
1581525638.523748 [DKOMmon] Error. Failed to read virtual address.
1581525638.523881 CR3 cb on vCPU 0: 0x71e73002
1581525638.524386 Switching altp2m and to singlestep on vcpu 0
1581525638.524468 reset trap on vCPU 0, switching altp2m 0->1
1581525638.524561 CR3 cb on vCPU 0: 0x35a24002
1581525638.525136 Switching altp2m and to singlestep on vcpu 0
1581525638.525239 reset trap on vCPU 0, switching altp2m 0->1
1581525638.525316 CR3 cb on vCPU 0: 0x37a23001
1581525638.525702 [DKOMmon] Error. Failed to read virtual address.
1581525638.525781 CR3 cb on vCPU 0: 0x35a24002
1581525638.526237 Switching altp2m and to singlestep on vcpu 0
1581525638.526321 reset trap on vCPU 0, switching altp2m 0->1
1581525638.526427 Switching altp2m and to singlestep on vcpu 0
1581525638.526499 reset trap on vCPU 0, switching altp2m 0->1
1581525638.526578 CR3 cb on vCPU 0: 0x37a23001
1581525638.526966 [DKOMmon] Error. Failed to read virtual address.
1581525638.527037 CR3 cb on vCPU 0: 0x35a24002
1581525638.527483 Switching altp2m and to singlestep on vcpu 0
1581525638.527566 reset trap on vCPU 0, switching altp2m 0->1
1581525638.527669 Switching altp2m and to singlestep on vcpu 0
1581525638.527769 reset trap on vCPU 0, switching altp2m 0->1
1581525638.527849 CR3 cb on vCPU 0: 0x37a23001
1581525638.528232 [DKOMmon] Error. Failed to read virtual address.
1581525638.528298 CR3 cb on vCPU 0: 0x35a24002
1581525638.528742 Switching altp2m and to singlestep on vcpu 0
1581525638.528826 reset trap on vCPU 0, switching altp2m 0->1
1581525638.528928 Switching altp2m and to singlestep on vcpu 0
1581525638.529026 reset trap on vCPU 0, switching altp2m 0->1
1581525638.529103 CR3 cb on vCPU 0: 0x37a23001
1581525638.529469 [DKOMmon] Error. Failed to read virtual address.
1581525638.529554 CR3 cb on vCPU 0: 0x35a24002
1581525638.529999 Switching altp2m and to singlestep on vcpu 0
1581525638.530082 reset trap on vCPU 0, switching altp2m 0->1
1581525638.530200 Switching altp2m and to singlestep on vcpu 0
1581525638.530281 reset trap on vCPU 0, switching altp2m 0->1
1581525638.530359 CR3 cb on vCPU 0: 0x37a23001
1581525638.530725 [DKOMmon] Error. Failed to read virtual address.
1581525638.530969 CR3 cb on vCPU 0: 0x35a24002
1581525638.531392 Switching altp2m and to singlestep on vcpu 0
1581525638.531475 reset trap on vCPU 0, switching altp2m 0->1
1581525638.531632 Switching altp2m and to singlestep on vcpu 0
1581525638.531713 reset trap on vCPU 0, switching altp2m 0->1
1581525638.531824 Switching altp2m and to singlestep on vcpu 0
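The two debug logs above are long runs of the same few event types, and the useful signal in them is which address space was active when each "[DKOMmon] Error. Failed to read virtual address." fired. The following triage script is an added example, not part of the DRAKVUF project or of the reporter's post: it parses lines in the format shown above, counts event kinds, and attributes each plugin error to the CR3 most recently reported for that vCPU. The short sample log embedded in it is a constructed excerpt in the same format; the 12-bit PCID mask reflects how x86-64 encodes CR3 when PCIDs are enabled, and whether those CR3 pairs are kernel/user shadow tables is left for the reader to confirm against the guest.

```python
import re
import sys
from collections import Counter

# Constructed sample: a short excerpt in the same line format as the DRAKVUF
# debug logs posted in this issue (epoch timestamp, then the message).
SAMPLE_LOG = """\
1581524254.692014 [DKOMmon] Error. Failed to read virtual address.
1581524254.692084 CR3 cb on vCPU 0: 0x4d531002
1581524254.692500 Pre mem cb with vCPU 0 @ 0x2370090 in view 1: r--
1581524254.692527 Switching to altp2m view 0 on vCPU 0
1581524254.692606 Post mem cb @ 0x2370090 vCPU 0 altp2m 0
1581524254.695036 CR3 cb on vCPU 0: 0x56c30001
1581524254.695396 [DKOMmon] Error. Failed to read virtual address.
1581524254.695465 CR3 cb on vCPU 0: 0x4d531002
1581524254.695894 Switching altp2m and to singlestep on vcpu 0
1581524254.695977 reset trap on vCPU 0, switching altp2m 0->1
1581524254.696059 CR3 cb on vCPU 0: 0xd557002
1581524254.696645 CR3 cb on vCPU 0: 0xd556001
1581524254.697031 [DKOMmon] Error. Failed to read virtual address.
1581524254.697099 CR3 cb on vCPU 0: 0xd557002
"""

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<msg>.*)$")
CR3_RE = re.compile(r"CR3 cb on vCPU (?P<vcpu>\d+): (?P<cr3>0x[0-9a-fA-F]+)")
ERR_RE = re.compile(r"^\[(?P<plugin>\w+)\] Error")

# With CR4.PCIDE set, the low 12 bits of CR3 hold the PCID, not part of the
# page-table base; mask them off so errors are grouped by page-table base.
PCID_MASK = 0xFFF

EVENT_KINDS = (
    ("CR3 cb", "cr3_switch"),
    ("Pre mem cb", "mem_pre"),
    ("Post mem cb", "mem_post"),
    ("Switching altp2m and to singlestep", "singlestep"),
    ("reset trap", "trap_reset"),
    ("Switching to altp2m view", "view_switch"),
    ("Re-copying remapped gfn", "gfn_recopy"),
)


def parse_log(text):
    """Yield (timestamp, message) for every line that carries a timestamp."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m.group("ts")), m.group("msg")


def kind_of(msg):
    """Map a message to a coarse event kind ('error' for plugin errors)."""
    if ERR_RE.match(msg):
        return "error"
    for prefix, kind in EVENT_KINDS:
        if msg.startswith(prefix):
            return kind
    return "other"


def triage(text):
    """Summarise a debug log: event counts, errors per (vCPU, CR3 base), time span.

    An error is attributed to the CR3 most recently reported for the vCPU of
    the last CR3 callback, i.e. the address space the read was attempted in.
    """
    counts = Counter()
    errors_by_cr3 = Counter()
    unattributed = 0
    current_cr3 = {}          # vcpu -> CR3 with PCID bits cleared
    last_vcpu = None
    first = last = None

    for ts, msg in parse_log(text):
        first = ts if first is None else first
        last = ts
        kind = kind_of(msg)
        counts[kind] += 1
        if kind == "cr3_switch":
            m = CR3_RE.search(msg)
            last_vcpu = int(m.group("vcpu"))
            current_cr3[last_vcpu] = int(m.group("cr3"), 16) & ~PCID_MASK
        elif kind == "error":
            if last_vcpu is None:
                unattributed += 1   # excerpt starts before any CR3 callback
            else:
                errors_by_cr3[(last_vcpu, current_cr3[last_vcpu])] += 1

    return {
        "counts": dict(counts),
        "errors_by_cr3": dict(errors_by_cr3),
        "unattributed_errors": unattributed,
        "span_seconds": (last - first) if first is not None else 0.0,
    }


def report(summary):
    """Render the triage summary as text (used by the CLI entry point below)."""
    lines = [f"events: {summary['counts']}",
             f"span: {summary['span_seconds']:.6f}s",
             f"unattributed errors: {summary['unattributed_errors']}"]
    for (vcpu, cr3), n in sorted(summary["errors_by_cr3"].items(), key=lambda kv: -kv[1]):
        lines.append(f"vCPU {vcpu} CR3 base {cr3:#x}: {n} read failure(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python triage_drakvuf_log.py [debug.log]; with no file, the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(triage(text)))
```

Run against a full debug log, the per-CR3 table shows whether the read failures cluster in one address space (one process context, here the one created when the application is launched) or are spread across all of them, which is the first thing to know before bisecting plugins.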
tklengyel commented 4 years ago

The guest should never crash irrespective of what tool you used to generate the json profile. I would ask you to try to disable all plugins and enable them one-by-one to see if it's a particular plugin that causes this issue for you.

tklengyel commented 4 years ago

Also, describe what you mean by crash: is it a blue screen or the VM itself crashes? Posting the Xen log would also be helpful.

chengsteven commented 4 years ago

Crash as in no blue screen and when running xl list, the VM is no longer there.

Just tested running the application itself without drakvuf running and no crash occurs.

I'm not sure where to get the best Xen logs. Is the recommended way using xen-bugtool or /var/log/xen/?

xl-win10.log:

Waiting for domain win10 (domid 314) to die [pid 23429]
Domain 314 has been destroyed.

qemu-dm-win10.log:

qemu-system-i386: -usbdevice tablet: '-usbdevice' is deprecated, please use '-device usb-...' instead
xen_ram_alloc: do not alloc 10f800000 bytes of ram at 0 when runstate is INMIGRATE
xen_ram_alloc: do not alloc 800000 bytes of ram at 10f800000 when runstate is INMIGRATE
xen_ram_alloc: do not alloc 10000 bytes of ram at 110000000 when runstate is INMIGRATE
xen_ram_alloc: do not alloc 40000 bytes of ram at 110040000 when runstate is INMIGRATE
VNC server running on 127.0.0.1:5935
Replacing a dummy mapcache entry for 000000010f800000 with 00000000f0000000
qemu-system-i386: Expected vmdescription section, but got 0
qemu-system-i386: terminating on signal 1 from pid 24300 (xl)
chengsteven commented 4 years ago

Ran drakvuf w/ only syscalls plugin and crash occurs.

tklengyel commented 4 years ago

OK so if the VM just disappears that means that Xen must have crashed it. You get the Xen log by running xl dmesg. You might have to compile a debug version of Xen as well and add loglvl=all guestloglvl=all to your Xen boot command line to get a more in-depth log.

chengsteven commented 4 years ago

I'll try to extract some xen logs, but will have to find some new hardware since the current box is being used by many people.

In the meantime, tested on Win10 1809 instead and it works better. Instead of Xen destroying the VM, we are seeing that the VM is in the shutdown|crashed state in xl list.

No 'crash' is seen when not running drakvuf however. Any thoughts?
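The plugin-by-plugin bisection tklengyel asks for above, combined with the two failure modes this thread reports (the domain vanishing from xl list on 1909, the domain sitting in a shutdown or crashed state on 1809), is mechanical enough to script. The following is an added example, not DRAKVUF project code: it classifies a domain's xl list state, runs one plugin per DRAKVUF invocation, stops at the first run that takes the guest down, and offers an xl dmesg tail for the Xen log. The xl list samples are constructed, and the drakvuf flags (-r profile, -d domid, -a plugin, -t seconds) are assumptions to be checked against the installed version's --help; the plugin names other than syscalls are real DRAKVUF plugins but do not appear in this thread.

```python
import subprocess

# Constructed samples of `xl list` output in the column layout xl prints
# (Name, ID, Mem, VCPUs, State, Time). State flags, left to right:
# r running, b blocked, p paused, s shutdown, c crashed, d dying.
XL_LIST_ALIVE = """\
Name                                        ID   Mem VCPUs      State   Time(s)
Domain-0                                     0  4096     4     r-----   12345.6
win10                                      314  4096     1     -b----      88.1
"""
XL_LIST_CRASHED = """\
Name                                        ID   Mem VCPUs      State   Time(s)
Domain-0                                     0  4096     4     r-----   12350.2
win10                                      314  4096     1     ---c--      90.4
"""
XL_LIST_GONE = """\
Name                                        ID   Mem VCPUs      State   Time(s)
Domain-0                                     0  4096     4     r-----   12355.9
"""


def domain_state(xl_list_output, name):
    """Return the State column for domain `name`, or None if it is not listed."""
    for line in xl_list_output.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) >= 5 and cols[0] == name:
            return cols[4]
    return None


def classify(state):
    """Collapse an xl state string into: alive, shutdown, crashed, gone."""
    if state is None:
        return "gone"          # Xen destroyed the domain, as in the 1909 report
    if "c" in state:
        return "crashed"
    if "s" in state or "d" in state:
        return "shutdown"      # the 1809 case: domain still listed, not running
    return "alive"


def bisect_plugins(plugins, run_with_plugin, guest_state):
    """Enable one plugin per DRAKVUF run and record the guest's state after each.

    run_with_plugin(plugin) must block until that run has ended; guest_state()
    returns a classify() result. Stops at the first run that takes the guest
    down, because the domain has to be recreated before the next run.
    """
    results = {}
    for plugin in plugins:
        run_with_plugin(plugin)
        results[plugin] = guest_state()
        if results[plugin] != "alive":
            break
    return results


# Real drivers. Assumed drakvuf flags: -r profile, -d domid, -a plugin, -t seconds.

def make_drakvuf_runner(profile, domid, seconds=60):
    def run(plugin):
        cmd = ["drakvuf", "-r", profile, "-d", str(domid), "-a", plugin, "-t", str(seconds)]
        subprocess.run(cmd, check=False)   # a dead guest makes drakvuf exit non-zero
    return run


def make_xl_state_probe(name):
    def probe():
        out = subprocess.run(["xl", "list"], capture_output=True, text=True, check=True).stdout
        return classify(domain_state(out, name))
    return probe


def xen_log_tail(lines=40):
    """Last lines of `xl dmesg`, the log tklengyel asks for when Xen kills a guest."""
    out = subprocess.run(["xl", "dmesg"], capture_output=True, text=True, check=False).stdout
    return "\n".join(out.splitlines()[-lines:])


def demo():
    """Offline walk-through on the constructed samples: syscalls is the culprit."""
    probes = iter([XL_LIST_ALIVE, XL_LIST_ALIVE, XL_LIST_GONE])
    return bisect_plugins(
        ["procmon", "filetracer", "syscalls", "regmon"],
        run_with_plugin=lambda plugin: None,          # no guest in the demo
        guest_state=lambda: classify(domain_state(next(probes), "win10")),
    )


if __name__ == "__main__":
    print(demo())   # {'procmon': 'alive', 'filetracer': 'alive', 'syscalls': 'gone'}
```

On a real host you would pass make_drakvuf_runner(profile, domid) and make_xl_state_probe("win10") to bisect_plugins, and call xen_log_tail() as soon as the result is anything but "alive", before the ring buffer is overwritten.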

tklengyel commented 4 years ago

since the current box is being used by many people

I suspect if this is a production system then it isn't running Xen 4.13 (the latest version) which is required.

kaboreka commented 4 years ago

I have the same error. I didn't get any error while monitoring a Win7 VM, but in Windows 10 my system is going to crash. (Xen 4.13)

chengsteven commented 4 years ago

I can verify that it was running Xen 4.13 through xl info; however, this was installed via apt-get. On a new box, I built the latest Xen from source and this issue no longer pops up.

tklengyel commented 4 years ago

That's interesting, no clue why that would happen. Perhaps whoever compiled the package disabled some Xen feature we need.

icedevml commented 4 years ago

Xen's altp2m is a pretty bleeding-edge feature, thus DRAKVUF expects that Xen is built from a particular commit, and compatibility is assured against this particular commit but nothing more.

You may check drakvuf-releases: https://github.com/tklengyel/drakvuf-builds/releases

This is a big bundle which incorporates Xen, LibVMI and DRAKVUF in compatible versions/configurations. On the regular APT the configuration is sometimes different and some auxiliary patches are applied.