Comments (7)
Yes, I already started looking into it. Basic tracing should work normally, but more complex plugins may need adjusting (filetracer, injector...). IMHO, as long as Win7 popularity is still high enough it should be OK, as I doubt much malware would deliberately choose to shut down if run in Win7.
from drakvuf.
So as I assumed, it works pretty well on Windows 10, no modification needed in DRAKVUF. LibVMI needs to be updated (see libvmi/libvmi#314), after that:
root@t1:/share/work/drakvuf# xl list
Name ID Mem VCPUs State Time(s)
Domain-0 0 4096 4 r----- 474.1
windows10 3 4048 4 -b---- 10.9
root@t1:/share/work/drakvuf# ./src/drakvuf -d 3 -r /share/rekall-profiles/windows10.json
DRAKVUF v0.2
[SYSCALL] vCPU:0 CR3:0x29d0b000,svchost.exe ntoskrnl.exe!NtSetTimer2
[SYSCALL] vCPU:0 CR3:0x29d0b000,svchost.exe ntoskrnl.exe!NtAssociateWaitCompletionPacket
[SYSCALL] vCPU:0 CR3:0x29d0b000,svchost.exe ntoskrnl.exe!NtWriteFile
[SYSCALL] vCPU:0 CR3:0x29d0b000,svchost.exe ntoskrnl.exe!NtWaitForWorkViaWorkerFactory
[SYSCALL] vCPU:1 CR3:0x3c77f000,SearchIndexer. ntoskrnl.exe!NtCreateEvent
[SYSCALL] vCPU:1 CR3:0x3c77f000,SearchIndexer. ntoskrnl.exe!NtFsControlFile
[SYSCALL] vCPU:1 CR3:0x3c77f000,SearchIndexer. ntoskrnl.exe!NtClose
[SYSCALL] vCPU:1 CR3:0x3c77f000,SearchIndexer. ntoskrnl.exe!NtFsControlFile
[SYSCALL] vCPU:1 CR3:0x3c77f000,SearchIndexer. ntoskrnl.exe!NtWaitForSingleObject
[SYSCALL] vCPU:1 CR3:0x3c77f000,SearchIndexer. ntoskrnl.exe!NtSetEvent
[SYSCALL] vCPU:1 CR3:0x3c77f000,SearchIndexer. ntoskrnl.exe!NtSetEvent
[SYSCALL] vCPU:1 CR3:0x3c77f000,SearchIndexer. ntoskrnl.exe!NtFsControlFile
[SYSCALL] vCPU:1 CR3:0x3c77f000,SearchIndexer. ntoskrnl.exe!NtSetEvent
[SYSCALL] vCPU:1 CR3:0x3c77f000,SearchIndexer. ntoskrnl.exe!NtWaitForMultipleObjects
[SYSCALL] vCPU:0 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtSetTimer2
[SYSCALL] vCPU:0 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtAssociateWaitCompletionPacket
[SYSCALL] vCPU:0 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtSetEvent
[SYSCALL] vCPU:0 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtWaitForWorkViaWorkerFactory
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtTraceEvent
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtClearEvent
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtClearEvent
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtQuerySystemInformation
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtQuerySystemInformation
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtQuerySystemInformation
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtQuerySystemInformation
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtQuerySystemInformation
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtQuerySystemInformation
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtQuerySystemInformation
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtTraceEvent
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtQuerySystemInformation
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtQuerySystemInformation
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtQuerySystemInformation
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtQuerySystemInformation
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtQuerySystemInformation
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtQuerySystemInformation
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtQuerySystemInformation
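The trace above is the raw text format the syscalls plugin prints, and it is more useful once aggregated per address space than read line by line. The following is an added example, not code from the thread or from the DRAKVUF project: a small Python parser for `[SYSCALL]` lines that groups syscalls by CR3 (process names are truncated, as `SearchIndexer.` shows, and not unique, as the several `svchost.exe` entries show) and flags back-to-back repeats of the same call, the kind of polling burst an analyst may want to triage first. The sample input is a subset of the lines posted above; the regular expression and the `min_run` threshold are assumptions of this example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Shape of one line as printed by the syscalls plugin in the trace above
# (assumed from those lines; not taken from the DRAKVUF sources):
#   [SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtTraceEvent
SYSCALL_RE = re.compile(
    r"^\[SYSCALL\]\s+vCPU:(?P<vcpu>\d+)\s+CR3:(?P<cr3>0x[0-9a-fA-F]+),"
    r"(?P<proc>\S+)\s+(?P<module>\S+)!(?P<func>\w+)\s*$"
)


class Syscall(NamedTuple):
    vcpu: int
    cr3: int
    proc: str
    module: str
    func: str


def parse_line(line: str) -> Optional[Syscall]:
    """Return a Syscall for a [SYSCALL] line, or None for banners/other output."""
    m = SYSCALL_RE.match(line)
    if not m:
        return None
    return Syscall(int(m["vcpu"]), int(m["cr3"], 16), m["proc"], m["module"], m["func"])


def parse_trace(text: str) -> List[Syscall]:
    """Parse a whole capture, silently skipping non-syscall lines such as 'DRAKVUF v0.2'."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def count_by_process(records: List[Syscall]) -> Dict[int, Counter]:
    """Syscall histogram per address space (CR3), which identifies a process
    more reliably than the truncated, non-unique image name."""
    counts: Dict[int, Counter] = defaultdict(Counter)
    for r in records:
        counts[r.cr3][r.func] += 1
    return counts


def repeated_runs(records: List[Syscall], min_run: int = 4) -> List[Tuple[int, str, str, int]]:
    """Find runs of >= min_run identical syscalls issued consecutively by the same CR3,
    e.g. the NtQuerySystemInformation burst in the trace. Returns (cr3, proc, func, length)."""
    runs = []
    i = 0
    while i < len(records):
        j = i
        while (j + 1 < len(records)
               and records[j + 1].cr3 == records[i].cr3
               and records[j + 1].func == records[i].func):
            j += 1
        if j - i + 1 >= min_run:
            runs.append((records[i].cr3, records[i].proc, records[i].func, j - i + 1))
        i = j + 1
    return runs


# Sample input: a subset of the lines posted in the comment above.
SAMPLE_TRACE = """DRAKVUF v0.2
[SYSCALL] vCPU:0 CR3:0x29d0b000,svchost.exe ntoskrnl.exe!NtSetTimer2
[SYSCALL] vCPU:0 CR3:0x29d0b000,svchost.exe ntoskrnl.exe!NtWriteFile
[SYSCALL] vCPU:1 CR3:0x3c77f000,SearchIndexer. ntoskrnl.exe!NtCreateEvent
[SYSCALL] vCPU:1 CR3:0x3c77f000,SearchIndexer. ntoskrnl.exe!NtSetEvent
[SYSCALL] vCPU:1 CR3:0x3c77f000,SearchIndexer. ntoskrnl.exe!NtSetEvent
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtTraceEvent
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtQuerySystemInformation
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtQuerySystemInformation
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtQuerySystemInformation
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtQuerySystemInformation
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtQuerySystemInformation
[SYSCALL] vCPU:1 CR3:0x287d5000,svchost.exe ntoskrnl.exe!NtTraceEvent
"""

if __name__ == "__main__":
    recs = parse_trace(SAMPLE_TRACE)
    for cr3, hist in count_by_process(recs).items():
        print(f"CR3 {cr3:#x}: {dict(hist)}")
    for cr3, proc, func, n in repeated_runs(recs):
        print(f"burst: {proc} ({cr3:#x}) called {func} {n} times in a row")
```

Feeding the real capture is a matter of `parse_trace(open("trace.log").read())`; the per-CR3 view also makes it easy to spot when a single image name (here `svchost.exe`) is actually two different processes, which the flat text hides.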
@tklengyel , I don't have a Windows10 VM for testing but I'm not totally sure if handle_table_get_entry() located at src/libdrakvuf/win-handles.c will work as expected...
Anyone?
@aoshiken Yes I wouldn't be surprised but I haven't looked at more closely beside checking whether the DRAKVUF trapping works as expected.
I ran win-guid name on a Windows 10 domain. The output was:
Windows Kernel found @ 0x1390000
Version: 64-bit Windows 10
PE GUID: 559f3c1a852000
PDB GUID: a76b29c0ee964781af0424e3ac84c59e1
Kernel filename: ntoskrnl.pdb
Single-processor without PAE
I ran a memory image of the same VM on Rekall on VirtualBox and it fetched a different GUID/PDB combination. Moreover, the process-list doesn't work and gives a "Failed to find procname" message. What could be wrong?
It might be the wrong PDB info that was found. You can verify with Rekall by checking the actual kernel file on disk by running rekall peinfo on it.
We are now supporting Windows 10 64-bit.