Velocidex
issue using winpmem
I am trying to use the pcm (performance counter) and using the winpmem driver.
I have the following error on the event viewer: The winpmem service failed to start due to the following error: A device attached to the system is not functioning.
I am using the x64.sys file and storing it in the same directory where I run my pcm.exe
Could you kindly help?
Thanks
I have no idea what pcm.exe is and what it does? Are you able to load the driver using winpmem.exe -l ?
This is what I get when running the winpmem.exe -l command:
C:\Users\User\Desktop\WinPmem-master\kernel\executable\Debug>winpmem.exe -l WinPmem64 Extracting driver to C:\Users\User\AppData\Local\Temp\pme7563.tmp Driver Unloaded. Loaded Driver C:\Users\User\AppData\Local\Temp\pme7563.tmp. Deleting C:\Users\User\AppData\Local\Temp\pme7563.tmp
On Mon, Nov 23, 2020 at 7:56 PM Mike Cohen [email protected] wrote:
I have no idea what pcm.exe is and what it does? Are you able to load the driver using winpmem.exe -l ?
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/Velocidex/WinPmem/issues/22#issuecomment-732513238, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHPVNJX3FYWYXLWZKZ6ETO3SRMADVANCNFSM4UAFNJLA .
-- Regards, Zineb
Cool looks like it is working - can you take a memory image?
you can see the driver is installed using sc:
sc.exe query wimpmem
here is the outpu:
C:\Users\User\Desktop\WinPmem-master\kernel\executable\Debug>sc.exe query winpmem
SERVICE_NAME: winpmem TYPE : 1 KERNEL_DRIVER STATE : 1 STOPPED WIN32_EXIT_CODE : 31 (0x1f) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
On Mon, Nov 23, 2020 at 8:24 PM Mike Cohen [email protected] wrote:
Cool looks like it is working - can you take a memory image?
you can see the driver is installed using sc:
sc.exe query wimpmem
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/Velocidex/WinPmem/issues/22#issuecomment-732522120, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHPVNJWMVK7SIHK5D7EXHCDSRMDN3ANCNFSM4UAFNJLA .
-- Regards, Zineb
So why is the state stopped? Aslo how to take a memory image please?
On Mon, Nov 23, 2020 at 8:41 PM Zineb Benameur-El Youbi [email protected] wrote:
here is the outpu:
C:\Users\User\Desktop\WinPmem-master\kernel\executable\Debug>sc.exe query winpmem
SERVICE_NAME: winpmem TYPE : 1 KERNEL_DRIVER STATE : 1 STOPPED WIN32_EXIT_CODE : 31 (0x1f) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0
On Mon, Nov 23, 2020 at 8:24 PM Mike Cohen [email protected] wrote:
Cool looks like it is working - can you take a memory image?
you can see the driver is installed using sc:
sc.exe query wimpmem
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/Velocidex/WinPmem/issues/22#issuecomment-732522120, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHPVNJWMVK7SIHK5D7EXHCDSRMDN3ANCNFSM4UAFNJLA .
-- Regards, Zineb
-- Regards, Zineb
just run it like winpmem.exe foo.dd
Make sure you use the release binary from the releases page rather than try to build it from source - otherwise you need to sign the driver somehow.
I actually built the source code to get the .exe file.
Could you please point me to the release page where I can find the .exe file to run? (I don't seem to find it on the github repo) Thanks again
On Mon, Nov 23, 2020 at 9:05 PM Mike Cohen [email protected] wrote:
just run it like winpmem.exe foo.dd
Make sure you use the release binary from the releases page rather than try to build it from source - otherwise you need to sign the driver somehow.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/Velocidex/WinPmem/issues/22#issuecomment-732538861, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHPVNJUISHUNMBRF3XBVMBTSRMIGVANCNFSM4UAFNJLA .
