winpmem for windows

David Nides

unread,

Aug 26, 2014, 2:01:31 PM8/26/14

to rekall-...@googlegroups.com

Hi Michael, et. all,

Hope all is well.

I am trying to give Rekall a whirl, against a live system. I understand I need to use winpmem to expose memory as step one. I would prefer to use Python to do this instead of the EXE, as I might incorporate this into a script we use for IR. So, I tried following the directions from the Readme:

c:\..> winpmem.py -d binaries\amd64\winpmem.sys -l

Loaded the winpmem driver. You can now attach rekall to \\.\pmem

However, the following directory containing the driver is not present : "binaries\amd64\winpmem.sy". I double checked the source repo and also see references to this same folder on the forensic wiki and other places.

Where do I get this file from?

Thanks!!

Michael Cohen

unread,

Aug 26, 2014, 3:45:37 PM8/26/14

to David Nides, rekall-...@googlegroups.com

Hi David,
We no longer ship the drivers separately - there is an option in the
winpmem binary to just extract the driver from the binary (-d) and
exit. You might just consider shelling outo winpmem_1.6.0 -l to just
unpack and install the driver, and then you can open the device from
python.

Michael.

> --
> You received this message because you are subscribed to the Google Groups
> "rekall-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to rekall-discus...@googlegroups.com.
> To post to this group, send email to rekall-...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

David Nides

unread,

Aug 26, 2014, 3:51:57 PM8/26/14

to Michael Cohen, rekall-...@googlegroups.com

Thanks for the quick reply. So regarding the EXE, where do I get the latest version? I see you include the source in the repo but when I try to compile it I get the follow error:

1>------ Build started: Project: Winpmem, Configuration: Debug Win32 ------

1>Compiling...

1>cl : Command line warning D9035 : option 'Wp64' has been deprecated and will be removed in a future release

1>main.cpp

1>c:\rekall\tools\windows\winpmem\executable\winpmem.h(4) : fatal error C1083: Cannot open include file: 'stdint.h': No such file or directory

1>Build log was saved at "file://c:\rekall\tools\windows\winpmem\executable\Debug\BuildLog.htm"

1>Winpmem - 1 error(s), 1 warning(s)

========== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========

David Nides

unread,

Aug 26, 2014, 3:58:33 PM8/26/14

to Michael Cohen, rekall-...@googlegroups.com

I found the latest version on the download page - http://www.rekall-forensic.com/downloads.html

David Nides

unread,

Aug 26, 2014, 4:05:42 PM8/26/14

to Michael Cohen, rekall-...@googlegroups.com

Looks like something is not working or I am doing it wrong. Can you please take a look at the commands below?

C:\rekall\tools\windows\winpmem>winpmem_1.6.0.exe -d winpmem.sys

Extracting driver to C:\rekall\tools\windows\winpmem\winpmem.sys

C:\rekall\tools\windows\winpmem>winpmem.py -l winpmem.sys

You must specify a valid driver file.

Michael Cohen

unread,

Aug 26, 2014, 6:50:50 PM8/26/14

to David Nides, rekall-...@googlegroups.com

Hi David,
Im not sure why your build process is failing. stdint.h is a
standard include which should be available in the msvc environment -
are you using msvc10? Thats the version I am using.

The python code is really a POC and is not recommended for general
use. There are a couple of subtle problems you will need to fix due to
the way windows services work. For example if you create a service -
even with different parameters, and that same service name exist - the
create will fail and you need to delete the existing service and then
retry to create it again. But this is really tricky because if the
service is still running the delete will fail and you need to stop the
service first!

Maybe the solution is to just create the service with a random name
and bypass all this trouble.

This is not handled properly in the POC code. I suggest you check out
the logic in the C program and replicate it re- the service handling.

```
# Make sure the service is stopped and deleted before running the load.
c:\cygwin\home\mic\projects\rekall\tools\windows\winpmem>sc stop pmem

SERVICE_NAME: pmem
TYPE : 1 KERNEL_DRIVER
STATE : 1 STOPPED
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

c:\cygwin\home\mic\projects\rekall\tools\windows\winpmem>sc delete pmem
[SC] DeleteService SUCCESS

c:\cygwin\home\mic\projects\rekall\tools\windows\winpmem>winpmem.py -l
-d winpmem.sys
Loaded the winpmem driver. You can now attach volatility to \\.\pmem
CR3: 0x187000 (1601536)
KPCR00: 0xfffff80002a58d00 (18446735277660933376)
KernBase: 0xfffff80002868000 (18446735277658898432)
NtBuildNumber: 0x001db1 (7601)
NumberOfRuns: 0x000002 (2)
Memory ranges:
Start End Length
0x1000 0x9F000 0x9E000
0x100000 0xBFFF0000 0xBFEF0000
```

Hope this helps,
Michael.

