
Comments (8)

ikelos commented on August 21, 2024

@sk4la I can't speak to the docker images, but a git checkout of vol3 and the following command line:

PYTHONPATH="." python volatility/framework/symbols/windows/pdbconv.py -p ntkrpamp.pdb -g 5B308B4ED6464159B87117C711E7340C2 -o thing.json

Successfully ran, downloaded and parsed the pdb file, and stored it in thing.json. For windows, the file then has to be named specifically, so you'd need to put it in volatility/symbols/windows/ntkrpamp.pdb/5B308B4ED6464159B87117C711E7340C-2.json. Even if you specify the symbols directory, you'll still need that directory structure and filename in place. I'd recommend reading https://volatility3.readthedocs.io/en/latest/symbol-tables.html#windows-symbol-tables for the details.

Also, I'm happy to answer questions, but I'd prefer to do it on our slack channel (@ikelos) rather than through our bug tracker. It'll just add noise to actual issues that need fixing if we carry out discussions here...


araaj commented on August 21, 2024

I also tried using a "Ram Capture" memory image, with the same error:

python vol.py -f 20191019_1.mem windows.info


ikelos commented on August 21, 2024

Hiya, could you please try running it with vol.py -vvv rather than just vol.py and provide the output? That will help us figure out whether it's identified the version of Windows and can't find the appropriate symbol file, or whether it just can't find the version of Windows at all... 5:)


sk4la commented on August 21, 2024

I hit the same error as @araaj.

It looks like the volatility/framework/symbols/windows/pdbconv.py script does not behave the same way as development/pdbparse-to-json.py:

$ docker run -v ${DOWNLOADS}:/case --rm volatilityfoundation/volatility -f /case/ch2.dmp -vvv windows.info                                                                           docker*
INFO     root        : Volatility plugins path: ['/usr/lib/python3.7/site-packages/volatility-1.0.0b1-py3.7.egg/volatility/plugins', '/usr/lib/python3.7/site-packages/volatility-1.0.0b1-py3.7.egg/volatility/framework/plugins']
INFO     root        : Volatility symbols path: ['/usr/lib/python3.7/site-packages/volatility-1.0.0b1-py3.7.egg/volatility/symbols', '/usr/lib/python3.7/site-packages/volatility-1.0.0b1-py3.7.egg/volatility/framework/symbols']
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.statistics
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.registry.certificates
DEBUG    volatility.framework: Importing module: volatility.plugins.timeliner
DEBUG    volatility.framework: Importing module: volatility.plugins.yarascan
DEBUG    volatility.framework: Importing module: volatility.plugins.configwriter
DEBUG    volatility.framework: Importing module: volatility.plugins.layerwriter
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.check_afinfo
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.bash
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.lsof
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.elfs
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.proc
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.malfind
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.lsmod
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.pstree
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.pslist
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.check_syscall
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.symlinkscan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.cmdline
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.modules
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.driverirp
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.verinfo
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.virtmap
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.handles
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.strings
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.info
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.malfind
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.dlldump
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.driverscan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.ssdt
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.mutantscan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.dlllist
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.vaddump
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.svcscan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.psscan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.pstree
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.callbacks
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.pslist
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.modscan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.poolscanner
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.vadyarascan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.vadinfo
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.procdump
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.filescan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.moddump
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.registry.userassist
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.registry.hivelist
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.registry.hivescan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.registry.printkey
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.check_sysctl
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.bash
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.lsof
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.ifconfig
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.malfind
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.tasks
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.check_trap_table
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.lsmod
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.pstree
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.pslist
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.netstat
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.psaux
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.check_syscall
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.proc_maps
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.trustedbsd
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.construct_layers
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.symbol_cache
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.stacker
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.windows
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.symbol_finder
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.linux
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.pdbscan
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.mac
INFO     volatility.framework.automagic: Detected a windows category plugin
INFO     volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Info.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Info
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Info.nt_symbols
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Info
INFO     volatility.framework.automagic: Running automagic: LayerStacker
DEBUG    volatility.framework: Importing module: volatility.framework.layers.physical
DEBUG    volatility.framework: Importing module: volatility.framework.layers.intel
DEBUG    volatility.framework: Importing module: volatility.framework.layers.vmware
DEBUG    volatility.framework: Importing module: volatility.framework.layers.resources
DEBUG    volatility.framework: Importing module: volatility.framework.layers.lime
DEBUG    volatility.framework: Importing module: volatility.framework.layers.registry
DEBUG    volatility.framework: Importing module: volatility.framework.layers.msf
DEBUG    volatility.framework: Importing module: volatility.framework.layers.linear
DEBUG    volatility.framework: Importing module: volatility.framework.layers.segmented
DEBUG    volatility.framework: Importing module: volatility.framework.layers.crash
DEBUG    volatility.framework: Importing module: volatility.framework.layers.scanners.multiregexp
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
DEBUG    volatility.framework.automagic.windows: DTB was found at: 0x185000
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary.memory_layer
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Info.nt_symbols
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Info
DEBUG    volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO     volatility.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility.framework.automagic: Running automagic: WintelHelper
INFO     volatility.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
DEBUG    volatility.framework.automagic.pdbscan: Kernel base determination - using KDBG structure for kernel offset
Volatility 3 Framework 1.0.0-beta.1
Progress:   98.34		Scanning primary2 using PdbSignatureScannerINFO     volatility.framework.symbols.windows.pdbconv: Download PDB file...
DEBUG    volatility.framework.symbols.windows.pdbconv: Attempting to retrieve http://msdl.microsoft.com/download/symbols/ntkrpamp.pdb/5B308B4ED6464159B87117C711E7340C2/ntkrpamp.pd_
DEBUG    volatility.framework.symbols.windows.pdbconv: Failed with HTTP Error 404: Not Found
DEBUG    volatility.framework.symbols.windows.pdbconv: Attempting to retrieve http://msdl.microsoft.com/download/symbols/ntkrpamp.pdb/5B308B4ED6464159B87117C711E7340C2/ntkrpamp.pdb
Progress:   94.74		Downloading http://msdl.microsoft.com/download/symbols/ntkrpamp.pdb/5B308B4ED6464159B87117C711E7340C2/DEBUG    volatility.framework.symbols.windows.pdbconv: Successfully written to /tmp/tmp6dd10r4i
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
WARNING  volatility.framework.plugins: Automagic exception occured: ValueError: ('No symbol files found at provided filename: {}', 'pdb')
Level 9  volatility.framework.plugins: Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/volatility-1.0.0b1-py3.7.egg/volatility/framework/automagic/__init__.py", line 129, in run
    automagic(context, config_path, requirement, progress_callback)
  File "/usr/lib/python3.7/site-packages/volatility-1.0.0b1-py3.7.egg/volatility/framework/automagic/pdbscan.py", line 479, in __call__
    self.recurse_symbol_fulfiller(context, valid_kernels, progress_callback)
  File "/usr/lib/python3.7/site-packages/volatility-1.0.0b1-py3.7.egg/volatility/framework/automagic/pdbscan.py", line 209, in recurse_symbol_fulfiller
    self.download_pdb_isf(kernel['GUID'], kernel['age'], kernel['pdb_name'], progress_callback)
  File "/usr/lib/python3.7/site-packages/volatility-1.0.0b1-py3.7.egg/volatility/framework/automagic/pdbscan.py", line 253, in download_pdb_isf
    json_output = pdbconv.PdbReader(self.context, location, progress_callback).get_json()
  File "/usr/lib/python3.7/site-packages/volatility-1.0.0b1-py3.7.egg/volatility/framework/symbols/windows/pdbconv.py", line 263, in __init__
    self._layer_name, self._context = self.load_pdb_layer(context, location)
  File "/usr/lib/python3.7/site-packages/volatility-1.0.0b1-py3.7.egg/volatility/framework/symbols/windows/pdbconv.py", line 309, in load_pdb_layer
    msf_layer = msf.PdbMultiStreamFormat(new_context, msf_config_path, msf_layer_name)
  File "/usr/lib/python3.7/site-packages/volatility-1.0.0b1-py3.7.egg/volatility/framework/layers/msf.py", line 28, in __init__
    self._pdb_symbol_table = intermed.IntermediateSymbolTable.create(context, self._config_path, 'windows', 'pdb')
  File "/usr/lib/python3.7/site-packages/volatility-1.0.0b1-py3.7.egg/volatility/framework/symbols/intermed.py", line 227, in create
    raise ValueError("No symbol files found at provided filename: {}", filename)
ValueError: ('No symbol files found at provided filename: {}', 'pdb')

Unable to validate the plugin requirements: ['plugins.Info.nt_symbols']
Progress:  100.00		Downloading http://msdl.microsoft.com/download/symbols/ntkrpamp.pdb/5B308B4ED6464159B87117C711E7340C2/ntkrpamp.pdb
Unsatisfied requirement plugins.Info.nt_symbols: Windows kernel symbols

A symbol table requirement was not fulfilled.  Please verify that:
	You have the correct symbol file for the requirement
	The symbol file is under the correct directory or zip file
	The symbol file is named appropriately or contains the correct banner

I used the Docker images from https://github.com/sk4la/volatility3-docker.


More precisely, it looks to me as though the NT symbol converter is not behaving as it should. So I tried to trigger it manually.

Using pdbconv.py:

$ docker run -v ${DOWNLOADS}:/case --rm volatilityfoundation/pdbconv -f /case/08952902419D9F319187762F72CD80F2403F578B098714C1C565F8D6EE21898E00.blob -o 08952902419D9F319187762F72CD80F2403F578B098714C1C565F8D6EE21898E00.isf
Traceback (most recent call last):
  File "/usr/lib/volatility3/volatility/framework/symbols/windows/pdbconv.py", line 988, in <module>
    convertor = PdbReader(ctx, location, progress_callback = pg_cb)
  File "/usr/lib/volatility3/volatility/framework/symbols/windows/pdbconv.py", line 263, in __init__
    self._layer_name, self._context = self.load_pdb_layer(context, location)
  File "/usr/lib/volatility3/volatility/framework/symbols/windows/pdbconv.py", line 309, in load_pdb_layer
    msf_layer = msf.PdbMultiStreamFormat(new_context, msf_config_path, msf_layer_name)
  File "/usr/lib/python3.7/site-packages/volatility-1.0.0b1-py3.7.egg/volatility/framework/layers/msf.py", line 28, in __init__
    self._pdb_symbol_table = intermed.IntermediateSymbolTable.create(context, self._config_path, 'windows', 'pdb')
  File "/usr/lib/python3.7/site-packages/volatility-1.0.0b1-py3.7.egg/volatility/framework/symbols/intermed.py", line 227, in create
    raise ValueError("No symbol files found at provided filename: {}", filename)
ValueError: ('No symbol files found at provided filename: {}', 'pdb')

The test PDB file was manually fetched from http://msdl.microsoft.com/download/symbols/ntkrpamp.pdb/5B308B4ED6464159B87117C711E7340C2/ntkrpamp.pdb.

And using pdbparse-to-json.py:

# /usr/bin/env python3 /usr/lib/volatility3/development/pdbparse-to-json.py -f /case/08952902419D9F319187762F72CD80F2403F578B098714C1C565F8D6EE21898E00.blob -o /case/08952902419D9F319187762F72CD80F2403F578B098714C1C565F8D6EE21898E00.isf
INFO     __main__    : Parsing PDB...
INFO     __main__    : Reading usertypes...
INFO     __main__    : Reading enums...
INFO     __main__    : Reading symbols...

Looks like pdbparse-to-json.py manages to convert the symbols.


Also, I cannot manage to get the --symbol-dirs option working. The tool still triggers the download of the PDB file although I specified a custom local directory. So for now, I didn't manage to figure out a way to overcome the previous issue...

Do you have some insight about this?

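A small diagnostic for the two points raised so far in this thread: the GUID-plus-age file naming that ikelos describes (volatility/symbols/windows/ntkrpamp.pdb/<GUID>-<age>.json), and the 'windows'/'pdb' intermediate symbol table that both pdbconv tracebacks show being loaded before any PDB can be parsed. This is an added example, not code from volatility3 or from anyone in the thread. The compressed-ISF suffixes, the metadata.windows.pdb layout inside an ISF file, the windows/pdb.json location, and the run_self_check scenario are assumptions drawn from the tracebacks and the documentation link above, not facts confirmed by this page.

```python
"""Check a Volatility 3 symbol directory for the layout discussed in this thread.

Added example; not part of volatility3. Every layout detail below is an assumption
unless it appears verbatim in the thread.
"""
import json
import os
import re
import tempfile
from typing import Iterable, List, Optional, Tuple

# Assumption: vol3 loads ISF files as plain .json and as xz/gz/bz2-compressed JSON.
# Plain .json is what the pdbconv.py -o invocation in the thread produces.
ISF_SUFFIXES = (".json", ".json.xz", ".json.gz", ".json.bz2")


def split_guid_age(guid_age: str) -> Tuple[str, int]:
    """Split pdbconv's -g argument (32 hex chars followed by a decimal age).

    '5B308B4ED6464159B87117C711E7340C2' -> ('5B308B4ED6464159B87117C711E7340C', 2)
    """
    m = re.fullmatch(r"([0-9A-Fa-f]{32})(\d+)", guid_age.strip())
    if not m:
        raise ValueError(f"not a <GUID><age> string: {guid_age!r}")
    return m.group(1).upper(), int(m.group(2))


def expected_isf_relpaths(pdb_name: str, guid: str, age: int) -> List[str]:
    """Relative paths vol3 looks for: windows/<pdb>/<GUID>-<age>.json (plus suffix variants)."""
    stem = f"{guid.upper()}-{age}"
    return [os.path.join("windows", pdb_name, stem + sfx) for sfx in ISF_SUFFIXES]


def find_isf(symbol_dirs: Iterable[str], pdb_name: str, guid: str, age: int) -> Optional[str]:
    """Return the first symbol file present under any of the symbol directories, else None."""
    for base in symbol_dirs:
        for rel in expected_isf_relpaths(pdb_name, guid, age):
            candidate = os.path.join(base, rel)
            if os.path.isfile(candidate):
                return candidate
    return None


def has_pdb_format_table(symbol_dirs: Iterable[str]) -> bool:
    """The tracebacks show msf.py calling IntermediateSymbolTable.create(..., 'windows', 'pdb').

    Assumption: that resolves to windows/pdb.json (or a compressed variant) in a symbol dir.
    """
    for base in symbol_dirs:
        for sfx in ISF_SUFFIXES:
            if os.path.isfile(os.path.join(base, "windows", "pdb" + sfx)):
                return True
    return False


def isf_metadata_matches(path: str, pdb_name: str, guid: str, age: int) -> bool:
    """Compare the file's metadata.windows.pdb block (assumed ISF layout) with the expected values."""
    if not path.endswith(".json"):
        return False  # compressed variants are left out of this example
    with open(path, "r", encoding="utf-8") as fh:
        data = json.load(fh)
    pdb = data.get("metadata", {}).get("windows", {}).get("pdb", {})
    return (
        str(pdb.get("GUID", "")).upper() == guid.upper()
        and int(pdb.get("age", -1)) == int(age)
        and pdb.get("database") == pdb_name
    )


def write_constructed_isf(base_dir: str, pdb_name: str, guid: str, age: int) -> str:
    """Write a minimal, constructed ISF-shaped JSON file at the expected location (test fixture)."""
    path = os.path.join(base_dir, expected_isf_relpaths(pdb_name, guid, age)[0])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    doc = {
        "metadata": {"producer": {"name": "constructed-example"},
                     "windows": {"pdb": {"GUID": guid, "age": age, "database": pdb_name}}},
        "base_types": {}, "user_types": {}, "enums": {}, "symbols": {},
    }
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh)
    return path


def diagnose(symbol_dirs: List[str], pdb_name: str, guid_age: str) -> dict:
    """Run all checks for one kernel PDB identity and report the results."""
    guid, age = split_guid_age(guid_age)
    found = find_isf(symbol_dirs, pdb_name, guid, age)
    return {
        "guid": guid,
        "age": age,
        "expected": expected_isf_relpaths(pdb_name, guid, age)[0],
        "found": found,
        "metadata_ok": bool(found) and isf_metadata_matches(found, pdb_name, guid, age),
        "pdb_table_present": has_pdb_format_table(symbol_dirs),
    }


def run_self_check() -> dict:
    """Constructed scenario: a symbol dir holding the renamed kernel ISF from ikelos' command
    but no windows/pdb.json, so the kernel file is found while the PDB parser's own table is not."""
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_isf(tmp, "ntkrpamp.pdb", "5B308B4ED6464159B87117C711E7340C", 2)
        return diagnose([tmp], "ntkrpamp.pdb", "5B308B4ED6464159B87117C711E7340C2")


if __name__ == "__main__":
    for key, value in run_self_check().items():
        print(f"{key}: {value}")
```

Point diagnose() at your real --symbol-dirs entries to see which of the two lookups fails: a missing kernel file means the GUID/age naming is off, while a missing windows/pdb.json matches the 'No symbol files found at provided filename: pdb' error in the tracebacks above (under the assumption stated in has_pdb_format_table).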

araaj commented on August 21, 2024

I re-captured the image of the same desktop again with Ram Capture, this time it worked fine. Could be that the image was not acquired correctly before.


araaj commented on August 21, 2024

I tried another host. The image was captured using Redline and was originally to be analyzed in Redline. I tried using the .dat file created by Redline as the memory dump. When parsing pslist using Volatility, I get the output along with the error.

C:>vol.exe -vvv -f w32memory-acquisition-100.urn_uuid_32a91b60-c2ae-4c39-be81-40c5f7e66389.dat windows.pslist
Volatility 3 Framework 1.0.0-beta.1
INFO root : Volatility plugins path: ['C:\plugins', 'C:\Users\Maash\AppData\Local\Temp\_MEI112362\volatility\plugins', 'C:\Users\Maash\AppData\Local\Temp\_MEI112362\volatility\framework\plugins']
INFO root : Volatility symbols path: ['C:\symbols', 'C:\Users\Maash\AppData\Local\Temp\_MEI112362\volatility\symbols', 'C:\Users\Maash\AppData\Local\Temp\_MEI112362\volatility\framework\symbols']
DEBUG volatility.framework: Importing module: volatility.plugins.windows.statistics
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.certificates
DEBUG volatility.framework: Importing module: volatility.plugins.configwriter
DEBUG volatility.framework: Importing module: volatility.plugins.layerwriter
DEBUG volatility.framework: Importing module: volatility.plugins.timeliner
DEBUG volatility.framework: Importing module: volatility.plugins.yarascan
DEBUG volatility.framework: Importing module: volatility.plugins.linux.bash
DEBUG volatility.framework: Importing module: volatility.plugins.linux.check_afinfo
DEBUG volatility.framework: Importing module: volatility.plugins.linux.check_syscall
DEBUG volatility.framework: Importing module: volatility.plugins.linux.elfs
DEBUG volatility.framework: Importing module: volatility.plugins.linux.lsmod
DEBUG volatility.framework: Importing module: volatility.plugins.linux.lsof
DEBUG volatility.framework: Importing module: volatility.plugins.linux.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.linux.proc
DEBUG volatility.framework: Importing module: volatility.plugins.linux.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.linux.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.mac.bash
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_syscall
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_sysctl
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_trap_table
DEBUG volatility.framework: Importing module: volatility.plugins.mac.ifconfig
DEBUG volatility.framework: Importing module: volatility.plugins.mac.lsmod
DEBUG volatility.framework: Importing module: volatility.plugins.mac.lsof
DEBUG volatility.framework: Importing module: volatility.plugins.mac.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.mac.netstat
DEBUG volatility.framework: Importing module: volatility.plugins.mac.proc_maps
DEBUG volatility.framework: Importing module: volatility.plugins.mac.psaux
DEBUG volatility.framework: Importing module: volatility.plugins.mac.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.mac.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.mac.tasks
DEBUG volatility.framework: Importing module: volatility.plugins.mac.trustedbsd
DEBUG volatility.framework: Importing module: volatility.plugins.windows.callbacks
DEBUG volatility.framework: Importing module: volatility.plugins.windows.cmdline
DEBUG volatility.framework: Importing module: volatility.plugins.windows.dlldump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.dlllist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.driverirp
DEBUG volatility.framework: Importing module: volatility.plugins.windows.driverscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.filescan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.handles
DEBUG volatility.framework: Importing module: volatility.plugins.windows.info
DEBUG volatility.framework: Importing module: volatility.plugins.windows.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.windows.moddump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.modscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.modules
DEBUG volatility.framework: Importing module: volatility.plugins.windows.mutantscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.poolscanner
DEBUG volatility.framework: Importing module: volatility.plugins.windows.procdump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.psscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.windows.ssdt
DEBUG volatility.framework: Importing module: volatility.plugins.windows.strings
DEBUG volatility.framework: Importing module: volatility.plugins.windows.svcscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.symlinkscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vaddump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vadinfo
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vadyarascan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.verinfo
DEBUG volatility.framework: Importing module: volatility.plugins.windows.virtmap
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.hivelist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.hivescan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.printkey
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.userassist
DEBUG volatility.framework: Importing module: volatility.framework.automagic.construct_layers
DEBUG volatility.framework: Importing module: volatility.framework.automagic.linux
DEBUG volatility.framework: Importing module: volatility.framework.automagic.mac
DEBUG volatility.framework: Importing module: volatility.framework.automagic.pdbscan
DEBUG volatility.framework: Importing module: volatility.framework.automagic.stacker
DEBUG volatility.framework: Importing module: volatility.framework.automagic.symbol_cache
DEBUG volatility.framework: Importing module: volatility.framework.automagic.symbol_finder
DEBUG volatility.framework: Importing module: volatility.framework.automagic.windows
INFO volatility.framework.automagic: Detected a windows category plugin
INFO volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.nt_symbols
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 9 volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
INFO volatility.framework.automagic: Running automagic: LayerStacker
DEBUG volatility.framework: Importing module: volatility.framework.layers.crash
DEBUG volatility.framework: Importing module: volatility.framework.layers.intel
DEBUG volatility.framework: Importing module: volatility.framework.layers.lime
DEBUG volatility.framework: Importing module: volatility.framework.layers.linear
DEBUG volatility.framework: Importing module: volatility.framework.layers.msf
DEBUG volatility.framework: Importing module: volatility.framework.layers.physical
DEBUG volatility.framework: Importing module: volatility.framework.layers.registry
DEBUG volatility.framework: Importing module: volatility.framework.layers.resources
DEBUG volatility.framework: Importing module: volatility.framework.layers.segmented
DEBUG volatility.framework: Importing module: volatility.framework.layers.vmware
DEBUG volatility.framework: Importing module: volatility.framework.layers.scanners.multiregexp
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
DEBUG volatility.framework.automagic.windows: DTB was found at: 0x1aa000
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary.memory_layer
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.nt_symbols
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 9 volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
DEBUG volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility.framework.automagic: Running automagic: WinSwapLayers
INFO volatility.framework.automagic: Running automagic: WintelHelper
INFO volatility.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
DEBUG volatility.framework.automagic.pdbscan: Kernel base determination - using KDBG structure for kernel offset
DEBUG volatility.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility.framework.automagic.pdbscan: Using symbol library: ntkrnlmp.pdb\7C2C2FD987604405A15F148919E1B4DB-1
DEBUG volatility.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf800f3816000

PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_EPROCESS_QUOTA_BLOCK
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_PAGEFAULT_HISTORY
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_JOB_ACCESS_STATE
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_JOB_CPU_RATE_CONTROL
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_JOB_NOTIFICATION_INFORMATION
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_ACTIVATION_CONTEXT_DATA
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_FLS_CALLBACK_INFO
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_ASSEMBLY_STORAGE_MAP
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_SCSI_REQUEST_BLOCK

4 0 System 0xe001b87bd900 287 - N/A False 2019-07-05 08:29:18.000000 N/A
740 4 smss.exe 0xe001ba316900 2 - N/A False 2019-07-05 08:29:18.000000 N/A
968 956 csrss.exe 0xe001bef7b900 10 - 0 False 2019-07-05 08:29:24.000000 N/A
252 1020 csrss.exe 0xe801e013d080 8 - 1 False 2019-07-05 08:29:26.000000 N/A
260 956 wininit.exe 0xe001bf0fe900 1 - 0 False 2019-07-05 08:29:26.000000 N/A
264 1020 winlogon.exe 0xe801e0153080 2 - 1 False 2019-07-05 08:29:27.000000 N/A
800 260 services.exe 0xe001b9ea5080 4 - 0 False 2019-07-05 08:29:30.000000 N/A
812 260 lsass.exe 0xe001b883f900 6 - 0 False 2019-07-05 08:29:30.000000 N/A
908 800 svchost.exe 0xe001bf358900 8 - 0 False 2019-07-05 08:29:32.000000 N/A
976 800 svchost.exe 0xe001bf33c2c0 8 - 0 False 2019-07-05 08:29:32.000000 N/A
772 264 LogonUI.exe 0xe801e00cd900 7 - 1 False 2019-07-05 08:29:32.000000 N/A
248 264 dwm.exe 0xe801e016c900 6 - 1 False 2019-07-05 08:29:32.000000 N/A
916 800 svchost.exe 0xe001b8833900 15 - 0 False 2019-07-05 08:29:33.000000 N/A
1064 800 svchost.exe 0xe001b8831900 19 - 0 False 2019-07-05 08:29:33.000000 N/A
1088 800 svchost.exe 0xe001b882f900 42 - 0 False 2019-07-05 08:29:33.000000 N/A
1156 800 svchost.exe 0xe801e01f1080 23 - 0 False 2019-07-05 08:29:33.000000 N/A
1456 800 svchost.exe 0xe001bf483900 18 - 0 False 2019-07-05 08:29:35.000000 N/A
1600 800 spoolsv.exe 0xe001b9e71900 12 - 0 False 2019-07-05 08:29:36.000000 N/A
1624 800 svchost.exe 0xe001bf479900 8 - 0 False 2019-07-05 08:29:36.000000 N/A
1660 800 HealthService. 0xe801dfb0a900 27 - 0 False 2019-07-05 08:29:36.000000 N/A
1884 1668 TraceLogSM.exe 0xe001b89c4900 0 - 0 False 2019-07-05 08:29:38.000000 2019-07-05 08:29:38.000000
1908 1668 TraceLogSM.exe 0xe001b8e1f900 0 - 0 False 2019-07-05 08:29:38.000000 2019-07-05 08:29:38.000000
1928 800 mfemms.exe 0xe001b8e1d900 18 - 0 False 2019-07-05 08:29:38.000000 N/A
1964 800 agentwrap.exe 0xe001b8e03900 2 - 0 False 2019-07-05 08:29:39.000000 N/A
2000 1668 TraceLogSM.exe 0xe001bf7fc900 0 - 0 False 2019-07-05 08:29:39.000000 2019-07-05 08:29:39.000000
2008 1928 mfevtps.exe 0xe001bf7f6200 9 - 0 False 2019-07-05 08:29:39.000000 N/A
1548 800 sddsrv.exe 0xe001bfff3080 6 - 0 False 2019-07-05 08:29:40.000000 N/A
1792 800 snmp.exe 0xe001bfff9080 5 - 0 False 2019-07-05 08:29:40.000000 N/A
512 1964 MicrosoftDepen 0xe801e06cb780 7 - 0 False 2019-07-05 08:29:40.000000 N/A
1468 800 svchost.exe 0xe001c0496080 14 - 0 False 2019-07-05 08:29:40.000000 N/A
2056 800 pbx_exchange.e 0xe001c04c6900 2 - 0 True 2019-07-05 08:29:40.000000 N/A
2092 1668 TraceLogSM.exe 0xe001c0531900 0 - 0 False 2019-07-05 08:29:41.000000 2019-07-05 08:29:41.000000
2104 1668 TraceLogSM.exe 0xe001c052c900 0 - 0 False 2019-07-05 08:29:41.000000 2019-07-05 08:29:41.000000
2168 1928 mcshield.exe 0xe001c07f6900 192 - 0 False 2019-07-05 08:29:42.000000 N/A
2200 1928 mfeesp.exe 0xe001c0f3e340 61 - 0 False 2019-07-05 08:29:42.000000 N/A
2224 1928 mfefire.exe 0xe001c0526900 7 - 0 False 2019-07-05 08:29:42.000000 N/A
2240 1928 mfehcs.exe 0xe001c0f88080 89 - 0 False 2019-07-05 08:29:42.000000 N/A
2316 1928 mfetp.exe 0xe001bf53f080 50 - 0 False 2019-07-05 08:29:42.000000 N/A
2756 800 WinCollectSvc. 0xe001bf25a900 10 - 0 False 2019-07-05 08:29:43.000000 N/A
3000 800 nbdisco.exe 0xe001c1246900 8 - 0 False 2019-07-05 08:29:45.000000 N/A
2268 800 vnetd.exe 0xe001c1297080 3 - 0 False 2019-07-05 08:29:47.000000 N/A
2324 800 bpinetd.exe 0xe001c1282900 7 - 0 False 2019-07-05 08:29:48.000000 N/A
3224 800 bpcd.exe 0xe001c1371900 3 - 0 False 2019-07-05 08:29:48.000000 N/A
3516 2756 WinCollect.exe 0xe801e09f8900 45 - 0 False 2019-07-05 08:29:50.000000 N/A
3524 3516 conhost.exe 0xe801e0dce900 0 - 0 False 2019-07-05 08:29:50.000000 2019-08-05 04:53:10.000000
3768 800 svchost.exe 0xe801e0c9c180 143 - 0 False 2019-07-05 08:29:51.000000 N/A
3796 800 svchost.exe 0xe001b8ace900 3 - 0 False 2019-07-05 08:29:51.000000 N/A
4960 2200 mfecanary.exe 0xe001b8a246c0 2 - 0 False 2019-07-05 08:29:52.000000 N/A
5000 4960 conhost.exe 0xe001c2335080 0 - 0 False 2019-07-05 08:29:52.000000 2019-08-05 04:53:10.000000
5940 908 MonitoringHost 0xe801e0fa6600 64 - 0 False 2019-07-05 08:30:03.000000 N/A
5512 6080 csrss.exe 0xe001bc9b5900 9 - 2 False 2019-07-05 08:30:13.000000 N/A
2364 6080 winlogon.exe 0xe001c2333900 2 - 2 False 2019-07-05 08:30:13.000000 N/A
6228 2364 dwm.exe 0xe801e2bc0900 8 - 2 False 2019-07-05 08:30:13.000000 N/A
6540 1088 taskhostex.exe 0xe001c2268900 6 - 2 False 2019-07-05 08:30:18.000000 N/A
6600 3768 rdpclip.exe 0xe801e240d400 9 - 2 False 2019-07-05 08:30:18.000000 N/A
6788 6780 explorer.exe 0xe801e2217900 76 - 2 False 2019-07-05 08:30:21.000000 N/A
3156 800 msdtc.exe 0xe001c1d4b900 9 - 0 False 2019-07-05 08:31:51.000000 N/A
4188 6788 notepad++.exe 0xe801ea90a640 0 - 2 False 2019-07-09 08:07:44.000000 2019-07-09 08:19:18.000000
6444 7404 mmc.exe 0xe001c477c080 0 - 2 False 2019-07-11 06:22:41.000000 2019-07-11 06:24:03.000000
8024 6788 notepad++.exe 0xe001ba702080 0 - 2 False 2019-07-19 08:22:55.000000 2019-07-19 08:24:23.000000
7616 6788 notepad++.exe 0xe001bb046900 0 - 2 False 2019-07-19 08:24:36.000000 2019-07-22 05:22:45.000000
9364 6788 notepad++.exe 0xe001ba886900 0 - 2 False 2019-07-19 08:26:25.000000 2019-07-19 08:26:25.000000
10784 6788 notepad++.exe 0xe801f4ded900 0 - 2 False 2019-07-22 05:18:05.000000 2019-07-22 05:18:05.000000
12780 6788 notepad++.exe 0xe001c5c11900 0 - 2 False 2019-08-05 05:04:35.000000 2019-08-05 05:46:51.000000
2084 6788 mmc.exe 0xe001d5dbb900 15 - 2 False 2019-08-26 04:55:43.000000 N/A
11848 6788 cmd.exe 0xe001d148a700 1 - 2 False 2019-08-26 04:58:51.000000 N/A
8164 11848 conhost.exe 0xe801f39ec900 2 - 2 False 2019-08-26 04:58:51.000000 N/A
2856 11848 httpd.exe 0xe801f93384c0 1 - 2 False 2019-08-26 04:59:00.000000 N/A
4300 2856 httpd.exe 0xe801ecc8a900 67 - 2 False 2019-08-26 04:59:01.000000 N/A
9012 12036 conhost.exe 0xe8020bfe24c0 0 - 0 False 2019-08-27 02:00:06.000000 2019-08-27 02:01:17.000000
10432 12036 cmd.exe 0xe80207e48900 3 - 0 False 2019-08-27 02:00:07.000000 N/A
11736 10432 conhost.exe 0xe80200504080 2 - 0 False 2019-08-27 02:00:07.000000 N/A
7832 12036 cmd.exe 0xe802083c0900 3 - 0 False 2019-08-27 02:01:07.000000 N/A
2148 7832 conhost.exe 0xe001d5056900 2 - 0 False 2019-08-27 02:01:07.000000 N/A
1436 4504 conhost.exe 0xe001d067f700 0 - 0 False 2019-08-28 02:00:06.000000 2019-08-28 02:01:16.000000
4396 4504 cmd.exe 0xe001d2c4e700 3 - 0 False 2019-08-28 02:00:06.000000 N/A
8520 4396 conhost.exe 0xe001c18fb300 2 - 0 False 2019-08-28 02:00:06.000000 N/A
4528 4504 cmd.exe 0xe001cb1ed080 3 - 0 False 2019-08-28 02:01:06.000000 N/A
13112 4528 conhost.exe 0xe801e5fa2080 2 - 0 False 2019-08-28 02:01:06.000000 N/A
12672 14632 conhost.exe 0xe8020caa0900 0 - 0 False 2019-08-29 02:00:06.000000 2019-08-29 02:01:16.000000
3644 14632 cmd.exe 0xe8020d6fb080 3 - 0 False 2019-08-29 02:00:06.000000 N/A
1312 3644 conhost.exe 0xe001c5ad33c0 2 - 0 False 2019-08-29 02:00:06.000000 N/A
8140 14632 cmd.exe 0xe001cb3943c0 3 - 0 False 2019-08-29 02:01:06.000000 N/A
7652 8140 conhost.exe 0xe802083ba300 2 - 0 False 2019-08-29 02:01:06.000000 N/A
2828 3236 conhost.exe 0xe001d1f85080 0 - 0 False 2019-08-30 02:00:06.000000 2019-08-30 02:01:17.000000
4112 3236 cmd.exe 0xe001d7845080 3 - 0 False 2019-08-30 02:00:07.000000 N/A
7112 4112 conhost.exe 0xe001d820e900 2 - 0 False 2019-08-30 02:00:07.000000 N/A
11972 3236 cmd.exe 0xe001d78cb4c0 3 - 0 False 2019-08-30 02:01:07.000000 N/A
4148 11972 conhost.exe 0xe8020d974700 2 - 0 False 2019-08-30 02:01:07.000000 N/A
15284 15324 csrss.exe 0xe001d6fee900 9 - 7 False 2019-08-30 08:06:40.000000 N/A
10976 15324 winlogon.exe 0xe001d8804080 2 - 7 False 2019-08-30 08:06:40.000000 N/A
15248 10976 dwm.exe 0xe001d4ded900 8 - 7 False 2019-08-30 08:06:41.000000 N/A
11240 3768 rdpclip.exe 0xe801f7ab7900 5 - 7 False 2019-08-30 08:06:42.000000 N/A
14972 1088 taskhostex.exe 0xe001d5f1f080 4 - 7 False 2019-08-30 08:06:42.000000 N/A
9396 7376 explorer.exe 0xe801f0c6c340 36 - 7 False 2019-08-30 08:06:42.000000 N/A
11696 9396 notepad++.exe 0xe001cfd4b580 0 - 7 False 2019-08-30 08:11:52.000000 2019-08-30 08:13:28.000000
7972 9396 notepad++.exe 0xe001d8776900 2 - 7 True 2019-08-30 08:13:32.000000 N/A
5948 9396 notepad++.exe 0xe001d7767600 0 - 7 False 2019-08-30 10:09:53.000000 2019-08-30 10:09:54.000000
8700 9396 notepad++.exe 0xe001d0ab83c0 0 - 7 False 2019-08-30 10:10:36.000000 2019-08-30 10:10:37.000000
8044 9396 notepad++.exe 0xe001d64e4400 0 - 7 False 2019-08-30 10:10:46.000000 2019-08-30 10:10:47.000000
5844 9280 csrss.exe 0xe8020b26e080 9 - 8 False 2019-08-30 10:24:56.000000 N/A
11924 9280 winlogon.exe 0xe8020a06a080 4 - 8 False 2019-08-30 10:24:56.000000 N/A
9476 11924 dwm.exe 0xe801f63f6080 8 - 8 False 2019-08-30 10:24:57.000000 N/A
12996 1088 taskhostex.exe 0xe8020b8fe900 4 - 8 False 2019-08-30 10:25:00.000000 N/A
6824 3768 rdpclip.exe 0xe801f8720900 7 - 8 False 2019-08-30 10:25:00.000000 N/A
1688 7532 explorer.exe 0xe001ca90f400 33 - 8 False 2019-08-30 10:25:04.000000 N/A
4436 1688 mmc.exe 0xe8020c5f1080 2 - 8 False 2019-08-30 10:26:56.000000 N/A
7804 9396 notepad++.exe 0xe001d3407480 0 - 7 False 2019-08-30 10:48:12.000000 2019-08-30 10:48:13.000000
3100 9396 notepad++.exe 0xe001d0257380 0 - 7 False 2019-08-30 10:49:19.000000 2019-08-30 10:49:20.000000
6880 7204 mmc.exe 0xe001d2dce440 3 - 2 False 2019-08-30 11:23:15.000000 N/A
8432 9620 mmc.exe 0xe801e7add900 16 - 8 False 2019-08-30 14:20:26.000000 N/A
14708 14288 conhost.exe 0xe8020a32c3c0 0 - 0 False 2019-08-31 02:00:06.000000 2019-08-31 02:01:16.000000
15288 14288 cmd.exe 0xe8020bdaa900 3 - 0 False 2019-08-31 02:00:06.000000 N/A
9620 15288 conhost.exe 0xe8020d056900 2 - 0 False 2019-08-31 02:00:06.000000 N/A
3824 14288 cmd.exe 0xe8020d6b9900 3 - 0 False 2019-08-31 02:01:06.000000 N/A
12132 3824 conhost.exe 0xe801f70a0900 2 - 0 False 2019-08-31 02:01:06.000000 N/A
7468 3256 conhost.exe 0xe001d079a900 0 - 0 False 2019-09-01 02:00:06.000000 2019-09-01 02:01:17.000000
4360 3256 cmd.exe 0xe802091fe740 3 - 0 False 2019-09-01 02:00:06.000000 N/A
13136 4360 conhost.exe 0xe001cfe57900 2 - 0 False 2019-09-01 02:00:06.000000 N/A
8864 3256 cmd.exe 0xe001d84aa700 3 - 0 False 2019-09-01 02:01:07.000000 N/A
13704 8864 conhost.exe 0xe8020a184900 2 - 0 False 2019-09-01 02:01:07.000000 N/A
5644 9504 conhost.exe 0xe001cbf60900 0 - 0 False 2019-09-02 02:00:06.000000 2019-09-02 02:01:17.000000
12524 9504 cmd.exe 0xe001cf6a3280 3 - 0 False 2019-09-02 02:00:07.000000 N/A
12664 12524 conhost.exe 0xe001d9114080 2 - 0 False 2019-09-02 02:00:07.000000 N/A
7752 9504 cmd.exe 0xe001d6dd7900 3 - 0 False 2019-09-02 02:01:07.000000 N/A
12172 7752 conhost.exe 0xe001d496a080 2 - 0 False 2019-09-02 02:01:07.000000 N/A
11012 15332 conhost.exe 0xe001da5f2080 0 - 0 False 2019-09-03 02:00:06.000000 2019-09-03 02:01:16.000000
11324 15332 cmd.exe 0xe001d9ce8080 3 - 0 False 2019-09-03 02:00:06.000000 N/A
3272 11324 conhost.exe 0xe001d5d03900 2 - 0 False 2019-09-03 02:00:06.000000 N/A
14604 15332 cmd.exe 0xe001d92946c0 3 - 0 False 2019-09-03 02:01:06.000000 N/A
9996 14604 conhost.exe 0xe801f6dd3900 2 - 0 False 2019-09-03 02:01:06.000000 N/A
8500 9396 notepad++.exe 0xe001dbc94240 0 - 7 False 2019-09-03 05:46:59.000000 2019-09-03 05:47:02.000000
8396 9396 notepad++.exe 0xe001d72bc900 0 - 7 False 2019-09-03 05:47:10.000000 2019-09-03 05:47:11.000000
13836 9396 notepad++.exe 0xe001d9911900 0 - 7 False 2019-09-03 05:48:23.000000 2019-09-03 05:48:24.000000
8760 9396 notepad++.exe 0xe001daf04080 0 - 7 False 2019-09-03 08:08:03.000000 2019-09-03 08:08:04.000000
14008 908 explorer.exe 0xe001d9e0d380 6 - 7 False 2019-09-03 08:12:06.000000 N/A
13452 9396 notepad++.exe 0xe001d79303c0 0 - 7 False 2019-09-03 08:12:17.000000 2019-09-03 08:12:18.000000
6512 1112 conhost.exe 0xe8020f3aa900 0 - 0 False 2019-09-04 02:00:06.000000 2019-09-04 02:01:17.000000
7948 1112 cmd.exe 0xe8020be40480 3 - 0 False 2019-09-04 02:00:06.000000 N/A
10580 7948 conhost.exe 0xe801ef8c6900 2 - 0 False 2019-09-04 02:00:06.000000 N/A
11356 1112 cmd.exe 0xe80209374900 3 - 0 False 2019-09-04 02:01:07.000000 N/A
11096 11356 conhost.exe 0xe001d0821080 2 - 0 False 2019-09-04 02:01:07.000000 N/A
8968 8720 conhost.exe 0xe8020e47d480 0 - 0 False 2019-09-05 02:00:06.000000 2019-09-05 02:01:17.000000
6888 8720 cmd.exe 0xe801f79d0280 3 - 0 False 2019-09-05 02:00:06.000000 N/A
3904 6888 conhost.exe 0xe801e67d4080 2 - 0 False 2019-09-05 02:00:06.000000 N/A
7756 8720 cmd.exe 0xe8020c213580 3 - 0 False 2019-09-05 02:01:07.000000 N/A
5908 7756 conhost.exe 0xe001d8b4a300 2 - 0 False 2019-09-05 02:01:07.000000 N/A
12032 15240 conhost.exe 0xe8020a3c7900 0 - 0 False 2019-09-06 02:00:06.000000 2019-09-06 02:01:17.000000
9008 15240 cmd.exe 0xe801f4eca900 3 - 0 False 2019-09-06 02:00:06.000000 N/A
12848 9008 conhost.exe 0xe801e5fda900 2 - 0 False 2019-09-06 02:00:06.000000 N/A
8504 15240 cmd.exe 0xe801e6510580 3 - 0 False 2019-09-06 02:01:07.000000 N/A
14324 8504 conhost.exe 0xe001d9d31340 2 - 0 False 2019-09-06 02:01:07.000000 N/A
14804 13072 conhost.exe 0xe001dfa316c0 0 - 0 False 2019-09-07 02:00:06.000000 2019-09-07 02:01:17.000000
3980 13072 cmd.exe 0xe001dab734c0 3 - 0 False 2019-09-07 02:00:06.000000 N/A
9140 3980 conhost.exe 0xe001c9a5c340 2 - 0 False 2019-09-07 02:00:06.000000 N/A
14544 13072 cmd.exe 0xe001e039c080 3 - 0 False 2019-09-07 02:01:07.000000 N/A
13036 14544 conhost.exe 0xe8020d9f9900 2 - 0 False 2019-09-07 02:01:07.000000 N/A
8756 4532 conhost.exe 0xe8020dd61900 0 - 0 False 2019-09-08 02:00:06.000000 2019-09-08 02:01:17.000000
1180 4532 cmd.exe 0xe801f8816900 3 - 0 False 2019-09-08 02:00:06.000000 N/A
6420 1180 conhost.exe 0xe801e5ff2900 2 - 0 False 2019-09-08 02:00:06.000000 N/A
7316 4532 cmd.exe 0xe801f59e1240 3 - 0 False 2019-09-08 02:01:07.000000 N/A
8404 7316 conhost.exe 0xe001d970c900 2 - 0 False 2019-09-08 02:01:07.000000 N/A
8644 13264 conhost.exe 0xe001ca054280 0 - 0 False 2019-09-09 02:00:06.000000 2019-09-09 02:01:16.000000
1412 13264 cmd.exe 0xe001d870c580 3 - 0 False 2019-09-09 02:00:06.000000 N/A
3384 1412 conhost.exe 0xe001df5fc340 2 - 0 False 2019-09-09 02:00:06.000000 N/A
12956 13264 cmd.exe 0xe001d3501380 3 - 0 False 2019-09-09 02:01:06.000000 N/A
10856 12956 conhost.exe 0xe801f7b7b640 2 - 0 False 2019-09-09 02:01:06.000000 N/A
11312 6892 conhost.exe 0xe801f5ba5900 0 - 0 False 2019-09-10 02:00:06.000000 2019-09-10 02:01:17.000000
8996 6892 cmd.exe 0xe801f6d4d080 3 - 0 False 2019-09-10 02:00:06.000000 N/A
6360 8996 conhost.exe 0xe8020cf45480 2 - 0 False 2019-09-10 02:00:07.000000 N/A
9460 6892 cmd.exe 0xe8020a306080 3 - 0 False 2019-09-10 02:01:07.000000 N/A
12756 9460 conhost.exe 0xe001c9f22680 2 - 0 False 2019-09-10 02:01:07.000000 N/A
11700 10520 conhost.exe 0xe80208743800 0 - 0 False 2019-09-11 02:00:06.000000 2019-09-11 02:01:17.000000
14844 10520 cmd.exe 0xe8020b79b2c0 3 - 0 False 2019-09-11 02:00:07.000000 N/A
10588 14844 conhost.exe 0xe80206d9e900 2 - 0 False 2019-09-11 02:00:07.000000 N/A
10012 10520 cmd.exe 0xe801f7b53580 3 - 0 False 2019-09-11 02:01:07.000000 N/A
10608 10012 conhost.exe 0xe001bac65900 2 - 0 False 2019-09-11 02:01:07.000000 N/A
13892 11924 wlrmdr.exe 0xe801e7e76900 0 - 8 False 2019-09-19 06:15:26.000000 2019-09-19 06:15:29.000000
15492 5940 cscript.exe 0xe801df8f1440 0 - 0 False 2019-09-19 06:20:12.000000 2019-09-19 06:20:12.000000
Traceback (most recent call last):
File "vol.py", line 10, in <module>
File "volatility\cli\__init__.py", line 442, in main
File "volatility\cli\__init__.py", line 269, in run
File "volatility\cli\text_renderer.py", line 159, in render
File "volatility\framework\renderers\__init__.py", line 196, in populate
File "volatility\framework\plugins\windows\pslist.py", line 137, in generator
File "volatility\framework\objects\__init__.py", line 681, in __getattr__
File "volatility\framework\objects\templates.py", line 72, in __call__
File "volatility\framework\objects\__init__.py", line 113, in __new__
File "volatility\framework\objects\__init__.py", line 284, in _unmarshall
File "volatility\framework\interfaces\layers.py", line 492, in read
File "volatility\framework\layers\linear.py", line 37, in read
File "volatility\framework\layers\intel.py", line 195, in mapping
File "volatility\framework\layers\intel.py", line 317, in _translate
File "volatility\framework\layers\intel.py", line 275, in _translate_swap
File "volatility\framework\layers\intel.py", line 100, in _translate
File "volatility\framework\layers\intel.py", line 126, in _translate_entry
volatility.framework.exceptions.PagedInvalidAddressException: Page Fault at entry 0x0 in table page directory pointer
[1828] Failed to execute script vol
9934435196969 121424789660004 d, error, highl 0xe001dec933c0 640032876 - - True - N/A
--------------------------------------------------------------------------------------------------------------
I tried another host, again captured via Redline. This time Volatility didn't give me the earlier symbols error:

C:\>vol.exe -vvv -f w32memory-acquisition-100.urn_uuid_32a91b60-c2ae-4c39-be81-40c5f7e66389.dat windows.pslist
Volatility 3 Framework 1.0.0-beta.1
INFO root : Volatility plugins path: ['C:\plugins', 'C:\Users\Maash\AppData\Local\Temp\_MEI107842\volatility\plugins', 'C:\Users\Maash\AppData\Local\Temp\_MEI107842\volatility\framework\plugins']
INFO root : Volatility symbols path: ['C:\symbols', 'C:\Users\Maash\AppData\Local\Temp\_MEI107842\volatility\symbols', 'C:\Users\Maash\AppData\Local\Temp\_MEI107842\volatility\framework\symbols']
DEBUG volatility.framework: Importing module: volatility.plugins.windows.statistics
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.certificates
DEBUG volatility.framework: Importing module: volatility.plugins.configwriter
DEBUG volatility.framework: Importing module: volatility.plugins.layerwriter
DEBUG volatility.framework: Importing module: volatility.plugins.timeliner
DEBUG volatility.framework: Importing module: volatility.plugins.yarascan
DEBUG volatility.framework: Importing module: volatility.plugins.linux.bash
DEBUG volatility.framework: Importing module: volatility.plugins.linux.check_afinfo
DEBUG volatility.framework: Importing module: volatility.plugins.linux.check_syscall
DEBUG volatility.framework: Importing module: volatility.plugins.linux.elfs
DEBUG volatility.framework: Importing module: volatility.plugins.linux.lsmod
DEBUG volatility.framework: Importing module: volatility.plugins.linux.lsof
DEBUG volatility.framework: Importing module: volatility.plugins.linux.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.linux.proc
DEBUG volatility.framework: Importing module: volatility.plugins.linux.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.linux.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.mac.bash
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_syscall
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_sysctl
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_trap_table
DEBUG volatility.framework: Importing module: volatility.plugins.mac.ifconfig
DEBUG volatility.framework: Importing module: volatility.plugins.mac.lsmod
DEBUG volatility.framework: Importing module: volatility.plugins.mac.lsof
DEBUG volatility.framework: Importing module: volatility.plugins.mac.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.mac.netstat
DEBUG volatility.framework: Importing module: volatility.plugins.mac.proc_maps
DEBUG volatility.framework: Importing module: volatility.plugins.mac.psaux
DEBUG volatility.framework: Importing module: volatility.plugins.mac.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.mac.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.mac.tasks
DEBUG volatility.framework: Importing module: volatility.plugins.mac.trustedbsd
DEBUG volatility.framework: Importing module: volatility.plugins.windows.callbacks
DEBUG volatility.framework: Importing module: volatility.plugins.windows.cmdline
DEBUG volatility.framework: Importing module: volatility.plugins.windows.dlldump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.dlllist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.driverirp
DEBUG volatility.framework: Importing module: volatility.plugins.windows.driverscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.filescan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.handles
DEBUG volatility.framework: Importing module: volatility.plugins.windows.info
DEBUG volatility.framework: Importing module: volatility.plugins.windows.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.windows.moddump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.modscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.modules
DEBUG volatility.framework: Importing module: volatility.plugins.windows.mutantscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.poolscanner
DEBUG volatility.framework: Importing module: volatility.plugins.windows.procdump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.psscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.windows.ssdt
DEBUG volatility.framework: Importing module: volatility.plugins.windows.strings
DEBUG volatility.framework: Importing module: volatility.plugins.windows.svcscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.symlinkscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vaddump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vadinfo
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vadyarascan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.verinfo
DEBUG volatility.framework: Importing module: volatility.plugins.windows.virtmap
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.hivelist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.hivescan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.printkey
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.userassist
DEBUG volatility.framework: Importing module: volatility.framework.automagic.construct_layers
DEBUG volatility.framework: Importing module: volatility.framework.automagic.linux
DEBUG volatility.framework: Importing module: volatility.framework.automagic.mac
DEBUG volatility.framework: Importing module: volatility.framework.automagic.pdbscan
DEBUG volatility.framework: Importing module: volatility.framework.automagic.stacker
DEBUG volatility.framework: Importing module: volatility.framework.automagic.symbol_cache
DEBUG volatility.framework: Importing module: volatility.framework.automagic.symbol_finder
DEBUG volatility.framework: Importing module: volatility.framework.automagic.windows
INFO volatility.framework.automagic: Detected a windows category plugin
INFO volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.nt_symbols
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 9 volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
INFO volatility.framework.automagic: Running automagic: LayerStacker
DEBUG volatility.framework: Importing module: volatility.framework.layers.crash
DEBUG volatility.framework: Importing module: volatility.framework.layers.intel
DEBUG volatility.framework: Importing module: volatility.framework.layers.lime
DEBUG volatility.framework: Importing module: volatility.framework.layers.linear
DEBUG volatility.framework: Importing module: volatility.framework.layers.msf
DEBUG volatility.framework: Importing module: volatility.framework.layers.physical
DEBUG volatility.framework: Importing module: volatility.framework.layers.registry
DEBUG volatility.framework: Importing module: volatility.framework.layers.resources
DEBUG volatility.framework: Importing module: volatility.framework.layers.segmented
DEBUG volatility.framework: Importing module: volatility.framework.layers.vmware
DEBUG volatility.framework: Importing module: volatility.framework.layers.scanners.multiregexp
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
DEBUG volatility.framework.automagic.windows: DTB was found at: 0x640000
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary.memory_layer
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.nt_symbols
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 9 volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
DEBUG volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility.framework.automagic: Running automagic: WinSwapLayers
INFO volatility.framework.automagic: Running automagic: WintelHelper
INFO volatility.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
DEBUG volatility.framework.automagic.pdbscan: Kernel base determination - using KDBG structure for kernel offset
DEBUG volatility.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility.framework.automagic.pdbscan: Kernel base determination - testing fixed base address
DEBUG volatility.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0x82800000
INFO volatility.framework.automagic.pdbscan: No suitable kernels found during pdbscan
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None

Unsatisfied requirement plugins.PsList.nt_symbols: Windows kernel symbols

A symbol table requirement was not fulfilled. Please verify that:
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsList.nt_symbols']


ikelos commented on August 21, 2024

@araaj Thanks for trying again. Acquisition issues can make it difficult for volatility to complete its job and there's not a great deal we can do about that I'm afraid.

On the second issue you've mentioned: the first run seems like it ran fine, but then encountered an invalid address during the processing of the pslist linked list. We now try hard not to hide errors from users, but allow them to make an informed decision about the results they've got. So in this instance, it output as much as it could, but then failed and showed you where and why it failed:

volatility.framework.exceptions.PagedInvalidAddressException: Page Fault at entry 0x0 in table page directory pointer

which suggests one of the pages that the page directory pointed at was invalid.

The second run is more interesting, and again it may be an acquisition issue, whereby it tried all three kernel detection methods it has, and the third one found a potential DTB at 0x82800000, which it then tried to reference, but it turned out that address wasn't valid. Again, not sure what to suggest, but it sounds as though the imaging tool isn't necessarily taking a complete capture? I'm not sure how to help more on that front... 5:S

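The two behaviours described in the comment above, a list walk that keeps what it read before hitting an unmapped page and a kernel-base probe that records candidates which page-fault and moves on, as an added toy model. This is example code written for this thread, not volatility3's own layer or plugin code: `ToyPagedLayer`, the two-level page-table layout, the 16-byte process record (pid, ppid, flink) and every address in it (`KERNEL_BASE`, `PROCESS_LIST_HEAD`, the faulting candidate `0x82800000` borrowed from the log) are constructed for illustration.

```python
"""Toy paged memory layer plus a process-list walk that surfaces, rather than
hides, the page fault that stops it. Constructed example, not volatility3 code:
page-table layout, record format and all addresses are made up."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PAGE_SIZE = 0x1000
RECORD_FMT = "<IIQ"                  # constructed record: pid, ppid, flink (vaddr of next)
RECORD_SIZE = struct.calcsize(RECORD_FMT)
KERNEL_BASE = 0x80400000             # constructed: where the toy "kernel image" is mapped
PROCESS_LIST_HEAD = 0x80401000       # constructed: first record of the circular list


class PagedInvalidAddressException(Exception):
    """Raised when translation reaches a non-present table entry."""

    def __init__(self, address: int, table: str) -> None:
        super().__init__(f"Page Fault at entry {address:#x} in table {table}")
        self.address = address
        self.table = table


class ToyPagedLayer:
    """Two-level page table: directory index -> page table -> physical page."""

    def __init__(self, directory: Dict[int, Dict[int, int]], physical: bytes) -> None:
        self._dir = directory
        self._phys = physical

    def _translate(self, vaddr: int) -> int:
        dir_idx, page_idx = vaddr >> 22, (vaddr >> 12) & 0x3FF
        table = self._dir.get(dir_idx)
        if table is None:
            raise PagedInvalidAddressException(vaddr, "page directory")
        phys_page = table.get(page_idx)
        if phys_page is None:
            raise PagedInvalidAddressException(vaddr, "page table")
        return phys_page * PAGE_SIZE + (vaddr & 0xFFF)

    def read(self, vaddr: int, length: int) -> bytes:
        # Records never cross a page boundary in this toy, so one translation is enough.
        phys = self._translate(vaddr)
        return bytes(self._phys[phys:phys + length])


@dataclass
class WalkResult:
    processes: List[Tuple[int, int]] = field(default_factory=list)  # (pid, ppid)
    fault: Optional[PagedInvalidAddressException] = None


def walk_process_list(layer: ToyPagedLayer, head: int, max_entries: int = 64) -> WalkResult:
    """Follow flink until the list wraps, the cap is hit, or a page faults.
    Entries read before the fault are kept and the fault is returned, not swallowed."""
    result, seen, addr = WalkResult(), set(), head
    try:
        while addr not in seen and len(result.processes) < max_entries:
            seen.add(addr)
            pid, ppid, flink = struct.unpack(RECORD_FMT, layer.read(addr, RECORD_SIZE))
            result.processes.append((pid, ppid))
            addr = flink
    except PagedInvalidAddressException as exc:
        result.fault = exc
    return result


def probe_kernel_offsets(layer: ToyPagedLayer, candidates: List[int]) -> Tuple[Optional[int], List[int]]:
    """Try candidate kernel bases in order; a candidate that page-faults is recorded and skipped."""
    faulted: List[int] = []
    for base in candidates:
        try:
            if layer.read(base, 2) == b"MZ":
                return base, faulted
        except PagedInvalidAddressException:
            faulted.append(base)
    return None, faulted


def build_sample_layer(truncated: bool) -> ToyPagedLayer:
    """Constructed image: physical page 0 holds an 'MZ' header, page 1 holds three records.
    With truncated=True the last flink points into an unmapped page instead of back to the head."""
    physical = bytearray(2 * PAGE_SIZE)
    physical[0:2] = b"MZ"
    last_link = 0x80402000 if truncated else PROCESS_LIST_HEAD
    records = [(0x000, 4, 0, PROCESS_LIST_HEAD + 0x100),
               (0x100, 740, 4, PROCESS_LIST_HEAD + 0x200),
               (0x200, 968, 956, last_link)]
    for off, pid, ppid, flink in records:
        struct.pack_into(RECORD_FMT, physical, PAGE_SIZE + off, pid, ppid, flink)
    # Directory entry 0x201 covers 0x80400000-0x807fffff; only its first two pages are present.
    return ToyPagedLayer({KERNEL_BASE >> 22: {0: 0, 1: 1}}, bytes(physical))


if __name__ == "__main__":
    layer = build_sample_layer(truncated=True)
    base, faulted = probe_kernel_offsets(layer, [0x82800000, KERNEL_BASE])
    print(f"kernel base {base:#x}; candidates that faulted: {[hex(f) for f in faulted]}")
    walk = walk_process_list(layer, PROCESS_LIST_HEAD)
    for pid, ppid in walk.processes:
        print(f"{pid:>6} {ppid:>6}")
    if walk.fault:
        print(f"walk stopped: {walk.fault}")
```

Run stand-alone it prints the three records it could read and then the fault that stopped the walk, which is the shape of output the comment describes: partial results plus the address and table where translation failed, so an analyst can decide whether the image is simply incomplete or whether the list itself is damaged at that point.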

ikelos commented on August 21, 2024

It doesn't look like there's much more progress to be made on this, although we have now made the exceptions hopefully more helpful, so I'm going to close it. As always, please feel free to reopen it if you think it's been closed in error or there's still more that could be done... 5:)
