
[REQUIRED DLL] Injector timed out for Windows/System32/ntdll.dll #808

Open
Scopemetadata opened this issue Aug 14, 2023 · 6 comments
Labels
bug Something isn't working

Comments

Scopemetadata commented Aug 14, 2023

How to reproduce

Steps to reproduce the behavior:

  1. Install drakcore and drakrun
  2. Execute draksetup ...
  3. Execute draksetup install iso
  4. After install and reaching desktop I closed the vncviewer window.
  5. Run draksetup postinstall
    Following is the output.


```
draksetup postinstall 
[2023-08-14 03:12:44,891][INFO] Cleaning up leftovers(if any)
[2023-08-14 03:12:44,892][INFO] Ejecting installation CDs
[2023-08-14 03:12:45,108][INFO] Determined PDB GUID: 684da42a30cc450f81c535b4d18944b12
[2023-08-14 03:12:45,108][INFO] Determined kernel filename: ntkrpamp.pdb
[2023-08-14 03:12:45,108][INFO] Fetching PDB file...
[2023-08-14 03:12:45,129][DEBUG] Starting new HTTPS connection (1): msdl.microsoft.com:443
[2023-08-14 03:12:45,966][DEBUG] https://msdl.microsoft.com:443 "GET /download/symbols/ntkrpamp.pdb/684da42a30cc450f81c535b4d18944b12/ntkrpamp.pdb HTTP/1.1" 302 0
[2023-08-14 03:12:45,968][DEBUG] Starting new HTTPS connection (1): vsblobprodscussu5shard51.blob.core.windows.net:443
[2023-08-14 03:12:47,509][DEBUG] https://vsblobprodscussu5shard51.blob.core.windows.net:443 "GET /b-4712e0edc5a240eabf23330d7df68e77/6EACF8331C3D96544FB890CEDE4DB714C5EC3AC8A085F404301A577BCBE0B8F900.blob?sv=2019-07-07&sr=b&si=1&sig=1GCgR00TXKyIXbXeZsa6JisPnVb956uugXqGVv7Aiw0%3D&spr=https&se=2023-08-15T07%3A25%3A55Z&rscl=x-e2eid-5287eb90-dc8c4821-a89e9487-0d52224c-session-2302bc79-00414a02-a59a913c-e5bf7814 HTTP/1.1" 200 6933504
100%|██████████████████████████████████████| 6.93M/6.93M [00:09<00:00, 729kiB/s]
[2023-08-14 03:12:57,029][INFO] Generating profile out of PDB file...
[2023-08-14 03:13:10,938][INFO] Saving profile...
[2023-08-14 03:13:10,940][INFO] Deleted /var/lib/drakrun/profiles/ntkrpamp.pdb
[2023-08-14 03:13:11,888][INFO] Saving runtime profile...
[2023-08-14 03:13:11,889][INFO] Saving VM snapshot...
[2023-08-14 03:13:11,889][INFO] Saving VM vm-0
Saving to /var/lib/drakrun/volumes/snapshot.sav new xl format (info 0x3/0x0/2034)
xc: info: Saving domain 7, type x86 HVM
xc: Frames: 1044480/1044480  100%frdra
xc: End of stream: 0/0    0%
[2023-08-14 03:13:17,230][INFO] Snapshot was saved succesfully.
[2023-08-14 03:13:17,231][INFO] Snapshotting persistent memory...
[2023-08-14 03:13:17,234][DEBUG] Starting new HTTPS connection (1): drakvuf.cert.pl:443
[2023-08-14 03:13:18,529][DEBUG] https://drakvuf.cert.pl:443 "POST /usage/draksetup HTTP/1.1" 400 None
[2023-08-14 03:13:18,531][ERROR] Failed to send usage report. This is not a serious problem.
Traceback (most recent call last):
  File "/opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/draksetup.py", line 548, in send_usage_report
    res.raise_for_status()
  File "/opt/venvs/drakrun/lib/python3.8/site-packages/requests/models.py", line 960, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://drakvuf.cert.pl/usage/draksetup
[2023-08-14 03:13:18,631][INFO] Generated VM configuration for vm-1
[2023-08-14 03:13:18,673][INFO] Created bridge drak1
[2023-08-14 03:13:18,764][INFO] Bridge drak1 is up
Formatting '/var/lib/drakrun/volumes/vm-1.img', fmt=qcow2 size=107374182400 backing_file=/var/lib/drakrun/volumes/vm-0.img backing_fmt=qcow2 cluster_size=65536 lazy_refcounts=off refcount_bits=16
[2023-08-14 03:13:19,056][INFO] Restoring VM vm-1
Loading new save file /var/lib/drakrun/volumes/snapshot.sav (new xl fmt info 0x3/0x0/2034)
 Savefile contains xl domain config in JSON format
Parsing config from /etc/drakrun/configs/vm-1.cfg
xc: info: Found x86 HVM domain from Xen 4.16
xc: info: Restoring domainduring
xc: info: Restore successful
xc: info: XenStore: mfn 0xfeffc, dom 0, evt 1
xc: info: Console: mfn 0xfefff, dom 0, evt 2
[2023-08-14 03:13:22,682][INFO] Fetching rekall profile for Windows/System32/ntdll.dll
[2023-08-14 03:14:22,788][INFO] Deleted /var/lib/drakrun/profiles/amd64_ntdll_profile
Traceback (most recent call last):
  File "/opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/draksetup.py", line 586, in create_rekall_profile
    cmd = injector.read_file(guest_dll_path, local_dll_path)
  File "/opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/injector.py", line 66, in read_file
    return subprocess.run(injector_cmd, timeout=timeout, capture_output=True)
  File "/usr/lib/python3.8/subprocess.py", line 495, in run
    stdout, stderr = process.communicate(input, timeout=timeout)
  File "/usr/lib/python3.8/subprocess.py", line 1028, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
  File "/usr/lib/python3.8/subprocess.py", line 1869, in _communicate
    self._check_timeout(endtime, orig_timeout, stdout, stderr)
  File "/usr/lib/python3.8/subprocess.py", line 1072, in _check_timeout
    raise TimeoutExpired(
subprocess.TimeoutExpired: Command '['injector', '-o', 'json', '-d', 'vm-1', '-r', '/var/lib/drakrun/profiles/kernel.json', '-i', '1476', '-k', '0x185000', '-m', 'readfile', '-e', 'C:\\Windows\\System32\\ntdll.dll', '-B', '/var/lib/drakrun/profiles/amd64_ntdll_profile']' timed out after 60 seconds

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/bin/draksetup", line 5, in <module>
    ds.main()
  File "/opt/venvs/drakrun/lib/python3.8/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/opt/venvs/drakrun/lib/python3.8/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/opt/venvs/drakrun/lib/python3.8/site-packages/click/core.py", line 1259, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/opt/venvs/drakrun/lib/python3.8/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/opt/venvs/drakrun/lib/python3.8/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/draksetup.py", line 817, in postinstall
    create_missing_profiles()
  File "/opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/draksetup.py", line 864, in create_missing_profiles
    create_rekall_profile(injector, profile, True)
  File "/opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/draksetup.py", line 633, in create_rekall_profile
    on_create_rekall_profile_failure(
  File "/opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/draksetup.py", line 570, in on_create_rekall_profile_failure
    raise Exception(f"[REQUIRED DLL] {msg}") from exception
Exception: [REQUIRED DLL] Injector timed out for Windows/System32/ntdll.dll
```

Checking `xl list` does not show vm-0 either, only Domain-0 and vm-1.

Running `drakplayground 0` outputs: failed to restore VM vm-0.

Re-running `draksetup postinstall` says vm-0 is not running either, and the health check passes successfully.

Scopemetadata added the "bug" label Aug 14, 2023

Scopemetadata commented Aug 14, 2023

This is on Ubuntu 20. Also, if I try to re-run `draksetup install isofile`, the error encountered is: failed to get "write" lock. Is another process using the image /var/lib/drakrun/volumes/vm-0.img


psrok1 commented Aug 14, 2023

Hi! What version of Drakvuf do you use? This might be caused by an issue that is discussed here: tklengyel/drakvuf#1639.

Scopemetadata commented

@psrok1 I'm using DRAKVUF Sandbox v0.18.2. I downloaded the files from the sandbox GitHub, but the timeout issue remains regardless.


psrok1 commented Aug 14, 2023

OK, I see that you have problems with vm-0. Can you paste the complete log from `drakplayground 0`? It might also be helpful to see the logs from /var/log/xen/qemu-dm-vm-0.log and xl-vm-0.log.


Scopemetadata commented Aug 15, 2023

I nuked the instance and re-did everything. The documentation itself is missing a lot of things. Secondly, after running the postinstall command I am getting the issue below:

#562

This should have been fixed, but it's still happening.


sim1e097cd commented Jan 29, 2024

This can be solved by adding libxenforeignmemory.so.1.4 and creating a symlink for the drakvuf library file located at /usr/lib/x86_64-linux-gnu/libxenforeignmemory.so.1:

```
ln -s libxenforeignmemory.so.1.4 libxenforeignmemory.so.1
```

In addition to that, you have to increase the timeout of the `read_file` function in /opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/injector.py. In my case this was enough:

```
def read_file(self, remote_path: str, local_path: str, timeout: int = 600) -> subprocess.CompletedProcess:
```
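The workaround above hard-codes a 600 s timeout in `read_file`. As an added illustration (not drakrun's own code), the wrapper below keeps the argument layout of the `injector` command quoted in the traceback, reads the timeout from an assumed `DRAKRUN_INJECTOR_TIMEOUT` environment variable (defaulting to the 60 s seen in the log), and turns a `subprocess.TimeoutExpired` into a result object that keeps the partial output instead of an opaque traceback.

```python
"""Hypothetical wrapper around the DRAKVUF injector 'readfile' call (not drakrun code)."""
import os
import subprocess
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class InjectorResult:
    command: List[str]
    timed_out: bool
    returncode: Optional[int]   # None when the injector was killed on timeout
    stdout: bytes
    stderr: bytes


def default_timeout() -> float:
    """Assumed env var (not part of drakrun); default is the 60 s seen in the log."""
    return float(os.environ.get("DRAKRUN_INJECTOR_TIMEOUT", "60"))


def build_readfile_cmd(domain: str, kernel_profile: str, pid: str, kernbase: str,
                       guest_path: str, local_path: str) -> List[str]:
    """Same argument order as the command quoted in the TimeoutExpired message."""
    return ["injector", "-o", "json", "-d", domain, "-r", kernel_profile,
            "-i", pid, "-k", kernbase, "-m", "readfile",
            "-e", guest_path, "-B", local_path]


def run_with_timeout(cmd: List[str], timeout: Optional[float] = None) -> InjectorResult:
    """Run cmd; on timeout return whatever was captured instead of raising."""
    if timeout is None:
        timeout = default_timeout()
    try:
        proc = subprocess.run(cmd, timeout=timeout, capture_output=True)
        return InjectorResult(cmd, False, proc.returncode, proc.stdout, proc.stderr)
    except subprocess.TimeoutExpired as exc:
        # subprocess.run has already killed the child; exc carries the partial output
        return InjectorResult(cmd, True, None, exc.stdout or b"", exc.stderr or b"")
```

A caller can then log `result.command` and `result.stdout` on `timed_out` and retry with a larger value, rather than losing the injector's own JSON output in the `[REQUIRED DLL]` exception.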
