h33p / vmread

A library to read/write memory to Windows on KVM

Process list doesn't show up in Windows 1903

seeker25 opened this issue · comments

Process list doesn't show up in Windows 1903. I've set the VM to run as root, followed the other instructions in the thread, and haven't had any luck.

xxx:~/Code/vmread/build$ sudo ./example
Using Mode: MODE_EXTERNAL
PML4: 1aa000 | KernelEntry: fffff80242aca900
Kernel Base: fffff80242000000 (2000000)
PsInitialSystemProcess: fffff8024256f3a0 (256f3a0)
System (PID 4): ffffd586c827d080 (17c27d080)
NT Version: 1000
Process List:

xxx:~/Code/vmread$ ./inject
[New LWP 3999]
[New LWP 4004]
[New LWP 4006]
[New LWP 4007]
[New LWP 4008]
[New LWP 4010]
[New LWP 4011]
[New LWP 4027]
[New LWP 4028]
[New LWP 4030]
[New LWP 4031]
[New LWP 4111]
[New LWP 4112]
[New LWP 4113]
[New LWP 4114]
[New LWP 4115]
[New LWP 4116]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
0x00007fcccd118cf6 in __GI_ppoll (fds=0x55c62f550e00, nfds=76, timeout=, sigmask=0x0) at ../sysdeps/unix/sysv/linux/ppoll.c:39
39 ../sysdeps/unix/sysv/linux/ppoll.c: No such file or directory.
[Thread 0x7fcb827fc700 (LWP 4115) exited]
[Thread 0x7fcb81ffb700 (LWP 4116) exited]
[Thread 0x7fcb82ffd700 (LWP 4114) exited]
[Thread 0x7fcb837fe700 (LWP 4113) exited]
[Thread 0x7fcb83fff700 (LWP 4112) exited]
[Thread 0x7fcb97cfc700 (LWP 4111) exited]
[Thread 0x7fcb95af5700 (LWP 4031) exited]
[Thread 0x7fcb963f7700 (LWP 4030) exited]
[Thread 0x7fcb96bf8700 (LWP 4028) exited]
[Thread 0x7fcb973f9700 (LWP 4027) exited]
[Thread 0x7fccbd7ff700 (LWP 4011) exited]
[Thread 0x7fccbe3ff700 (LWP 4010) exited]
[Thread 0x7fccbeffc700 (LWP 4008) exited]
[Thread 0x7fccbf7fd700 (LWP 4007) exited]
[Thread 0x7fccbfffe700 (LWP 4006) exited]
[Thread 0x7fccc07ff700 (LWP 4004) exited]
[Thread 0x7fccc4805700 (LWP 3999) exited]
[Inferior 1 (process 3986) exited with code 01]
The program being debugged exited while in a function called from GDB.
Evaluation of the expression containing the function
(__dlopen) will be abandoned.
$1 = "Injection failed!"
You can't do that without a process to debug.
The program is not being run.

I've checked /tmp/ permissions and library permissions as well. Inject just closes down the VM entirely.

On 1809, the processes show up:

xxx:~/Code/vmread/build$ sudo ./example
Using Mode: MODE_EXTERNAL
PML4: 1aa000 | KernelEntry: fffff806348915b0
Kernel Base: fffff80633e0a000 (1e0a000)
PsInitialSystemProcess: fffff8063434d2e0 (234d2e0)
System (PID 4): ffffb9059ea6d040 (17b46d040)
NT Version: 1000
Process List:
0004 System
0138 smss.exe
0194 csrss.exe
01dc wininit.exe
01ec csrss.exe
023c winlogon.exe
0250 services.exe
026c lsass.exe
02d4 svchost.exe
02dc fontdrvhost.ex
02e4 fontdrvhost.ex
0328 svchost.exe
0354 svchost.exe
0384 svchost.exe
03dc LogonUI.exe
03e4 dwm.exe
0168 svchost.exe
0164 svchost.exe
01a8 svchost.exe
0198 svchost.exe
0404 svchost.exe
046c svchost.exe
0478 svchost.exe
04a0 svchost.exe
04d4 svchost.exe
0500 svchost.exe
0508 svchost.exe
0514 svchost.exe
0598 svchost.exe
05b8 svchost.exe
0608 svchost.exe
063c svchost.exe
0658 svchost.exe
0660 svchost.exe
0670 svchost.exe
06e8 svchost.exe
070c svchost.exe
0718 svchost.exe
0768 svchost.exe
07b8 svchost.exe
07c0 svchost.exe
07cc svchost.exe
0678 svchost.exe
0780 svchost.exe
0824 spoolsv.exe
0858 svchost.exe
0878 svchost.exe
0968 svchost.exe
0970 svchost.exe
097c svchost.exe
0994 svchost.exe
09e4 svchost.exe
09f0 svchost.exe
0a04 svchost.exe
0a14 MsMpEng.exe
0a24 svchost.exe
0a54 svchost.exe
0ab0 svchost.exe
0af4 svchost.exe

But inject still just crashes the VM.

Tried upgrading QEMU to a higher version. Inject still crashes.

commented

This is a valid issue and should not have been closed. Version 1903 must have had its internal structures updated, so an offset update is required. It has to stay backwards compatible with the previous versions, so version checking has to be implemented. That is available through the ntBuild variable in WinCtx. However, it appears that this variable is never assigned a value, so a function has to be implemented for that as well.

I have proposed a change in my pull request here: #6

I have updated the offsets for Windows 10 1903 and added manual version selection via user input from the terminal.
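To make the build-dependent offset point above concrete, here is an added example in C. It is not vmread's code and not the pull request's code; it shows the shape of the fix the comment proposes: an offset table keyed by NT build number, a process-list walker that refuses unknown builds instead of walking with stale offsets, and a Flink/Blink consistency check that stops the walk when the offsets do not match the guest (the failure mode in this issue, where the list comes back empty). The `_EPROCESS` offsets for builds 17763 (1809) and 18362 (1903), the identity-mapped "guest memory" buffer, and the two-process sample image are all assumptions constructed for the example; verify real offsets against the kernel you are reading (for instance with `dt nt!_EPROCESS` in WinDbg) before relying on them.

```c
/* Build-keyed _EPROCESS offsets and a validated ActiveProcessLinks walk.
 * Added example, not vmread code. Offsets are illustrative assumptions:
 * check them against your kernel's symbols. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SIZE 0x4000
#define MAX_PROCS  64

typedef struct {
    unsigned ntBuild;          /* the value one would store in WinCtx.ntBuild */
    uint16_t uniqueProcessId;  /* _EPROCESS.UniqueProcessId */
    uint16_t activeLinks;      /* _EPROCESS.ActiveProcessLinks (LIST_ENTRY) */
    uint16_t imageFileName;    /* _EPROCESS.ImageFileName (15 chars) */
} eprocess_offsets_t;

/* Assumed offsets for the two builds discussed in the thread. */
static const eprocess_offsets_t OFFSET_TABLE[] = {
    { 17763, 0x2e0, 0x2e8, 0x450 },   /* Windows 10 1809 */
    { 18362, 0x2e8, 0x2f0, 0x450 },   /* Windows 10 1903 */
};

const eprocess_offsets_t *offsets_for_build(unsigned ntBuild) {
    for (size_t i = 0; i < sizeof OFFSET_TABLE / sizeof OFFSET_TABLE[0]; i++)
        if (OFFSET_TABLE[i].ntBuild == ntBuild) return &OFFSET_TABLE[i];
    return NULL;  /* unknown build: refuse rather than walk with stale offsets */
}

typedef struct { uint64_t pid; char name[16]; } proc_entry_t;

/* Guest "memory" is a flat buffer and guest VA == buffer offset here; the
 * real tool translates each VA through the guest PML4 first. */
static int read_u64(const uint8_t *img, uint64_t va, uint64_t *out) {
    if (va > IMAGE_SIZE - 8) return 0;
    memcpy(out, img + va, 8);
    return 1;
}

/* Walk from PsInitialSystemProcess. Stops on an unmapped pointer, on a
 * Blink that does not point back to the current entry (offsets or list
 * are wrong), on wrap-around, or at max entries. Returns entries found. */
int walk_process_list(const uint8_t *img, uint64_t systemProc,
                      unsigned ntBuild, proc_entry_t *out, int max) {
    const eprocess_offsets_t *o = offsets_for_build(ntBuild);
    if (!o) return 0;
    uint64_t cur = systemProc;
    int n = 0;
    while (n < max) {
        if (cur + o->imageFileName + 16 > IMAGE_SIZE) break;
        if (!read_u64(img, cur + o->uniqueProcessId, &out[n].pid)) break;
        memcpy(out[n].name, img + cur + o->imageFileName, 15);
        out[n].name[15] = 0;
        n++;
        uint64_t link = cur + o->activeLinks, flink, blink;
        if (!read_u64(img, link, &flink)) break;
        if (!read_u64(img, flink + 8, &blink)) break;
        if (blink != link) break;            /* list inconsistent: bail out */
        cur = flink - o->activeLinks;        /* CONTAINING_RECORD */
        if (cur == systemProc) break;        /* back at the list head */
    }
    return n;
}

static void put_u64(uint8_t *img, uint64_t va, uint64_t v) { memcpy(img + va, &v, 8); }

/* Constructed sample: two _EPROCESS blocks laid out with the 1809 offsets. */
void build_sample_image(uint8_t *img) {
    const eprocess_offsets_t *o = offsets_for_build(17763);
    const uint64_t sys = 0x1000, smss = 0x2000;
    memset(img, 0, IMAGE_SIZE);
    put_u64(img, sys + o->uniqueProcessId, 4);
    put_u64(img, sys + o->activeLinks, smss + o->activeLinks);       /* Flink */
    put_u64(img, sys + o->activeLinks + 8, smss + o->activeLinks);   /* Blink */
    memcpy(img + sys + o->imageFileName, "System", 6);
    put_u64(img, smss + o->uniqueProcessId, 0x138);
    put_u64(img, smss + o->activeLinks, sys + o->activeLinks);
    put_u64(img, smss + o->activeLinks + 8, sys + o->activeLinks);
    memcpy(img + smss + o->imageFileName, "smss.exe", 8);
}

proc_entry_t g_procs[MAX_PROCS];

/* Build the sample image and walk it with the offsets for ntBuild. */
int sample_walk(unsigned ntBuild) {
    static uint8_t img[IMAGE_SIZE];
    build_sample_image(img);
    return walk_process_list(img, 0x1000, ntBuild, g_procs, MAX_PROCS);
}

int main(void) {
    unsigned builds[] = { 17763, 18362, 10240 };
    for (size_t b = 0; b < 3; b++) {
        int n = sample_walk(builds[b]);
        printf("ntBuild %u: %d entries\n", builds[b], n);
        for (int i = 0; i < n; i++)
            printf("  %04llx %s\n", (unsigned long long)g_procs[i].pid, g_procs[i].name);
    }
    return 0;
}
```

Run against the sample image, the 17763 table yields System and smss.exe; the 18362 table reads the Flink pointer where it expects the PID, fails the Blink check on the first hop and stops after one garbage entry; an unknown build yields nothing because the walker refuses to guess. That is why the version check has to happen before the walk rather than being inferred from its output.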

Thanks I appreciate it. As a workaround I'm just using 1809 for now.

commented

Should be fixed in 2cb22df