Rust vmm initialization gets stuck with pmem

[Blightbuster]

Initializing vmm with the following parameters gets stuck right after this output in the console:

LcMemMap_AddRange: 0000000000001000-000000000009ffff -> 0000000000001000
LcMemMap_AddRange: 0000000000100000-0000000009afefff -> 0000000000100000
LcMemMap_AddRange: 000000000a000000-000000000a1fffff -> 000000000a000000
LcMemMap_AddRange: 000000000a210000-000000000affffff -> 000000000a210000
LcMemMap_AddRange: 000000000b021000-000000006e590fff -> 000000000b021000
LcMemMap_AddRange: 0000000079fff000-000000007bff8fff -> 0000000079fff000
LcMemMap_AddRange: 000000007bffe000-000000007bffffff -> 000000007bffe000
LcMemMap_AddRange: 0000000100000000-000000105de7ffff -> 0000000100000000
LeechCore v2.19.2: Open Device: pmem
[CORE]     DTB  located at: 00000000001ae000. MemoryModel: X64
[CORE]     NTOS located at: fffff80047e00000
[CORE]     PsInitialSystemProcess located at fffff80048b1ea60
[CORE]     EPROCESS located at ffffa50d0cfb6040
[PROCESS]  SYSTEM DTB: 00000000001ae000 EPROCESS: ffffa50d0cfb6040
0000    03 00 00 00 00 00 00 00  48 60 fb 0c 0d a5 ff ff   ........H`......
0010    48 60 fb 0c 0d a5 ff ff  58 60 fb 0c 0d a5 ff ff   H`......X`......
0020    58 60 fb 0c 0d a5 ff ff  00 e0 1a 00 00 00 00 00   X`..............
0030    38 83 f3 0c 0d a5 ff ff  78 c3 98 c2 0d a5 ff ff   8.......x.......
...
07c0    80 88 26 19 0d a5 ff ff  40 98 07 0e 0d a5 ff ff   ..&.....@.......
07d0    8c 01 00 00 03 01 00 00  b0 b0 cf 10 0d a5 ff ff   ................
07e0    90 ad cf 10 0d a5 ff ff  15 00 00 00 00 00 00 00   ................
07f0    00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
[PROCESS]  OK: TRUE
[PROCESS]      PID:  440 PPID: 540 STAT: 004 DTB:  028 DTBU: 000 NAME: 5a8 PEB: 550
[PROCESS]      FLnk: 448 BLnk: 450 oMax: 858 SeAu: 5c0 VadR: 7d8 ObjT: 570 WoW: 580
[PROCESS]  SYSTEM DTB: 00000000001ae000 EPROCESS: ffffa50d0cfb6040
[PROCESS]     # STATE  PID      DTB          EPROCESS         PEB          NAME

    let args = [
        "-printf",
        "-device",
        "pmem://winpmem_x64.sys",
        "-vv",
    ]
    .to_vec();

    let vmm = Vmm::new("vmm.dll", &args)
    .context("VMM initialization failed, try running as admin")?;

Im running from an admin shell btw :D

[Blightbuster]

Im on memprocfs = "5.12.0" and am using the vmm.dll from that release as well. The winpmem_x64.sys im using is from the this release after extracting it through the commandline option.

[Blightbuster]

Oh wow, dont mind me. Apparently restarting my pc fixed this? Im gonna close the issue for now then but might reopen later if I find a way to reproduce it.

[ufrisk]

Nice to see you got it to work,

And no need to keep me updated about it, it's more a winpmem driver issue rather than a memprocfs issue. Sometimes you can find out why it failed in the windows event log.

[Blightbuster]

Nice to see you got it to work,

And no need to keep me updated about it, it's more a winpmem driver issue rather than a memprocfs issue. Sometimes you can find out why it failed in the windows event log.

Im noticing that initializing vmm with pmem as a device, right after a pc restart is almost instant which is great. However after having my pc on for a few hours and initialzing vmm ~100 times in total, it starts to take longer and longer to initialize (two minutes by now).

When initially had the issue, I also had my pc running for a few days already so it checks out.

This might very well be an issue with winpmem, just letting you know incase it might be related to vmm and not winpmem 👀

[ufrisk]

Unfortunately I won't be able to do much about winpmem issues. I never heard about those kinds of initialization times when running from memory dumps or FPGAs so I'd assume it's related to winpmem.

[Blightbuster]

May it perhaps be related to vmm still? When I use '-printf -vv' it does seem to be able to read memory instantly as it instantly finds addresses like [CORE] EPROCESS located at ffffe301a39b6040 but then gets stuck right after this line [PROCESS] # STATE PID DTB EPROCESS PEB NAME where its trying to enumerate all processes.

The last line after it loaded is [PROCESS] 22712 (list) 00000004 0000001ae000 ffffe301a39b6040 000000000000 System so 22712 processes got enumerated?

[ufrisk]

Wow you have 22712 running (or terminated) processes. Yeah, then it will probably take time to start MemProcFS.

If you're able to share the memory dump I can take a look (zip it and send me the download link).

[ufrisk]

Like I mentioned earlier on I'd really need a memory dump for which I'm able to replicate this issue.

It's super rare to have these many processes running, and most likely solution to make it work better would be to increase a number of buffers. This would however impact normal use negatively memory wise, and MemProcFS is already a bit of a memory hog... Maybe some separate mode can be introduced to resolve this.

But I still would need a memory dump file which have this issue to be able to look into it better.