ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

KMD: Failed. Read failed @ address: PCILEECH: Failed to load kernel module #277

Open tibi-atya opened 11 months ago

tibi-atya commented 11 months ago

Could this just be another Thunderbolt issue?

```
PS C:\DMA> ./pcileech display -min 0x1000 -v

Memory Display: Contents for address: 0x0000000000001000
0000 e9 4d 06 00 01 00 00 00 01 00 00 00 3f 00 18 10 .M..........?...
0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 9b 20 00 .............. .
0030 00 00 00 00 00 00 00 00 ff ff 00 00 00 93 cf 00 ................
0040 00 00 00 00 00 00 00 00 ff ff 00 00 00 9b cf 00 ................
0050 00 00 00 00 00 00 00 00 00 d0 95 7e 00 00 00 00 ...........~....
0060 7c 16 00 00 30 00 da 16 00 00 10 00 00 00 00 00 |...0...........
0070 50 95 7f 28 06 f8 ff ff 00 80 00 40 80 f7 ff ff P. (.......@....
0080 06 01 07 00 06 01 07 00 01 09 00 00 00 00 00 00 ................
0090 33 00 05 80 00 00 00 00 00 00 00 00 00 00 00 00 3...............
00a0 00 d0 1a 00 00 00 00 00 78 06 37 00 00 00 00 00 ........x.7.....
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00e0 00 00 00 00 00 00 57 00 b0 af 1f 62 81 84 ff ff ......W....b....
00f0 00 00 00 00 00 00 ff 0f 00 80 1f 62 81 84 ff ff ...........b....
PS C:\DMA>
PS C:\DMA> .\pcileech.exe kmdload -kmd WIN10_X64_3 -memmap .\x1carbon_MemMap.txt
```

```
KMD: Code inserted into the kernel - Waiting to receive execution.
KMD: Execution received - continuing ...
KMD: Successfully loaded at address: 0x7e957000
PS C:\DMA>
PS C:\DMA> ./pcileech.exe kmdload -kmd win10x64_ntfs_20150710 -cr3 0x1aa000

KMD: Failed. Error loading signatures.
PCILEECH: Failed to load kernel module.
```

Once I run this the PC locks up and requires a hard reboot:

```
PS C:\DMA> ./pcileech.exe mount -kmd 0x7e957000

KMD: Failed. Read failed @ address: 0x7e957000
PCILEECH: Failed to load kernel module.
PS C:\DMA>
```

MemMap:

```
0x1000 0x58000
0x59000 0x9D000
0x100000 0x40000000
0x40400000 0x74FF2000
0x74FF4000 0x7E963000
0x7FFFF000 0x80000000
0x80200000 0x85F80000
0x100000000 0x472800000
```

Other Tests:

Test 2: does nothing and does not lock up the host

```
PS C:\DMA> .\pcileech.exe kmdload -kmd WIN10_X64_2 -memmap .\x1carbon_MemMap.txt

KMD: Failed vmm.dll!ProcessGetModuleBase (kdcom.dll/ntoskrnl.exe)
PCILEECH: Failed to load kernel module.
```

Test 3: Hangs like the below and locks up the host

```
PS C:\DMA> .\pcileech.exe kmdload -kmd WIN10_X64 -memmap .\x1carbon_MemMap.txt

KMD: Code inserted into the kernel - Waiting to receive execution.
```

tibi-atya commented 11 months ago

Dump is fine:

```
PCILEECH: Failed to load kernel module.
PS C:\DMA> .\pcileech.exe dump

Current Action: Dumping Memory
Access Mode: Normal
Progress: 4096 / 4096 (100%)
Speed: 273 MB/s
Address: 0x0000000100000000
Pages read: 0 / 1048576 (0%)
Pages failed: 1048576 (100%)
Memory Dump: Successful.
```

ufrisk commented 11 months ago
  1. Dump is not fine. It says 100% failed.
  2. DMA works when you do the display and also when you do kmdload -kmd WIN10_X64_3 with the memory map.
  3. DMA then stops working when you do kmdload -kmd win10x64_ntfs_20150710 -cr3 0x1aa000 without the memory map. Why run this command at all, since the previous kmdload worked fine?
  4. When you do the mount, DMA has stopped working due to the lack of a memory map. Also, it's recommended to use the memory map when doing the mount as well.
  5. WIN10_X64 and WIN10_X64_2 are older versions and might not always work, unfortunately. WIN10_X64_3 almost always works though, if the memory map is used.
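An added example, not part of this issue thread or of the pcileech project: a small Python helper that parses the memory map posted above and checks which of the physical addresses from the transcript (the display offset, the KMD load address, the -cr3 value and the address the dump stopped at) fall inside a mapped range, and where the holes between ranges are. It assumes the map is a list of hex values read as consecutive start/end pairs with the end exclusive, which is how the posted values line up; the function and file names are the example's own.

```python
# Added example (not from the issue or the pcileech project). Parses a memory
# map like the one posted in the issue and answers: is address X inside a
# mapped range, and where are the holes? Assumption: the map is a sequence of
# hex values read as consecutive (start, end) pairs, end exclusive.
import re
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]

# Constructed from the MemMap line in the issue (x1carbon_MemMap.txt).
MEMMAP_TEXT = """
0x1000 0x58000
0x59000 0x9D000
0x100000 0x40000000
0x40400000 0x74FF2000
0x74FF4000 0x7E963000
0x7FFFF000 0x80000000
0x80200000 0x85F80000
0x100000000 0x472800000
"""

PAGE = 0x1000


def parse_memmap(text: str) -> List[Range]:
    """Return sorted (start, end) ranges; reject odd counts, unaligned or
    overlapping entries so a typo in the file is caught before any DMA read."""
    values = [int(tok, 16) for tok in re.findall(r"0x[0-9a-fA-F]+", text)]
    if len(values) % 2:
        raise ValueError("memory map must contain start/end pairs")
    ranges = sorted(zip(values[0::2], values[1::2]))
    for start, end in ranges:
        if start >= end or start % PAGE or end % PAGE:
            raise ValueError(f"bad range {start:#x}-{end:#x}")
    for (_, e1), (s2, _) in zip(ranges, ranges[1:]):
        if e1 > s2:
            raise ValueError(f"overlapping ranges at {s2:#x}")
    return ranges


def find_range(ranges: List[Range], addr: int) -> Optional[Range]:
    """The range containing addr, or None if addr is in a hole / past the end."""
    for start, end in ranges:
        if start <= addr < end:
            return (start, end)
    return None


def gaps(ranges: List[Range]) -> List[Range]:
    """Holes between consecutive ranges (reads here are outside RAM)."""
    return [(e1, s2) for (_, e1), (s2, _) in zip(ranges, ranges[1:]) if e1 < s2]


def mapped_bytes(ranges: List[Range]) -> int:
    return sum(end - start for start, end in ranges)


def check_addresses(ranges: List[Range], addrs: List[int]) -> Dict[int, Optional[Range]]:
    return {addr: find_range(ranges, addr) for addr in addrs}


if __name__ == "__main__":
    ranges = parse_memmap(MEMMAP_TEXT)
    # Addresses that appear in the transcript above.
    probes = [0x1000, 0x7E957000, 0x1AA000, 0x100000000]
    for addr, hit in check_addresses(ranges, probes).items():
        where = f"in {hit[0]:#x}-{hit[1]:#x}" if hit else "NOT MAPPED"
        print(f"{addr:#x}: {where}")
    for start, end in gaps(ranges):
        print(f"hole {start:#x}-{end:#x} ({(end - start) // PAGE} pages)")
    print(f"mapped total: {mapped_bytes(ranges) / 2**20:.0f} MiB")
```

Running it against the posted map shows the KMD address 0x7e957000 inside the 0x74FF4000-0x7E963000 range and the -cr3 value inside 0x100000-0x40000000, so both are within RAM; the point of the check is the other direction: any address you are about to hand to kmdload, mount or display that lands in one of the reported holes is a read outside physical memory, which is the situation the -memmap advice in this thread is about.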