MemprocFS network error about memprocfs HOT 13 CLOSED

1. are you seeing any network connections at all, or did they fail to analyze completely?
2. what exact windows 10 version are you trying to analyze?
3. are you trying to analyze a memory dump file or live memory acquired from PCILeech FPGA or Hyper-V?
4. if memory dump file, how was the memory acquired? program running on the PC such as DumpIt or VM snapshot?
5. what do you mean with "the exit"; that the text shows up in the console window or that the program crashes?

I have a suspicion that it may be due to a slightly corrupt memory dump; DumpIt dumps take a few seconds to grab and things may change around in memory during that time leading to potential errors like this; But I really want to double check on things to see to that it's not buggy code of mine...

from memprocfs.

thank you
1- it fail to analyze the network connection
2- it windows 10 1909
3- it not a live memory it was dump memory
4- it was used to capture the memory using FTK imager , and the machine was VM
5- when i execute the command it mount the image once i click on the folder of net to check the connection its become unmounted .

how ever it test it with different memory image was been taken by winpemem and it work fine with no issue or error , it could be due to FTK imager something happen

from memprocfs.

MemProcFS should work fine with FTK imager memory dumps. Sometimes there may be issues with parsing the dumps if things have changed in memory during capture.

MemProcFS should however not unmount the image when looking at network connections even though there may be issues though. This is clearly an issue.

Are you able to share the FTK imager dump so I may look into this and fix it; or does it contain sensitive information? If it's possible to share can you please zip it and put it on google drive or something and send me an email to [email protected]

I fully understand if you're unable to share the dump; but that would make things very hard for me to fix; whilst having the dump would allow me to relatively easy to find the issue.

from memprocfs.

Would it be possible to take a peek at that memory dump you had issues with. I'd rather fix this issue and to do that I unfortunately need to be able to reproduce it If it's not possible can you please let me know so I atleast know it's not possible.

Thank You.

from memprocfs.

from memprocfs.

thanks, it's unfortunate but fully understandable. at least I know then.

yes, having a memory image in which I can reproduce the crash/unmount behavior would be equally good. if I can download this memory image from somewhere it would be super nice :)

from memprocfs.

from memprocfs.

Thanks. It's a good challenge. The issue happened one time for me on latest 3.5 version; but since then I haven't been able to replicate it. Except for this one time I haven't been able to induce a crash.

I found a few other issues (mainly some reads of compressed memory failing) with these challenge images though so it's been good; The memory images are otherwise quite horrible; it's a low memory system with lots of compressed memory and page file (which I also support); but it seems like acquisition was on the system and not through instantaneous snapshot and that it took some time so there is plenty of drift in the compressed memory manager which leads to lots of corrupted memory even tho I managed to lower the amount of corruption to some bug fixes :)

I'm assuming this is why your network analysis fails; but it's super strange it's not failing for me. My one and only crash was also not related to the network parsing. I'll continue testing; and with a little bit of luck it will work better in my new release next week; which btw is quite good at detecting the malware in that challenge :)

It would be good to know if the issue persists for you in my next release; I'm aiming for Monday or Tuesday; but we'll see...

from memprocfs.

from memprocfs.

Thanks for the dump. I've located the issue which was due to some over stringent validation. I'll make the new release available early next week (have a bunch of other features as well).

Thank You for the help on this one :)

from memprocfs.

Can you please try the new release. With a bit of luck the problem may have gone away. I was unable to reliably replicate it with the challenge memory dumps (which was working) so I'm not totally sure.

from memprocfs.

from memprocfs.

I'm closing issue since I'm assuming it was resolved since i haven't head back. If the issue is still around please let me know.

from memprocfs.