drakvuf-sandbox
`draksetup postinstall` doesn't work with 32-bit Windows
Describe the bug
draksetup tries to build a profile including wow64 binaries that don't exist on a 32-bit installation
[2023-09-12 14:15:35,710][INFO] Cleaning up leftovers(if any)
[2023-09-12 14:15:35,721][INFO] Ejecting installation CDs
[2023-09-12 14:15:35,873][INFO] Determined PDB GUID: 684da42a30cc450f81c535b4d18944b12
[2023-09-12 14:15:35,873][INFO] Determined kernel filename: ntkrpamp.pdb
[2023-09-12 14:15:35,873][INFO] Fetching PDB file...
[2023-09-12 14:15:35,897][DEBUG] Starting new HTTPS connection (1): msdl.microsoft.com:443
[2023-09-12 14:15:36,277][DEBUG] https://msdl.microsoft.com:443 "GET /download/symbols/ntkrpamp.pdb/684da42a30cc450f81c535b4d18944b12/ntkrpamp.pdb HTTP/1.1" 302 0
[2023-09-12 14:15:36,278][DEBUG] Starting new HTTPS connection (1): vsblobprodscussu5shard51.blob.core.windows.net:443
[2023-09-12 14:15:37,025][DEBUG] https://vsblobprodscussu5shard51.blob.core.windows.net:443 "GET /b-4712e0edc5a240eabf23330d7df68e77/6EACF8331C3D96544FB890CEDE4DB714C5EC3AC8A085F404301A577BCBE0B8F900.blob?sv=2019-07-07&sr=b&si=1&sig=%2ForJRLuEFft%2FVbmGtixIYuz03CdZV39P6129n2%2Fipp8%3D&spr=https&se=2023-09-13T12%3A25%3A55Z&rscl=x-e2eid-f755d487-28a34779-9b2ad49e-5db40770-session-aeda2d85-966c4d57-89f8610c-48e31cf0 HTTP/1.1" 200 6933504
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 6.93M/6.93M [00:02<00:00, 2.78MiB/s]
[2023-09-12 14:15:39,568][INFO] Generating profile out of PDB file...
[2023-09-12 14:15:53,135][INFO] Saving profile...
[2023-09-12 14:15:53,136][INFO] Deleted /var/lib/drakrun/profiles/ntkrpamp.pdb
[2023-09-12 14:15:53,896][INFO] Saving runtime profile...
[2023-09-12 14:15:53,897][INFO] Saving VM snapshot...
[2023-09-12 14:15:53,897][INFO] Saving VM vm-0
Saving to /var/lib/drakrun/volumes/snapshot.sav new xl format (info 0x3/0x0/2034)
xc: info: Saving domain 33, type x86 HVM
xc: Frames: 1044480/1044480 100%
xc: End of stream: 0/0 0%
[2023-09-12 14:16:16,874][INFO] Snapshot was saved succesfully.
[2023-09-12 14:16:16,874][INFO] Snapshotting persistent memory...
[2023-09-12 14:16:16,876][DEBUG] Starting new HTTPS connection (1): drakvuf.cert.pl:443
[2023-09-12 14:16:16,976][DEBUG] https://drakvuf.cert.pl:443 "POST /usage/draksetup HTTP/1.1" 400 None
[2023-09-12 14:16:16,976][ERROR] Failed to send usage report. This is not a serious problem.
Traceback (most recent call last):
File "/opt/venvs/drakrun/lib/python3.9/site-packages/drakrun/draksetup.py", line 548, in send_usage_report
res.raise_for_status()
File "/opt/venvs/drakrun/lib/python3.9/site-packages/requests/models.py", line 1021, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://drakvuf.cert.pl/usage/draksetup
[2023-09-12 14:16:17,181][INFO] Generated VM configuration for vm-1
[2023-09-12 14:16:17,246][INFO] Created bridge drak1
[2023-09-12 14:16:17,337][INFO] Bridge drak1 is up
Formatting '/var/lib/drakrun/volumes/vm-1.img', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=107374182400 backing_file=/var/lib/drakrun/volumes/vm-0.img backing_fmt=qcow2 lazy_refcounts=off refcount_bits=16
[2023-09-12 14:16:17,856][INFO] Restoring VM vm-1
Loading new save file /var/lib/drakrun/volumes/snapshot.sav (new xl fmt info 0x3/0x0/2034)
Savefile contains xl domain config in JSON format
Parsing config from /etc/drakrun/configs/vm-1.cfg
xc: info: Found x86 HVM domain from Xen 4.17
xc: info: Restoring domain
xc: info: Restore successful
xc: info: XenStore: mfn 0xfeffc, dom 0, evt 1
xc: info: Console: mfn 0xfefff, dom 0, evt 2
[2023-09-12 14:16:42,707][INFO] Fetching rekall profile for Windows/System32/ntdll.dll
[2023-09-12 14:16:49,376][DEBUG] Starting new HTTPS connection (1): msdl.microsoft.com:443
[2023-09-12 14:16:49,651][DEBUG] https://msdl.microsoft.com:443 "GET /download/symbols/ntdll.pdb/120028fa453f4cd5a6a404ec37396a582/ntdll.pdb HTTP/1.1" 302 0
[2023-09-12 14:16:49,652][DEBUG] Starting new HTTPS connection (1): vsblobprodscussu5shard71.blob.core.windows.net:443
[2023-09-12 14:16:50,340][DEBUG] https://vsblobprodscussu5shard71.blob.core.windows.net:443 "GET /b-4712e0edc5a240eabf23330d7df68e77/20A62A95572AABD055074178C71CE174026AD8F9C502CB8E75B424593D4DA4D700.blob?sv=2019-07-07&sr=b&si=1&sig=V9ptHig0mhtOAVEzsvDNYsduMs2LoDMHJZwi1Cerhw0%3D&spr=https&se=2023-09-13T13%3A07%3A38Z&rscl=x-e2eid-b504bcc0-09924a92-a9412f80-f6dc3ab6-session-aeda150c-966c4d57-89f8610c-48e31cf0 HTTP/1.1" 200 2124800
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 2.12M/2.12M [00:00<00:00, 2.17MiB/s]
[2023-09-12 14:16:51,340][DEBUG] Parsing PDB into JSON profile...
[2023-09-12 14:16:54,535][INFO] Deleted /var/lib/drakrun/profiles/amd64_ntdll_profile
[2023-09-12 14:16:54,535][INFO] Deleted /var/lib/drakrun/profiles/ntdll.pdb
[2023-09-12 14:16:54,536][INFO] Fetching rekall profile for Windows/SysWOW64/ntdll.dll
[2023-09-12 14:17:01,409][DEBUG] stderr: DRAKVUF injector v1.1-git20230901115228+3a0905b-1 Copyright (C) 2014-2023 Tamas K Lengyel
Failed to read guest file
[2023-09-12 14:17:01,409][DEBUG] {'Plugin': 'inject', 'TimeStamp': '1694521021.395943', 'Method': 'ReadFile', 'Status': 'Error', 'ErrorCode': 6, 'Error': 'ERROR_INVALID_HANDLE'}
[2023-09-12 14:17:01,409][INFO] Deleted /var/lib/drakrun/profiles/wow64_ntdll_profile
Traceback (most recent call last):
File "/usr/bin/draksetup", line 5, in <module>
ds.main()
File "/opt/venvs/drakrun/lib/python3.9/site-packages/click/core.py", line 829, in __call__
return self.main(*args, **kwargs)
File "/opt/venvs/drakrun/lib/python3.9/site-packages/click/core.py", line 782, in main
rv = self.invoke(ctx)
File "/opt/venvs/drakrun/lib/python3.9/site-packages/click/core.py", line 1259, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/opt/venvs/drakrun/lib/python3.9/site-packages/click/core.py", line 1066, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/opt/venvs/drakrun/lib/python3.9/site-packages/click/core.py", line 610, in invoke
return callback(*args, **kwargs)
File "/opt/venvs/drakrun/lib/python3.9/site-packages/drakrun/draksetup.py", line 817, in postinstall
create_missing_profiles()
File "/opt/venvs/drakrun/lib/python3.9/site-packages/drakrun/draksetup.py", line 864, in create_missing_profiles
create_rekall_profile(injector, profile, True)
File "/opt/venvs/drakrun/lib/python3.9/site-packages/drakrun/draksetup.py", line 597, in create_rekall_profile
raise Exception("Some error occurred in injector")
Exception: Some error occurred in injector
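An added illustration (not drakrun's own code) of one way to make profile creation architecture-aware: infer guest bitness from the kernel PDB name draksetup already logs, build the WoW64 profile only for 64-bit guests, and classify a SysWOW64 ReadFile failure as a missing optional file rather than a fatal injector fault. The profile table and helper names are assumptions; the kernel filename and injector record are taken from the log above.

```python
import ast
from typing import List, Tuple

# Profile targets as draksetup names them in the log above (constructed table; the
# third field marks profiles that only exist on a 64-bit guest).
PROFILE_TARGETS = [
    ("Windows/System32/ntdll.dll", "amd64_ntdll_profile", False),
    ("Windows/SysWOW64/ntdll.dll", "wow64_ntdll_profile", True),
]

# Kernel PDB names that only 32-bit Windows ships. ntkrnlmp.pdb is used by the x64
# kernel and by the 32-bit non-PAE multiprocessor kernel, so it is ambiguous on its own.
X86_ONLY_KERNEL_PDBS = {"ntoskrnl.pdb", "ntkrnlpa.pdb", "ntkrpamp.pdb"}


def guest_is_64bit(kernel_pdb: str, configured_arch: str = "") -> bool:
    """Infer guest bitness from the kernel PDB name, falling back to an explicit setting."""
    name = kernel_pdb.lower()
    if name in X86_ONLY_KERNEL_PDBS:
        return False
    if configured_arch in ("x86", "x64"):
        return configured_arch == "x64"
    raise ValueError(f"cannot infer bitness from {kernel_pdb}; set configured_arch")


def plan_profiles(kernel_pdb: str, configured_arch: str = "") -> List[Tuple[str, str]]:
    """Return (guest path, profile name) pairs to build, skipping WoW64 ones on 32-bit guests."""
    is64 = guest_is_64bit(kernel_pdb, configured_arch)
    return [(path, name) for path, name, wow64_only in PROFILE_TARGETS if is64 or not wow64_only]


def is_optional_wow64_read_failure(status_line: str, guest_path: str) -> bool:
    """True when the injector status record (the dict repr draksetup logs) is a ReadFile
    error for a SysWOW64 path, i.e. an optional file that is absent on this guest."""
    try:
        rec = ast.literal_eval(status_line)
    except (ValueError, SyntaxError):
        return False
    return (isinstance(rec, dict) and rec.get("Plugin") == "inject"
            and rec.get("Method") == "ReadFile" and rec.get("Status") == "Error"
            and "SysWOW64" in guest_path)


if __name__ == "__main__":
    print(plan_profiles("ntkrpamp.pdb"))  # only the native ntdll profile on this 32-bit guest
    rec = ("{'Plugin': 'inject', 'TimeStamp': '1694521021.395943', 'Method': 'ReadFile', "
           "'Status': 'Error', 'ErrorCode': 6, 'Error': 'ERROR_INVALID_HANDLE'}")
    print(is_optional_wow64_read_failure(rec, "Windows/SysWOW64/ntdll.dll"))
```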