Why is the name of syscall unknown?

[snbst-git]

Hi @Wenzel , sorry for bothering you again.
But I have no idea what happened and how to solve the problem. So I have no choice but to ask you for help, I just want to know:

• Did you ever meet this problem?
• Would you please give me some suggestions?

Problem

All in all, in all the result of syscall, the filed "full_name"="Table0!Unknown" or "Table1!Unknown", and so "name"="Unknown".
This is the screenshot of nitro's output.

Something might help

I read the code in nitro/backends/windows/backend.py, and I think this problem could be caused by the incorrect result of nitro/backends/windows/get_symbols.py as follow:

As is in the code, the full names of syscall should have been loaded from the output of get_symbols.py, in the filed syscall_table. However in my result, there is not any syscall's name.

Also I have to emphasize that my rekall works not really well as I mentioned in #77 . When I analyze an image dumped manually, the process list is empty.

---

From the bottom of my heart, thank you again for help!

[Wenzel]

The syscall name is not not found in the table, so there is a KeyError:

nitro/nitro/backends/windows/backend.py

Line 192 in 386629c

syscall_name = 'Table{}!Unknown'.format(idx)

you need to look at the JSON profile, and look at the code and see what is wrong there

[snbst-git]

@Wenzel Thank you for replying so quickly!

you need to look at the JSON profile, and look at the code and see what is wrong there

So it’s still a problem of profile?
I’m now using an older version of Windows7 with GUID 2E37F962D699492CAAF3F9F4E9770B1D2.
And I try 2 profiles as follow.

Rekall profile repository

There is still an online repository of rekall profiles:https://github.com/google/rekall-profiles/tree/gh-pages/v1.0/nt/GUID So I simply downloaded it all and chose the profile matched my virtual machine.

Rekall fetch_pdb and parse_pdb

Rekall offers plugins to generate profile manually, which you must have already used before. So I fetched the ntkrlmp with GUID 2E37F962D699492CAAF3F9F4E9770B1D2, and parsed it to generate my profile.

Compare

The two profiles are not the same. But both of them result in the same “Unknown” syscall.

——
So it is exactly the profile result in this problem?
If it’s true, is there any other way to find a correct profile?

[Wenzel]

I dont know what the problem is,
you need to look at the code and debug it when it is loading the profile to figure out what's wrong.

[snbst-git]

@Wenzel I understand, I’ll try to debug it.
Wish it’s the last time to bother you.
Thank you for suggestion!

[snbst-git]

Hi @Wenzel , I've figured it out.
It's just because the net connection with Microsoft failed.

---

I found this problem when manually called the ssdt plugin in rekall interactive shell which printed some useful information. I don't know why rekall still need to fetch pdb file from Microsoft's server even I already set a local profile.

Although sometimes it still ends with the error "process not found", but mostly nitro works well.

---

Thank you for the help!

(And also sorry for such a meaningless problem.)