VMI_ERROR with apimon plugin #1836

@julie-nga

Hello,

I noticed that I sometimes run into errors of type VMI_ERROR: Could not find EPROCESS struct for pgd = 0x69fca000. with the plugin apimon.

For instance, in this output:

ju@ju-virtual-machine:~/drakvuf$ sudo ./build/drakvuf -r /root/windows7-sp1.json -d windows7-sp1 -o json -a apimon
1748896437.437151 DRAKVUF v1.1-93ec052 Copyright (C) 2014-2024 Tamas K Lengyel
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\ntdll.dll","DllBase":"0x77600000","PID":1660}
{ "Plugin": "apimon", "Event": "dll_loaded", "Rva": { "RtlExitUserProcess": 147696 }, "DllBase": "0x77600000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 1660 }
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\UIAnimation.dll","DllBase":"0x7fef9c10000","PID":1660}
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\UIAnimation.dll","DllBase":"0x7fef9c10000","PID":1660}
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\UIAnimation.dll","DllBase":"0x7fef9c10000","PID":1660}
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\Magnify.exe","DllBase":"0xff830000","PID":1660}
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\ntdll.dll","DllBase":"0x77600000","PID":840}
{ "Plugin": "apimon", "Event": "dll_loaded", "Rva": { "RtlExitUserProcess": 147696 }, "DllBase": "0x77600000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 840 }
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\ntdll.dll","DllBase":"0x77600000","PID":388}
{ "Plugin": "apimon", "Event": "dll_loaded", "Rva": { "RtlExitUserProcess": 147696 }, "DllBase": "0x77600000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 388 }
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\Magnify.exe","DllBase":"0xff9d0000","PID":1660}
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\ntdll.dll","DllBase":"0x77600000","PID":1016}
{ "Plugin": "apimon", "Event": "dll_loaded", "Rva": { "RtlExitUserProcess": 147696 }, "DllBase": "0x77600000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 1016 }
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\explorer.exe","DllBase":"0x33b0000","PID":1660}
VMI_ERROR: Could not find EPROCESS struct for pgd = 0x69fca000.
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\ntdll.dll","DllBase":"0x77600000","PID":-1}
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\sfc.dll","DllBase":"0x73fb0000","PID":1660}
{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\sfc_os.dll","DllBase":"0x7fefa7a0000","PID":1660}

What could be the cause of this problem?

Monitored VM: Windows 7 SP1, 64-bit
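The interleaved output above is what a triage script has to cope with: JSON events and plain-text VMI_ERROR lines on the same stream, and, in this log, an event reporting PID -1 immediately after the error. As an added example that is not part of this issue or of DRAKVUF itself, the Python below parses such a stream, extracts the pgd from each VMI_ERROR and flags the PID -1 events that follow it as process attributions not to be trusted. It assumes only the line formats visible above; that PID -1 marks a failed process lookup is an assumption of the example, not something the issue states.

```python
"""Triage DRAKVUF apimon output that mixes JSON event lines with VMI_ERROR
diagnostics, so that events emitted while process lookup failed are not
trusted as process attributions."""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, trimmed from the apimon output quoted in the issue:
# one banner line, JSON events (both compact and space-padded forms), and a
# VMI_ERROR line followed by an event whose PID is -1.
SAMPLE_LINES = [
    "1748896437.437151 DRAKVUF v1.1-93ec052 Copyright (C) 2014-2024 Tamas K Lengyel",
    r'{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\ntdll.dll","DllBase":"0x77600000","PID":1660}',
    r'{ "Plugin": "apimon", "Event": "dll_loaded", "Rva": { "RtlExitUserProcess": 147696 }, "DllBase": "0x77600000", "DllName": "\\Windows\\System32\\ntdll.dll", "PID": 1660 }',
    r'{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\explorer.exe","DllBase":"0x33b0000","PID":1660}',
    "VMI_ERROR: Could not find EPROCESS struct for pgd = 0x69fca000.",
    r'{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\ntdll.dll","DllBase":"0x77600000","PID":-1}',
    r'{"Plugin":"apimon","Event":"dll_discovered","DllName":"\\Windows\\System32\\sfc.dll","DllBase":"0x73fb0000","PID":1660}',
]

VMI_ERROR_RE = re.compile(r"^VMI_ERROR:\s*(?P<msg>.+?)\.?$")
PGD_RE = re.compile(r"pgd\s*=\s*(0x[0-9a-fA-F]+)")
INVALID_PID = -1  # assumption: apimon reports -1 when it cannot resolve the process


@dataclass
class Event:
    line_no: int
    plugin: str
    event: str
    pid: int
    dll_name: Optional[str]


@dataclass
class VmiError:
    line_no: int
    message: str
    pgd: Optional[str]
    # events with PID == INVALID_PID seen after this error, until the next
    # event that carries a resolvable PID
    orphaned: List[Event] = field(default_factory=list)


@dataclass
class Report:
    events: List[Event] = field(default_factory=list)
    errors: List[VmiError] = field(default_factory=list)
    other: List[str] = field(default_factory=list)  # banner and unparsable lines


def parse_drakvuf_output(lines) -> Report:
    """Parse mixed apimon/VMI_ERROR output line by line."""
    report = Report()
    last_error: Optional[VmiError] = None
    for line_no, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("{"):
            try:
                obj = json.loads(line)
            except json.JSONDecodeError:
                report.other.append(line)
                continue
            ev = Event(line_no, obj.get("Plugin", ""), obj.get("Event", ""),
                       int(obj.get("PID", INVALID_PID)), obj.get("DllName"))
            report.events.append(ev)
            if ev.pid == INVALID_PID and last_error is not None:
                last_error.orphaned.append(ev)   # attribution unreliable here
            elif ev.pid != INVALID_PID:
                last_error = None                # lookups are resolving again
            continue
        m = VMI_ERROR_RE.match(line)
        if m:
            pgd = PGD_RE.search(m.group("msg"))
            err = VmiError(line_no, m.group("msg"), pgd.group(1) if pgd else None)
            report.errors.append(err)
            last_error = err
            continue
        report.other.append(line)
    return report


def summarize(report: Report) -> Dict[str, object]:
    """Counts a triage script would log or alert on."""
    invalid = [e for e in report.events if e.pid == INVALID_PID]
    return {
        "events": len(report.events),
        "vmi_errors": len(report.errors),
        "invalid_pid_events": len(invalid),
        "pgds": sorted({err.pgd for err in report.errors if err.pgd}),
        "orphaned_events": sum(len(err.orphaned) for err in report.errors),
    }


if __name__ == "__main__":
    rep = parse_drakvuf_output(SAMPLE_LINES)
    for err in rep.errors:
        print(f"line {err.line_no}: {err.message} (pgd={err.pgd})")
        for ev in err.orphaned:
            print(f"  untrusted attribution on line {ev.line_no}: {ev.event} {ev.dll_name}")
    print(summarize(rep))
```

Run against a saved capture (`parse_drakvuf_output(open("apimon.log"))`) the report gives the list of pgd values that failed lookup and the events whose PID should not be used for per-process correlation; the JSON parser is tolerant of both the compact and the space-padded forms that apimon emits, and anything that is neither JSON nor a VMI_ERROR line (the version banner here) is kept aside rather than dropped.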
