WinPmem produces empty RAW Dump #55

Open
Cameron-Boyd opened this issue Jul 9, 2024 · 8 comments
Comments

@Cameron-Boyd

Hello guys,
when using the 64-bit executable from the releases on a device, it loads and unloads the driver, then straight away creates a RAW dump with a size of 0 bytes and exits. The cmd.exe is running elevated. Is there a good reason for this, or is this a bug?

This is the STDOUT:

```text
C:\Users\TestAccount\Downloads>.\winpmem_mini_x64_rc2.exe dumper.raw
WinPmem64
Extracting driver to C:\Users\WDAGUtilityAccount\AppData\Local\Temp\pme65F.tmp
Driver Unloaded.
Deleting C:\Users\WDAGUtilityAccount\AppData\Local\Temp\pme65F.tmp
Driver Unloaded.

C:\Users\TestAccount\Downloads>
```
@scudette
Contributor

scudette commented Jul 9, 2024

Can you please try the binary built in #53? I found it works a bit better than the release.

@wallrik

wallrik commented Aug 11, 2024

It's extracting under WDAGUtilityAccount (Windows Defender Application Guard). Could it be blocked, perhaps?

@vivianezw
Collaborator

@wallrik Hey, a damn good observation; I didn't notice until you mentioned it. Odd.

Hm. The print verbosity of the usermode app could really be better and ought to be worked over.

@JeetDSharma

Any fixes found on this? I am facing the same issue.

@Cameron-Boyd
Author

> Any fixes found on this? I am facing the same issue.

I used the build mentioned by @scudette and that worked :)

@vivianezw
Collaborator

vivianezw commented Nov 12, 2024

Yes, and for everybody else reading: I think we are planning to release a new version that addresses some issues of the past. For now, the build mentioned, or compiling it yourself from the current source, addresses most issues.

On an Azure machine or a high-tech hardware server + very modern Windows Server, please stick to the physical memory method. It might be a level 5 paging system. The upcoming version will correctly recognize this.
Edit: to be more precise, a system with around 256 TB or more of physical memory. If you have that, level 5 might be active, and then you have "ntkrla57.exe" in the System32 folder. (You can check for this, but only bother when you have that much memory.)
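
The two checks raised in this thread (the WDAGUtilityAccount paths in the original report, and the ntkrla57.exe / physical-memory rule of thumb in the comment above), plus a sanity check for the 0-byte dump symptom, as an added PowerShell example. This is not WinPmem's own code. Assumptions: the function names are hypothetical; the Application Guard detection is a heuristic based on the account name seen in the report; the 256 TB threshold is the maintainer's rule of thumb, not a documented tool behaviour; the acquisition-mode flag is deliberately not hard-coded, since its number should be read from the tool's own usage text; and the "under half of RAM is implausible" test is a heuristic, because a RAW image covers the physical address layout rather than exactly TotalPhysicalMemory.

```powershell
# Added example (not WinPmem project code): pre-flight checks before running
# winpmem_mini_x64.exe, and a post-run check for the empty-dump symptom.

function Test-WinPmemPreflight {
    [CmdletBinding()]
    param(
        # Where the RAW image will be written; used only for the free-space check.
        [string]$OutputPath = (Join-Path $PWD 'memory.raw')
    )

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Heuristic (assumption): the driver path in the report lived under
    # WDAGUtilityAccount, i.e. the tool ran inside a Windows Defender Application
    # Guard container rather than in the host session.
    $inWdag = ($identity.Name -match '\\WDAGUtilityAccount$') -or
              ($env:TEMP -match '\\WDAGUtilityAccount\\')

    $physBytes = [uint64](Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory

    # Maintainer's rule of thumb (assumption, not a documented check): the LA57
    # kernel image is present and the machine has on the order of 256 TB of RAM.
    $la57Kernel = Test-Path -LiteralPath (Join-Path $env:SystemRoot 'System32\ntkrla57.exe')
    $la57Likely = $la57Kernel -and ($physBytes -ge 256TB)

    # A RAW image is roughly the size of physical memory; check the output volume.
    $freeBytes = $null
    try {
        $dir  = (Resolve-Path -LiteralPath (Split-Path -Parent $OutputPath)).Path
        $root = [System.IO.Path]::GetPathRoot($dir)
        $freeBytes = [uint64][System.IO.DriveInfo]::new($root).AvailableFreeSpace
    } catch { }   # UNC or unresolvable path: leave $freeBytes as $null

    $notes = New-Object System.Collections.Generic.List[string]
    if (-not $elevated) { $notes.Add('Not elevated: loading the kernel driver requires an administrator prompt.') }
    if ($inWdag)        { $notes.Add('Running as WDAGUtilityAccount: this is an Application Guard container, not the host.') }
    if ($la57Likely)    { $notes.Add('5-level paging likely: use the \\.\PhysicalMemory acquisition method (flag per the tool usage text).') }
    if (($null -ne $freeBytes) -and ($freeBytes -lt $physBytes)) {
        $notes.Add(('Only {0:N0} bytes free on the output volume; a full image needs about {1:N0}.' -f $freeBytes, $physBytes))
    }

    [pscustomobject]@{
        Elevated      = $elevated
        InsideWdag    = $inWdag
        PhysicalBytes = $physBytes
        La57Kernel    = $la57Kernel
        La57Likely    = $la57Likely
        FreeBytes     = $freeBytes
        OutputPath    = $OutputPath
        Notes         = $notes.ToArray()
    }
}

function Test-WinPmemDump {
    # After acquisition: a 0-byte RAW file (the symptom in this issue), or one far
    # smaller than physical memory, means nothing usable was written.
    param(
        [Parameter(Mandatory)][string]$Path,
        [uint64]$PhysicalBytes = [uint64](Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Bytes = [uint64]0; Plausible = $false }
    }
    $bytes = [uint64](Get-Item -LiteralPath $Path).Length
    # Heuristic (assumption): physical address space has MMIO holes and reserved
    # ranges, so the image need not equal TotalPhysicalMemory; under half is suspect.
    [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        Bytes     = $bytes
        Plausible = ($bytes -gt 0) -and ($bytes -ge ($PhysicalBytes / 2))
    }
}

# Usage (assumes winpmem_mini_x64.exe is in the current directory):
#   $pre = Test-WinPmemPreflight -OutputPath C:\dumps\host.raw
#   $pre.Notes
#   if ($pre.Elevated -and -not $pre.InsideWdag) { .\winpmem_mini_x64.exe C:\dumps\host.raw }
#   Test-WinPmemDump -Path C:\dumps\host.raw -PhysicalBytes $pre.PhysicalBytes
```

Run the pre-flight from the same elevated prompt you intend to launch WinPmem from, so the elevation and account checks reflect the session the driver will actually be loaded in.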

@scudette
Contributor

Can you also test the Go user space app? This is likely to be the most supported going forward.

@JeetDSharma

@vivianezw do let me know if I can contribute to this project on any issue, I would love to see this open source project expand. Although I don't have much experience, I would like to contribute in any way possible.
