winpmem for windows


David Nides

Aug 26, 2014, 2:01:31 PM8/26/14
to rekall-...@googlegroups.com
Hi Michael, et al.,

Hope all is well.

I am trying to give Rekall a whirl, against a live system. I understand I need to use winpmem to expose memory as step one. I would prefer to use Python to do this instead of the EXE, as I might incorporate this into a script we use for IR. So, I tried following the directions from the Readme:  

c:\..> winpmem.py -d binaries\amd64\winpmem.sys -l
Loaded the winpmem driver. You can now attach rekall to \\.\pmem

However, the directory that should contain the driver is not present: "binaries\amd64\winpmem.sys". I double-checked the source repo and also see references to this same folder on the forensic wiki and other places.

Where do I get this file from?

Thanks!!

Michael Cohen

Aug 26, 2014, 3:45:37 PM8/26/14
to David Nides, rekall-...@googlegroups.com
Hi David,
We no longer ship the drivers separately - there is an option in the
winpmem binary to just extract the driver from the binary (-d) and
exit. You might just consider shelling out to winpmem_1.6.0 -l to just
unpack and install the driver, and then you can open the device from
python.

Michael.

David Nides

Aug 26, 2014, 3:51:57 PM8/26/14
to Michael Cohen, rekall-...@googlegroups.com
Thanks for the quick reply. So regarding the EXE, where do I get the latest version? I see you include the source in the repo, but when I try to compile it I get the following error:

1>------ Build started: Project: Winpmem, Configuration: Debug Win32 ------
1>Compiling...
1>cl : Command line warning D9035 : option 'Wp64' has been deprecated and will be removed in a future release
1>main.cpp
1>c:\rekall\tools\windows\winpmem\executable\winpmem.h(4) : fatal error C1083: Cannot open include file: 'stdint.h': No such file or directory
1>Build log was saved at "file://c:\rekall\tools\windows\winpmem\executable\Debug\BuildLog.htm"
1>Winpmem - 1 error(s), 1 warning(s)
========== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========

David Nides

Aug 26, 2014, 3:58:33 PM8/26/14
to Michael Cohen, rekall-...@googlegroups.com
I found the latest version on the download page - http://www.rekall-forensic.com/downloads.html


David Nides

Aug 26, 2014, 4:05:42 PM8/26/14
to Michael Cohen, rekall-...@googlegroups.com
Looks like something is not working or I am doing it wrong. Can you please take a look at the commands below?

C:\rekall\tools\windows\winpmem>winpmem_1.6.0.exe -d winpmem.sys
Extracting driver to C:\rekall\tools\windows\winpmem\winpmem.sys

C:\rekall\tools\windows\winpmem>winpmem.py -l winpmem.sys
You must specify a valid driver file.

Michael Cohen

Aug 26, 2014, 6:50:50 PM8/26/14
to David Nides, rekall-...@googlegroups.com
Hi David,
I'm not sure why your build process is failing. stdint.h is a
standard include which should be available in the msvc environment -
are you using msvc10? That's the version I am using.

The python code is really a POC and is not recommended for general
use. There are a couple of subtle problems you will need to fix due to
the way windows services work. For example if you create a service -
even with different parameters, and that same service name exist - the
create will fail and you need to delete the existing service and then
retry to create it again. But this is really tricky because if the
service is still running the delete will fail and you need to stop the
service first!

Maybe the solution is to just create the service with a random name
and bypass all this trouble.

This is not handled properly in the POC code. I suggest you check out
the logic in the C program and replicate it re- the service handling.

```
# Make sure the service is stopped and deleted before running the load.
c:\cygwin\home\mic\projects\rekall\tools\windows\winpmem>sc stop pmem

SERVICE_NAME: pmem
TYPE : 1 KERNEL_DRIVER
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

c:\cygwin\home\mic\projects\rekall\tools\windows\winpmem>sc delete pmem
[SC] DeleteService SUCCESS

c:\cygwin\home\mic\projects\rekall\tools\windows\winpmem>winpmem.py -l -d winpmem.sys
Loaded the winpmem driver. You can now attach volatility to \\.\pmem
CR3: 0x187000 (1601536)
KPCR00: 0xfffff80002a58d00 (18446735277660933376)
KernBase: 0xfffff80002868000 (18446735277658898432)
NtBuildNumber: 0x001db1 (7601)
NumberOfRuns: 0x000002 (2)
Memory ranges:
Start End Length
0x1000 0x9F000 0x9E000
0x100000 0xBFFF0000 0xBFEF0000
```

Hope this helps,
Michael.
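The stop, delete, create and start sequence Michael describes above, written out as a PowerShell script. This is an added example, not code from the thread or from the winpmem project; the driver path, the default service name "pmem" and the random-name variant are assumptions, and it uses only sc.exe, which is what the session above uses.

```powershell
# Added example: load a winpmem driver as a kernel service, handling the case
# where a service with the same name already exists (create would fail) and
# is still running (delete would fail). Path and names are assumed.
param(
    [string]$DriverPath  = "C:\rekall\tools\windows\winpmem\winpmem.sys",  # assumed
    [string]$ServiceName = "pmem",
    [switch]$RandomName     # alternative from the thread: sidestep the name clash
)

if ($RandomName) { $ServiceName = "pmem_" + [guid]::NewGuid().ToString("N").Substring(0, 8) }
if (-not (Test-Path $DriverPath)) { throw "Driver not found: $DriverPath" }

# sc.exe returns the Win32 error as its exit code; 1060 = ERROR_SERVICE_DOES_NOT_EXIST.
$null = sc.exe query $ServiceName
if ($LASTEXITCODE -ne 1060) {
    Write-Host "Service '$ServiceName' already exists; stopping and deleting it first."
    $null = sc.exe stop $ServiceName        # fails harmlessly if already stopped
    # Delete is refused while the service runs, so wait for STATE : 1 STOPPED.
    for ($i = 0; $i -lt 10; $i++) {
        if ((sc.exe query $ServiceName) -match 'STATE\s+:\s+1\s+STOPPED') { break }
        Start-Sleep -Milliseconds 500
    }
    $null = sc.exe delete $ServiceName
    if ($LASTEXITCODE -ne 0) { throw "sc delete failed with $LASTEXITCODE (still running?)" }
}

# Register the driver as a kernel-mode service (sc.exe needs the space after '=').
$null = sc.exe create $ServiceName type= kernel binPath= "$DriverPath"
if ($LASTEXITCODE -ne 0) { throw "sc create failed with $LASTEXITCODE" }

$null = sc.exe start $ServiceName
if ($LASTEXITCODE -ne 0) {
    $null = sc.exe delete $ServiceName    # do not leave a half-registered service behind
    throw "sc start failed with $LASTEXITCODE"
}

Write-Host "Driver loaded; the device should now be reachable as \\.\pmem"
Write-Host "Unload afterwards with: sc.exe stop $ServiceName; sc.exe delete $ServiceName"
```

Run from an elevated PowerShell prompt; the device name \\.\pmem is chosen by the driver, so it does not change when -RandomName is used.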

David Nides

Aug 27, 2014, 5:18:20 PM8/27/14
to Michael Cohen, rekall-...@googlegroups.com
Ok that was the trick. I believe I have winpmem working now. However when I go to try running a command in rekall I get an error like below. The system I am running this on (live) is Windows 8.1 x64. 

C:\rekall>rekall -f \\.\pmem imageinfo
Traceback (most recent call last):
  File "C:\Python27\Scripts\rekall-script.py", line 9, in <module>
    load_entry_point('rekall==1.0.3', 'console_scripts', 'rekall')()
  File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\rekal.py", line 122, in main
    flags = args.parse_args(argv=argv, user_session=user_session)
  File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\args.py", line 253, in parse_args
    LoadProfileIntoSession(parser, argv, user_session)
  File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\args.py", line 219, in LoadProfileIntoSession
    state.Set("logging", "warn")
  File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\session.py", line 242, in __exit__
    hook()
  File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\session.py", line 170, in _set_filename
    profile_parameter = self.session.GetParameter("profile")
  File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\session.py", line 404, in GetParameter
    result = self._RunParameterHook(item)
  File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\session.py", line 424, in _RunParameterHook
    result = hook.calculate()
  File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\plugins\guess_profile.py", line 270, in calculate
    return self.ScanProfiles()
  File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\plugins\guess_profile.py", line 174, in ScanProfiles
    "nt/GUID/%s" % rsds.GUID_AGE)
  File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\plugins\guess_profile.py", line 123, in VerifyWinProfile
    return self.ApplyFindDTB(win_common.WinFindDTB, profile)
  File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\plugins\guess_profile.py", line 132, in ApplyFindDTB
    find_dtb_plugin = find_dtb_cls(session=self.session)
  File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\registry.py", line 56, in __call__
    res = super(UniqueObjectIdMetaclass, cls).__call__(*args, **kwargs)
  File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\plugins\windows\common.py", line 112, in __init__
    super(WinFindDTB, self).__init__(**kwargs)
  File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\plugin.py", line 245, in __init__
    super(PhysicalASMixin, self).__init__(**kwargs)
  File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\plugin.py", line 181, in __init__
    raise PluginError("Profile not specified. (use vol(plugins.info) "
rekall.plugin.PluginError: Profile not specified. (use vol(plugins.info) to see available profiles.).

C:\rekall>

Michael Cohen

Aug 27, 2014, 5:51:26 PM8/27/14
to David Nides, rekall-...@googlegroups.com
Hi David,
Rekall does not find the profile for your system in the public
repository. Please run the following command and paste here:

C:\rekall>rekall -f \\.\pmem version_scan --name_regex "(krnl|tcpip|win32k)"

You can also follow the faq:
http://www.rekall-forensic.com/faq.html

to build your own profiles.

Thanks
Michael.

David Nides

Aug 27, 2014, 6:17:22 PM8/27/14
to Michael Cohen, rekall-...@googlegroups.com
Thanks again for your help. Here is the output (error) I got from this:

C:\rekall>rekall -f \\.\pmem version_scan --name_regex "(krnl|tcpip|win32k)"

Michael Cohen

Aug 27, 2014, 6:20:56 PM8/27/14
to David Nides, Michael Cohen, rekall-...@googlegroups.com
Argh sorry - Obviously it tries to guess a profile but it can't - you
need to specify --profile None to make it not guess:

C:\rekall>rekall -f \\.\pmem --profile None version_scan --name_regex
"(krnl|tcpip|win32k)"

David Nides

Aug 27, 2014, 6:24:44 PM8/27/14
to Michael Cohen, Michael Cohen, rekall-...@googlegroups.com
Strange .. same..

C:\rekall>rekall -f \\.\pmem version_scan --profile None --name_regex "(krnl|tcpip|win32k)"

Michael Cohen

Aug 27, 2014, 6:36:49 PM8/27/14
to David Nides, Michael Cohen, rekall-...@googlegroups.com
Hi David,
The --profile option must come before the plugin name since it's a
global option (plugin options come after the plugin name):

C:\rekall>rekall -f \\.\pmem --profile None version_scan --name_regex
"(krnl|tcpip|win32k)"


Also you can use the -v global option to get more verbose debug messages.

David Nides

Aug 27, 2014, 6:45:46 PM8/27/14
to Michael Cohen, Michael Cohen, rekall-...@googlegroups.com
Alright cool. Now we are getting somewhere..

C:\rekall>rekall -f \\.\pmem --profile None version_scan --name_regex "(krnl|tcpip|win32k)"
  Offset (P)             GUID/Version                        PDB
-------------- -------------------------------- ------------------------------
0x000002fd1c98 DE2E52603FFB406D9052C8D884A1AD722 wshtcpip.pdb
0x00006c2a6b60 E2E39D030D3D4F63964E29CDB3833BFD1 ntoskrnl.pdb
0x00010ae0a380 D495C28BADD44E639AE223FBDF9108752 win32k.pdb
0x00013b722278 D67FECD43A49492C87EC845789255D641 ntkrnlmp.pdb
0x00015e087b40 7920E9DD9C8C4DCA9083D8602EEAC0031 ntoskrnl.pdb
0x0002e452b01c B91F1E8B013A41A4951B395C7CF740111 tcpip.pdb
0x00034bf057f4 C30B590040C84C7FB5DF3749E624569A1 ntoskrnl.pdb
0x0003cebe23b8 5DAF4A45ECAA4DE9B4CA8998CEB472442 tcpip.pdb
0x0004300619a0 39DC5D0E86C64D748CD476B528FCAAB92 tcpipreg.pdb
0x000430c58574 7F4370C3243D4B96A105CB82C545C2C71 dxgkrnl.pdb
0x00043128927c 40BA75DB9AC941C196345ABE68EBA2572 tcpip.pdb

C:\rekall>

Michael Cohen

Aug 27, 2014, 6:52:29 PM8/27/14
to David Nides, Michael Cohen, rekall-...@googlegroups.com
Hi David,
Your kernel version is D67FECD43A49492C87EC845789255D641 which is
already in the repository. Can you please re-run with the -v flag to
see why it's not using it?

Thanks
Michael.

David Nides

Aug 27, 2014, 6:55:31 PM8/27/14
to Michael Cohen, Michael Cohen, rekall-...@googlegroups.com
I went ahead and tried to pull down the file to start the process of creating a profile..

C:\rekall>rekall --debug fetch_pdb --dump-dir c:\rekall\ --filename ntkrnlmp.pdb --guid D67FECD43A49492C87EC845789255D641
Received 1091105 bytes
ERROR:root:Traceback (most recent call last):
  File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\session.py", line 492, in _RunPlugin
    plugin_obj.render(ui_renderer)
  File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\plugins\tools\mspdb.py", line 183, in render
    cwd=self.dump_dir)
  File "C:\Python27\lib\subprocess.py", line 535, in check_call
    retcode = call(*popenargs, **kwargs)
  File "C:\Python27\lib\subprocess.py", line 522, in call
    return Popen(*popenargs, **kwargs).wait()
  File "C:\Python27\lib\subprocess.py", line 709, in __init__
    errread, errwrite)
  File "C:\Python27\lib\subprocess.py", line 957, in _execute_child
    startupinfo)
WindowsError: [Error 2] The system cannot find the file specified

> c:\python27\lib\subprocess.py(957)_execute_child()
-> startupinfo)
(Pdb)

David Nides

Aug 27, 2014, 6:58:27 PM8/27/14
to Michael Cohen, Michael Cohen, rekall-...@googlegroups.com
This sufficient?

C:\rekall>rekall -v -f \\.\pmem imageinfo
DEBUG:root:Voting round
DEBUG:root:Trying <class 'rekall.plugins.addrspaces.macho.MACHOCoreDump'>
DEBUG:root:Failed instantiating MACHOCoreDump: Header signature invalid
DEBUG:root:Trying <class 'rekall.plugins.addrspaces.vmem.VMemAddressSpace'>
DEBUG:root:Failed instantiating VMemAddressSpace: No base address space provided
DEBUG:root:Trying <class 'rekall.plugins.addrspaces.amd64.VTxPagedMemory'>
DEBUG:root:Failed instantiating VTxPagedMemory: No base Address Space
DEBUG:root:Trying <class 'rekall.plugins.addrspaces.crash.WindowsCrashBMP'>
DEBUG:root:Failed instantiating WindowsCrashBMP: Header signature invalid
DEBUG:root:Trying <class 'rekall.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG:root:Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG:root:Trying <class 'rekall.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG:root:Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG:root:Trying <class 'rekall.plugins.addrspaces.vboxelf.Elf64CoreDump'>
DEBUG:root:Failed instantiating Elf64CoreDump: Header signature invalid
DEBUG:root:Trying <class 'rekall.plugins.addrspaces.win32.Win32FileAddressSpace'>
DEBUG:root:Succeeded instantiating Win32FileAddressSpace
DEBUG:root:Voting round
DEBUG:root:Trying <class 'rekall.plugins.addrspaces.macho.MACHOCoreDump'>
DEBUG:root:Failed instantiating MACHOCoreDump: Header signature invalid
DEBUG:root:Trying <class 'rekall.plugins.addrspaces.vmem.VMemAddressSpace'>
DEBUG:root:Failed instantiating VMemAddressSpace: Only VMEM files supported.
DEBUG:root:Trying <class 'rekall.plugins.addrspaces.amd64.VTxPagedMemory'>
DEBUG:root:Failed instantiating VTxPagedMemory: No EPT specified
DEBUG:root:Trying <class 'rekall.plugins.addrspaces.crash.WindowsCrashBMP'>
DEBUG:root:Failed instantiating WindowsCrashBMP: Header signature invalid
DEBUG:root:Trying <class 'rekall.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG:root:Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG:root:Trying <class 'rekall.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG:root:Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG:root:Trying <class 'rekall.plugins.addrspaces.vboxelf.Elf64CoreDump'>
DEBUG:root:Failed instantiating Elf64CoreDump: Header signature invalid
DEBUG:root:Trying <class 'rekall.plugins.addrspaces.win32.Win32FileAddressSpace'>
DEBUG:root:Failed instantiating Win32FileAddressSpace: Must be first Address Space
DEBUG:root:Trying <class 'rekall.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG:root:Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG:root:Trying <class 'rekall.plugins.addrspaces.mmap_address_space.MmapFileAddressSpace'>
DEBUG:root:Failed instantiating MmapFileAddressSpace: Must be first Address Space
INFO:root:Autodetected physical address space Win32FileAddressSpace
DEBUG:root:Verifying profile nt/GUID/E2E39D030D3D4F63964E29CDB3833BFD1
DEBUG:root:Skipped profile nt/GUID/E2E39D030D3D4F63964E29CDB3833BFD1 from https://raw.githubusercontent.com/google/rekall-profiles/master/v1.0 (Not in inventory)
DEBUG:root:Skipped profile nt/GUID/E2E39D030D3D4F63964E29CDB3833BFD1 from http://profiles.rekall-forensic.com/v1.0 (Not in inventory)

Michael Cohen

Aug 27, 2014, 7:13:52 PM8/27/14
to David Nides, Michael Cohen, rekall-...@googlegroups.com
You can't run this command on windows since it tries to shell out to
"cabextract" to extract the cab file which it downloaded from MS. Do
you know if there is an equivalent tool on windows which will unpack a
cab file?

David Nides

Aug 27, 2014, 10:36:16 PM8/27/14
to Michael Cohen, Michael Cohen, rekall-...@googlegroups.com