drakvuf-sandbox
Injector timed out for Windows/System32/win32k.sys
Hello,
I installed version v0.18.2 on Ubuntu 20.04 and installed a Windows 10 guest system, but when I tried to do draksetup postinstall, I got an error, as you can see below. Does anyone have any ideas how this could be solved?
Thanks in advance!
sudo draksetup postinstall
[2022-11-18 11:33:34,116][INFO] Cleaning up leftovers(if any)
[2022-11-18 11:33:34,139][INFO] Deleted /var/lib/drakrun/profiles/kernel.json
[2022-11-18 11:33:34,199][INFO] Ejecting installation CDs
[2022-11-18 11:33:36,266][INFO] Determined PDB GUID: 68a17faf3012b7846079aeecdbe0a5831
[2022-11-18 11:33:36,268][INFO] Determined kernel filename: ntkrnlmp.pdb
[2022-11-18 11:33:36,268][INFO] Fetching PDB file...
[2022-11-18 11:33:36,316][DEBUG] Starting new HTTPS connection (1): msdl.microsoft.com:443
[2022-11-18 11:33:36,776][DEBUG] https://msdl.microsoft.com:443 "GET /download/symbols/ntkrnlmp.pdb/68a17faf3012b7846079aeecdbe0a5831/ntkrnlmp.pdb HTTP/1.1" 302 0
[2022-11-18 11:33:36,780][DEBUG] Starting new HTTPS connection (1): vsblobprodscussu5shard43.blob.core.windows.net:443
[2022-11-18 11:33:37,506][DEBUG] https://vsblobprodscussu5shard43.blob.core.windows.net:443 "GET /b-4712e0edc5a240eabf23330d7df68e77/7E1DEBB608928EEBD926937174018C7321AB25E9D6C8E408E01AD7F550E96C0500.blob?sv=2019-07-07&sr=b&si=1&sig=ijFVL7U%2FaC8xOwVzwcvhiQZt1HOztfRuAhOw5i5jh80%3D&spr=https&se=2022-11-19T11%3A29%3A33Z&rscl=x-e2eid-1dcbe17c-8ac943fe-aa8b04f2-2adb2eac-session-41c12600-20604653-a5970b0b-4d2e385e HTTP/1.1" 200 8547328
100%|████████████████████████████████████| 8.55M/8.55M [00:02<00:00, 3.36MiB/s]
[2022-11-18 11:33:40,189][INFO] Generating profile out of PDB file...
[2022-11-18 11:33:59,987][INFO] Saving profile...
[2022-11-18 11:34:00,050][INFO] Deleted /var/lib/drakrun/profiles/ntkrnlmp.pdb
[2022-11-18 11:34:10,050][INFO] Saving runtime profile...
[2022-11-18 11:34:10,058][INFO] Saving VM snapshot...
[2022-11-18 11:34:10,058][INFO] Saving VM vm-0
Saving to /var/lib/drakrun/volumes/snapshot.sav new xl format (info 0x3/0x0/2034)
xc: info: Saving domain 12, type x86 HVM
xc: Frames: 1114240/1114240 100%
xc: End of stream: 0/0 0%
[2022-11-18 11:34:55,195][INFO] Snapshot was saved succesfully.
[2022-11-18 11:34:55,198][INFO] Snapshotting persistent memory...
[2022-11-18 11:34:55,220][DEBUG] Starting new HTTPS connection (1): drakvuf.cert.pl:443
[2022-11-18 11:34:55,957][DEBUG] https://drakvuf.cert.pl:443 "POST /usage/draksetup HTTP/1.1" 200 2
[2022-11-18 11:34:57,277][INFO] Generated VM configuration for vm-1
[2022-11-18 11:34:57,683][INFO] Created bridge drak1
[2022-11-18 11:34:58,111][INFO] Bridge drak1 is up
Formatting '/var/lib/drakrun/volumes/vm-1.img', fmt=qcow2 size=107374182400 backing_file=/var/lib/drakrun/volumes/vm-0.img backing_fmt=qcow2 cluster_size=65536 lazy_refcounts=off refcount_bits=16
[2022-11-18 11:34:59,351][INFO] Restoring VM vm-1
Loading new save file /var/lib/drakrun/volumes/snapshot.sav (new xl fmt info 0x3/0x0/2034)
Savefile contains xl domain config in JSON format
Parsing config from /etc/drakrun/configs/vm-1.cfg
xc: info: Found x86 HVM domain from Xen 4.16
xc: info: Restoring domain
xc: info: Restore successful
xc: info: XenStore: mfn 0xfeffc, dom 0, evt 1
xc: info: Console: mfn 0xfefff, dom 0, evt 2
[2022-11-18 11:35:53,485][INFO] Fetching rekall profile for Windows/System32/ntdll.dll
[2022-11-18 11:35:58,308][DEBUG] Starting new HTTPS connection (1): msdl.microsoft.com:443
[2022-11-18 11:35:58,659][DEBUG] https://msdl.microsoft.com:443 "GET /download/symbols/ntdll.pdb/1f42d4f4a6654217576038426c4470951/ntdll.pdb HTTP/1.1" 302 0
[2022-11-18 11:35:58,663][DEBUG] Starting new HTTPS connection (1): vsblobprodscussu5shard24.blob.core.windows.net:443
[2022-11-18 11:35:59,330][DEBUG] https://vsblobprodscussu5shard24.blob.core.windows.net:443 "GET /b-4712e0edc5a240eabf23330d7df68e77/1F5D04BB1CEACA0C954D686F1EFFE7FF6AE1E62743E9C4FEC1262368E9C7385000.blob?sv=2019-07-07&sr=b&si=1&sig=aoGZomOpD4MM9c%2Fss9c3hA8MbHbiyEDTV%2FV2lrTborY%3D&spr=https&se=2022-11-19T11%3A07%3A22Z&rscl=x-e2eid-f91d8cd4-87d5428e-a2449423-2af0a366-session-36ce9fc7-e1cb4ffa-a31eaf17-fcc24d30 HTTP/1.1" 200 1625088
100%|████████████████████████████████████| 1.63M/1.63M [00:00<00:00, 1.94MiB/s]
[2022-11-18 11:36:00,235][DEBUG] Parsing PDB into JSON profile...
