
libusermode: Add support for x86 architecture

Open disaykin opened this issue 3 years ago • 12 comments

I think this code is good enough to use.

We have been using it for a long time without any problems.

disaykin avatar Jan 17 '22 14:01 disaykin

Can one of the admins verify this patch?

drakvuf-jenkins avatar Jan 17 '22 14:01 drakvuf-jenkins

@drakvuf-jenkins This is OK to test

tklengyel avatar Jan 18 '22 12:01 tklengyel

CI says "Plugin memdump startup failed!" without any explanation...

disaykin avatar Jan 18 '22 14:01 disaykin

@drakvuf-jenkins Retest this please

tklengyel avatar Jan 18 '22 14:01 tklengyel

Well, it fails deterministically, so you should check what in this PR is changed that results in that plugin complaining.

tklengyel avatar Jan 18 '22 18:01 tklengyel

@tklengyel I can't reproduce this failure. Can you run this test in verbose mode? Maybe the debug logs will help me understand what's going on.

disaykin avatar Jan 18 '22 20:01 disaykin

Last time, I think this PR was also stuck at this stage: https://github.com/tklengyel/drakvuf/pull/1094. Adding debug logs might help @tklengyel

manorit2001 avatar Jan 22 '22 11:01 manorit2001

Is this PR still active for consideration? Needs a rebase.

tklengyel avatar Aug 10 '22 17:08 tklengyel

I rebased the patch.

disaykin avatar Aug 11 '22 07:08 disaykin

@drakvuf-jenkins Retest this please

tklengyel avatar Aug 11 '22 15:08 tklengyel

I can not reproduce the failure:

$ sudo src/drakvuf -d win7 -t 60 -k 0x185000 -i 1412 -e calc.exe -m createproc -r /mnt/images/win7-sp1-x86/kernel.json -a memdump
1660246883.723587 DRAKVUF v0.8-git20220811221214+ptms.sandbox.drakvuf-0.0.0.2747-master-1-g48619231-1 Copyright (C) 2014-2022 Tamas K Lengyel
[INJECT] TIME:1660246883.995920 METHOD:CreateProc  STATUS:SUCCESS PID:1412 FILE:"calc.exe" ARGUMENTS:"" INJECTED_PID:1364 INJECTED_TID:980
[MEMDUMP] TIME:1660246884.166189 VCPU:1 CR3:0x76F38040 "\Device\HarddiskVolume2\Windows\System32\csrss.exe":NtWriteVirtualMemory SessionID:1 PID:348 PPID:328 DumpReason:"NtWriteVirtualMemory called" DumpPID:348 DumpAddr:29FD4C DumpSize:0x4 DumpFilename:"(not configured)" DumpsCount:1 TargetPID:1364 WriteAddr:24F114
...

disaykin avatar Aug 11 '22 19:08 disaykin

@drakvuf-jenkins Retest this please

tklengyel avatar Aug 14 '22 21:08 tklengyel

@tklengyel I turned off usermode hooking support in memdump plugin on x86.

disaykin avatar Aug 17 '22 07:08 disaykin

The apimon plugin is also having issues now on x86.

tklengyel avatar Aug 17 '22 15:08 tklengyel

I'm closing this PR for now, feel free to reopen if you are still working on it.

tklengyel avatar Sep 20 '22 01:09 tklengyel