NT6.0 : Windows Vista/Windows Server 2008, x64 and x86 guest support

[ohault]

According to #122 (comment), The current KPRCB->CurrentThread->Process method could be with Windows Vista too.

Is there something else to prevent DRAKVUF to support Windows Vista ?

[julie-nga]

Hello, I've been testing DRAKVUF with a Windows Vista SP2 x64 guest. I noticed that the set_os_windows function of drakvuf/src/libdrakvuf/win.c returns 0 because the symbols ObpInfoMaskToOffset and ObTypeIndexTable don't exist in the Vista JSON profile (which is normal because these symbols were introduced in Windows 7) :

if (VMI_FAILURE == vmi_translate_ksym2v(drakvuf->vmi, "ObpInfoMaskToOffset", &drakvuf->ob_infomask2off) ||
        VMI_FAILURE == vmi_translate_ksym2v(drakvuf->vmi, "ObTypeIndexTable",    &drakvuf->ob_type_table))
    {
        return 0;
    }

This causes drakvuf->os to be set to VMI_OS_UNKNOWN in _drakvuf_init_os (in drakvuf/src/libdrakvuf/drakvuf.c) , even though Vista is correctly detected :

 case VMI_OS_WINDOWS:
            if ( !set_os_windows(drakvuf) )
                drakvuf->os = VMI_OS_UNKNOWN;

As a test, I commented out the check for those two symbols in the function set_os_windows , and that allowed the plugins apimon and procmon to run on Vista.

• apimon :

ju@ju-virtual-machine:~/drakvuf$ sudo ./build/drakvuf -r /root/windows-vista-sp2.json -d windows-vista-sp2 -o json -a apimon
1747998533.637069 DRAKVUF v1.1-93ec052 Copyright (C) 2014-2024 Tamas K Lengyel
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\ntdll.dll","DllBase":"0x76dc0000","PID":1012}
{ "Plugin": "apimon", "Event": "dll_loaded", "Rva": { "RtlExitUserProcess": 131728 }, "DllBase": "0x76dc0000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 1012 }
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\ntdll.dll","DllBase":"0x76dc0000","PID":2388}
{ "Plugin": "apimon", "Event": "dll_loaded", "Rva": { "RtlExitUserProcess": 131728 }, "DllBase": "0x76dc0000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 2388 }
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\ntdll.dll","DllBase":"0x76dc0000","PID":4}
{ "Plugin": "apimon", "Event": "dll_loaded", "Rva": { "RtlExitUserProcess": 131728 }, "DllBase": "0x76dc0000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 4 }
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\ntdll.dll","DllBase":"0x76dc0000","PID":724}
{ "Plugin": "apimon", "Event": "dll_loaded", "Rva": { "RtlExitUserProcess": 131728 }, "DllBase": "0x76dc0000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 724 }
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Program Files\\Windows Photo Gallery\\PhotoLibraryResources.dll","DllBase":"0x74fd0000","PID":724}
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Program Files\\Windows Photo Gallery\\PhotoLibraryResources.dll","DllBase":"0x74dc0000","PID":724}
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\ntdll.dll","DllBase":"0x76dc0000","PID":1600}
{ "Plugin": "apimon", "Event": "dll_loaded", "Rva": { "RtlExitUserProcess": 131728 }, "DllBase": "0x76dc0000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 1600 }
VMI_ERROR: Could not find EPROCESS struct for pgd = 0x71602000.
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\ntdll.dll","DllBase":"0x76dc0000","PID":-1}
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\verclsid.exe","DllBase":"0x3260000","PID":724}
[...]

It seems to work partially as I occasionnally get the error VMI_ERROR: Could not find EPROCESS struct for pgd = 0x71602000.. (Update: that error also happens with a Windows 7 SP1 guest VM so the plugin apimon seems to work for a Windows Vista SP2 64 bits)

• cpuidmon : doesn't work, there's no output
• procmon and callbackmon : procmon seems to work and callbackmon fail to start :

ju@ju-virtual-machine:~/drakvuf$ sudo ./build/drakvuf -r /root/windows-vista-sp2.json -d windows-vista-sp2 
1747998978.345508 DRAKVUF v1.1-93ec052 Copyright (C) 2014-2024 Tamas K Lengyel
[PROCMON] TIME:1747998980.528607 PID:4 PPID:0 RunningProcess:"System"
[PROCMON] TIME:1747998980.529039 PID:368 PPID:4 RunningProcess:"\Device\HarddiskVolume1\Windows\System32\smss.exe"
[PROCMON] TIME:1747998980.529339 PID:436 PPID:424 RunningProcess:"\Device\HarddiskVolume1\Windows\System32\csrss.exe"
[PROCMON] TIME:1747998980.529679 PID:480 PPID:424 RunningProcess:"\Device\HarddiskVolume1\Windows\System32\wininit.exe"
[...]
[PROCMON] TIME:1747998980.539862 PID:2496 PPID:708 RunningProcess:"\Device\HarddiskVolume1\Program Files (x86)\Internet Explorer\ieuser.exe"
[PROCMON] TIME:1747998980.540177 PID:1748 PPID:708 RunningProcess:"\Device\HarddiskVolume1\Program Files (x86)\Internet Explorer\iexplore.exe"
[PROCMON] TIME:1747998980.540694 PID:2868 PPID:564 RunningProcess:"\Device\HarddiskVolume1\Windows\System32\wsqmcons.exe"
[PROCMON] TIME:1747998980.541093 PID:1728 PPID:724 RunningProcess:"\Device\HarddiskVolume1\Windows\System32\mspaint.exe"
[PROCMON] TIME:1747998980.541490 PID:2448 PPID:568 RunningProcess:"\Device\HarddiskVolume1\Windows\System32\svchost.exe"
[PROCMON] TIME:1747998980.541987 PID:1556 PPID:1012 RunningProcess:"\Device\HarddiskVolume1\Windows\System32\taskeng.exe"
[PROCMON] TIME:1747998980.542474 PID:1832 PPID:1012 RunningProcess:"\Device\HarddiskVolume1\Windows\System32\taskeng.exe"
Plugin callbackmon startup failed!
ju@ju-virtual-machine:~/drakvuf$ 

Does anyone have suggestions on how Vista could be completely supported by DRAKVUF ?

[julie-nga]

Hi, I've been testing the DRAKVUF plugins for Windows on both Windows 7 SP1 and Windows Vista SP2 (64 and 32 bits). For testing with the Windows Vista, I did it with the change described in my previous comment.

I created a table summarizing which plugins are working for each version :

• For the plugin cpuidmon, I'm not sure to have all the logs for a Windows Vista SP2 64 bits as for example with the other OSes I have logs when I open Paint but not for Windows Vista SP2 64 bits

I'm preparing a pull request to add Vista support where applicable.

Feedback and help are welcome!

[ohault]

It's really promising, thank you @julie-nga. Thank you also @mtarral/@Wenzel for your initial inputs.

[ohault]

A next step would be to bring support for the OBJECT_HEADER structure layout used by Windows Vista x86 and x64.

Related functions (non exhaustive)

• https://github.com/tklengyel/drakvuf/blob/main/src/libdrakvuf/win.c#L427
• https://github.com/tklengyel/drakvuf/blob/main/src/libdrakvuf/win.c#L449
• https://github.com/tklengyel/drakvuf/blob/main/src/libdrakvuf/win.c#L477

Impacted plugins (non exhaustive)

• CALLBACKMON

Referecences:

• https://codemachine.com/articles/object_headers.html
• https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/ntos/ob/object_header/index.htm