evild3ad / MemProcFS-Analyzer

MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR

Home Page:https://lethal-forensics.com

Dokany File System Library NOT found

antmar904 opened this issue · comments

Hi,
I am trying to run MemProcFS-Analyzer on my Windows 10 VM; however, I received the above-mentioned error. So I installed Dokany 0.7.4 for Windows 10 (https://github.com/dokan-dev/dokany/releases/tag/v0.7.4), ran MemProcFS-Analyzer again, and I keep getting the following error:

[Info] Dokany File System Library NOT found.
[Info] Latest Release: Dokany File System Library v1.4.0.1000 (2020-06-01)
[Info] Please download/install the latest release of Dokany File System Library manually:
https://github.com/dokan-dev/dokany/releases/tag/v1.4.0.1000 (DokanSetup_redist.exe)

Can you please update Analyzer to support the latest version of Dokany for Windows 10?

Hi,

you need to install the correct Dokany File System Library (Redistributable packaged version):

https://github.com/dokan-dev/dokany/releases/tag/v1.4.0.1000 (DokanSetup_redist.exe)

This version will also install the required Microsoft Visual C++ Redistributables for Visual Studio 2019.

It's a dependency of MemProcFS...please check out the installation info for more details if needed:
https://github.com/ufrisk/MemProcFS

You need to uninstall your version and restart your VM before you can install the mentioned DokanSetup_redist.exe.

I hope this information helps you.

Cheers!
-Martin-

Thank you.

I installed the appropriate prerequisite and I am currently running it again. Question: am I supposed to see the virtual drive mounted as X:? Because I am not seeing it.

Yes, the default drive letter is X: ...as a network shared drive.

Ah, OK. I am not seeing it being mounted, which is probably why whenever I run the tool it gets stuck here:

[Info] Mounting the Physical Memory Dump file as X: ...
[Info] Physical Memory Dump File Size: 11.43 GB
[Info] MemProcFS Forensic Analysis initiated ...
[Info] Processing E:\_DATA\Server\MEMORY DUMP\fullmemdump051921.dmp [approx. 1-2 min] ...

Which VM app are you using?

VMWare Workstation

Have you restarted your VM after the installation of Dokany?

I have VMware Workstation, but no Windows VM yet...very new computer...

Have you restarted your VM after the installation of Dokany?

Yes, I have. I'll have to dig into it a little bit more later in the day and will post my findings. Thank you!

Please check the minimized window of MemProcFS for any errors.

I have two minimized PowerShell windows. Here are the last lines shown for each window:
This is basically where I get stuck all the time.

window 1:

[2021-06-02T10:27:49,200][INFO ][o.e.t.LoggingTaskListener] [DESKTOP-NC0UPK6] 149 finished with response BulkByScrollResponse[took=1.9s,timed_out=false,sliceId=null,updated=12,created=0,deleted=0,batches=1,versionConflicts=0,noops=0,retries=0,throttledUntil=0s,bulk_failures=[],search_failures=[]]

window 2:

log [10:27:59.271] [info][plugins][securitySolution] Dependent plugin setup complete - Starting ManifestTask

These two PowerShell windows are related to Elasticsearch and Kibana...so it seems that MemProcFS is not running...should be a minimized cmd.exe window.

I've never seen a minimized cmd window when running MemProcFS-Analyzer.ps1.

You can start a terminal with admin rights and navigate to MemProcFS in the Tools directory of MemProcFS-Analyzer:
memprocfs.exe -device c:\temp\win10x64-dump.raw

Awesome, I'll try that now.

MemProcFS crashes. I have Python 3.9 installed.

Initialized 64-bit Windows 10.0.17763
PluginManager: Python initialization failed. Python 3.6 or later not found.

=============== MemProcFS - THE MEMORY PROCESS FILE SYSTEM ===============

  • Author: Ulf Frisk - pcileech@frizk.net
  • Info: https://github.com/ufrisk/MemProcFS
  • License: GNU Affero General Public License v3.0

    MemProcFS is free open source software. If you find it useful please
    become a sponsor at: https://github.com/sponsors/ufrisk Thank You :)

  • Version: 4.0.3 (Windows)
  • Mount Point: M:\
  • Tag: 17763_2095e679
  • Operating System: Windows 10.0.17763 (X64)
    ==========================================================================

MOUNT: Failed. Status Code: -3

I will forward the issue to Ulf. I nearly finished the install of a Windows 10 VM...will have a look, too.

It fails to mount the virtual drive with a dokan error code of -3 which means: #define DOKAN_DRIVER_INSTALL_ERROR -3

Please uninstall any previous versions of dokan, reboot the machine, and then install latest dokan version 1.5.0.3000 from https://github.com/dokan-dev/dokany/releases and then reboot the machine once again; or if you have the ability to do so please roll back the VM before you installed that ancient 0.7.4 version of dokany and try again but with the latest release.
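The diagnosis above hinges on two things the thread checked by hand: whether a (single, current) Dokany driver is actually installed and loaded, and what the status code that MemProcFS prints at the mount step means. Note from the banner that MemProcFS had already parsed the dump ("Initialized 64-bit Windows 10.0.17763") before "MOUNT: Failed", so the failure is in the Dokany layer, not in the image. The following PowerShell pre-flight check is an added example, not code from the MemProcFS-Analyzer or MemProcFS projects. It assumes (not stated anywhere in the thread) that the Dokany installers register the kernel driver as a system driver named "dokan" (0.7.x), "dokan1" (1.x) or "dokan2" (2.x), drop dokan1.dll / dokan2.dll into System32, and appear in the Uninstall registry hive with a DisplayName beginning "Dokan"; the status-code table is from dokan.h, with -3 being the value seen above. Paths to memprocfs.exe and the dump are placeholders.

```powershell
# Added example (not part of MemProcFS-Analyzer or MemProcFS): pre-flight
# check for the Dokany dependency, run from an elevated PowerShell on the
# analysis VM before starting MemProcFS / MemProcFS-Analyzer.ps1.
#
# Assumptions: driver service names dokan/dokan1/dokan2, DLLs in System32,
# Uninstall entries whose DisplayName starts with "Dokan". Adjust if your
# Dokany build differs.

# Dokany return codes from dokan.h (string keys so negatives index cleanly).
# -3 is the DOKAN_DRIVER_INSTALL_ERROR observed in this issue.
$DokanStatus = @{
    '0'  = 'DOKAN_SUCCESS'
    '-1' = 'DOKAN_ERROR'
    '-2' = 'DOKAN_DRIVE_LETTER_ERROR'
    '-3' = 'DOKAN_DRIVER_INSTALL_ERROR'
    '-4' = 'DOKAN_START_ERROR'
    '-5' = 'DOKAN_MOUNT_ERROR'
    '-6' = 'DOKAN_MOUNT_POINT_ERROR'
    '-7' = 'DOKAN_VERSION_ERROR'
}

function Get-DokanInstallState {
    # Kernel drivers are not returned by Get-Service; query Win32_SystemDriver.
    $drivers = foreach ($n in 'dokan', 'dokan1', 'dokan2') {
        Get-CimInstance Win32_SystemDriver -Filter "Name='$n'" -ErrorAction SilentlyContinue
    }
    # User-mode libraries MemProcFS loads at mount time (assumed locations).
    $dlls = foreach ($d in 'dokan1.dll', 'dokan2.dll') {
        $p = Join-Path $env:SystemRoot "System32\$d"
        if (Test-Path $p) { Get-Item $p }
    }
    # Installed products from both the 64-bit and 32-bit Uninstall hives.
    $products = Get-ItemProperty -ErrorAction SilentlyContinue -Path @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    ) | Where-Object { $_.DisplayName -like 'Dokan*' }

    [pscustomobject]@{
        Drivers  = @($drivers  | Select-Object Name, State, StartMode, PathName)
        Dlls     = @($dlls     | Select-Object Name, @{ n = 'Version'; e = { $_.VersionInfo.FileVersion } })
        Products = @($products | Select-Object DisplayName, DisplayVersion, UninstallString)
    }
}

function Test-DokanReady {
    # Returns a list of problems; an empty list means MemProcFS should be able to mount.
    param([Parameter(Mandatory)] $State)
    $problems = @()
    if ($State.Drivers.Count -eq 0) {
        $problems += 'No Dokany kernel driver is registered. Install DokanSetup from the dokany releases page and reboot.'
    }
    if ($State.Products.Count -gt 1) {
        # The failure mode in this thread: a stale 0.7.4 install next to a newer one.
        $names = $State.Products.DisplayName -join ', '
        $problems += "Multiple Dokany products installed ($names). Uninstall all of them, reboot, install one current version, reboot again."
    }
    foreach ($d in $State.Drivers) {
        if ($d.State -ne 'Running') {
            $problems += "Driver $($d.Name) is $($d.State). A reboot is required after installing or removing Dokany before the driver loads."
        }
    }
    if ($State.Dlls.Count -eq 0) {
        $problems += 'No dokan1.dll/dokan2.dll in System32; the user-mode library MemProcFS links against is missing.'
    }
    return $problems
}

function Resolve-MemProcFSMount {
    # Translate the "MOUNT: Failed. Status Code: N" line that memprocfs.exe prints.
    param([Parameter(Mandatory)][string[]] $OutputLines)
    foreach ($line in $OutputLines) {
        if ($line -match 'MOUNT:\s+Failed\.\s+Status Code:\s+(-?\d+)') {
            $code = $Matches[1]
            $name = if ($DokanStatus.ContainsKey($code)) { $DokanStatus[$code] } else { 'unknown code' }
            return "Mount failed with status $code ($name)"
        }
    }
    return $null   # no mount failure in the captured output
}

# --- usage ---------------------------------------------------------------
$state = Get-DokanInstallState
$state.Drivers | Format-Table -AutoSize
$state.Products | Format-Table -AutoSize

$issues = Test-DokanReady -State $state
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }

# Constructed sample, copied from the output quoted in this issue, to show
# how a captured memprocfs.exe transcript would be interpreted:
$sample = @(
    'Initialized 64-bit Windows 10.0.17763',
    'MOUNT: Failed. Status Code: -3'
)
Resolve-MemProcFSMount -OutputLines $sample
```

When the check passes, start MemProcFS by hand as Martin suggests (an elevated terminal, `memprocfs.exe -device <dump>`) and leave it running; if it prints a MOUNT failure instead, feed the captured lines to Resolve-MemProcFSMount. A -3 with a driver listed as Stopped almost always means the post-install reboot was skipped, while -3 with two Dokan products in the registry matches the stale-0.7.4 situation described in this thread.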

But there is no redist version!?

It's not required anymore I guess; latest MemProcFS version with latest dokany installs fine on clean VM 20.04 release. Hyper-V though; but I hardly think that should affect this. My best guess is that something happened when that very old dokany version was installed; but I don't know.

OK, reinstalling now.

OK, looks like that worked. It is now mounted to M:. Should I now run MemProcFS-Analyzer.ps1, or cancel everything and only run MemProcFS-Analyzer.ps1?

Yes...cancel it. You can manually stop MemProcFS with Ctrl+C.

Looks great. I just have to learn what type of data gets extracted from memory and how. When I close out of the "happy elk hunting" message box, does everything close? Also, is the extracted data saved anywhere so I can search on it again?

Please check out README.md and the MemProcFS wiki:
https://github.com/ufrisk/MemProcFS/wiki