Error Rekall profile generation for combase.dll #776
Labels
bug
Something isn't working
Comments
Lexati
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Error Rekall profile generation for combase.dll
Hello! I have some problem with generation rekall profile during postinstallation for combase.dll Windows 10 2004
How to reproduce
Steps to reproduce the behavior:
when it's combase's turn:
[2023-03-29 13:26:38,742][INFO] Fetching rekall profile for Windows/System32/combase.dll
[2023-03-29 13:26:39,333][DEBUG] Starting new HTTPS connection (1): msdl.microsoft.com:443
[2023-03-29 13:26:39,668][DEBUG] https://msdl.microsoft.com:443 "GET /download/symbols/combase.pdb/5d72063b35ba9533e6147d2aa173dc8d1/combase.pdb HTTP/1.1" 302 0
[2023-03-29 13:26:39,669][DEBUG] Starting new HTTPS connection (1): vsblobprodscussu5shard87.blob.core.windows.net:443
[2023-03-29 13:26:40,391][DEBUG] https://vsblobprodscussu5shard87.blob.core.windows.net:443 "GET /b-4712e0edc5a240eabf23330d7df68e77/9968DD1C0233AB3FB2B316BE80B077511EFF2FFB3DF87CA673C37DE0F23BA7FE00.blob?sv=2019-07-07&sr=b&si=1&sig=F1YjJQqRO65Etb7dXq2hpOQWZYe91oVB6FGPXUUNqbk%3D&spr=https&se=2023-03-30T13%3A35%3A56Z&rscl=x-e2eid-fdf8a362-5a394d40-8e95bd4f-ac08ba72-session-0480f756-490b471f-8797d1dd-ed8d2048 HTTP/1.1" 200 90345472
100%|█████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████| 90.3M/90.3M [00:42<00:00, 2.13MiB/s]
[2023-03-29 13:27:22,717][DEBUG] Parsing PDB into JSON profile...
[2023-03-29 13:27:57,391][DEBUG] stdout: {"Plugin": "inject", "TimeStamp": "1680096398.904640", "Method": "ReadFile", "Status": "Success", "ProcessName": "C:\Windows\System32\combase.dll", "Arguments": "", "InjectedPid": 0, "InjectedTid": 0}
[2023-03-29 13:27:57,391][DEBUG] stderr: DRAKVUF injector v1.0-git20220222010225+fecea59-1 Copyright (C) 2014-2022 Tamas K Lengyel
[2023-03-29 13:27:57,391][DEBUG] rc: 0
[2023-03-29 13:27:57,395][DEBUG] Traceback (most recent call last):
File "/opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/draksetup.py", line 611, in create_rekall_profile
profile = make_pdb_profile(
File "/opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/drakpdb.py", line 379, in make_pdb_profile
pdb = pdbparse.parse(filepath)
File "/opt/venvs/drakrun/lib/python3.8/site-packages/pdbparse/init.py", line 554, in parse
return PDB7(f, fast_load)
File "/opt/venvs/drakrun/lib/python3.8/site-packages/pdbparse/init.py", line 521, in init
self.read_root(self.root_stream)
File "/opt/venvs/drakrun/lib/python3.8/site-packages/pdbparse/init.py", line 460, in read_root
pdb_cls(
File "/opt/venvs/drakrun/lib/python3.8/site-packages/pdbparse/init.py", line 154, in init
self.load()
File "/opt/venvs/drakrun/lib/python3.8/site-packages/pdbparse/init.py", line 276, in load
debug = dbi.parse_stream(self.stream_file)
File "/opt/venvs/drakrun/lib/python3.8/site-packages/pdbparse/dbi.py", line 160, in parse_stream
Name = ("Name" / CString(encoding = "utf8")).parse(Names[NameRef[j]:])
File "/opt/venvs/drakrun/lib/python3.8/site-packages/construct/core.py", line 304, in parse
return self.parse_stream(io.BytesIO(data), **contextkw)
File "/opt/venvs/drakrun/lib/python3.8/site-packages/construct/core.py", line 316, in parse_stream
return self._parsereport(stream, context, "(parsing)")
File "/opt/venvs/drakrun/lib/python3.8/site-packages/construct/core.py", line 328, in _parsereport
