Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Socketmon plugin not work on win7 sp1 x64 #1613

Open
Lexati opened this issue Feb 16, 2023 · 12 comments
Open

Socketmon plugin not work on win7 sp1 x64 #1613

Lexati opened this issue Feb 16, 2023 · 12 comments

Comments

@Lexati
Copy link

Lexati commented Feb 16, 2023

Hello tklengyel!
Help me please, i try take on Socketmon plugin on windows 7 sp1 x64 with next command:
sudo drakvuf -a socketmon -d vm-1 -r /var/lib/drakrun/profiles/kernel.json -T /var/lib/drakrun/profile/amd64_tcpip_profile.json -t 120 -i 1288 -v

but drakvuf return error debug log:
изображение

Can you advise me how i can fix this problem?

Also from debug log:
Failed to find dnsapi.dll in list starting at 0x3225f0

[SOCKETMON] trap_visitor: CR3[0x53DF000] pid[0x444 1092] is_wow_process[0] is_wow_module[0] base_name[DNSAPI.dll] load_address[0x7FEFC550000] full_name[C:\Windows\System32\DNSAPI.dll]

[SOCKETMON] trap_visitor: CR3[0x7BCA000] pid[0x278 632] is_wow_process[0] is_wow_module[0] base_name[DNSAPI.dll] load_address[0x7FEFC550000] full_name[c:\windows\system32\DNSAPI.dll]

[SOCKETMON] trap_visitor: CR3[0x5055B000] pid[0x644 1604] is_wow_process[0] is_wow_module[0] base_name[DNSAPI.dll] load_address[0x7FEFC550000] full_name[C:\Windows\system32\DNSAPI.dll]

Thank you in advance!=)

@tklengyel
Copy link
Owner

If the dll is not found in the list you are trying to start with the plugin won't work. You need to figure out why the dll is missing in your VM.

@Lexati
Copy link
Author

Lexati commented Feb 20, 2023

Thank you for your fast answer!
I checked DNSAPI.dll in VM.
Now DNSAPI.dll exist in:

  • C:\Windows\system32
  • C:\Windows\SysWow64
    Then i start command:
    sudo draksetup postinstall --no-report
    I see that script detect DNSAPI.dll in C:\Windows\system32 via injector and create rekall profile for this dll in path /var/lib/drakrun/profiles/
    the same situation with tcpip.sys.

But then i try use this profile for socketmon, i see errors on debug logs.
In scrinshot below in debug log is record "Failed to trap function SysWOW64 dnsapi.dll"
may be i must create rekall allso for C:\Windows\SysWow64\dnsapi.dll ?
изображение

If this is a true statement, then tell me exactly where I need to place and specify this rekall profile.
If not, then tell me please what else could be done.
Maybe there is some specific windows 7 image on which socketmon will be guaranteed to work without any problems.
Thank you in advance!

@Lexati
Copy link
Author

Lexati commented Feb 20, 2023

Content in /var/lib/drakrun/profiles/:
изображение

@tklengyel
Copy link
Owner

It's not enough that the dll exists on disk. If it's not loaded into the memory of the process as part of its module list it won't work. In your VM the dll is not found in memory and you need to figure out why your Windows installation doesn't load it.

It also sounds like you are using DRAKVUF Sandbox, so you may want to open an issue on their repository because they might have some more information about the automated setup that supposed to resolve this.

@Lexati
Copy link
Author

Lexati commented Mar 6, 2023

Thank you for your fast answer!
I created issue in DRAKVUF Sandbox.
CERT-Polska/drakvuf-sandbox#770

So far, I can’t understand why dsnapi.dll is not loaded into VM memory...
I reinstalled VM, gave network access before postinstall, but It did not help.

@Saksham128
Copy link

Did you figured out any solution for this problem? I am having the same problem with the socketmon plugin. My debug also gives the same error of dll missing. Is there any other way through which i can capture the network of the VM?

@Lexati
Copy link
Author

Lexati commented Aug 28, 2023

Did you figured out any solution for this problem? I am having the same problem with the socketmon plugin. My debug also gives the same error of dll missing. Is there any other way through which i can capture the network of the VM?

No, this problem is still relevant.

@psrok1
Copy link
Contributor

psrok1 commented Jul 24, 2024

The root of the problem is that socketmon plugin uses old, eager method of usermode function hooking that requires the DLL to be loaded at the time of hook setup. If dnsapi.dll is not used by any process and doesn't exist in the memory, socketmon plugin fails to load as well.

Other plugins (like memdump or apimon) use libusermode component that sets hooks lazily, waiting for dnsapi.dll to be loaded into the memory by process that depends on dnsapi.dll functions.

So it doesn't have anything in common with Rekall/Volatility profiles (functions are located by looking into export tables) or Windows version. It's also not the problem of Drakvuf Sandbox.

I guess it's more a "call for contribution" for someone that would like to replace the internal register_module_trap implementation (https://github.com/CERT-Polska/drakvuf/blob/main/src/plugins/socketmon/socketmon.cpp#L899) with proper call to libusermode (https://github.com/CERT-Polska/drakvuf/blob/main/src/plugins/apimon/apimon.cpp#L330).

@tklengyel
Copy link
Owner

I guess an alternative workaround is to just setup the base VM by running a process that uses dnsapi.dll before you take a snapshot of it.