David Nides

unread,

Aug 27, 2014, 5:18:20 PM8/27/14

to Michael Cohen, rekall-...@googlegroups.com

Ok that was the trick. I believe I have winpmem working now. However when I go to try running a command in rekall I get an error like below. The system I am running this on (live) is Windows 8.1 x64.

C:\rekall>rekall -f \\.\pmem imageinfo

Traceback (most recent call last):

File "C:\Python27\Scripts\rekall-script.py", line 9, in <module>

load_entry_point('rekall==1.0.3', 'console_scripts', 'rekall')()

File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\rekal.py", line 122, in main

flags = args.parse_args(argv=argv, user_session=user_session)

File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\args.py", line 253, in parse_args

LoadProfileIntoSession(parser, argv, user_session)

File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\args.py", line 219, in LoadProfileIntoSession

state.Set("logging", "warn")

File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\session.py", line 242, in __exit__

hook()

File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\session.py", line 170, in _set_filename

profile_parameter = self.session.GetParameter("profile")

File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\session.py", line 404, in GetParameter

result = self._RunParameterHook(item)

File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\session.py", line 424, in _RunParameterHook

result = hook.calculate()

File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\plugins\guess_profile.py", line 270, in calculate

return self.ScanProfiles()

File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\plugins\guess_profile.py", line 174, in ScanProfiles

"nt/GUID/%s" % rsds.GUID_AGE)

File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\plugins\guess_profile.py", line 123, in VerifyWinPro

file

return self.ApplyFindDTB(win_common.WinFindDTB, profile)

File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\plugins\guess_profile.py", line 132, in ApplyFindDTB

find_dtb_plugin = find_dtb_cls(session=self.session)

File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\registry.py", line 56, in __call__

res = super(UniqueObjectIdMetaclass, cls).__call__(*args, **kwargs)

File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\plugins\windows\common.py", line 112, in __init__

super(WinFindDTB, self).__init__(**kwargs)

File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\plugin.py", line 245, in __init__

super(PhysicalASMixin, self).__init__(**kwargs)

File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\plugin.py", line 181, in __init__

raise PluginError("Profile not specified. (use vol(plugins.info) "

rekall.plugin.PluginError: Profile not specified. (use vol(plugins.info) to see available profiles.).

C:\rekall>

Michael Cohen

unread,

Aug 27, 2014, 5:51:26 PM8/27/14

to David Nides, rekall-...@googlegroups.com

Hi David,
Rekall does not find the profile for your system in the public
repository. Please run the following command and paste here:

C:\rekall>rekall -f \\.\pmem version_scan --name_regex "(krnl|tcpip|win32k)"

You can also follow the faq:
http://www.rekall-forensic.com/faq.html

to build your own profiles.

Thanks
Michael.

David Nides

unread,

Aug 27, 2014, 6:17:22 PM8/27/14

to Michael Cohen, rekall-...@googlegroups.com

Thanks again for your help. Here is the output (error) I got from this:

C:\rekall>rekall -f \\.\pmem version_scan --name_regex "(krnl|tcpip|win32k)"

Michael Cohen

unread,

Aug 27, 2014, 6:20:56 PM8/27/14

to David Nides, Michael Cohen, rekall-...@googlegroups.com

Argh sorry - Obviously it tries to guess a profile but it cant - you
need to specify --profile None to make it not guess:

C:\rekall>rekall -f \\.\pmem --profile None version_scan --name_regex
"(krnl|tcpip|win32k)"

David Nides

unread,

Aug 27, 2014, 6:24:44 PM8/27/14

to Michael Cohen, Michael Cohen, rekall-...@googlegroups.com

Strange .. same..

C:\rekall>rekall -f \\.\pmem version_scan --profile None --name_regex "(krnl|tcpip|win32k)"

Michael Cohen

unread,

Aug 27, 2014, 6:36:49 PM8/27/14

to David Nides, Michael Cohen, rekall-...@googlegroups.com

Hi David,
The --profile option must come before the plugin name since its a
global option (plugin options come after the plugin name):

C:\rekall>rekall -f \\.\pmem --profile None version_scan --name_regex
"(krnl|tcpip|win32k)"

Also you can use the -v global option to get more verbose debug messages.

David Nides

unread,

Aug 27, 2014, 6:45:46 PM8/27/14

to Michael Cohen, Michael Cohen, rekall-...@googlegroups.com

Alright cool. Now we are getting somewhere..