obj = self._parse(stream, context, path)
File "/opt/venvs/drakrun/lib/python3.8/site-packages/construct/core.py", line 2468, in _parse
return self.subcon._parsereport(stream, context, path)
File "/opt/venvs/drakrun/lib/python3.8/site-packages/construct/core.py", line 328, in _parsereport
obj = self._parse(stream, context, path)
File "/opt/venvs/drakrun/lib/python3.8/site-packages/construct/core.py", line 715, in _parse
return self._decode(obj, context, path)
File "/opt/venvs/drakrun/lib/python3.8/site-packages/construct/core.py", line 1490, in _decode
return obj.decode(self.encoding)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xa5 in position 0: invalid start byte
[2023-03-29 13:27:57,395][WARNING] [SKIPPING DLL] Unexpected exception while creating rekall profile for Windows/System32/combase.dll
[2023-03-29 13:27:57,395][DEBUG] Traceback (most recent call last):
File "/opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/draksetup.py", line 611, in create_rekall_profile
profile = make_pdb_profile(
File "/opt/venvs/drakrun/lib/python3.8/site-packages/drakrun/drakpdb.py", line 379, in make_pdb_profile
pdb = pdbparse.parse(filepath)
File "/opt/venvs/drakrun/lib/python3.8/site-packages/pdbparse/init.py", line 554, in parse
return PDB7(f, fast_load)
File "/opt/venvs/drakrun/lib/python3.8/site-packages/pdbparse/init.py", line 521, in init
self.read_root(self.root_stream)
File "/opt/venvs/drakrun/lib/python3.8/site-packages/pdbparse/init.py", line 460, in read_root
pdb_cls(
File "/opt/venvs/drakrun/lib/python3.8/site-packages/pdbparse/init.py", line 154, in init
self.load()
File "/opt/venvs/drakrun/lib/python3.8/site-packages/pdbparse/init.py", line 276, in load
debug = dbi.parse_stream(self.stream_file)
File "/opt/venvs/drakrun/lib/python3.8/site-packages/pdbparse/dbi.py", line 160, in parse_stream
Name = ("Name" / CString(encoding = "utf8")).parse(Names[NameRef[j]:])
File "/opt/venvs/drakrun/lib/python3.8/site-packages/construct/core.py", line 304, in parse
return self.parse_stream(io.BytesIO(data), **contextkw)
File "/opt/venvs/drakrun/lib/python3.8/site-packages/construct/core.py", line 316, in parse_stream
return self._parsereport(stream, context, "(parsing)")
File "/opt/venvs/drakrun/lib/python3.8/site-packages/construct/core.py", line 328, in _parsereport
obj = self._parse(stream, context, path)
File "/opt/venvs/drakrun/lib/python3.8/site-packages/construct/core.py", line 2468, in _parse
return self.subcon._parsereport(stream, context, path)
File "/opt/venvs/drakrun/lib/python3.8/site-packages/construct/core.py", line 328, in _parsereport
obj = self._parse(stream, context, path)
File "/opt/venvs/drakrun/lib/python3.8/site-packages/construct/core.py", line 715, in _parse
return self._decode(obj, context, path)
File "/opt/venvs/drakrun/lib/python3.8/site-packages/construct/core.py", line 1490, in _decode
return obj.decode(self.encoding)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xa5 in position 0: invalid start byte
[2023-03-29 13:27:57,396][INFO] Deleted /var/lib/drakrun/profiles/amd64_combase_profile
[2023-03-29 13:27:57,396][INFO] Deleted /var/lib/drakrun/profiles/combase.pdb
Help me please fix this problem,
Thank you in advance!
The text was updated successfully, but these errors were encountered: