ufrisk / MemProcFS

GNU Affero General Public License v3.0

Not working for Windows Server 2012 #57

Closed HSIS007 closed 3 years ago

HSIS007 commented 3 years ago

D:\Memory Scan\MemProcFS_files_and_binaries_v3.7-20210109-2>MemProcFS.exe -device Server2012.dmp -vv
DeviceFile_MsCrashCoreDumpInitialize: 64-bit Microsoft Crash Dump identified.
LcMemMap_AddRange: 0000000000010000-000000000009ffff -> 0000000000002000
LcMemMap_AddRange: 0000000000100000-00000000b64fdfff -> 0000000000092000
LcMemMap_AddRange: 00000000b68fe000-00000000b6b88fff -> 00000000b6490000
LcMemMap_AddRange: 00000000b6d8a000-00000000b86bffff -> 00000000b671b000
LcMemMap_AddRange: 00000000b8a44000-00000000bca87fff -> 00000000b8051000
LcMemMap_AddRange: 00000000bcab8000-00000000bcaeffff -> 00000000bc095000
LcMemMap_AddRange: 0000000100000000-000000103fffffff -> 00000000bc0cd000
LeechCore v2.3.0: Open Device: file
VmmWinInit_TryInitialize: INFO: DTB located at: 00000000040a8000. MemoryModel: X64
VmmWinInit_TryInitialize: INFO: NTOS located at: fffff80287e18000.
VmmWinInit_FindSystemEPROCESS: INFO: PsInitialSystemProcess located at fffff80288167028.
VmmWinInit_FindSystemEPROCESS: INFO: EPROCESS located at ffffe00172677500.
VmmWinProcess_OffsetLocator64: SYSTEM DTB: 00000000040a8000 EPROCESS: ffffe00172677500
VmmWinProcess_OffsetLocator64: EPROCESS smss.exe BELOW:
VmmWinProcess_OffsetLocator_Print: OK: FALSE PID: 2e0 PPID: 3d0 STAT: 004 DTB: 028 DTBU: 000 NAME: 438 PEB: 3e8 FLnk: 2e8 BLnk: 2f0 oMax: 000 SeAu: 450 VadR: 000 ObjT: 408 WoW: 418
VmmWin: Unable to locate EPROCESS offsets.
VmmProc: Unable to auto-identify operating system for PROC file system mount. Specify PageDirectoryBase (DTB/CR3) in -cr3 option if value if known.
MOUNT: INFO: PROC file system not mounted.

ufrisk commented 3 years ago

Thanks. It seems like I've made some assumptions in the initial fuzzing of _EPROCESS offsets that I require that don't hold up in your case. There is no immediate super-easy way for me to just add support for this.

I'll however look into adding a fallback to the debug symbols from Microsoft in the cases where this _EPROCESS fuzzing fails.

What kind of system is this btw? CPU vendor? CPU-Cores/Sockets? VM/NoVm? Does the error persist if a new dump is made after a reboot?
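To make the "_EPROCESS fuzzing" discussed in this thread concrete, here is an added illustration (not MemProcFS code) of symbol-less offset recovery: it uses the invariants that the System process has PID 4, PPID 0 and ImageFileName "System", that its DTB is already known from kernel initialisation (the log above reports 00000000040a8000), and that a direct child such as smss.exe has PPID 4. The _EPROCESS images are constructed test data laid out at the offsets the log reports; they are not bytes from the reporter's dump.

```python
import struct

EPROCESS_SIZE = 0x800  # MemProcFS dumped 0x800 bytes per _EPROCESS in the log


def build_sample_eprocess(dtb, pid, ppid, name):
    """Constructed test data: a synthetic _EPROCESS image using the offsets
    reported in the log (DTB 0x028, PID 0x2e0, PPID 0x3d0, NAME 0x438)."""
    buf = bytearray(EPROCESS_SIZE)
    struct.pack_into("<Q", buf, 0x028, dtb)
    struct.pack_into("<Q", buf, 0x2e0, pid)
    struct.pack_into("<Q", buf, 0x3d0, ppid)
    buf[0x438:0x438 + 15] = name.encode().ljust(15, b"\0")  # 15-byte char[]
    return bytes(buf)


def qword_offsets(buf, value, lo=0, hi=None):
    """8-byte-aligned offsets in [lo, hi) holding value as a little-endian qword."""
    hi = len(buf) if hi is None else hi
    return [o for o in range(lo, hi - 7, 8)
            if struct.unpack_from("<Q", buf, o)[0] == value]


def fuzz_eprocess_offsets(system_ep, system_dtb, child_ep, child_name):
    """Heuristic recovery of the _EPROCESS offsets a memory-forensics tool
    needs (DTB, PID, PPID, NAME) from the System process and one child.
    Returns None whenever a guess is ambiguous; that is the situation in
    which a tool has to fall back to Microsoft debug symbols instead."""
    name_off = system_ep.find(b"System\0")
    if name_off < 0:
        return None
    # The child must carry its own name at the same offset.
    if child_ep[name_off:name_off + len(child_name)] != child_name.encode():
        return None
    # DTB: the known System page-directory base must occur exactly once.
    dtb_cands = qword_offsets(system_ep, system_dtb, 0, name_off)
    if len(dtb_cands) != 1:
        return None
    # PID: a qword 4 in System where the child holds a different non-zero value.
    pid_cands = [o for o in qword_offsets(system_ep, 4, 0, name_off)
                 if struct.unpack_from("<Q", child_ep, o)[0] not in (0, 4)]
    if len(pid_cands) != 1:
        return None
    # PPID: a qword 4 in the child that is 0 in System and lies past the PID
    # field, as in the layout the log reports (PID 0x2e0 < PPID 0x3d0).
    ppid_cands = [o for o in qword_offsets(child_ep, 4, pid_cands[0] + 8)
                  if struct.unpack_from("<Q", system_ep, o)[0] == 0]
    if len(ppid_cands) != 1:
        return None
    return {"DTB": dtb_cands[0], "PID": pid_cands[0],
            "PPID": ppid_cands[0], "NAME": name_off}


def demo():
    # Constructed sample: System with the DTB from the log, plus an smss.exe
    # child with an arbitrary PID and DTB (assumed values, not from the dump).
    system_ep = build_sample_eprocess(0x40a8000, 4, 0, "System")
    smss_ep = build_sample_eprocess(0x10b800000, 0x2b8, 4, "smss.exe")
    return fuzz_eprocess_offsets(system_ep, 0x40a8000, smss_ep, "smss.exe")


if __name__ == "__main__":
    print({k: hex(v) for k, v in demo().items()})
```

Real layouts contain many more zero and small-integer qwords than this synthetic image, which is why a production heuristic needs further constraints (list-entry self-consistency, PEB alignment) and why it can still fail on an unusual system.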

ufrisk commented 3 years ago

Can you please check the new release if it's working better for you? Re-download the updated binaries.

Unfortunately I had to introduce a startup dependency on the Microsoft symbol server and having an internet connection when dealing with these memory images my fuzz algorithm is unable to parse; but it's better than failing...

Please let me know if it now works.

HSIS007 commented 3 years ago

Here are the system details for you:

OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID:
Original Install Date: 4/3/2018, 6:37:42 PM
System Boot Time: 1/14/2021, 1:13:33 AM
System Manufacturer: Dell Inc.
System Model: PowerEdge R620
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: Intel64 Family 6 Model 45 Stepping 7 GenuineIntel ~2000 Mhz
[02]: Intel64 Family 6 Model 45 Stepping 7 GenuineIntel ~2000 Mhz
BIOS Version: Dell Inc. 2.6.1, 2/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: English
Input Locale: English
Time Zone:
Total Physical Memory: 65,473 MB
Available Physical Memory: 60,454 MB
Virtual Memory: Max Size: 75,201 MB
Virtual Memory: Available: 69,474 MB
Virtual Memory: In Use: 5,727 MB

HSIS007 commented 3 years ago

Hey, the updated binary worked for me. Here is the output from the shell:

D:\Memory Scan\MemProcFS_files_and_binaries_v3.7-20210119>MemProcFS.exe -device Server.dmp
VmmWinProcess_OffsetLocator_Print: OK: FALSE PID: 2e0 PPID: 3d0 STAT: 004 DTB: 028 DTBU: 000 NAME: 438 PEB: 3e8 FLnk: 2e8 BLnk: 2f0 oMax: 000 SeAu: 450 VadR: 000 ObjT: 408 WoW: 418
VmmWin: Unable to fuzz EPROCESS offsets - trying debug symbols.
Initialized 64-bit Windows 6.3.9600
PluginManager: Python initialization failed. Python 3.6 or later not found.

=============== MemProcFS - THE MEMORY PROCESS FILE SYSTEM ===============

ufrisk commented 3 years ago

Thanks, that probably explains it. I haven't really been able to test on dual-socket CPU systems. I suspect that's the reason why some assumptions I've made about the EPROCESS weren't working.

Anyhow, I'm glad to see it's working for you and the issue is resolved.

Best wishes with everything and please let me know if you should run into something again.

HSIS007 commented 3 years ago

Great work BTW, thank you so much.