issue using winpmem #22
I have no idea what pcm.exe is and what it does? Are you able to load the driver using winpmem.exe -l ?
This is what I get when running the winpmem.exe -l command:
C:\Users\User\Desktop\WinPmem-master\kernel\executable\Debug>winpmem.exe -l
WinPmem64
Extracting driver to C:\Users\User\AppData\Local\Temp\pme7563.tmp
Driver Unloaded.
Loaded Driver C:\Users\User\AppData\Local\Temp\pme7563.tmp.
Deleting C:\Users\User\AppData\Local\Temp\pme7563.tmp
--
Regards,
Zineb
Cool, looks like it is working - can you take a memory image? You can see the driver is installed using sc:
sc.exe query winpmem
Here is the output:
C:\Users\User\Desktop\WinPmem-master\kernel\executable\Debug>sc.exe query winpmem
SERVICE_NAME: winpmem
TYPE : 1 KERNEL_DRIVER
STATE : 1 STOPPED
WIN32_EXIT_CODE : 31 (0x1f)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
--
Regards,
Zineb
So why is the state stopped?
Also, how to take a memory image please?
--
Regards,
Zineb
Just run it like winpmem.exe foo.dd
Make sure you use the release binary from the releases page rather than try to build it from source - otherwise you need to sign the driver somehow.
I actually built the source code to get the .exe file.
Could you please point me to the release page where I can find the .exe file to run? (I don't seem to find it on the GitHub repo)
Thanks again
--
Regards,
Zineb
Thank you for your response. Here is the output:
C:\Users\User\Desktop\WinPmem-master>winpmem_mini_x64_rc2.exe foo.dd
WinPmem64
Extracting driver to C:\Users\User\AppData\Local\Temp\pme5B65.tmp
Driver Unloaded.
Loaded Driver C:\Users\User\AppData\Local\Temp\pme5B65.tmp.
Deleting C:\Users\User\AppData\Local\Temp\pme5B65.tmp
The system time is: 02:18:37
Will generate a RAW image
- buffer_size_: 0x1000
CR3: 0x00001AD000
5 memory ranges:
Start 0x00001000 - Length 0x0005B000
Start 0x0005D000 - Length 0x00043000
Start 0x00100000 - Length 0xD063D000
Start 0xD1C0F000 - Length 0x00001000
Start 0x100000000 - Length 0x127800000
max_physical_memory_ 0x227800000
Acquitision mode PTE Remapping
Padding from 0x00000000 to 0x00001000
pad
- length: 0x1000
00% 0x00000000 .
copy_memory
- start: 0x1000
- end: 0x5c000
00% 0x00001000 .
Padding from 0x0005C000 to 0x0005D000
pad
- length: 0x1000
00% 0x0005C000 .
copy_memory
- start: 0x5d000
- end: 0xa0000
00% 0x0005D000 .
Padding from 0x000A0000 to 0x00100000
pad
- length: 0x60000
00% 0x000A0000 .
copy_memory
- start: 0x100000
- end: 0xd073d000
00% 0x00100000 ..................................................
09% 0x32100000 ..................................................
18% 0x64100000 ..................................................
27% 0x96100000 ..................................................
36% 0xC8100000 .........
Padding from 0xD073D000 to 0xD1C0F000
pad
- length: 0x14d2000
37% 0xD073D000 ..
copy_memory
- start: 0xd1c0f000
- end: 0xd1c10000
38% 0xD1C0F000 .
Padding from 0xD1C10000 to 0x100000000
pad
- length: 0x2e3f0000
38% 0xD1C10000 ...............................................
copy_memory
- start: 0x100000000
- end: 0x227800000
46% 0x100000000 ..................................................
55% 0x132000000 ..................................................
64% 0x164000000 ..................................................
73% 0x196000000 ..................................................
82% 0x1C8000000 ..................................................
91% 0x1FA000000 ..............................................
The system time is: 02:20:31
Driver Unloaded.
It also generated the .dd file (8.5 G)
--
Regards,
Zineb
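One way to verify an acquisition like the one above is to cross-check the RAW image against what the tool itself printed: the memory map, the padding it inserted, and max_physical_memory_ together give the exact size the .dd must have. The following is an added example, not code from the thread or from the WinPmem project; the sample log is a constructed excerpt of the output quoted above, and the check is run with a hypothetical on-disk size rather than an actual file.

```python
import re

# Constructed sample: the lines of the winpmem_mini_x64_rc2.exe output quoted
# above that matter for size verification (memory map, max, padding steps).
SAMPLE_LOG = """\
Will generate a RAW image
5 memory ranges:
Start 0x00001000 - Length 0x0005B000
Start 0x0005D000 - Length 0x00043000
Start 0x00100000 - Length 0xD063D000
Start 0xD1C0F000 - Length 0x00001000
Start 0x100000000 - Length 0x127800000
max_physical_memory_ 0x227800000
Padding from 0x00000000 to 0x00001000
Padding from 0x0005C000 to 0x0005D000
Padding from 0x000A0000 to 0x00100000
Padding from 0xD073D000 to 0xD1C0F000
Padding from 0xD1C10000 to 0x100000000
"""

RANGE_RE = re.compile(r"Start (0x[0-9A-Fa-f]+) - Length (0x[0-9A-Fa-f]+)")
MAX_RE = re.compile(r"max_physical_memory_ (0x[0-9A-Fa-f]+)")
PAD_RE = re.compile(r"Padding from (0x[0-9A-Fa-f]+) to (0x[0-9A-Fa-f]+)")


def parse_winpmem_log(text):
    """Return the physical memory map, max_physical_memory_ and total padding."""
    ranges = [(int(s, 16), int(n, 16)) for s, n in RANGE_RE.findall(text)]
    m = MAX_RE.search(text)
    if m is None:
        raise ValueError("no max_physical_memory_ line in log")
    padding = sum(int(b, 16) - int(a, 16) for a, b in PAD_RE.findall(text))
    return {"ranges": ranges, "max_physical": int(m.group(1), 16), "padding_bytes": padding}


def check_raw_image(parsed, image_size):
    """Return a list of problems (empty means the RAW image is consistent).
    A RAW image is padded from physical address 0, so its size must equal
    max_physical_memory_, which must also be the end of the last range."""
    problems, prev_end = [], 0
    for start, length in parsed["ranges"]:
        if start < prev_end:  # ranges must be ascending and non-overlapping
            problems.append(f"range at {start:#x} overlaps the previous range")
        prev_end = start + length
    copied = sum(length for _, length in parsed["ranges"])
    if copied + parsed["padding_bytes"] != parsed["max_physical"]:
        problems.append("copied bytes + padding bytes != max_physical_memory_")
    if prev_end != parsed["max_physical"]:
        problems.append("last range does not end at max_physical_memory_")
    if image_size != parsed["max_physical"]:
        problems.append(f"image is {image_size} bytes, expected {parsed['max_physical']}")
    return problems
```

For the log above the expected size works out to 0x227800000 bytes (about 8.6 GiB), consistent with the roughly 8.5 G file reported; pass `os.path.getsize("foo.dd")` as `image_size` to check a real image.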
Same problem here. I guess it has to do with write not being enabled. I have tried to enable it by "winpmem.exe -w -l" while running in test mode, but no luck as it complains of "Failed to set write mode. Maybe these drivers do not support this mode?"
PS: there are also some syntax errors with pmem write enable under read.c PmemWrite line 687 and line 691
We do not release drivers with write mode enabled. You do not need these to acquire memory.
Mike Cohen
Digital Paleontologist,
Velocidex Enterprises
Thanks Mike, I am using this for testing purposes only and I am trying to compile/build a working write-enabled driver using the notes in https://github.com/Velocidex/WinPmem/blob/master/README.md . No luck so far with the .sys driver or with the .exe tool :(
You have to rebuild the driver in Visual Studio and then take the sys file to place into the bisque binaries folder and then compile the user space program using Visual Studio as well.
Then you need to set your system into loading test drivers with bcdedit, otherwise you can't load the unsigned driver.
What specific errors are you getting in building?
Thanks
Mike
Thank you, will give that a shot.
Also, after fixing these syntax errors and building the .sys, the service cannot start on Windows using this sys for some reason if I try to start it with sc.exe
Bump. Could you see why the winpmem latest release is failing on the windows-latest GitHub worker?
name: TestJob
on:
  # manually trigger
  workflow_dispatch:
jobs:
  run_win:
    runs-on: windows-latest
    steps:
      - name: Run script
        run: |
          curl -OL URI/winpmem.exe
          ./winpmem.exe dump.raw
          dir
Is this related to this issue? Are you compiling your own driver? If you do, you will need to sign it.
I am trying to use the pcm (performance counter) and using the winpmem driver.
I have the following error on the event viewer:
The winpmem service failed to start due to the following error:
A device attached to the system is not functioning.
I am using the x64.sys file and storing it in the same directory where I run my pcm.exe
Could you kindly help?
Thanks