This repository has been archived by the owner on Feb 21, 2024. It is now read-only.

no process in pslist :( #9

Closed
kismp123 opened this issue Jul 20, 2017 · 7 comments
@kismp123

Hi! I'm setting up PyREBox, but no processes show up at all :(

$ sudo ./start_x86_64.sh /mnt/hgfs/Shared/QEMU/imagesWin7x64

[*] Loading python component initialization script
[*] Platform: x86_64-softmmu
[*] Starting python module initialization
[*] Reading configuration
[*] Importing scripts.script_example
[scripts.script_example] [*] Initializing callbacks
[scripts.script_example] [*] Initialized callbacks
[*] Finished python module initialization
[*] Searching for KDBG... << no message about KDBG ? :(
QEMU 2.9.0 monitor - type 'help' for more information

[13] pyrebox> ps
CPU 0 PGD: 1ef111a0 InKernel: 1
+------+---------+-----------+-----+-----+
| Name | Running | Monitored | PID | PGD |
+------+---------+-----------+-----+-----+
+------+---------+-----------+-----+-----+

[14] pyrebox> vol pslist
VolShell: Error while executing volatility command
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature

screendump works. Windows booted normally. Thanks

@xabiugarte (Contributor) commented Jul 20, 2017

Could you confirm whether you have adjusted the configuration file used by ./start_x86_64.sh (pyrebox.conf.Win7SP0x64) to the operating system version you are emulating? This configuration file uses the Win7SP0x64 profile by default. Also, are you enabling KVM?

@kismp123 (Author) commented Jul 20, 2017

You mean KVM is the -enable-kvm option? Sure.
And I tested on VMware Ubuntu 16.04.1, and Windows is Win7 x64.

@xabiugarte (Contributor)

Ok, then you might want to read this issue: #2
KVM is not supported, so you must disable it. It will make the system slower, of course, but then you will benefit from the instruction-level and memory read/write instrumentation. Currently the VMI features depend on this, so that is the reason why KDBG is not found and you cannot list the processes running inside the VM. Nevertheless, we are currently working on a workaround to support VMI in KVM mode.

Although for Win7 64-bit there are no differences in the required kernel offsets between SP0 and SP1, this might be important for other OS versions.

Also, QEMU (in whole-system emulation mode) does not allow loading a snapshot taken in KVM mode. This would be useful to quickly boot up the system, take a snapshot, and then load from there in whole-system emulation mode. Although you may only need to do this once, we are also working on a workaround for this in order to speed up the setup of the machine.

@kismp123 (Author)

Thanks for your information.
So I disabled KVM by adding kvm and kvm-intel to the blacklist, and there is no kvm in lsmod.
But same problem :(

Do you mean KVM is ?

@xabiugarte (Contributor)

A quick way to know if KVM is enabled is to use the following qemu command:
(qemu) info kvm
kvm support: disabled

The only way I can reproduce this error is to use an incorrect volatility profile. For instance, if I try to run pyrebox for an XP machine specifying the following profile in pyrebox.conf:

[VOL]
profile: Win7SP0x64

Then it will not find KDBG and when trying to run vol pslist it will warn:

VolShell: Error while executing volatility command
No suitable address space mapping found

Another possibility I can think of is that volatility was not correctly installed. From your pyrebox directory, try removing the volatility/ directory and run this:

git clone https://github.com/volatilityfoundation/volatility volatility
git -C volatility checkout 2.6    # check out the 2.6 tag inside the clone, not in the pyrebox tree
patch -p0 < ./pyrebox/third_party/volatility/conf.py.patch
cp ./pyrebox/third_party/panda/pmemaddressspace.py ./volatility/volatility/plugins/addrspaces
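
The two checks discussed in this comment (is KVM really off, and does the [VOL] profile fit the platform being emulated), as an added example that is not part of PyREBox or this thread. It assumes the pyrebox.conf layout shown above (a [VOL] section with a profile key), that the Volatility 2.x profile suffix x64/x86 must agree with the x86_64-softmmu/i386-softmmu platform string the start scripts print, and that 'info kvm' answers with the 'kvm support: ...' line quoted above. It only catches a bitness mismatch; an XP guest paired with a Win7 profile, the actual cause in this thread, is only revealed by the KDBG search itself.

```python
import configparser
import re

# Constructed sample of the [VOL] section of pyrebox.conf, in the layout the
# thread shows (assumption: the real file may carry other sections as well).
SAMPLE_CONF = """\
[VOL]
profile: Win7SP0x64
"""

# "Platform:" string printed by the start scripts, mapped to the architecture
# suffix Volatility 2.x uses in its Windows profile names (assumption).
PLATFORM_ARCH = {"x86_64-softmmu": "x64", "i386-softmmu": "x86"}


def vol_profile(conf_text):
    """Return the Volatility profile named in the [VOL] section."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get("VOL", "profile").strip()


def profile_arch(profile):
    """'Win7SP0x64' -> 'x64', 'WinXPSP3x86' -> 'x86', None when there is no suffix."""
    m = re.search(r"(x64|x86)$", profile)
    return m.group(1) if m else None


def profile_matches_platform(profile, platform):
    """True when the profile's bitness matches the emulated platform."""
    want = PLATFORM_ARCH.get(platform)
    return want is not None and profile_arch(profile) == want


def kvm_enabled(info_kvm_output):
    """Parse the HMP 'info kvm' reply: 'kvm support: enabled|disabled|not compiled'."""
    m = re.search(r"kvm support:\s*(.+)", info_kvm_output)
    if not m:
        raise ValueError("unexpected 'info kvm' output: %r" % info_kvm_output)
    return m.group(1).strip() == "enabled"


def preflight(conf_text, platform, info_kvm_output):
    """Return the list of problems that would leave the KDBG search empty-handed."""
    problems = []
    profile = vol_profile(conf_text)
    if not profile_matches_platform(profile, platform):
        problems.append("profile %s does not match platform %s" % (profile, platform))
    if kvm_enabled(info_kvm_output):
        problems.append("KVM is enabled; PyREBox instrumentation needs whole-system emulation")
    return problems


if __name__ == "__main__":
    for platform in ("x86_64-softmmu", "i386-softmmu"):
        print(platform, preflight(SAMPLE_CONF, platform, "kvm support: disabled"))
```

Feed preflight() the text of the conf file the start script actually loads (pyrebox.conf.Win7SP0x64 for start_x86_64.sh) and the monitor's 'info kvm' reply; an empty list means the setup at least has the right bitness and is running under TCG.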

@kismp123 (Author) commented Jul 20, 2017

I reinstalled XP 32-bit. It works. Thanks.
And it looks like the shell script (start_i386.sh) does not work, because of the -loadvm init option.
On the QEMU terminal, "loadvm init" works.

Thanks for your information 👍

unknown@unknown:~/Desktop/pyrebox$ ./start_i386.sh /mnt/hgfs/Shared/QEMU/xpsp3.qcow2

[*] Loading python component initialization script
[*] Platform: i386-softmmu
[*] Starting python module initialization
[*] Reading configuration
[*] Finished python module initialization
[*] Searching for KDBG...
QEMU 2.9.0 monitor - type 'help' for more information
(qemu) pyrebox-i386: Length mismatch: pc.ram: 0x20000000 in != 0x10000000: Invalid argument
pyrebox-i386: error while loading state for instance 0x0 of device 'ram'
pyrebox-i386: Error -22 while loading VM state

unknown@unknown:~/Desktop/pyrebox$ ./pyrebox-i386 -monitor stdio -m 512 -usb -drive file=/mnt/hgfs/Shared/QEMU/xpsp3.qcow2,index=0,media=disk,format=qcow2,cache=unsafe -vnc 127.0.0.1:0

[*] Loading python component initialization script
[*] Platform: i386-softmmu
[*] Starting python module initialization
[*] Reading configuration
[*] Finished python module initialization
[*] Searching for KDBG...
QEMU 2.9.0 monitor - type 'help' for more information
(qemu) [*] KPCR found at ffdff000!!
[*] KDBG found at 8054ede0!!
(qemu) loadvm init

explorer...

[4] pyrebox(4)> ps
CPU 0 PGD: 39000 InKernel: 1
+--------------+---------+-----------+----------+----------+
| Name | Running | Monitored | PID | PGD |
+--------------+---------+-----------+----------+----------+
| >> << | (0-k) | | 4 | 00039000 |
| csrss.exe | | | 198 | 04568000 |
| winlogon.exe | | | 1b0 | 04c2e000 |
| smss.exe | | | 138 | 05075000 |
| services.exe | | | 1e4 | 056dc000 |
| lsass.exe | | | 1f0 | 05739000 |
| winlogon.exe | | | 1b0 | 05e74000 |
| svchost.exe | | | 288 | 0603b000 |
| lsass.exe | | | 1e8 | 0620b000 |
| svchost.exe | | | 2f4 | 06b1d000 |
| svchost.exe | | | 414 | 07d7f000 |
| svchost.exe | | | 440 | 07f10000 |
| svchost.exe | | | 458 | 08156000 |
| explorer.exe | | | 478 | 082f2000 |
| spoolsv.exe | | | 4fc | 090fd000 |
| rundll32.exe | | | 6a0 | 0ccd7000 |
| alg.exe | | | 6cc | 0d733000 |
| ctfmon.exe | | | 794 | 0e866000 |
+--------------+---------+-----------+----------+----------+

where is calc LOL
[5] pyrebox(4)> proc calc
Process calc not found

[6] pyrebox(4)> proc calc.exe
Process calc.exe not found

Anyway, thanks!

@xabiugarte (Contributor)

I'm glad you managed to run it :-). The reason the script is not working is that it tells PyREBox to start a VM with 256 MB of RAM. When it tries to load a snapshot of a machine with 512 MB of RAM, it fails (I guess you created the snapshot "init" with 512 MB of RAM).

Finally, in order to set the context to one specific process using its process name (e.g.: proc calc), the process needs to be running on the system. I will close this issue given that you already managed to run PyREBox successfully.

Enjoy it!
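
The RAM-size mismatch explained in the last comment, as an added example (not PyREBox's or QEMU's own code). QEMU's pc.ram "Length mismatch" line carries two values: the first ("... in") is the RAM size recorded in the snapshot, the second is the size of the VM being started. The code below recovers both from the captured error, cross-checks the second against the -m flag of the command that failed, and rewrites -m so that loadvm can succeed. The error text is the one posted in this thread; the command line is constructed from the one posted above but with -m 256, which the comment says start_i386.sh passes; only bare numbers with an optional M or G suffix are handled for -m (assumption).

```python
import re

# Constructed sample: the error QEMU printed in this thread when start_i386.sh
# (which passes -m 256) tried to load a snapshot taken from a 512 MB guest.
SAMPLE_ERROR = """\
pyrebox-i386: Length mismatch: pc.ram: 0x20000000 in != 0x10000000: Invalid argument
pyrebox-i386: error while loading state for instance 0x0 of device 'ram'
pyrebox-i386: Error -22 while loading VM state
"""

# Constructed from the command line posted above, with the 256 MB the script uses.
SAMPLE_ARGV = [
    "./pyrebox-i386", "-monitor", "stdio", "-m", "256", "-usb",
    "-drive", "file=/mnt/hgfs/Shared/QEMU/xpsp3.qcow2,index=0,media=disk,format=qcow2,cache=unsafe",
    "-vnc", "127.0.0.1:0", "-loadvm", "init",
]

# "<snapshot length> in != <current length>", both in bytes, hex.
MISMATCH_RE = re.compile(r"Length mismatch: pc\.ram: 0x([0-9a-fA-F]+) in != 0x([0-9a-fA-F]+)")
MIB = 1024 * 1024


def snapshot_ram_mismatch(stderr_text):
    """Return (snapshot_mb, configured_mb) if QEMU reported a pc.ram mismatch, else None."""
    m = MISMATCH_RE.search(stderr_text)
    if not m:
        return None
    return int(m.group(1), 16) // MIB, int(m.group(2), 16) // MIB


def mem_flag_mb(value):
    """Convert a QEMU -m argument ('256', '512M', '1G') to megabytes."""
    m = re.fullmatch(r"(\d+)([MmGg]?)", value)
    if not m:
        raise ValueError("unsupported -m value: %r" % value)
    n, unit = int(m.group(1)), m.group(2).upper()
    return n * 1024 if unit == "G" else n


def current_mem_flag(argv):
    """Return the megabytes requested by '-m <value>' in argv, or None if absent."""
    for i, arg in enumerate(argv):
        if arg == "-m" and i + 1 < len(argv):
            return mem_flag_mb(argv[i + 1])
    return None


def rewrite_mem_flag(argv, snapshot_mb):
    """Return a copy of argv whose -m value matches the snapshot's RAM size."""
    out = list(argv)
    for i, arg in enumerate(out):
        if arg == "-m" and i + 1 < len(out):
            out[i + 1] = str(snapshot_mb)
            return out
    return out + ["-m", str(snapshot_mb)]


def fix_start_command(argv, stderr_text):
    """If loadvm failed on a RAM-size mismatch, return the corrected command line, else None."""
    sizes = snapshot_ram_mismatch(stderr_text)
    if sizes is None:
        return None
    snapshot_mb, configured_mb = sizes
    # Make sure the error really came from this command before touching it.
    requested = current_mem_flag(argv)
    if requested is not None and requested != configured_mb:
        raise ValueError("error reports %d MB but command asks for %d MB" % (configured_mb, requested))
    return rewrite_mem_flag(argv, snapshot_mb)


if __name__ == "__main__":
    print(snapshot_ram_mismatch(SAMPLE_ERROR))
    print(" ".join(fix_start_command(SAMPLE_ARGV, SAMPLE_ERROR)))
```

The same numbers explain the symptom in the thread: 0x20000000 bytes is 512 MB (the snapshot), 0x10000000 is 256 MB (the script), so editing the -m value in start_i386.sh, or recreating the "init" snapshot from a VM started with the script's own memory size, is the fix.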
