
Comments (6)

ikelos avatar ikelos commented on May 20, 2024

Hiya, Thanks for the report! From the looks of it, the symbol table is the heart of the problem. It would help us to figure out what went wrong in this specific case if you could paste the output from running it with vol.py -vv rather than just vol.py. The exact line we're interested in would be one that looks something like:

DEBUG    volatility.framework.automagic.pdbscan: Using symbol library: ntkrnlpa.pdb/BD8F451F3E754ED8A34B50560CEB08E3-1

That will tell us which symbol table we're looking for. It's definitely a known issue that certain kernel symbol files that Microsoft publishes aren't complete (for example, I have a system with the above signature, that we do have symbols for in the symbol pack, but if you try to download them manually, the pdb no longer contains all the necessary data, and it comes up with the same warning you've encountered).

Once we know which symbol table it's trying to use we can examine the one in the pack, or even if it exists in the pack and figure out if we can create symbols for it or not... 5:)

from volatility3.

mattwhatkins avatar mattwhatkins commented on May 20, 2024

I have a Win10x64_18362 image and I'm getting the same issue. I tried downloading the symbols and extracting them manually, but I get the same error. This is a test VM so happy to perform any debugging steps on the live host.

DEBUG    volatility.framework.automagic.pdbscan: Using symbol library: ntkrnlmp.pdb/E0093F3AEF15D58168B753C9488A4043-1
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
WARNING  volatility.framework.plugins: Automagic exception occured: ValueError: Symbol type not in nt_symbols1 SymbolTable: _ETHREAD

Let me know if you'd rather I create a separate issue for this

from volatility3.

ikelos avatar ikelos commented on May 20, 2024

Errr, leave it in this thread for the moment please. So E0093F3AEF15D58168B753C9488A4043-1 doesn't produce any types, only symbols. I need to check if that's an issue with the pdb file (in which case there's not much we can do) or whether the pdb converter is just missing a bunch of types...

from volatility3.

ikelos avatar ikelos commented on May 20, 2024

So it turns out this was due to a recent pull request that I didn't properly review (I checked the code, which was right, but completely missed that we did things in the wrong order already and it just so happened it worked out fine because of the mistake which #133 correctly fixed).

Unfortunately, this means that some generated symbol tables will now be invalid and will need to be re-generated. Please clear out your volatility/symbols/windows directory (the windows.zip file should be fine, and you can re-unpack the contents of that if you unpacked it in the first place).

Any windows JSON symbol files generated in the last couple of days will need to be removed and will be rebuilt from the internet.

Please could you test this? @mattwhatkins I know this will fix your issue, @johnlabuyfoy1024 I suspect this will fix yours but I never found out which PDB you were testing it against...

I leave this open for a week or so unless I get told otherwise, in case someone's still experiencing it even with the fix from commit 648cded5...

from volatility3.
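A check that can be run before (or instead of blindly) clearing the symbol cache, as an added example that is not part of volatility3 or of this thread: it walks a volatility/symbols/windows directory, parses each ISF JSON table (plain or .xz-compressed) and reports tables that, like the one in the thread, carry symbols but no types. The section names follow the ISF JSON layout; the list of required kernel types is an assumption chosen to cover windows.info and pslist/pstree, and the sample table is constructed.

```python
import json
import lzma
from pathlib import Path

# Top-level sections of a volatility3 ISF JSON symbol table.
REQUIRED_SECTIONS = ("metadata", "base_types", "user_types", "enums", "symbols")
# Assumed minimal set of kernel structs the basic Windows plugins need; the
# thread's failing table produced "Symbol type not in ... SymbolTable: _ETHREAD".
REQUIRED_TYPES = ("_EPROCESS", "_ETHREAD", "_KPCR")

# Constructed sample mirroring the broken table: symbols present, no types at all.
BROKEN_SAMPLE = {"metadata": {}, "base_types": {}, "user_types": {}, "enums": {},
                 "symbols": {"PsActiveProcessHead": {"address": 0x1000}}}


def load_isf(path):
    """Load an ISF JSON table, transparently handling .json.xz files."""
    path = Path(path)
    opener = lzma.open if path.suffix == ".xz" else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)


def check_isf(table):
    """Return a list of problems with a parsed ISF table; empty means it looks usable."""
    problems = [f"missing section: {s}" for s in REQUIRED_SECTIONS if s not in table]
    user_types = table.get("user_types") or {}
    if not user_types:
        problems.append("no user_types (symbols only, types missing)")
    problems.extend(f"missing type: {t}" for t in REQUIRED_TYPES if t not in user_types)
    return problems


def find_invalid_tables(symbols_dir):
    """Scan a symbols/windows directory; map each suspect file to its problems."""
    report = {}
    for path in sorted(Path(symbols_dir).rglob("*.json*")):
        try:
            problems = check_isf(load_isf(path))
        except (ValueError, lzma.LZMAError, OSError) as exc:
            problems = [f"unreadable: {exc}"]
        if problems:
            report[str(path)] = problems
    return report


if __name__ == "__main__":
    import sys
    for file, issues in find_invalid_tables(sys.argv[1]).items():
        print(file, "->", "; ".join(issues))
```

Files listed by the script are the ones worth deleting so the framework rebuilds them from the PDB on the next run; tables that pass the check can be left in place.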

mattwhatkins avatar mattwhatkins commented on May 20, 2024

This works for me, windows.info and pstree coming back OK now :) (Malfind is erroring, so I'll see if I can work that out, otherwise submit a separate bug report)

Thanks!

from volatility3.

johnlabuyfoy1024 avatar johnlabuyfoy1024 commented on May 20, 2024

My issue is now resolved after downloading & installing the latest windows.zip from https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip

PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime

4 0 System 0xd10263712440 196 - N/A False 2019-08-14 18:27:46.000000 N/A
96 4 Registry 0xd102637e4040 3 - N/A False 2019-08-14 18:27:44.000000 N/A
448 4 smss.exe 0xd102768ef040 5 - N/A False 2019-08-14 18:27:46.000000 N/A
716 544 csrss.exe 0xd10277dab280 13 - 0 False 2019-08-14 18:27:50.000000 N/A
804 544 wininit.exe 0xd10278867080 5 - 0 False 2019-08-14 18:27:51.000000 N/A
812 796 csrss.exe 0xd1027886c080 14 - 1 False 2019-08-14 18:27:51.000000 N/A
884 804 services.exe 0xd1027883b580 21 - 0 False 2019-08-14 18:27:51.000000 N/A
916 796 winlogon.exe 0xd102788e3340 5 - 1 False 2019-08-14 18:27:51.000000 N/A
980 804 lsass.exe 0xd1027886a080 13 - 0 False 2019-08-14 18:27:51.000000 N/A

Thank you ikelos!

from volatility3.
