Fatal Error on Win 10 Business N #13

Open
affinitasglobal opened this issue Sep 19, 2020 · 6 comments

Comments

@affinitasglobal

Hi,
I ran the executable from admin command prompt and consistently get the following failure:

runtime: sp=0xc041681330 stack=[0xc041680000, 0xc061680000]
fatal error: stack overflow

runtime stack:
runtime.throw(0x1b3dca1, 0xe)
        /home/mic/build/go/src/runtime/panic.go:1116 +0x79
runtime.newstack()
        /home/mic/build/go/src/runtime/stack.go:1034 +0x6dc
runtime.morestack()
        /home/mic/build/go/src/runtime/asm_amd64.s:449 +0x97

The run log is attached.
Collector_velociraptor.exe.log

@scudette
Collaborator

Thanks for reporting...

The logs indicate it seems to happen right after collecting the ServiceEventLogs artifact:

https://github.com/CCXLabs/CCXDigger/blob/master/artifacts/CyberCX/Windows/ServiceEventLogs.yaml#L8

and the stack overflow means it is recursing too much into something (but we don't know what). Does it provide more of a backtrace?

I wonder if it has something to do with the SearchVSS flag - do you have a lot of VSS copies on your system?

@affinitasglobal
Author

Thanks for the quick reply,
I don't have any volume shadow copies on this system:

#vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.

This is a testing laptop with a small SSD disk that is generally close to being full most of the time. It has a 3 TB external HDD (USB) pretty much permanently attached (and was attached at the time of the test) and has a mapped drive to a Samba fileserver.

I've attached the full console output when the tool is run.
ccxdigger_output.txt

@affinitasglobal
Author

I located the following in an event log on the device:

Fault bucket 1290616852963470374, type 5
Event Name: RADAR_PRE_LEAK_64
Response: Not available
Cab Id: 0

Problem signature:
P1: CyberCX_Digger_0.1.exe
P2: 0.0.0.0
P3: 10.0.19041.2.0.0
P4: 
P5: 
P6: 
P7: 
P8: 
P9: 
P10: 

Attached files:
\\?\C:\Users\STUART~1\AppData\Local\Temp\RDRDDCE.tmp\empty.txt
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDDDF.tmp.WERInternalMetadata.xml
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDDFF.tmp.xml
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE1D.tmp.csv
\\?\C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE4C.tmp.txt

These files may be available here:


Analysis symbol: 
Rechecking for solution: 0
Report Id: de930e8d-1686-4231-a76f-ab6cdc43ae17
Report Status: 268435456
Hashed bucket: 2313295924243fb631e9313096052c26
Cab Guid: 0

This was generated around the time I first ran the tool yesterday. A similar entry has not been created however when I ran the tool to get the console output this morning.

I should have mentioned that this laptop is Azure AD joined as I have been testing various security options.

@scudette
Collaborator

Thanks for the error report - very detailed. I think I have a fix but I am finding it hard to replicate on a real system.

@affinitasglobal
Author

I'd be happy to do any testing you need on this device if that would help?

@scudette
Collaborator

scudette commented Sep 21, 2020

Thanks that would be great!

You can rebuild the collector with the CCXLabs artifacts like this:

  1. Grab the latest Velociraptor release from https://github.com/Velocidex/velociraptor (https://github.com/Velocidex/velociraptor/releases/download/v0.5.0/velociraptor-v0.5.0-windows-amd64.exe)
  2. Start the local gui by running velociraptor-v0.5.0-windows-amd64.exe gui
  3. Download the artifact pack from the CCXLabs github https://github.com/CCXLabs/CCXDigger/archive/master.zip (Click the download zip from the dropdown in the "Code" button on the main project page).
  4. Import the artifacts to Velociraptor GUI (Select View Artifacts from the sidebar and then upload artifact pack)
  5. You can build a new collector - select "Server Artifacts" from the sidebar and then "Build Offline collector"
  6. Include the CyberCX artifacts in your collector.

You can also just collect the same artifacts directly from the client (the velociraptor gui command starts a server + a local client). So if you click the search bar you can see your local client; then simply select "collected artifacts" from the sidebar, add a new collection and select one of the CyberCX artifacts.
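A command-line alternative to the GUI steps above, added here as an example that is not part of scudette's comment or of the CCXDigger project: it runs the one artifact the log points at headlessly and asks the Go runtime for a fuller backtrace, so the crash can be captured with all goroutine stacks. It assumes the artifact is named CyberCX.Windows.ServiceEventLogs (inferred from the YAML path), that it accepts a SearchVSS parameter, and that the Velociraptor --definitions, --args and --output flags behave as commented.

```powershell
# Added example (not from the issue thread or CCXDigger). Run from an
# elevated PowerShell, as the original report was run from an admin prompt.
$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'ccx-repro'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# 1. The Velociraptor release named in the thread (v0.5.0).
$vr = Join-Path $work 'velociraptor.exe'
Invoke-WebRequest -OutFile $vr -Uri `
  'https://github.com/Velocidex/velociraptor/releases/download/v0.5.0/velociraptor-v0.5.0-windows-amd64.exe'

# 2. The CCXLabs artifact pack, unpacked; the YAML definitions live under artifacts/.
$zip = Join-Path $work 'CCXDigger.zip'
Invoke-WebRequest -OutFile $zip -Uri 'https://github.com/CCXLabs/CCXDigger/archive/master.zip'
Expand-Archive -Path $zip -DestinationPath $work -Force
$defs = Join-Path $work 'CCXDigger-master\artifacts'

# 3. GOTRACEBACK=all makes the Go runtime print every goroutine's stack on a
#    fatal error instead of only the runtime stack shown in the report.
$env:GOTRACEBACK = 'all'

# 4. Collect only the suspect artifact. Name inferred from the YAML path
#    (assumption); SearchVSS=N rules shadow-copy scanning out first, since the
#    reporter has no VSS copies. --definitions loads the extra artifact
#    directory, --args passes artifact parameters, --output writes a zip.
$artifact = 'CyberCX.Windows.ServiceEventLogs'
& $vr --definitions $defs artifacts collect $artifact --args SearchVSS=N `
    --output (Join-Path $work 'ServiceEventLogs.zip') 2>&1 |
    Tee-Object -FilePath (Join-Path $work 'collect.log')
```

If the overflow reproduces, collect.log then holds the full goroutine traces rather than the truncated runtime stack, which is what "more of a backtrace" needs to point at the recursing function.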
