Socketmon plugin not work on win7 sp1 x64

[Lexati]

Socketmon plugin not work on win7 sp1 x64

Hello!!
Help me please, i try take on Socketmon plugin on windows 7 sp1 x64, but I have some problems.

I use next command:
sudo drakvuf -a socketmon -d vm-1 -r /var/lib/drakrun/profiles/kernel.json -T /var/lib/drakrun/profile/amd64_tcpip_profile.json -t 120 -i 1288 -v

but drakvuf return error debug log:

Can you advise me how i can fix this problem?

Also from debug log:
Failed to find dnsapi.dll in list starting at 0x3225f0

[SOCKETMON] trap_visitor: CR3[0x53DF000] pid[0x444 1092] is_wow_process[0] is_wow_module[0] base_name[DNSAPI.dll] load_address[0x7FEFC550000] full_name[C:\Windows\System32\DNSAPI.dll]

[SOCKETMON] trap_visitor: CR3[0x7BCA000] pid[0x278 632] is_wow_process[0] is_wow_module[0] base_name[DNSAPI.dll] load_address[0x7FEFC550000] full_name[c:\windows\system32\DNSAPI.dll]

[SOCKETMON] trap_visitor: CR3[0x5055B000] pid[0x644 1604] is_wow_process[0] is_wow_module[0] base_name[DNSAPI.dll] load_address[0x7FEFC550000] full_name[C:\Windows\system32\DNSAPI.dll]

Thank you in advance!=)

P.S I opened issues also in tklengyel repos
tklengyel/drakvuf#1613

Some info i explained in that thread.

[Lexati]

P.S This problem also observed for Windows 10 2004

[psrok1]

It's not the problem with Drakvuf Sandbox but socketmon plugin in Drakvuf, so this problem should be tracked in tklengyel/drakvuf#1613. dnsapi.dll Rekall profile is not even used by Drakvuf and you don't even have any argument in the Drakvuf command line to pass the path to this profile. amd64_dnsapi_profile.json is generated for different, postprocessing component (apivectors)

Rekall profiles are not required for user-mode traps, because Drakvuf is looking for functions directly in PE export table. I will add some notes about the origin of the problem to the tklengyel/drakvuf#1613.