Socketmon plugin not work on win7 sp1 x64 #1613
Comments
If the dll is not found in the list you are trying to start with the plugin won't work. You need to figure out why the dll is missing in your VM.
It's not enough that the dll exists on disk. If it's not loaded into the memory of the process as part of its module list it won't work. In your VM the dll is not found in memory and you need to figure out why your Windows installation doesn't load it. It also sounds like you are using DRAKVUF Sandbox, so you may want to open an issue on their repository because they might have some more information about the automated setup that is supposed to resolve this.
Thank you for your fast answer! So far, I can't understand why dsnapi.dll is not loaded into VM memory...
Did you figure out any solution for this problem? I am having the same problem with the socketmon plugin. My debug also gives the same error of dll missing. Is there any other way through which I can capture the network of the VM?
No, this problem is still relevant.
The root of the problem is that the socketmon plugin uses an old, eager method of usermode function hooking that requires the DLL to be loaded at the time of hook setup. If dnsapi.dll is not used by any process and doesn't exist in the memory, the socketmon plugin fails to load as well. Other plugins (like memdump or apimon) use the libusermode component that sets hooks lazily, waiting for So it doesn't have anything in common with Rekall/Volatility profiles (functions are located by looking into export tables) or Windows version. It's also not the problem of Drakvuf Sandbox. I guess it's more a "call for contribution" for someone that would like to replace the internal
I guess an alternative workaround is to just set up the base VM by running a process that uses dnsapi.dll before you take a snapshot of it.
Re-uploaded and generated the tcpip.json for tcpip.sys
The log says it can't trap on the WoW64 version of the DLL (32-bit processes on 64-bit Windows). If it doesn't work even when you have that 32-bit WinSCP running and using SysWOW64\dnsapi.dll at the time of Drakvuf start, then something is definitely broken with that plugin.
Applies the recommendation of @psrok1 at tklengyel#1613 (comment) of implementing usermode hooking for socketmon plugin using libusermode.
Hello tklengyel!
Help me please, I am trying to run the Socketmon plugin on Windows 7 SP1 x64 with the following command:
sudo drakvuf -a socketmon -d vm-1 -r /var/lib/drakrun/profiles/kernel.json -T /var/lib/drakrun/profile/amd64_tcpip_profile.json -t 120 -i 1288 -v
but drakvuf returns an error in the debug log:
Can you advise me how I can fix this problem?
Also from debug log:
Failed to find dnsapi.dll in list starting at 0x3225f0
[SOCKETMON] trap_visitor: CR3[0x53DF000] pid[0x444 1092] is_wow_process[0] is_wow_module[0] base_name[DNSAPI.dll] load_address[0x7FEFC550000] full_name[C:\Windows\System32\DNSAPI.dll]
[SOCKETMON] trap_visitor: CR3[0x7BCA000] pid[0x278 632] is_wow_process[0] is_wow_module[0] base_name[DNSAPI.dll] load_address[0x7FEFC550000] full_name[c:\windows\system32\DNSAPI.dll]
[SOCKETMON] trap_visitor: CR3[0x5055B000] pid[0x644 1604] is_wow_process[0] is_wow_module[0] base_name[DNSAPI.dll] load_address[0x7FEFC550000] full_name[C:\Windows\system32\DNSAPI.dll]
Thank you in advance!=)
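To make the failure mode discussed in this thread checkable, here is a small log triage script. It is an added example, not part of the issue, of DRAKVUF, or of DRAKVUF Sandbox. It parses the two kinds of verbose lines quoted above (the "Failed to find ... in list" error and the "[SOCKETMON] trap_visitor" module sightings), groups the sightings of a DLL by native vs. WoW64 copy, and reports which copy was never observed in any process module list, which is the precondition the eager hook setup needs. The sample logs below are constructed from the lines in the issue (plus one invented SysWOW64 sighting for pid 2000); the log format and the inference "failure with only native sightings means the SysWOW64 copy is not loaded" are assumptions taken from the comments in this thread.

```python
import re

# Line shapes as quoted in the issue (assumption: DRAKVUF keeps this format stable).
_TRAP_RE = re.compile(
    r"\[SOCKETMON\] trap_visitor: CR3\[(?P<cr3>0x[0-9A-Fa-f]+)\] "
    r"pid\[0x[0-9A-Fa-f]+ (?P<pid>\d+)\] "
    r"is_wow_process\[(?P<wow_proc>[01])\] is_wow_module\[(?P<wow_mod>[01])\] "
    r"base_name\[(?P<base>[^\]]+)\] load_address\[(?P<addr>0x[0-9A-Fa-f]+)\] "
    r"full_name\[(?P<path>[^\]]+)\]"
)
_FAIL_RE = re.compile(
    r"Failed to find (?P<dll>\S+) in list starting at (?P<addr>0x[0-9A-Fa-f]+)"
)

# Constructed sample: the lines from the issue (native DNSAPI.dll seen in three
# processes, but the lookup still fails, and no SysWOW64 copy is ever reported).
SAMPLE_LOG = r"""
Failed to find dnsapi.dll in list starting at 0x3225f0
[SOCKETMON] trap_visitor: CR3[0x53DF000] pid[0x444 1092] is_wow_process[0] is_wow_module[0] base_name[DNSAPI.dll] load_address[0x7FEFC550000] full_name[C:\Windows\System32\DNSAPI.dll]
[SOCKETMON] trap_visitor: CR3[0x7BCA000] pid[0x278 632] is_wow_process[0] is_wow_module[0] base_name[DNSAPI.dll] load_address[0x7FEFC550000] full_name[c:\windows\system32\DNSAPI.dll]
[SOCKETMON] trap_visitor: CR3[0x5055B000] pid[0x644 1604] is_wow_process[0] is_wow_module[0] base_name[DNSAPI.dll] load_address[0x7FEFC550000] full_name[C:\Windows\system32\DNSAPI.dll]
"""

# Constructed sample of the workaround from the thread: a 32-bit process (pid 2000,
# invented) has SysWOW64\DNSAPI.dll loaded at snapshot time, so no failure is logged.
SAMPLE_LOG_WITH_WOW64 = SAMPLE_LOG.replace(
    "Failed to find dnsapi.dll in list starting at 0x3225f0\n", ""
) + (
    r"[SOCKETMON] trap_visitor: CR3[0x1A2B000] pid[0x7D0 2000] is_wow_process[1] "
    r"is_wow_module[1] base_name[DNSAPI.dll] load_address[0x74A10000] "
    r"full_name[C:\Windows\SysWOW64\DNSAPI.dll]" + "\n"
)


def parse_log(text):
    """Split a verbose DRAKVUF log into module sightings and failed lookups."""
    sightings, failures = [], []
    for line in text.splitlines():
        m = _TRAP_RE.search(line)
        if m:
            sightings.append({
                "pid": int(m["pid"]),
                "wow_process": m["wow_proc"] == "1",
                "wow_module": m["wow_mod"] == "1",
                "base": m["base"],
                "load_address": int(m["addr"], 16),
                "path": m["path"],
            })
            continue
        m = _FAIL_RE.search(line)
        if m:
            failures.append({"dll": m["dll"], "list_head": int(m["addr"], 16)})
    return sightings, failures


def diagnose(text, dll="dnsapi.dll"):
    """Report in which processes the DLL was seen and which copy the hook could not find."""
    sightings, failures = parse_log(text)
    hits = [s for s in sightings if s["base"].lower() == dll.lower()]
    native = sorted({s["pid"] for s in hits if not s["wow_module"]})
    wow64 = sorted({s["pid"] for s in hits if s["wow_module"]})
    relevant = [f for f in failures if f["dll"].lower() == dll.lower()]
    if not relevant:
        status = "ok"                       # eager hook precondition satisfied
    elif not native and not wow64:
        status = "missing_everywhere"       # DLL loaded in no process at all
    elif not wow64:
        status = "missing_wow64"            # only System32 copy seen (this issue)
    elif not native:
        status = "missing_native"
    else:
        status = "found_but_lookup_failed"  # both copies seen; list walk itself failed
    return {"native_pids": native, "wow64_pids": wow64,
            "failures": len(relevant), "status": status}


if __name__ == "__main__":
    for name, log in (("issue log", SAMPLE_LOG), ("with wow64", SAMPLE_LOG_WITH_WOW64)):
        print(name, diagnose(log))
```

Run it against the output of `drakvuf -a socketmon ... -v` (stdout plus stderr) saved to a file and pass the file contents to `diagnose`. A `missing_wow64` result is the situation in this issue: the 64-bit copy is loaded in several processes, but no 32-bit process has the SysWOW64 copy mapped, so the eager hook cannot be placed. That points at the snapshot, not at the profiles, which is what the "run a process that uses dnsapi.dll before taking the snapshot" workaround addresses.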