Kernel Driver support

Question

Kernel Driver support

a0ki opened this issue 4 years ago · 6 comments

So as i've opened a issue b4, here are the outputs that i get

C:\WINDOWS\system32>"C:\Users\Nemezis\Downloads\NOVM.exe" "C:\Users\Nemezis\Downloads\_dump.sys"
##############################################################################
# NoVmp  Copyright (C) 2020 Can Boluk                                        #
# This program comes with absolutely no warranty, and it is free software.   #
# You are welcome to redistribute it under certain conditions--for which you #
# can refer to the GNU General Public License v3.                            #
##############################################################################

Discovered vmenter at FFFFF80240C01AA2
Discovered vmenter at FFFFF80240C01ACA
Discovered vmenter at FFFFF80240C01AEC
Discovered vmenter at FFFFF80240C01C91
Discovered vmenter at FFFFF80240C0256F
Discovered vmenter at FFFFF80240C02C99
Discovered vmenter at FFFFF80240C03371
Discovered vmenter at FFFFF80240C037FA
Discovered vmenter at FFFFF80240C03B4D
Discovered vmenter at FFFFF80240C03DAE
Discovered vmenter at FFFFF80240C03EF8
Lifting virtual-machine at 00000000001A67B9...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A67DE...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A67FB...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A69CB...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A6E5D...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A7323...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A76F4...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A7997...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A7B05...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A7C49...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A7D45...
Error: Invalid VIP.

can1357 commented 4 years ago

yes

Answer 1 · 2020-09-15T01:38:12.000Z

-base is not specified.

Answer 2 · 2020-09-15T02:27:09.000Z

even with base

C:\WINDOWS\system32>"C:\Users\Nemezis\Downloads\NOVM.exe" "C:\Users\Nemezis\Downloads\_dump.sys" -base FFFFF80240C00000
##############################################################################
# NoVmp  Copyright (C) 2020 Can Boluk                                        #
# This program comes with absolutely no warranty, and it is free software.   #
# You are welcome to redistribute it under certain conditions--for which you #
# can refer to the GNU General Public License v3.                            #
##############################################################################

Discovered vmenter at FFFFF80240C01AA2
Discovered vmenter at FFFFF80240C01ACA
Discovered vmenter at FFFFF80240C01AEC
Discovered vmenter at FFFFF80240C01C91
Discovered vmenter at FFFFF80240C0256F
Discovered vmenter at FFFFF80240C02C99
Discovered vmenter at FFFFF80240C03371
Discovered vmenter at FFFFF80240C037FA
Discovered vmenter at FFFFF80240C03B4D
Discovered vmenter at FFFFF80240C03DAE
Discovered vmenter at FFFFF80240C03EF8
Lifting virtual-machine at 00000000001A67B9...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A67DE...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A67FB...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A69CB...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A6E5D...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A7323...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A76F4...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A7997...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A7B05...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A7C49...
Error: Invalid VIP.
Lifting virtual-machine at 00000000001A7D45...
Error: Invalid VIP.

Answer 3 · 2020-09-15T02:28:02.000Z

That's not original base

Answer 4 · 2020-09-15T02:35:37.000Z

hmm, should be the imagebase on the packed one then?

Answer 5 · 2020-09-15T03:32:42.000Z

yes

Anyways, im trying a self packed executable, ive passed the base as you mentioned and i just got stuck at

[!] Warning: Local variable t269#0x35fa6e? is used before value assignment (Block 35fa6e).

[!] Warning: Local variable t269#0x35f6a0? is used before value assignment (Block 35f6a0).

[!] Warning: Local variable t269#0x36738f? is used before value assignment (Block 36738f).

[!] Warning: Local variable t269#0x33b914? is used before value assignment (Block 33b914).

Like... got tons of this message and now is just stucked