-- Regards, Zineb
Thank you for your response. Here is the output: C:\Users\User\Desktop\WinPmem-master>winpmem_mini_x64_rc2.exe foo.dd WinPmem64 Extracting driver to C:\Users\User\AppData\Local\Temp\pme5B65.tmp Driver Unloaded. Loaded Driver C:\Users\User\AppData\Local\Temp\pme5B65.tmp. Deleting C:\Users\User\AppData\Local\Temp\pme5B65.tmp The system time is: 02:18:37 Will generate a RAW image
- buffer_size_: 0x1000 CR3: 0x00001AD000 5 memory ranges: Start 0x00001000 - Length 0x0005B000 Start 0x0005D000 - Length 0x00043000 Start 0x00100000 - Length 0xD063D000 Start 0xD1C0F000 - Length 0x00001000 Start 0x100000000 - Length 0x127800000 max_physical_memory_ 0x227800000 Acquitision mode PTE Remapping Padding from 0x00000000 to 0x00001000 pad
- length: 0x1000
00% 0x00000000 . copy_memory
- start: 0x1000
- end: 0x5c000
00% 0x00001000 . Padding from 0x0005C000 to 0x0005D000 pad
- length: 0x1000
00% 0x0005C000 . copy_memory
- start: 0x5d000
- end: 0xa0000
00% 0x0005D000 . Padding from 0x000A0000 to 0x00100000 pad
- length: 0x60000
00% 0x000A0000 . copy_memory
- start: 0x100000
- end: 0xd073d000
00% 0x00100000 .................................................. 09% 0x32100000 .................................................. 18% 0x64100000 .................................................. 27% 0x96100000 .................................................. 36% 0xC8100000 ......... Padding from 0xD073D000 to 0xD1C0F000 pad
- length: 0x14d2000
37% 0xD073D000 .. copy_memory
- start: 0xd1c0f000
- end: 0xd1c10000
38% 0xD1C0F000 . Padding from 0xD1C10000 to 0x100000000 pad
- length: 0x2e3f0000
38% 0xD1C10000 ............................................... copy_memory
- start: 0x100000000
- end: 0x227800000
46% 0x100000000 .................................................. 55% 0x132000000 .................................................. 64% 0x164000000 .................................................. 73% 0x196000000 .................................................. 82% 0x1C8000000 .................................................. 91% 0x1FA000000 .............................................. The system time is: 02:20:31 Driver Unloaded.
It also genarated the .dd file (8.5 G)
On Mon, Nov 23, 2020 at 9:14 PM Mike Cohen [email protected] wrote:
[image: image] https://user-images.githubusercontent.com/3856546/100037749-7fb7a280-2e4e-11eb-9b15-f316fa9d1bba.png
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/Velocidex/WinPmem/issues/22#issuecomment-732541588, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHPVNJX2L53RPHMKCCZPSI3SRMJHTANCNFSM4UAFNJLA .
-- Regards, Zineb
same problem here. I guess it has to do with write not being enabled. I have tried to enable it by "winpmem.exe -w -l" while running in a test mode, but no luck as it complains of "Failed to set write mode. Maybe these drivers do not support this mode?"
PS: there are also some syntax errors with pmem write enable under read.c PmemWrite line 687 and line 691
We do not release drivers with write mode enabled. You do not need these to acquire memory.
Mike Cohen Digital Paleontologist, Velocidex Enterprises M +61 470 238 491 <+61+470+238+491> E @.*** @.***>
On Sun, Apr 25, 2021 at 7:00 PM Mustafa Hajeer @.***> wrote:
same problem here. I guess it has to do with write not being enabled. I have tried to enable it by "winpmem.exe -w -l" while running in a test mode, but no luck as it complains of "Failed to set write mode. Maybe these drivers do not support this mode?"
PS: there are also some syntax errors with pmem write enable under read.c PmemWrite line 687 and line 691
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/Velocidex/WinPmem/issues/22#issuecomment-826286890, or unsubscribe https://github.com/notifications/unsubscribe-auth/AA5NRIR3YYUT4ATSHQDYSFTTKPK37ANCNFSM4UAFNJLA .
Thanks Mike, I am using this for testing purposes only and I am trying to compile/build a working write enabled driver using the notes in https://github.com/Velocidex/WinPmem/blob/master/README.md . no luck so far with .sys driver or with the .exe tool :(
You have to rebuild the driver in visual studio and then take the sys file to place into the bisque binaries folder and then compile the user space program using visual studio as well.
Then you need to set your system into loading test drivers with bcdedit otherwise you can't load the unsigned driver.
What specific errors are you getting in building?
Thanks Mike
On Tue, Apr 27, 2021, 01:56 Mustafa Hajeer @.***> wrote:
Thanks Mike, I am using this for testing purposes only and I am trying to compile/build a working write enabled driver using the notes in https://github.com/Velocidex/WinPmem/blob/master/README.md . no luck so far with .sys driver or with the .exe tool :(
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/Velocidex/WinPmem/issues/22#issuecomment-826951234, or unsubscribe https://github.com/notifications/unsubscribe-auth/AA5NRITJRSJTQK2GJ4XZOHDTKWEJXANCNFSM4UAFNJLA .
Thank you, will give that a shot. I am getting syntax errors in "read.c PmemWrite line 687 and line 691" when:
- uncomment line 33 in winpmem.h #define PMEM_WRITE_ENABLED 1
- uncomment line 9 in ctl_codes.h #define PMEM_WRITE_ENABLE CTL_CODE(0x22, 0x102, 0, 3)
Also, after fixing these syntax errors and building the .sys, the service cannot start on windows using this sys for some reason if I try to start with sc.exe
Bump. Could you see why winpmem latest release is failing on windows-latest GitHub worker?
name: TestJob
on:
#manually trigger
workflow_dispatch:
jobs:
run_win:
runs-on: windows-latest
steps:
-name: Run script
run: |
curl -OL URI/winpmem.exe
./winpmem.exe dump.raw
dir
Is this related to this issue? Are you compiling your own driver? If you do you will need to sign it