Cannot get MemProcFs working inside vmware

[th30nl1d3v]

Hi,

I can't seem to get memprocfs working inside vmware running windows 10 x64.

I've installed dokany file system and the required vs distributables and all files are stored in c:.

The error with winpmem (I tried both att_winpmem_64.sy and winpmem_64.sy)

.\MemProcFS.exe -device 'pmem://C:\tools\c-aff4\tools\pmem\resources\winpmem\att_winpmem_64.sys'
DEVICE: ERROR: Unable to load driver into kernel.
Is project executable running from the C:\ drive ?
MemProcFS: Failed to connect to memory acquisition device.

The error with dumpit

.\DumpIt.exe /LIVEKD /A .\MemProcFS.exe

  DumpIt 3.0.20201127.1 (X64) (Nov 27 2020)
  Copyright (C) 2007 - 2020, Matt Suiche (msuiche)
  Copyright (C) 2016 - 2020, Comae Technologies DMCC <https://www.comae.com>
  All rights reserved.

  DumpIt is the best for acquisition but... our platform Stardust is also the best for analysis!
  Access it on https://my.comae.com - info@comae.com if you have any questions.

Launching .\MemProcFS.exe...
VmmProc: Unable to auto-identify operating system for PROC file system mount.
         Specify PageDirectoryBase (DTB/CR3) in -cr3 option if value if known.
MOUNT: INFO: PROC file system not mounted.

The steps I that followed worked on my host machine but not in the vm.

Any help is greatly appreciated.

[ufrisk]

Are you starting MemProcFS/DumpIt from an elevated administrator command prompt? This is needed since both DumpIt and WinPMEM will have to load a driver into the kernel to access the memory.

Your DumpIt error seems to be a bit curios though; I'm not certain it have to do with this. If it's not working it would be interesting if the DumpIt memory dump file (created when running DumpIt in standalone more) would work.

Please let me know how it goes.

[th30nl1d3v]

I ran all instructions from an an elevated administrator command prompt. Both winpmem and dumpit worked in my host machine, just not in the vm.

Per your suggestion, I ran dumpit to get memory dump and then ran memprocfs against the .dmp but got the following error:

VmmProc: Unable to auto-identify operating system for PROC file system mount.
         Specify PageDirectoryBase (DTB/CR3) in -cr3 option if value if known.
MOUNT: INFO: PROC file system not mounted.

[ufrisk]

that's a bit strange; are you by chance running with dynamic memory/balloning (or similar I don't know what's it named on VMWare); statically sized memory may work better.

Is there any chance that you're able to share the .dmp file with me so I can take a look at it; if you wish you can email me the link to it at pcileech@frizk.net ; regardless about what you come up with about the memory it may be interesting for me to take a look at it to see what I can do about it.

Please note that memory dumps contain sensitive information such as passwords and crypto keys for vpn certificates; if this is a corporate machine I fully understand if you're not able to share it; but if it's a lab machine it would be great so it would possibly allow me to fix the issue in the release I have planned for next week.

[th30nl1d3v]

Sorry, I'm not allowed to do so. But if you want to replicate my steps then all I did was downloaded trial version of vmware workstation pro (windows) and a trial version of windows 10 x64 iso. The rest is as stated on your github,

[ufrisk]

Problem is that it's not as easy as that. MemProcFS works with many memory dumps taken from within VMWare. I suspect it may be other factors at play here as well. If you're able to replicate on a trial installation that memory dump shouldn't have any interesting information in it if possible. If this is still not possible I'll look into it as well; but chances are it will be sometime early next year instead of this weekend unfortunately :\

one thing that you can try before the above that might just help me (if super lucky) is to try: MemProcFS.exe -device dumpitdump.dmp -v -vv what output does it give before it fails?

Also, I would need to know:

• CPU model
• Memory configuration
• Windows 10 version (release / build)

But absolutely best would be if I could get a memory dump that I'm able to replicate the error on.

[th30nl1d3v]

It's a really sticky situation for me. I'm using a work issued device and so am hesitant to send off any data even if it's generated inside a vm.

DeviceFile_MsCrashCoreDumpInitialize: 64-bit Microsoft Crash Dump identified.
LcMemMap_AddRange: 0000000000001000-000000000009ffff -> 0000000000002000
LcMemMap_AddRange: 0000000000100000-000000000eef0fff -> 00000000000a1000
LcMemMap_AddRange: 000000000eefa000-000000000ef0cfff -> 000000000ee92000
LcMemMap_AddRange: 000000000ef12000-000000000ef2bfff -> 000000000eea5000
LcMemMap_AddRange: 000000000ef31000-000000000fee6fff -> 000000000eebf000
LcMemMap_AddRange: 000000000ff77000-000000007fffffff -> 000000000fe75000
DEVICE: Successfully opened file: 'dumpitdump.dmp' as Microsoft Crash Dump.
LeechCore v2.2.1: Open Device: file
VmmWinInit_TryInitialize: Warning: Unable to verify crash-dump supplied DTB. (0x00000000001ad002) #1
VmmProc: Unable to auto-identify operating system for PROC file system mount.
         Specify PageDirectoryBase (DTB/CR3) in -cr3 option if value if known.
MOUNT: INFO: PROC file system not mounted.

Thanks for your help,

[ufrisk]

it seems like it's not able to validate the directory table base located at file offset: 1ad000-100000+a1000

can you please if you're able post the hexdump of the 4096 bytes starting dump file offset 0x14E000 / 1368064

[th30nl1d3v]

I'll see if I can replicate this on another machine and send you the dmp file. Please give me 10-12 hours. Thanks.

[ufrisk]

Is this now working with the new release?

[th30nl1d3v]

It is now working with dumpit but not winpmem (same error Is project executable running from the C:\ drive ?)

How do I initalize memprocfs in python with dumpit?

[ufrisk]

winpmem does not work in Windows 20.04 release yet unfortunately. Please see https://github.com/Velocidex/c-aff4/issues/144. I'll update the guide about this to clarify.

---

With DumpIt it's not as far as I know possible to start python with it. But there is a rather ugly workaround.

1 start an administrator command prompt 2 run: start DumpIt.exe /L /A c:\Windows\notepad.exe 3 don't close notepad! 4 start python from MemProcFS directory (normal or administrator cmd prompt does not matter) 5 run from vmmpy import * 6 VmmPy_Initialize(['-device', 'dumpit'])

---

another option may be to use my LeechAgent found in the "LeechCore" project and initialize that with DumpIt. You may then connect over the network (or to localhost) to the LeechAgent. But I would think this to be a bit more complicated than just going with the notepad hack.

Can you please confirm it's working with DumpIt this way.

[th30nl1d3v]

Yes, it is working!

Thanks for your help.

[ufrisk]

awesome and huge thanks for the help in fixing this issue. wish it would work with winpmem as well; but unfortunately it's out of my control.

I've updated the guide section about winpmem though; it's as much as I can do.

I'm closing this issue now. Thanks 👍