[2022-11-18 11:36:05,516][INFO] Deleted /var/lib/drakrun/profiles/amd64_ntdll_profile
[2022-11-18 11:36:05,517][INFO] Deleted /var/lib/drakrun/profiles/ntdll.pdb
[2022-11-18 11:36:05,519][INFO] Fetching rekall profile for Windows/SysWOW64/ntdll.dll
[2022-11-18 11:36:08,883][DEBUG] Starting new HTTPS connection (1): msdl.microsoft.com:443
[2022-11-18 11:36:09,169][DEBUG] https://msdl.microsoft.com:443 "GET /download/symbols/wntdll.pdb/f9a68320e338e9bbe5189f90856b444a1/wntdll.pdb HTTP/1.1" 302 0
[2022-11-18 11:36:09,172][DEBUG] Starting new HTTPS connection (1): vsblobprodscussu5shard90.blob.core.windows.net:443
[2022-11-18 11:36:09,846][DEBUG] https://vsblobprodscussu5shard90.blob.core.windows.net:443 "GET /b-4712e0edc5a240eabf23330d7df68e77/378CECC3E3A9DFA350548FCB0A7072FB16E689554744CF93A3F6BDF62DDC495600.blob?sv=2019-07-07&sr=b&si=1&sig=oFOu%2F6PJWHVR0DV7Tymn3lifZtJg%2FYM3WHyCShwE9H4%3D&spr=https&se=2022-11-19T11%3A13%3A00Z&rscl=x-e2eid-9d64997b-d51a4e5d-b14671fe-6470384e-session-57f7ff7d-1b274973-98a55a23-61426d02 HTTP/1.1" 200 1641472
100%|████████████████████████████████████| 1.64M/1.64M [00:00<00:00, 1.80MiB/s]
[2022-11-18 11:36:10,765][DEBUG] Parsing PDB into JSON profile...
[2022-11-18 11:36:15,701][INFO] Deleted /var/lib/drakrun/profiles/wow64_ntdll_profile
[2022-11-18 11:36:15,701][INFO] Deleted /var/lib/drakrun/profiles/wntdll.pdb
[2022-11-18 11:36:15,703][INFO] Fetching rekall profile for Windows/System32/win32k.sys
[2022-11-18 11:37:16,038][INFO] Deleted /var/lib/drakrun/profiles/amd64_win32k_profile
Traceback (most recent call last):
  File "/opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/draksetup.py", line 586, in create_rekall_profile
    cmd = injector.read_file(guest_dll_path, local_dll_path)
  File "/opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/injector.py", line 66, in read_file
    return subprocess.run(injector_cmd, timeout=timeout, capture_output=True)
  File "/usr/lib/python3.8/subprocess.py", line 495, in run
    stdout, stderr = process.communicate(input, timeout=timeout)
  File "/usr/lib/python3.8/subprocess.py", line 1028, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
  File "/usr/lib/python3.8/subprocess.py", line 1869, in _communicate
    self._check_timeout(endtime, orig_timeout, stdout, stderr)
  File "/usr/lib/python3.8/subprocess.py", line 1072, in _check_timeout
    raise TimeoutExpired(
subprocess.TimeoutExpired: Command '['injector', '-o', 'json', '-d', 'vm-1', '-r', '/var/lib/drakrun/profiles/kernel.json', '-i', '2316', '-k', '0x1aa000', '-m', 'readfile', '-e', 'C:\Windows\System32\win32k.sys', '-B', '/var/lib/drakrun/profiles/amd64_win32k_profile']' timed out after 60 seconds
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/usr/bin/draksetup", line 5, in