This repository has been archived by the owner on Feb 21, 2024. It is now read-only.
Hi! I tried running the current codebase on two machines with Ubuntu 18.04.2 and Debian 9.6. To get a taste of what I mean by extremely slow, it takes over 5 minutes to boot a freshly installed Windows 7 on an i7-3632QM machine compared to 1 minute in Ubuntu's QEMU 2.11.1 in emulation mode (no `-enable-kvm` and same switches used for `./pyrebox-i386` and vanilla `qemu-system-i386`). When I start a demo program within mw_monitor, say Al-Khaser or the standalone PuTTY client, I can see the agent transferring the file in the expected path and the entry point for the executable shown on screen, then I'll have to wait a few dozen minutes to see any activity (say, for PuTTY it took about 20 minutes to reach the `Executed first instruction` + `Successfully removed trigger` stage, and then 5-10 minutes to show the GUI).
When I unload the monitor the function call log is generated apparently correctly (I only tried it in light mode). On the first run ever the file `symbols.Win7SP1x86` was generated with about three errors on missing files. I once let mw_monitor run Al-Khaser for about two days and it was still executing some of its checks when I killed it.
Any idea where the issue may lie? Could it be a wrong Volatility/QEMU setup/build?
Some details on the configuration. The guest is Windows 7 SP1 build 7601 running with 2 GB of RAM. For `pyrebox.conf`:

Command line to boot up QEMU (I get the same behavior w/ and w/o snapshot):
Once the system is up I import the guest agent module, run its executable from a command prompt, and then proceed with mw_monitor:
```
import_module plugins.guest_agent
# (run the agent from cmd.exe inside the guest)
import_module mw_monitor.mw_monitor
```
I am using the default `mw_monitor.conf` updated to point to the SQLite DB shipped with the PyREBox repository, and customized `mw_monitor_run.json` as follows:
It seems there must be something going on, as those times you report are just too much. 5 minutes to boot up Windows 7 could be ok-ish, but the times you report for sample execution are not normal.
First of all, can you confirm that KVM is not enabled (when running the image under qemu-system-i386) by running the "info kvm" monitor command?
Second, I cannot see anything wrong in the configuration, but I should debug this myself to understand what's going on. I will reach out to you so that we can chat about it.
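The KVM check requested above can also be scripted instead of typed into the HMP monitor. The following is an added example, not code from the PyREBox project or this thread: it speaks QMP (QEMU's JSON monitor protocol) over a UNIX socket and runs `query-kvm`, the QMP equivalent of `info kvm`. It assumes the QEMU binary (vanilla or the PyREBox build) was started with the standard `-qmp unix:/tmp/qmp.sock,server,nowait` option; the socket path and the sample replies are constructed for illustration.

```python
import json
import socket
import sys

# Constructed sample replies in the shape QEMU returns for "query-kvm",
# so the parser can be exercised without a running VM.
SAMPLE_KVM_OFF = '{"return": {"enabled": false, "present": true}}'
SAMPLE_KVM_ON = '{"return": {"enabled": true, "present": true}}'
SAMPLE_ERROR = '{"error": {"class": "GenericError", "desc": "no kvm"}}'


def parse_query_kvm(raw):
    """Return (present, enabled) from one QMP query-kvm reply line.

    A QMP error object raises instead of returning, so a failed query is
    never silently read as "KVM disabled".
    """
    reply = json.loads(raw)
    if "error" in reply:
        raise RuntimeError("QMP error: %s" % reply["error"].get("desc"))
    ret = reply["return"]
    return bool(ret["present"]), bool(ret["enabled"])


def _read_reply(rd):
    """Skip asynchronous QMP events until a command reply arrives."""
    while True:
        line = rd.readline()
        if not line:
            raise RuntimeError("QMP connection closed")
        if b'"event"' not in line:
            return line.decode()


def query_kvm(sock_path, timeout=5.0):
    """QMP handshake (greeting + qmp_capabilities), then query-kvm."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        rd = s.makefile("rb")
        rd.readline()  # server greeting: {"QMP": {...}}
        s.sendall(b'{"execute": "qmp_capabilities"}\n')
        _read_reply(rd)  # {"return": {}}
        s.sendall(b'{"execute": "query-kvm"}\n')
        return parse_query_kvm(_read_reply(rd))


if __name__ == "__main__":
    present, enabled = query_kvm(sys.argv[1] if len(sys.argv) > 1 else "/tmp/qmp.sock")
    print("kvm present=%s enabled=%s" % (present, enabled))
```

For the slowdown described in this thread the expected result from the PyREBox instance is `enabled=False`; `enabled=True` would mean the comparison with vanilla QEMU in pure emulation mode is not like for like.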