draksetup postinstall doesn't work with 32-bit Windows #817

Open
psrok1 opened this issue Sep 12, 2023 · 0 comments
Labels
bug Something isn't working

Comments

psrok1 commented Sep 12, 2023

Describe the bug

draksetup tries to build a profile including wow64 binaries that don't exist on a 32-bit installation

[2023-09-12 14:15:35,710][INFO] Cleaning up leftovers(if any)
[2023-09-12 14:15:35,721][INFO] Ejecting installation CDs
[2023-09-12 14:15:35,873][INFO] Determined PDB GUID: 684da42a30cc450f81c535b4d18944b12
[2023-09-12 14:15:35,873][INFO] Determined kernel filename: ntkrpamp.pdb
[2023-09-12 14:15:35,873][INFO] Fetching PDB file...
[2023-09-12 14:15:35,897][DEBUG] Starting new HTTPS connection (1): msdl.microsoft.com:443
[2023-09-12 14:15:36,277][DEBUG] https://msdl.microsoft.com:443 "GET /download/symbols/ntkrpamp.pdb/684da42a30cc450f81c535b4d18944b12/ntkrpamp.pdb HTTP/1.1" 302 0
[2023-09-12 14:15:36,278][DEBUG] Starting new HTTPS connection (1): vsblobprodscussu5shard51.blob.core.windows.net:443
[2023-09-12 14:15:37,025][DEBUG] https://vsblobprodscussu5shard51.blob.core.windows.net:443 "GET /b-4712e0edc5a240eabf23330d7df68e77/6EACF8331C3D96544FB890CEDE4DB714C5EC3AC8A085F404301A577BCBE0B8F900.blob?sv=2019-07-07&sr=b&si=1&sig=%2ForJRLuEFft%2FVbmGtixIYuz03CdZV39P6129n2%2Fipp8%3D&spr=https&se=2023-09-13T12%3A25%3A55Z&rscl=x-e2eid-f755d487-28a34779-9b2ad49e-5db40770-session-aeda2d85-966c4d57-89f8610c-48e31cf0 HTTP/1.1" 200 6933504
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 6.93M/6.93M [00:02<00:00, 2.78MiB/s]
[2023-09-12 14:15:39,568][INFO] Generating profile out of PDB file...
[2023-09-12 14:15:53,135][INFO] Saving profile...
[2023-09-12 14:15:53,136][INFO] Deleted /var/lib/drakrun/profiles/ntkrpamp.pdb
[2023-09-12 14:15:53,896][INFO] Saving runtime profile...
[2023-09-12 14:15:53,897][INFO] Saving VM snapshot...
[2023-09-12 14:15:53,897][INFO] Saving VM vm-0
Saving to /var/lib/drakrun/volumes/snapshot.sav new xl format (info 0x3/0x0/2034)
xc: info: Saving domain 33, type x86 HVM
xc: Frames: 1044480/1044480  100%
xc: End of stream: 0/0    0%
[2023-09-12 14:16:16,874][INFO] Snapshot was saved succesfully.
[2023-09-12 14:16:16,874][INFO] Snapshotting persistent memory...
[2023-09-12 14:16:16,876][DEBUG] Starting new HTTPS connection (1): drakvuf.cert.pl:443
[2023-09-12 14:16:16,976][DEBUG] https://drakvuf.cert.pl:443 "POST /usage/draksetup HTTP/1.1" 400 None
[2023-09-12 14:16:16,976][ERROR] Failed to send usage report. This is not a serious problem.
Traceback (most recent call last):
  File "/opt/venvs/drakrun/lib/python3.9/site-packages/drakrun/draksetup.py", line 548, in send_usage_report
    res.raise_for_status()
  File "/opt/venvs/drakrun/lib/python3.9/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://drakvuf.cert.pl/usage/draksetup
[2023-09-12 14:16:17,181][INFO] Generated VM configuration for vm-1
[2023-09-12 14:16:17,246][INFO] Created bridge drak1
[2023-09-12 14:16:17,337][INFO] Bridge drak1 is up
Formatting '/var/lib/drakrun/volumes/vm-1.img', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=107374182400 backing_file=/var/lib/drakrun/volumes/vm-0.img backing_fmt=qcow2 lazy_refcounts=off refcount_bits=16
[2023-09-12 14:16:17,856][INFO] Restoring VM vm-1
Loading new save file /var/lib/drakrun/volumes/snapshot.sav (new xl fmt info 0x3/0x0/2034)
 Savefile contains xl domain config in JSON format
Parsing config from /etc/drakrun/configs/vm-1.cfg
xc: info: Found x86 HVM domain from Xen 4.17
xc: info: Restoring domain
xc: info: Restore successful
xc: info: XenStore: mfn 0xfeffc, dom 0, evt 1
xc: info: Console: mfn 0xfefff, dom 0, evt 2
[2023-09-12 14:16:42,707][INFO] Fetching rekall profile for Windows/System32/ntdll.dll
[2023-09-12 14:16:49,376][DEBUG] Starting new HTTPS connection (1): msdl.microsoft.com:443
[2023-09-12 14:16:49,651][DEBUG] https://msdl.microsoft.com:443 "GET /download/symbols/ntdll.pdb/120028fa453f4cd5a6a404ec37396a582/ntdll.pdb HTTP/1.1" 302 0
[2023-09-12 14:16:49,652][DEBUG] Starting new HTTPS connection (1): vsblobprodscussu5shard71.blob.core.windows.net:443
[2023-09-12 14:16:50,340][DEBUG] https://vsblobprodscussu5shard71.blob.core.windows.net:443 "GET /b-4712e0edc5a240eabf23330d7df68e77/20A62A95572AABD055074178C71CE174026AD8F9C502CB8E75B424593D4DA4D700.blob?sv=2019-07-07&sr=b&si=1&sig=V9ptHig0mhtOAVEzsvDNYsduMs2LoDMHJZwi1Cerhw0%3D&spr=https&se=2023-09-13T13%3A07%3A38Z&rscl=x-e2eid-b504bcc0-09924a92-a9412f80-f6dc3ab6-session-aeda150c-966c4d57-89f8610c-48e31cf0 HTTP/1.1" 200 2124800
100%|████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 2.12M/2.12M [00:00<00:00, 2.17MiB/s]
[2023-09-12 14:16:51,340][DEBUG] Parsing PDB into JSON profile...
[2023-09-12 14:16:54,535][INFO] Deleted /var/lib/drakrun/profiles/amd64_ntdll_profile
[2023-09-12 14:16:54,535][INFO] Deleted /var/lib/drakrun/profiles/ntdll.pdb
[2023-09-12 14:16:54,536][INFO] Fetching rekall profile for Windows/SysWOW64/ntdll.dll
[2023-09-12 14:17:01,409][DEBUG] stderr: DRAKVUF injector v1.1-git20230901115228+3a0905b-1 Copyright (C) 2014-2023 Tamas K Lengyel
Failed to read guest file

[2023-09-12 14:17:01,409][DEBUG] {'Plugin': 'inject', 'TimeStamp': '1694521021.395943', 'Method': 'ReadFile', 'Status': 'Error', 'ErrorCode': 6, 'Error': 'ERROR_INVALID_HANDLE'}
[2023-09-12 14:17:01,409][INFO] Deleted /var/lib/drakrun/profiles/wow64_ntdll_profile
Traceback (most recent call last):
  File "/usr/bin/draksetup", line 5, in <module>
    ds.main()
  File "/opt/venvs/drakrun/lib/python3.9/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/opt/venvs/drakrun/lib/python3.9/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/opt/venvs/drakrun/lib/python3.9/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/opt/venvs/drakrun/lib/python3.9/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/opt/venvs/drakrun/lib/python3.9/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/opt/venvs/drakrun/lib/python3.9/site-packages/drakrun/draksetup.py", line 817, in postinstall
    create_missing_profiles()
  File "/opt/venvs/drakrun/lib/python3.9/site-packages/drakrun/draksetup.py", line 864, in create_missing_profiles
    create_rekall_profile(injector, profile, True)
  File "/opt/venvs/drakrun/lib/python3.9/site-packages/drakrun/draksetup.py", line 597, in create_rekall_profile
    raise Exception("Some error occurred in injector")
Exception: Some error occurred in injector
@psrok1 psrok1 added the bug Something isn't working label Sep 12, 2023
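The log above shows two things a maintainer would want to handle: the profile list is walked unconditionally (so `Windows/SysWOW64/ntdll.dll` is requested from a guest that has no WOW64 layer), and the injector's structured result (`ReadFile`, `ERROR_INVALID_HANDLE`) is collapsed into a generic "Some error occurred in injector". The following is an added example, not drakrun's own code: it gates WOW64 profiles on guest bitness, inferred here from the kernel PDB name that draksetup already logs (`ntkrpamp.pdb` is a 32-bit PAE multiprocessor kernel, `ntkrnlmp.pdb` the 64-bit one; treating that name as the bitness hint is an assumption of this example, and unknown names are refused rather than guessed), and it surfaces the injector's error fields in the exception. The profile names, the success-result shape and the sample lines are constructed for this example; only the guest paths, method and error code come from the issue log.

```python
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass(frozen=True)
class GuestBinary:
    path: str          # path inside the guest, relative to the system drive
    profile_name: str  # name of the profile generated on the host (constructed names)
    wow64: bool        # True if the binary only exists on 64-bit Windows


# Guest paths are the ones the issue log requests; the profile names are constructed.
PROFILE_TARGETS = [
    GuestBinary("Windows/System32/ntdll.dll", "native_ntdll_profile", wow64=False),
    GuestBinary("Windows/SysWOW64/ntdll.dll", "wow64_ntdll_profile", wow64=True),
]

# Assumption for this example: the kernel PDB filename reported by draksetup is
# usable as a bitness hint. ntkrpamp/ntkrnlpa are 32-bit PAE kernels,
# ntkrnlmp is the 64-bit multiprocessor kernel. Anything else is rejected.
KERNEL_PDB_BITNESS = {
    "ntkrpamp.pdb": 32,
    "ntkrnlpa.pdb": 32,
    "ntkrnlmp.pdb": 64,
}


def guest_bitness(kernel_pdb: str) -> int:
    """Return 32 or 64 for a known kernel PDB name; refuse to guess otherwise."""
    try:
        return KERNEL_PDB_BITNESS[kernel_pdb.lower()]
    except KeyError:
        raise ValueError(
            f"unknown kernel PDB {kernel_pdb!r}; cannot infer guest bitness"
        ) from None


def select_profiles(kernel_pdb: str) -> list[GuestBinary]:
    """Drop WOW64-only targets when the guest is 32-bit."""
    bits = guest_bitness(kernel_pdb)
    return [t for t in PROFILE_TARGETS if bits == 64 or not t.wow64]


class InjectorError(RuntimeError):
    """Raised with the injector's own Method/Error/ErrorCode fields."""


def check_injector_result(line: str, guest_path: str) -> dict:
    """Parse one JSON result line from the injector and raise a descriptive
    error if it reports failure, instead of a generic 'some error occurred'."""
    result = json.loads(line)
    if result.get("Status") == "Error":
        raise InjectorError(
            f"injector {result.get('Method')} on {guest_path} failed: "
            f"{result.get('Error')} (code {result.get('ErrorCode')})"
        )
    return result


# Constructed sample lines: the failure carries the same fields as the log entry
# in the issue; the success shape is an assumption of this example.
SAMPLE_FAILURE = (
    '{"Plugin": "inject", "TimeStamp": "1694521021.395943", "Method": "ReadFile", '
    '"Status": "Error", "ErrorCode": 6, "Error": "ERROR_INVALID_HANDLE"}'
)
SAMPLE_SUCCESS = (
    '{"Plugin": "inject", "TimeStamp": "1694521021.395943", "Method": "ReadFile", '
    '"Status": "Success"}'
)


if __name__ == "__main__":
    for pdb in ("ntkrpamp.pdb", "ntkrnlmp.pdb"):
        print(pdb, "->", [t.path for t in select_profiles(pdb)])
    try:
        check_injector_result(SAMPLE_FAILURE, "Windows/SysWOW64/ntdll.dll")
    except InjectorError as exc:
        print("error:", exc)
```

With this gating, a 32-bit guest identified by `ntkrpamp.pdb` only gets the `System32` target, and a real injector failure on a 64-bit guest reports which file and which Win32 error were involved rather than a bare `Exception`.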