Why is the name of syscall unknown? about nitro HOT 5 CLOSED

The syscall name is not not found in the table, so there is a KeyError:

you need to look at the JSON profile, and look at the code and see what is wrong there

from nitro.

@Wenzel Thank you for replying so quickly!

you need to look at the JSON profile, and look at the code and see what is wrong there

So it’s still a problem of profile?
I’m now using an older version of Windows7 with GUID 2E37F962D699492CAAF3F9F4E9770B1D2.
And I try 2 profiles as follow.

Rekall profile repository

There is still an online repository of rekall profiles:https://github.com/google/rekall-profiles/tree/gh-pages/v1.0/nt/GUID So I simply downloaded it all and chose the profile matched my virtual machine.

Rekall fetch_pdb and parse_pdb

Rekall offers plugins to generate profile manually, which you must have already used before. So I fetched the ntkrlmp with GUID 2E37F962D699492CAAF3F9F4E9770B1D2, and parsed it to generate my profile.

Compare

The two profiles are not the same. But both of them result in the same “Unknown” syscall.

——
So it is exactly the profile result in this problem?
If it’s true, is there any other way to find a correct profile?

from nitro.

I dont know what the problem is,
you need to look at the code and debug it when it is loading the profile to figure out what's wrong.

from nitro.

@Wenzel I understand, I’ll try to debug it.
Wish it’s the last time to bother you.
Thank you for suggestion!

from nitro.

Hi @Wenzel , I've figured it out.
It's just because the net connection with Microsoft failed.

I found this problem when manually called the ssdt plugin in rekall interactive shell which printed some useful information. I don't know why rekall still need to fetch pdb file from Microsoft's server even I already set a local profile.

Although sometimes it still ends with the error "process not found", but mostly nitro works well.

Thank you for the help!

(And also sorry for such a meaningless problem.)

from nitro.