libdrakvuf initialization failed #427

Closed
toswi opened this issue Jul 12, 2018 · 1 comment
toswi commented Jul 12, 2018

I tried the installation of DRAKVUF multiple times on Debian stretch and testing.
vmi-process-list works in most cases, except when the VM seems to be under heavy load; then it throws the "Failed to init LibVMI library." error.
However, I never got DRAKVUF really working. I followed the tutorial and also played around a bit with the settings, and it worked only once, with the most recent version using Xen 4.11. Yet after doing a complete reinstallation of Debian and DRAKVUF, the issue is the same. Never change a running system ... Enabling the debug option also did not really help. Output is:

DRAKVUF v0.6-8398ec9
Starting DRAKVUF initialization
drakvuf_event_fd_add fd=10
size of list=1
regenerating event_fds and fd_info_lookup...
new event_fd i=0 for fd=10
new fd_info_lookup i=0 for fd=10
drakvuf_init: adding event_fd done
libdrakvuf initialization failed
Failed to initialize DRAKVUF

Any ideas for further debugging? I'm also wondering how valid the install instructions still are, since they were based on Debian jessie. I mostly used the ones from drakvuf.com, but there is also another one here: https://isec.ne.jp/wp-content/uploads/2017/08/18DRAKVUF.pdf showing slightly different packages and installation workflow.
In some other issues like #377 it was mentioned that different Python versions could help, though I could not find anything in the instructions regarding new Python versions.
Altp2m is also enabled in GRUB as well as the vm.cfg.
/etc/default/grub has:

GRUB_CMDLINE_XEN_DEFAULT="dom0_mem=2048M,max:2048M dom0_max_vcpus=2 dom0_vcpus_pin=true hap_1gb=false hap_2mb=false altp2m=1"

vm.cfg:

name = "vm"
arch = 'x86_64'
maxmem = 1024
memory = 1024
vcpus = 2
maxcpus = 2
acpi = 1
on_poweroff = "destroy"
on_reboot = "destroy"
on_crash = "destroy"
audio=1
usb = 1
usbdevice = "tablet"
soundhw = 'hda'
builder = "hvm"
boot = "cd"
disk = [ "/home/user/vm.qcow2,qcow2,hdc,rw" ]
altp2m = 2
shadow_memory = 16
hap=1
vnc=1
vnclisten="0.0.0.0"

Host and guest kernels are 4.9.0-6 from Debian stable.

I'm also wondering why the debugging output is rather short compared to other people here. It doesn't show stuff like altp2m, maxmem etc.

@tklengyel
Owner

The instructions are valid as of stretch too, but of course you might need to tweak them to match your distribution. The Python and Rekall related changes are already reflected in the instructions. Your log is indeed short. I suggest you try to update to the latest version of both DRAKVUF and LibVMI and see if you still have the issue.
