
DeviceIOControl Failing

Open Cubanhammer opened this issue 4 years ago • 3 comments

Hi, we have been using the winpmem.sys drivers to perform memory collections using winpmem.py.

On newer Windows 10 builds we have been getting error 87 (the parameter is incorrect) at the following line.

win32file.DeviceIoControl( self.fd, CTRL_IOCTRL, struct.pack("I", mode), 0, None)

Are you aware of which parameter may have changed on the Windows end? I can confirm the drivers work on older Windows 10 builds.

Thanks

Cubanhammer avatar Jan 06 '22 20:01 Cubanhammer

I believe the format of the ioctl was changed with the most recent drivers. I don't know that the Python code was updated; we don't use it really.

Can you successfully image using the C userspace program?

scudette avatar Jan 06 '22 22:01 scudette

Yes, we can currently use the winpmem exe to image.

Do you have any idea what the ioctrl setting would need to be updated to? Or documentation I could look into?

Cubanhammer avatar Jan 07 '22 18:01 Cubanhammer

This is the struct that gets passed in the ioctl:

https://github.com/Velocidex/WinPmem/blob/master/kernel/userspace_interface/winpmem_shared.h

You need to update the layout here: https://github.com/google/rekall/blob/55d1925f2df9759a989b35271b4fa48fc54a1c86/tools/windows/winpmem/winpmem.py#L85

The ioctl numbers used now are here: https://github.com/Velocidex/WinPmem/blob/master/kernel/userspace_interface/ctl_codes.h

So you have to change them in the Python code as well: https://github.com/google/rekall/blob/55d1925f2df9759a989b35271b4fa48fc54a1c86/tools/windows/winpmem/winpmem.py#L56

scudette avatar Jan 08 '22 02:01 scudette
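The answer above boils down to two things that must agree between winpmem.py and the driver headers: the ioctl number (built with the Windows CTL_CODE macro) and the byte layout of the input struct. A driver that receives a request it does not recognise, or a buffer of the wrong length, typically fails the call with STATUS_INVALID_PARAMETER, which user mode sees as Win32 error 87. The following is an added example, not code from the issue or from the WinPmem project, that reproduces the CTL_CODE arithmetic, decodes an ioctl number back into its fields, and compares the Python side against what the headers declare. The constant CTL_CODE(0x22, 0x101, 3, 3) with a 4-byte "I" payload is assumed to be the rekall-era Python value; the driver-side values are constructed placeholders to be replaced with the real ones after reading ctl_codes.h and winpmem_shared.h.

```python
import struct


# Windows CTL_CODE macro from winioctl.h, reproduced in Python:
#   ((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method)
def ctl_code(device_type, function, method, access):
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ctl_code(code):
    """Split a 32-bit IOCTL code into its four CTL_CODE fields so two numbers
    can be compared field by field instead of as opaque integers."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


def pack_request(layout, *fields):
    """Build the ioctl input buffer the way winpmem.py does with struct.pack,
    but with an explicit little-endian, unpadded layout so the byte count
    is predictable and can be checked against sizeof() of the C struct."""
    return struct.pack("<" + layout, *fields)


def diagnose(py_code, py_layout, drv_code, drv_size):
    """Compare what the Python caller sends with what the driver header declares.

    py_code / py_layout: ioctl number and struct format used in winpmem.py.
    drv_code / drv_size: ioctl number from ctl_codes.h and sizeof() of the
                         input struct from winpmem_shared.h.
    Returns a list of mismatch descriptions; an empty list means both agree.
    """
    problems = []
    if py_code != drv_code:
        a, b = decode_ctl_code(py_code), decode_ctl_code(drv_code)
        diffs = [k for k in a if a[k] != b[k]]
        problems.append("ioctl code differs in %s (python=0x%x, driver=0x%x)"
                        % (", ".join(diffs), py_code, drv_code))
    py_size = struct.calcsize("<" + py_layout)
    if py_size != drv_size:
        problems.append("input buffer is %d bytes but driver struct is %d bytes"
                        % (py_size, drv_size))
    return problems


# Assumed, not stated in the issue: the rekall-era winpmem.py constant
# CTRL_IOCTRL = CTL_CODE(0x22, 0x101, 3, 3) and its 4-byte "I" payload.
LEGACY_CTRL_IOCTRL = ctl_code(0x22, 0x101, 3, 3)
LEGACY_LAYOUT = "I"

# Constructed placeholders standing in for the current driver headers;
# substitute the values read from ctl_codes.h and winpmem_shared.h.
DRIVER_CTRL_IOCTRL = ctl_code(0x22, 0x102, 3, 3)   # constructed, not the real code
DRIVER_CTRL_STRUCT_SIZE = 8                         # constructed, not the real sizeof()


if __name__ == "__main__":
    print("legacy CTRL_IOCTRL = 0x%x -> %s" % (LEGACY_CTRL_IOCTRL,
                                               decode_ctl_code(LEGACY_CTRL_IOCTRL)))
    for line in diagnose(LEGACY_CTRL_IOCTRL, LEGACY_LAYOUT,
                         DRIVER_CTRL_IOCTRL, DRIVER_CTRL_STRUCT_SIZE):
        print("mismatch:", line)
```

Run it once with the numbers taken from the two headers: an empty result from diagnose() means the Python constants and struct format already line up, and any remaining error 87 has a different cause; otherwise the output names exactly which field of the ioctl code, or which buffer length, still has to change at the two winpmem.py lines linked above.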