memflow / memflow-win32

Unable to locate ntoskrnl.exe via va hint when using FFI

mipek opened this issue · comments

I've been updating my code to the new API and noticed something weird going on when memflow-win32 is looking for ntoskrnl.exe. This is especially noticeable when using a connector like pcileech due to the relatively slow read speed.

When I run the memflow "keyboard" example it works just fine:

LeechCore v2.10.0: Open Device: fpga
12:08:12 [INFO] attempting to load `OS` type plugin `win32` from `/home/mpekar/.local/lib/memflow/libmemflow_win32.7.so`
12:08:12 [INFO] Building kernel of type memflow_win32::win32::kernel_builder::Win32KernelBuilder<memflow::plugins::connector::cglue_connectorinstance::cglue_internal::ConnectorInstance<cglue::boxed::CBox<cglue::trait_group::c_void>, cglue::arc::CArc<cglue::trait_group::c_void>>, memflow::plugins::connector::cglue_connectorinstance::cglue_internal::ConnectorInstance<cglue::boxed::CBox<cglue::trait_group::c_void>, cglue::arc::CArc<cglue::trait_group::c_void>>, memflow::mem::virt_translate::cache::CachedVirtualTranslate<memflow::mem::virt_translate::direct_translate::DirectTranslate, memflow::types::cache::timed_validator::TimedCacheValidator>>
12:08:12 [INFO] arch=X86(64, false) kernel_hint=fffff800347f3480 dtb=1ad000
12:08:12 [DEBUG] (1) memflow_win32::kernel::ntos::x64: x64::find_with_va_hint: trying to find ntoskrnl.exe with va hint at fffff800347f3480
12:08:13 [DEBUG] (1) memflow_win32::kernel::ntos::pehelper: found pe header for image with a size of 57344 bytes.
12:08:13 [DEBUG] (1) memflow_win32::kernel::ntos::pehelper: found pe header for image with a size of 720896 bytes.
12:08:13 [DEBUG] (1) memflow_win32::kernel::ntos::pehelper: found pe header for image with a size of 69632 bytes.
12:08:13 [DEBUG] (1) memflow_win32::kernel::ntos::pehelper: found pe header for image with a size of 49152 bytes.
12:08:13 [DEBUG] (1) memflow_win32::kernel::ntos::pehelper: found pe header for image with a size of 17063936 bytes.
12:08:14 [DEBUG] (1) memflow_win32::kernel::ntos::pehelper: try_get_pe_name: found pe header for ntoskrnl.exe
12:08:14 [DEBUG] (1) memflow_win32::kernel::ntos::pehelper: found pe header for image with a size of 17063936 bytes.
12:08:14 [INFO] base=fffff80034400000 size=17063936
12:08:14 [DEBUG] (1) memflow_win32::kernel::ntos::pehelper: found pe header for image with a size of 17063936 bytes.
12:08:15 [INFO] kernel_guid=Some(Win32Guid { file_name: "ntkrnlmp.pdb", guid: "118018959D8D7CA5AAB45B75AED5A9761" })
12:08:15 [DEBUG] (1) memflow_win32::kernel::ntos::pehelper: found pe header for image with a size of 17063936 bytes.
12:08:16 [INFO] trying to find NtBuildNumber export
12:08:16 [INFO] NtBuildNumber found at 0xc11f68
12:08:16 [INFO] trying to find RtlGetVersion export
12:08:16 [INFO] RtlGetVersion found at 0x6fd880
12:08:16 [INFO] nt_build_number: 4026550882
12:08:16 [INFO] kernel version: 10.0.19042
12:08:16 [INFO] kernel_winver=Win32Version { nt_major_version: 10, nt_minor_version: 0, nt_build_number: 4026550882 }

When I run "process_list" from memflow/memflow-ffi/examples/c, it is unable to find ntoskrnl.exe with the va hint:

LeechCore v2.10.0: Open Device: fpga
connector initialized: 0x565517542980
12:09:24 [INFO] attempting to load `OS` type plugin `win32` from `/home/mpekar/.local/lib/memflow/libmemflow_win32.7.so`
12:09:24 [INFO] Building kernel of type memflow_win32::win32::kernel_builder::Win32KernelBuilder<memflow::plugins::connector::cglue_connectorinstance::cglue_internal::ConnectorInstance<cglue::boxed::CBox<cglue::trait_group::c_void>, cglue::arc::CArc<cglue::trait_group::c_void>>, memflow::plugins::connector::cglue_connectorinstance::cglue_internal::ConnectorInstance<cglue::boxed::CBox<cglue::trait_group::c_void>, cglue::arc::CArc<cglue::trait_group::c_void>>, memflow::mem::virt_translate::cache::CachedVirtualTranslate<memflow::mem::virt_translate::direct_translate::DirectTranslate, memflow::types::cache::timed_validator::TimedCacheValidator>>
12:09:24 [INFO] arch=X86(64, false) kernel_hint=fffff800347f3480 dtb=1ad000
12:09:24 [DEBUG] (1) memflow_win32::kernel::ntos::x64: x64::find_with_va_hint: trying to find ntoskrnl.exe with va hint at fffff800347f3480
12:09:24 [WARN] x64::find_with_va_hint() error: oslayer: process not found
12:09:24 [DEBUG] (1) memflow_win32::kernel::ntos::x64: x64::find: trying to find ntoskrnl.exe with page map

I don't really know why or how this can happen; maybe I'm just missing something?
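For readers who want to see what the `find_with_va_hint` lines in the log above actually have to do, here is an added Python example. It is not memflow's code: the PE32+ header offsets are the real ones, but the search strategy (a page-aligned walk downward from the hint inside a bounded window, skipping unreadable pages and non-matching export names), the `VirtualMemory` class, the constructed images, the addresses and the `hal.dll` decoy are all assumptions modelled on the log output, not taken from the project.

```python
"""Added example, not memflow's own code: a reconstruction of a 'find
ntoskrnl.exe via VA hint' search over a constructed 64-bit address space."""
import struct

PAGE = 0x1000
DOS_MAGIC = b"MZ"
NT_MAGIC = b"PE\0\0"
PE32PLUS = 0x20B


def build_image(export_name: bytes, size_of_image: int) -> bytes:
    """Construct a minimal PE32+ image: DOS header, NT headers and an export
    directory whose Name field points at `export_name`. Everything else is zero."""
    img = bytearray(size_of_image)
    e_lfanew = 0x80
    img[0:2] = DOS_MAGIC
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = NT_MAGIC
    # IMAGE_FILE_HEADER: Machine=AMD64, NumberOfSections=1, SizeOfOptionalHeader=0xF0
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x8664, 1, 0, 0, 0, 0xF0, 0x22)
    opt = e_lfanew + 4 + 20                                  # IMAGE_OPTIONAL_HEADER64
    struct.pack_into("<H", img, opt, PE32PLUS)               # Magic
    struct.pack_into("<I", img, opt + 0x38, size_of_image)   # SizeOfImage
    export_rva, name_rva = 0x200, 0x300
    struct.pack_into("<II", img, opt + 0x70, export_rva, 0x40)  # DataDirectory[EXPORT]
    struct.pack_into("<I", img, export_rva + 12, name_rva)      # IMAGE_EXPORT_DIRECTORY.Name
    img[name_rva:name_rva + len(export_name) + 1] = export_name + b"\0"
    return bytes(img)


class VirtualMemory:
    """Sparse address space (constructed): reads outside any image fail, like a
    DMA read of a paged-out or unmapped kernel page would."""

    def __init__(self, images):
        self.images = images   # {base_va: bytes}
        self.reads = 0         # round trips, the expensive part over a PCIe connector

    def read(self, va, size):
        self.reads += 1
        for base, data in self.images.items():
            if base <= va and va + size <= base + len(data):
                return data[va - base:va - base + size]
        raise MemoryError(f"unreadable page at {va:#x}")


def try_parse_pe(mem, base):
    """Return (export_name, size_of_image) if a PE32+ header with an export
    directory sits at `base`, else None. Unreadable memory counts as 'no header'."""
    try:
        if mem.read(base, 2) != DOS_MAGIC:
            return None
        (e_lfanew,) = struct.unpack("<I", mem.read(base + 0x3C, 4))
        if e_lfanew > PAGE - 0x200:            # NT headers must fit in the header page
            return None
        nt = base + e_lfanew
        if mem.read(nt, 4) != NT_MAGIC:
            return None
        opt = nt + 4 + 20
        if struct.unpack("<H", mem.read(opt, 2))[0] != PE32PLUS:
            return None
        (size_of_image,) = struct.unpack("<I", mem.read(opt + 0x38, 4))
        export_rva, export_size = struct.unpack("<II", mem.read(opt + 0x70, 8))
        if export_rva == 0 or export_size == 0 or export_rva >= size_of_image:
            return None
        (name_rva,) = struct.unpack("<I", mem.read(base + export_rva + 12, 4))
        raw = mem.read(base + name_rva, 32)
        return raw.split(b"\0", 1)[0].decode("ascii"), size_of_image
    except (MemoryError, UnicodeDecodeError, struct.error):
        return None


def find_with_va_hint(mem, va_hint, window=0x10000000):
    """Walk page-aligned addresses downward from `va_hint`, at most `window`
    bytes, and return (base, size_of_image) of the first image whose export
    name is 'ntoskrnl.exe'. Other images are skipped by name, unreadable pages
    silently. None means the caller must fall back to a full page-map scan."""
    va = va_hint & ~(PAGE - 1)
    floor = va - window
    while va >= floor:
        parsed = try_parse_pe(mem, va)
        if parsed is not None and parsed[0].lower() == "ntoskrnl.exe":
            return va, parsed[1]
        va -= PAGE
    return None


def constructed_address_space():
    """Constructed layout loosely mirroring the log: kernel at fffff80034400000
    with SizeOfImage 17063936, and a hal.dll-like decoy image directly above it."""
    kernel_base = 0xFFFFF80034400000
    kernel_size = 17063936
    return VirtualMemory({
        kernel_base: build_image(b"ntoskrnl.exe", kernel_size),
        kernel_base + kernel_size: build_image(b"hal.dll", 0x100000),
    })


if __name__ == "__main__":
    mem = constructed_address_space()
    print(find_with_va_hint(mem, 0xFFFFF800347F3480), "after", mem.reads, "reads")
```

The read counter is the point of the example: from the hint used in the log (0x3f3480 bytes above the base) the walk issues about a thousand separate page probes before it reaches the header page, which is why a slow connector makes this phase noticeable and why a real implementation batches pages into larger reads. Because unreadable pages are skipped rather than treated as fatal, a paged-out header page simply produces a miss and the page-map fallback, matching the "should always fail or work" observation below.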

commented

I tested it too and saw a regression in the pcileech connector from after 0.2.0-beta1. I'll investigate and report back when it's fixed on the pcileech side.

Edit: However, it should always either fail or work (unless you have page-outs occurring in between, but then it should stop working from there on out).

commented

Can you give the latest version a try (after this commit: memflow/memflow-pcileech@963953c) and report back please?

Thanks for the fast response! It looks like it's working now.

Output from "process_list" (ffi example):

FPGA: TINY PCIe TLP algrithm auto-selected!
LcMemMap_AddRange: 0000000000000000-000000000009ffff -> 0000000000000000
LcMemMap_AddRange: 0000000000100000-000000083f37ffff -> 0000000000100000
LeechCore v2.10.0: Open Device: fpga
connector initialized: 0x55783cd02450
18:41:10 [INFO] attempting to load `OS` type plugin `win32` from `/home/mpekar/.local/lib/memflow/libmemflow_win32.7.so`
18:41:10 [INFO] Building kernel of type memflow_win32::win32::kernel_builder::Win32KernelBuilder<memflow::plugins::connector::cglue_connectorinstance::cglue_internal::ConnectorInstance<cglue::boxed::CBox<cglue::trait_group::c_void>, cglue::arc::CArc<cglue::trait_group::c_void>>, memflow::plugins::connector::cglue_connectorinstance::cglue_internal::ConnectorInstance<cglue::boxed::CBox<cglue::trait_group::c_void>, cglue::arc::CArc<cglue::trait_group::c_void>>, memflow::mem::virt_translate::cache::CachedVirtualTranslate<memflow::mem::virt_translate::direct_translate::DirectTranslate, memflow::types::cache::timed_validator::TimedCacheValidator>>
18:41:10 [INFO] arch=X86(64, false) kernel_hint=fffff805177f3480 dtb=1ad000
18:41:11 [DEBUG] (1) memflow_win32::kernel::ntos::x64: x64::find_with_va_hint: trying to find ntoskrnl.exe with va hint at fffff805177f3480
18:41:11 [DEBUG] (1) memflow_win32::kernel::ntos::pehelper: found pe header for image with a size of 307200 bytes.
18:41:11 [DEBUG] (1) memflow_win32::kernel::ntos::pehelper: found pe header for image with a size of 57344 bytes.
18:41:11 [DEBUG] (1) memflow_win32::kernel::ntos::pehelper: found pe header for image with a size of 69632 bytes.
18:41:11 [DEBUG] (1) memflow_win32::kernel::ntos::pehelper: found pe header for image with a size of 49152 bytes.
18:41:11 [DEBUG] (1) memflow_win32::kernel::ntos::pehelper: found pe header for image with a size of 17063936 bytes.
18:41:12 [DEBUG] (1) memflow_win32::kernel::ntos::pehelper: try_get_pe_name: found pe header for ntoskrnl.exe
18:41:12 [DEBUG] (1) memflow_win32::kernel::ntos::pehelper: found pe header for image with a size of 17063936 bytes.
18:41:12 [INFO] base=fffff80517400000 size=17063936
18:41:12 [DEBUG] (1) memflow_win32::kernel::ntos::pehelper: found pe header for image with a size of 17063936 bytes.
18:41:13 [INFO] kernel_guid=Some(Win32Guid { file_name: "ntkrnlmp.pdb", guid: "118018959D8D7CA5AAB45B75AED5A9761" })
18:41:13 [DEBUG] (1) memflow_win32::kernel::ntos::pehelper: found pe header for image with a size of 17063936 bytes.
18:41:14 [INFO] trying to find NtBuildNumber export
18:41:14 [INFO] NtBuildNumber found at 0xc11f68
18:41:14 [INFO] trying to find RtlGetVersion export
18:41:14 [INFO] RtlGetVersion found at 0x6fd880
18:41:14 [INFO] nt_build_number: 4026550882
18:41:14 [INFO] kernel version: 10.0.19042
18:41:14 [INFO] kernel_winver=Win32Version { nt_major_version: 10, nt_minor_version: 0, nt_build_number: 4026550882 }
18:41:14 [DEBUG] (1) memflow_win32::kernel::sysproc: trying to find system eprocess
18:41:14 [DEBUG] (1) memflow_win32::kernel::ntos::pehelper: found pe header for image with a size of 17063936 bytes.
18:41:15 [INFO] PsInitialSystemProcess found at 0xfffff805180fb420
18:41:15 [INFO] eprocess_base=ffffbc08eee89200
18:41:15 [INFO] start_block.dtb=1ad000
18:41:15 [INFO] reading pdb from local cache: /home/mpekar/.cache/memflow/ntkrnlmp.pdb/118018959D8D7CA5AAB45B75AED5A9761
18:41:15 [INFO] updating connector mem_map=MemoryMapping: base=1000 size=9f000 real_base=1000
MemoryMapping: base=100000 size=99ff000 real_base=100000
MemoryMapping: base=a000000 size=200000 real_base=a000000
MemoryMapping: base=a20e000 size=df2000 real_base=a20e000
MemoryMapping: base=b020000 size=aee78000 real_base=b020000
MemoryMapping: base=bdbff000 size=1401000 real_base=bdbff000
MemoryMapping: base=100000000 size=73f380000 real_base=100000000
18:41:15 [INFO] updating sysproc_dtb=1ad000
os plugin initialized: (nil)
Pid	NAME	ADDRESS	MAIN_MODULE
zsh: segmentation fault (core dumped)

It looks like it crashes because "inventory_create_os" returned a null instance, but I'll take another look; maybe I did something wrong trying to recompile memflow.

Thank you guys for memflow, it's a really cool and versatile project!

With the latest commits everything is working perfectly fine! 👍