@Lexati
Copy link
Author

Lexati commented Aug 2, 2024

I tried again run socketmon:
sudo drakvuf -a socketmon -d vm-1 -r /var/lib/drakrun/profiles/kernel.json -T /var/lib/drakrun/apiscount_profiles/amd64_tcpip_profile.json -v -g

and I got the same error.
изображение

moreover, after the -T parameter, I can specify anything and still get this output.

I can successfully launch the apimon with the following commands:
sudo drakvuf -a apimon -d vm-1 -r /var/lib/drakrun/profiles/kernel.json

If i also tried launch socketmon:
sudo drakvuf -a socketmon -d vm-1 -r /var/lib/drakrun/profiles/kernel.json -v

next error in output:
1722606757.212839 DRAKVUF v1.0-git20220222010225+fecea59-1 Copyright (C) 2014-2022 Tamas K Lengyel
1722606757.212903 Starting DRAKVUF initialization
1722606757.212914 drakvuf_init: Rekall WoW64 profile not used
1722606757.213116 drakvuf_event_fd_add fd=18
1722606757.213124 size of list=1
1722606757.213131 regenerating event_fds and fd_info_lookup...
1722606757.213140 new event_fd i=0 for fd=18
1722606757.213144 new fd_info_lookup i=0 for fd=18
1722606757.213148 drakvuf_init: adding event_fd done
1722606757.213716 init_vmi on domID 20 -> vm-1
1722606757.214218 init_vmi: initializing vmi done
1722606757.214236 Max GPFN: 0x110083
1722606757.214252 Max mem set? 0
1722606757.214265 Physmap populated? 0
1722606757.214337 Altp2m enabled? 1
1722606757.214360 Altp2m view X created with ID 1
1722606757.214372 Altp2m view R created with ID 2
1722606757.214380 Altp2m view RW created with ID 3
1722606757.214443 init_vmi finished
1722606757.278875 Windows kernel base address is 0xfffff8043b800000
1722606757.278898 Failed to find address for symbol KiInitialPCR
1722606757.279116 Failed to find offset for _EPROCESS:Wow64Process
1722606757.279129 Failed to find offset for VadRoot:BalancedRoot
1722606757.279166 Failed to find offset for _MMVAD:LeftChild
1722606757.279183 Failed to find offset for _MMVAD:RightChild
1722606757.279464 Failed to find offset for _KPCR:PrcbData
1722606757.279494 Failed to find offsets for array of structure names and subsymbols.
1722606757.279502 Failed to find offsets for of bitfield: _MMVAD_FLAGS:Protection.
1722606757.279509 Failed to find offsets for of bitfield: _MMVAD_FLAGS:MemCommit.
1722606757.279514 Failed to find offsets for of bitfield: _MMVAD_FLAGS1:MemCommit.
1722606757.279520 Failed to find offsets for of bitfield: _MMVAD_FLAGS:VadType.
1722606757.279525 Failed to find offsets for of bitfield: (null):(null).
1722606757.279529 Failed to find offsets for of bitfield: _MMVAD_FLAGS:CommitCharge.
1722606757.279534 Failed to find offsets for of bitfield: _MMVAD_FLAGS1:CommitCharge.
1722606757.279567 libdrakvuf initialized
1722606757.279588 DRAKVUF initializated
1722606757.279600 Enabling context based interception.
1722606757.279605 Starting plugins
1722606757.279610 Starting plugin socketmon
1722606757.279640 Socketmon plugin requires the JSON debug info for tcpip.sys!
1722606757.279646 Starting plugin socketmon finished
1722606757.279651 Beginning DRAKVUF main loop
1722606757.279672 Started DRAKVUF polling loop

I checked if there is dnsapi.dll in the memory of VM:
изображение

dnsapi.dll in memory.
Please tell me what else can be done besides refining socketmon.cpp?

@Lexati
Copy link
Author

Lexati commented Aug 5, 2024

Re-uploaded and generated the tcpip.json for tcpip.sys

  1. python3 ~/drakvuf/tools/pdbguid.py tcpip.sys
  2. python3 ~/drakvuf/volatility3/volatility3/framework/symbols/windows/pdbconv.py --guid da8544a6f3c1199df465aab8b542afe91 -p tcpip.pdb -o tcpip.json
  3. sudo drakvuf -a socketmon -d vm-1 -r /var/lib/drakrun/profiles/kernel.json -T /home/drak/tcpip.json -i 6516 -v

изображение

@psrok1
Copy link
Contributor

psrok1 commented Aug 5, 2024

The log says it can't trap on the WoW64 version of the DLL (32-bit processes on 64-bit Windows). If it doesn't work even if you have running that 32-bit WinSCP using SysWOW64\dnsapi.dll at the time of Drakvuf start then something is definitely broken with that plugin.

malwarectigouvfr pushed a commit to malwarectigouvfr/drakvuf that referenced this issue Nov 21, 2024
Applies the recommandation of @psrok1 at tklengyel#1613 (comment) of implementing usermode hooking for socketmon plugin using libusermode.
malwarectigouvfr added a commit to malwarectigouvfr/drakvuf that referenced this issue Nov 21, 2024
Applies the recommandation of @psrok1 at tklengyel#1613 (comment) of implementing usermode hooking for socketmon plugin using libusermode.
tklengyel pushed a commit that referenced this issue Nov 22, 2024
Applies the recommandation of @psrok1 at #1613 (comment) of implementing usermode hooking for socketmon plugin using libusermode.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants