Socketmon plugin not work on win7 sp1 x64

[Lexati]

Hello tklengyel!
Help me please, i try take on Socketmon plugin on windows 7 sp1 x64 with next command:
sudo drakvuf -a socketmon -d vm-1 -r /var/lib/drakrun/profiles/kernel.json -T /var/lib/drakrun/profile/amd64_tcpip_profile.json -t 120 -i 1288 -v

but drakvuf return error debug log:

Can you advise me how i can fix this problem?

Also from debug log:
Failed to find dnsapi.dll in list starting at 0x3225f0

[SOCKETMON] trap_visitor: CR3[0x53DF000] pid[0x444 1092] is_wow_process[0] is_wow_module[0] base_name[DNSAPI.dll] load_address[0x7FEFC550000] full_name[C:\Windows\System32\DNSAPI.dll]

[SOCKETMON] trap_visitor: CR3[0x7BCA000] pid[0x278 632] is_wow_process[0] is_wow_module[0] base_name[DNSAPI.dll] load_address[0x7FEFC550000] full_name[c:\windows\system32\DNSAPI.dll]

[SOCKETMON] trap_visitor: CR3[0x5055B000] pid[0x644 1604] is_wow_process[0] is_wow_module[0] base_name[DNSAPI.dll] load_address[0x7FEFC550000] full_name[C:\Windows\system32\DNSAPI.dll]

Thank you in advance!=)

[tklengyel]

If the dll is not found in the list you are trying to start with the plugin won't work. You need to figure out why the dll is missing in your VM.

[Lexati]

Thank you for your fast answer!
I checked DNSAPI.dll in VM.
Now DNSAPI.dll exist in:

• C:\Windows\system32
• C:\Windows\SysWow64
  Then i start command:
  sudo draksetup postinstall --no-report
  I see that script detect DNSAPI.dll in C:\Windows\system32 via injector and create rekall profile for this dll in path /var/lib/drakrun/profiles/
  the same situation with tcpip.sys.

But then i try use this profile for socketmon, i see errors on debug logs.
In scrinshot below in debug log is record "Failed to trap function SysWOW64 dnsapi.dll"
may be i must create rekall allso for C:\Windows\SysWow64\dnsapi.dll ?

If this is a true statement, then tell me exactly where I need to place and specify this rekall profile.
If not, then tell me please what else could be done.
Maybe there is some specific windows 7 image on which socketmon will be guaranteed to work without any problems.
Thank you in advance!

[Lexati]

Content in /var/lib/drakrun/profiles/:

[tklengyel]

It's not enough that the dll exists on disk. If it's not loaded into the memory of the process as part of its module list it won't work. In your VM the dll is not found in memory and you need to figure out why your Windows installation doesn't load it.

It also sounds like you are using DRAKVUF Sandbox, so you may want to open an issue on their repository because they might have some more information about the automated setup that supposed to resolve this.

[Lexati]

Thank you for your fast answer!
I created issue in DRAKVUF Sandbox.
CERT-Polska/drakvuf-sandbox#770

So far, I can’t understand why dsnapi.dll is not loaded into VM memory...
I reinstalled VM, gave network access before postinstall, but It did not help.

[Saksham128]

Did you figured out any solution for this problem? I am having the same problem with the socketmon plugin. My debug also gives the same error of dll missing. Is there any other way through which i can capture the network of the VM?

[Lexati]

Did you figured out any solution for this problem? I am having the same problem with the socketmon plugin. My debug also gives the same error of dll missing. Is there any other way through which i can capture the network of the VM?

No, this problem is still relevant.