tklengyel / drakvuf

DRAKVUF Black-box Binary Analysis
https://drakvuf.com

How to stop drakvuf correctly? Ctrl+C occasionally freezes my VM #991

Closed h4b4n3r0 closed 3 years ago

h4b4n3r0 commented 4 years ago

Hey guys,

Sometimes when I stop drakvuf with Ctrl+C it freezes my windows guest vm. I have no idea what happens there, but I have to destroy my vm and recreate it.

Is Ctrl+C the recommended way to stop a drakvuf monitoring session?

If I can provide any information I would be glad to help you. Thank you

icedevml commented 4 years ago

Could you check with the -a syscalls command line option? Do you still have freezes on Ctrl-C?

Stopping with Ctrl-C is the recommended option and it is explicitly handled in the code.

h4b4n3r0 commented 4 years ago

I'm currently running it already with -a syscalls.

sudo /pathto/drakvuf -r /win10.json -d win10 -S /pathto/syscalls_to_monitor -a syscalls | grep "name_of.exe"

icedevml commented 4 years ago

Could you paste your xl info?

h4b4n3r0 commented 3 years ago

Today it happened again:

Last lines of:

sudo ./src/drakvuf -r /root/win10.json -d win10  -S ~/drakvuf/masterthesis/syscallsmonitor -a syscalls
...
...
...
[SYSCALL] TIME:1601388275.939615 VCPU:1 CR3:0x6585D002 "\Device\HarddiskVolume2\Windows\System32\usocoreworker.exe":NtQueryValueKey SessionID:0 PID:2476 PPID:752 Module:"nt" vCPU:1 CR3:0x6585D002 Syscall:23 NArgs:6 KeyHandle:0x5D0 ValueName:"ConfigSourceConstrainedByCspFilter" KeyValueInformationClass:0x2 KeyValueInformation:0xC537B7BFF0 Length:0x14 ResultLength:0xC537B7BF88
^C[SYSCALL] TIME:1601388275.939766 VCPU:0 CR3:0x3D094002 "\Device\HarddiskVolume2\Windows\System32\svchost.exe":NtSetTimer2 SessionID:0 PID:1020 PPID:612 Module:"nt" vCPU:0 CR3:0x3D094002 Syscall:424 NArgs:0 
[SYSRET] TIME:1601388275.939842 VCPU:1 CR3:0x6585D002 "\Device\HarddiskVolume2\Windows\System32\usocoreworker.exe":NtQueryValueKey SessionID:0 PID:2476 PPID:752 Module:"nt" vCPU:1 CR3:0x6585D002 Syscall:23 Ret:0 Info:STATUS_SUCCESS

And the information you requested:

sudo xl info
host                   : kali-W350SKQ-W370SK
release                : 5.4.0-48-generic
version                : #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020
machine                : x86_64
nr_cpus                : 4
max_cpu_id             : 7
nr_nodes               : 1
cores_per_socket       : 4
threads_per_core       : 1
cpu_mhz                : 2394.454
hw_caps                : bfebfbff:76daf3bf:2c100800:00000021:00000001:000027ab:00000000:00000100
virt_caps              : pv hvm hap shadow
total_memory           : 16272
free_memory            : 8958
sharing_freed_memory   : 0
sharing_used_memory    : 0
outstanding_claims     : 0
free_cpus              : 0
xen_major              : 4
xen_minor              : 14
xen_extra              : .0
xen_version            : 4.14.0
xen_caps               : xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64 
xen_scheduler          : credit2
xen_pagesize           : 4096
platform_params        : virt_start=0xffff800000000000
xen_changeset          : 
xen_commandline        : placeholder dom0_mem=4096M,max:4096M dom0_max_vcpus=4 dom0_vcpus_pin=1 force-ept=1 ept=pml=0 hap_1gb=0 hap_2mb=0 altp2m=1 smt=0
cc_compiler            : gcc (Ubuntu 9.3.0-10ubuntu2) 9.3.0
cc_compile_by          : kali
cc_compile_domain      : 
cc_compile_date        : Sat Sep 12 16:08:58 CEST 2020
build_id               : 81d3da994b309cd8e7262d6b23c75ab255d8071b
xend_config_format     : 4

It is somehow strange, since vncviewer does not react to key presses or mouse input anymore, but when restarting the above-mentioned drakvuf command it still gives me some output. So it might rather be some problem with my TigerVNC vncviewer? Strangely, anyway, this happens only when quitting drakvuf with Ctrl+C.
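
Before destroying a guest that stops responding after the monitoring session is interrupted, it is worth checking how Xen itself sees the domain: a guest that is merely left paused by the toolstack looks frozen in the VNC viewer but can simply be unpaused, while a crashed or dying domain cannot. The helper below is an added example written for this thread, not code from the DRAKVUF project; it assumes the `xl` toolstack is on PATH for live use and that `xl list` prints the columns Name, ID, Mem, VCPUs, State and Time(s). The sample `xl list` output embedded in it is constructed so the functions can be exercised offline.

```sh
#!/bin/sh
# Added diagnostic helper (not part of DRAKVUF): read the Xen state flags of a
# guest domain from `xl list` output and explain what they mean, so a "frozen"
# guest can be told apart from a crashed one before it is destroyed.
# Assumption: `xl list` columns are Name ID Mem VCPUs State Time(s), and the
# State field uses the flags r (running), b (blocked), p (paused),
# s (shutdown), c (crashed), d (dying), as documented for xl.

# Constructed sample of `xl list` output for offline demonstration; the guest
# "win10" here has been left paused.
SAMPLE_XL_LIST='Name                                        ID   Mem VCPUs State   Time(s)
Domain-0                                     0  4096     4     r-----     123.4
win10                                        2  4096     2     --p---      56.7'

# domain_state TEXT NAME: print the 6-character state field of domain NAME
# found in TEXT (the output of `xl list`); exit non-zero if NAME is absent.
domain_state() {
    printf '%s\n' "$1" | awk -v dom="$2" '
        $1 == dom { print $5; found = 1 }
        END { exit !found }'
}

# explain_state FLAGS: print a one-line interpretation of the state flags and
# the recommended next step for an operator.
explain_state() {
    flags=$1
    case $flags in
        *c*) echo "crashed: the guest hit a fatal error; keep logs, then recreate the VM" ;;
        *d*) echo "dying: Xen is tearing the domain down; wait, then check 'xl list' again" ;;
        *p*) echo "paused: suspended by the toolstack, not dead; 'xl unpause <name>' resumes it" ;;
        *s*) echo "shutdown: the guest shut itself down; restart it with 'xl create'" ;;
        r*)  echo "running: a vCPU is executing now; a frozen display points at the viewer, not Xen" ;;
        *b*) echo "blocked: running but idle, waiting for an event (normal for an idle guest)" ;;
        *)   echo "unknown state flags: $flags" ;;
    esac
}

# check_guest NAME: live variant that queries the local Xen toolstack.
check_guest() {
    listing=$(xl list 2>/dev/null) || { echo "xl list failed (not running as root on a Xen dom0?)" >&2; return 1; }
    state=$(domain_state "$listing" "$1") || { echo "domain '$1' not found" >&2; return 1; }
    echo "$1: $state -> $(explain_state "$state")"
}

# Stand-alone use: `sh check_guest.sh win10` queries the live toolstack;
# without arguments, run the constructed sample through the same logic.
if [ $# -gt 0 ] && command -v xl >/dev/null 2>&1; then
    check_guest "$1"
elif [ $# -eq 0 ]; then
    for dom in Domain-0 win10; do
        st=$(domain_state "$SAMPLE_XL_LIST" "$dom")
        echo "$dom: $st -> $(explain_state "$st")"
    done
fi
```

For the symptom described in this thread, a `--p---` state after an interrupted session means the domain only needs `xl unpause win10`; `xl vcpu-list win10` then confirms that its vCPUs are scheduled again. A guest that shows `r-----` or `-b----` while the VNC window stays dead points at the viewer connection rather than the guest.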

h4b4n3r0 commented 3 years ago

Currently the guest crashes very often, but now it's at the beginning of monitoring: this is all I get. It might have something to do with the -S flag. I have the feeling it occurs quite often when using -S.

sudo ./src/drakvuf -r /root/win10.json -d win10 -a syscalls -S /xenguest/syscallsmonitor | grep testexe2.exe
1601409579.460668 DRAKVUF v0.8-git20200828135902+72a2535-1 Copyright (C) 2014-2020 Tamas K Lengyel

Again, here is my xl info:

sudo xl info
host                   : kali-W350SKQ-W370SK
release                : 5.4.0-48-generic
version                : #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020
machine                : x86_64
nr_cpus                : 4
max_cpu_id             : 7
nr_nodes               : 1
cores_per_socket       : 4
threads_per_core       : 1
cpu_mhz                : 2394.474
hw_caps                : bfebfbff:76daf3bf:2c100800:00000021:00000001:000027ab:00000000:00000100
virt_caps              : pv hvm hap shadow
total_memory           : 16272
free_memory            : 8958
sharing_freed_memory   : 0
sharing_used_memory    : 0
outstanding_claims     : 0
free_cpus              : 0
xen_major              : 4
xen_minor              : 14
xen_extra              : .0
xen_version            : 4.14.0
xen_caps               : xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64 
xen_scheduler          : credit2
xen_pagesize           : 4096
platform_params        : virt_start=0xffff800000000000
xen_changeset          : 
xen_commandline        : placeholder dom0_mem=4096M,max:4096M dom0_max_vcpus=4 dom0_vcpus_pin=1 force-ept=1 ept=pml=0 hap_1gb=0 hap_2mb=0 altp2m=1 smt=0
cc_compiler            : gcc (Ubuntu 9.3.0-10ubuntu2) 9.3.0
cc_compile_by          : kali
cc_compile_domain      : 
cc_compile_date        : Sat Sep 12 16:08:58 CEST 2020
build_id               : 81d3da994b309cd8e7262d6b23c75ab255d8071b
xend_config_format     : 4

h4b4n3r0 commented 3 years ago

Since this hasn't happened in the last few weeks, I'll close it.