C:\rekall>rekall -f \\.\pmem --profile None version_scan --name_regex "(krnl|tcpip|win32k)"

Offset (P) GUID/Version PDB

-------------- -------------------------------- ------------------------------

0x000002fd1c98 DE2E52603FFB406D9052C8D884A1AD722 wshtcpip.pdb

0x00006c2a6b60 E2E39D030D3D4F63964E29CDB3833BFD1 ntoskrnl.pdb

0x00010ae0a380 D495C28BADD44E639AE223FBDF9108752 win32k.pdb

0x00013b722278 D67FECD43A49492C87EC845789255D641 ntkrnlmp.pdb

0x00015e087b40 7920E9DD9C8C4DCA9083D8602EEAC0031 ntoskrnl.pdb

0x0002e452b01c B91F1E8B013A41A4951B395C7CF740111 tcpip.pdb

0x00034bf057f4 C30B590040C84C7FB5DF3749E624569A1 ntoskrnl.pdb

0x0003cebe23b8 5DAF4A45ECAA4DE9B4CA8998CEB472442 tcpip.pdb

0x0004300619a0 39DC5D0E86C64D748CD476B528FCAAB92 tcpipreg.pdb

0x000430c58574 7F4370C3243D4B96A105CB82C545C2C71 dxgkrnl.pdb

0x00043128927c 40BA75DB9AC941C196345ABE68EBA2572 tcpip.pdb

C:\rekall>

Michael Cohen

unread,

Aug 27, 2014, 6:52:29 PM8/27/14

to David Nides, Michael Cohen, rekall-...@googlegroups.com

Hi David,
You kernel version is D67FECD43A49492C87EC845789255D641 which is
already in the repository. Can you please re-run with the -v flag to
see why its not using it?

Thanks
Michael.

David Nides

unread,

Aug 27, 2014, 6:55:31 PM8/27/14

to Michael Cohen, Michael Cohen, rekall-...@googlegroups.com

I went ahead and tried to pull down the file to start the process of creating a profile..

C:\rekall>rekall --debug fetch_pdb --dump-dir c:\rekall\ --filename ntkrnlmp.pdb --guid D67FECD43A49492C87EC845789255D64

1

Trying to fetch http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/D67FECD43A49492C87EC845789255D641/ntkrnlmp.pd_

Received 1091105 bytes

ERROR:root:Traceback (most recent call last):

File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\session.py", line 492, in _RunPlugin

plugin_obj.render(ui_renderer)

File "C:\Python27\lib\site-packages\rekall-1.0.3-py2.7.egg\rekall\plugins\tools\mspdb.py", line 183, in render

cwd=self.dump_dir)

File "C:\Python27\lib\subprocess.py", line 535, in check_call

retcode = call(*popenargs, **kwargs)

File "C:\Python27\lib\subprocess.py", line 522, in call

return Popen(*popenargs, **kwargs).wait()

File "C:\Python27\lib\subprocess.py", line 709, in __init__

errread, errwrite)

File "C:\Python27\lib\subprocess.py", line 957, in _execute_child

startupinfo)

WindowsError: [Error 2] The system cannot find the file specified

> c:\python27\lib\subprocess.py(957)_execute_child()

-> startupinfo)

(Pdb)

David Nides

unread,

Aug 27, 2014, 6:58:27 PM8/27/14

to Michael Cohen, Michael Cohen, rekall-...@googlegroups.com

This sufficient?

C:\rekall>rekall -v -f \\.\pmem imageinfo

DEBUG:root:Voting round

DEBUG:root:Trying <class 'rekall.plugins.addrspaces.macho.MACHOCoreDump'>

DEBUG:root:Failed instantiating MACHOCoreDump: Header signature invalid

DEBUG:root:Trying <class 'rekall.plugins.addrspaces.vmem.VMemAddressSpace'>

DEBUG:root:Failed instantiating VMemAddressSpace: No base address space provided

DEBUG:root:Trying <class 'rekall.plugins.addrspaces.amd64.VTxPagedMemory'>

DEBUG:root:Failed instantiating VTxPagedMemory: No base Address Space

DEBUG:root:Trying <class 'rekall.plugins.addrspaces.crash.WindowsCrashBMP'>

DEBUG:root:Failed instantiating WindowsCrashBMP: Header signature invalid

DEBUG:root:Trying <class 'rekall.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>

DEBUG:root:Failed instantiating WindowsCrashDumpSpace64: Header signature invalid

DEBUG:root:Trying <class 'rekall.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>

DEBUG:root:Failed instantiating WindowsCrashDumpSpace32: Header signature invalid

DEBUG:root:Trying <class 'rekall.plugins.addrspaces.vboxelf.Elf64CoreDump'>

DEBUG:root:Failed instantiating Elf64CoreDump: Header signature invalid

DEBUG:root:Trying <class 'rekall.plugins.addrspaces.win32.Win32FileAddressSpace'>

DEBUG:root:Succeeded instantiating Win32FileAddressSpace

DEBUG:root:Voting round

DEBUG:root:Trying <class 'rekall.plugins.addrspaces.macho.MACHOCoreDump'>

DEBUG:root:Failed instantiating MACHOCoreDump: Header signature invalid

DEBUG:root:Trying <class 'rekall.plugins.addrspaces.vmem.VMemAddressSpace'>

DEBUG:root:Failed instantiating VMemAddressSpace: Only VMEM files supported.

DEBUG:root:Trying <class 'rekall.plugins.addrspaces.amd64.VTxPagedMemory'>

DEBUG:root:Failed instantiating VTxPagedMemory: No EPT specified