Comments (15)
ikelos
commented on August 21, 2024
1
Actually the vol 2 imageinfo output helped more, the image you're testing is an elf file and the beta doesn't yet support loading those I'm afraid.
I'll leave this bug open and change the title when I get chance and we'll make it the tracker for adding elf file support.
An immediate work around would be to use imagecopy from vol2 to get a real raw image and then you should be fine running analysis off that until we get support written in. 5:)
from volatility3.
ikelos
commented on August 21, 2024
Hiya, thanks for doing the introductory diagnostics for us. If it isn't finding the DTB, that's a bit of an issue. Does vol 2 tell you where it is? If so, you can write it into a configuration file to force vol 3 to know where it is, but I'd like to get a little more information if possible. Could you please attach a copy of the -vvv output so we can look through it please?
In answer to your other questions, yes, we've tested it on many different images ranging from XP through to Windows 10 (and several server versions on the way). Windows 7 is included in that, but as you pointed out, if it can't identify the DTB then this is before it even tries to do the windows part, it's still on the Intel part.
from volatility3.
koromodako
commented on August 21, 2024
@ikelos, here is volatility2 output:
> $ volatility -f /home/user/win7sp1x64.dmp imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
AS Layer3 : FileAddressSpace (/home/user/win7sp1x64.dmp)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002840120L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002842000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2019-08-05 17:12:32 UTC+0000
Image local date and time : 2019-08-05 19:12:32 +0200
And here is volatility3 complete output using -vvv:
> $ volatility3 -vvv -s /home/user/volatility3-symbols -f /home/user/win7sp1x64.dmp windows.statistics.Statistics
Volatility 3 Framework 1.0.0-beta.1
INFO root : Volatility plugins path: ['/home/user/bin/.venv3/lib/python3.7/site-packages/volatility/plugins', '/home/user/bin/.venv3/lib/python3.7/site-packages/volatility/framework/plugins']
INFO root : Volatility symbols path: ['/home/user/volatility3-symbols', '/home/user/bin/.venv3/lib/python3.7/site-packages/volatility/symbols', '/home/user/bin/.venv3/lib/python3.7/site-packages/volatility/framework/symbols']
DEBUG volatility.framework: Importing module: volatility.plugins.windows.statistics
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.certificates
DEBUG volatility.framework: Importing module: volatility.plugins.configwriter
DEBUG volatility.framework: Importing module: volatility.plugins.yarascan
DEBUG volatility.framework: Importing module: volatility.plugins.layerwriter
DEBUG volatility.framework: Importing module: volatility.plugins.timeliner
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_sysctl
DEBUG volatility.framework: Importing module: volatility.plugins.mac.netstat
DEBUG volatility.framework: Importing module: volatility.plugins.mac.lsmod
DEBUG volatility.framework: Importing module: volatility.plugins.mac.ifconfig
DEBUG volatility.framework: Importing module: volatility.plugins.mac.lsof
DEBUG volatility.framework: Importing module: volatility.plugins.mac.bash
DEBUG volatility.framework: Importing module: volatility.plugins.mac.proc_maps
DEBUG volatility.framework: Importing module: volatility.plugins.mac.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_syscall
DEBUG volatility.framework: Importing module: volatility.plugins.mac.tasks
DEBUG volatility.framework: Importing module: volatility.plugins.mac.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_trap_table
DEBUG volatility.framework: Importing module: volatility.plugins.mac.psaux
DEBUG volatility.framework: Importing module: volatility.plugins.mac.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.mac.trustedbsd
DEBUG volatility.framework: Importing module: volatility.plugins.linux.proc
DEBUG volatility.framework: Importing module: volatility.plugins.linux.lsmod
DEBUG volatility.framework: Importing module: volatility.plugins.linux.lsof
DEBUG volatility.framework: Importing module: volatility.plugins.linux.check_afinfo
DEBUG volatility.framework: Importing module: volatility.plugins.linux.bash
DEBUG volatility.framework: Importing module: volatility.plugins.linux.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.linux.check_syscall
DEBUG volatility.framework: Importing module: volatility.plugins.linux.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.linux.elfs
DEBUG volatility.framework: Importing module: volatility.plugins.linux.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.dlldump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.handles
DEBUG volatility.framework: Importing module: volatility.plugins.windows.driverscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.dlllist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.driverirp
DEBUG volatility.framework: Importing module: volatility.plugins.windows.symlinkscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.mutantscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.callbacks
DEBUG volatility.framework: Importing module: volatility.plugins.windows.strings
DEBUG volatility.framework: Importing module: volatility.plugins.windows.filescan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.psscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.poolscanner
DEBUG volatility.framework: Importing module: volatility.plugins.windows.modules
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vadinfo
DEBUG volatility.framework: Importing module: volatility.plugins.windows.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.windows.modscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.svcscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.ssdt
DEBUG volatility.framework: Importing module: volatility.plugins.windows.procdump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vaddump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vadyarascan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.windows.verinfo
DEBUG volatility.framework: Importing module: volatility.plugins.windows.cmdline
DEBUG volatility.framework: Importing module: volatility.plugins.windows.virtmap
DEBUG volatility.framework: Importing module: volatility.plugins.windows.info
DEBUG volatility.framework: Importing module: volatility.plugins.windows.moddump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.printkey
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.hivelist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.userassist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.hivescan
DEBUG volatility.framework: Importing module: volatility.framework.automagic.mac
DEBUG volatility.framework: Importing module: volatility.framework.automagic.pdbscan
DEBUG volatility.framework: Importing module: volatility.framework.automagic.construct_layers
DEBUG volatility.framework: Importing module: volatility.framework.automagic.windows
DEBUG volatility.framework: Importing module: volatility.framework.automagic.linux
DEBUG volatility.framework: Importing module: volatility.framework.automagic.stacker
DEBUG volatility.framework: Importing module: volatility.framework.automagic.symbol_finder
DEBUG volatility.framework: Importing module: volatility.framework.automagic.symbol_cache
INFO volatility.framework.automagic: Detected a windows category plugin
INFO volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Statistics
INFO volatility.framework.automagic: Running automagic: WinSwapLayers
INFO volatility.framework.automagic: Running automagic: LayerStacker
DEBUG volatility.framework: Importing module: volatility.framework.layers.vmware
DEBUG volatility.framework: Importing module: volatility.framework.layers.lime
DEBUG volatility.framework: Importing module: volatility.framework.layers.registry
DEBUG volatility.framework: Importing module: volatility.framework.layers.msf
DEBUG volatility.framework: Importing module: volatility.framework.layers.segmented
DEBUG volatility.framework: Importing module: volatility.framework.layers.crash
DEBUG volatility.framework: Importing module: volatility.framework.layers.resources
DEBUG volatility.framework: Importing module: volatility.framework.layers.linear
DEBUG volatility.framework: Importing module: volatility.framework.layers.physical
DEBUG volatility.framework: Importing module: volatility.framework.layers.intel
DEBUG volatility.framework: Importing module: volatility.framework.layers.scanners.multiregexp
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
DEBUG volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
INFO volatility.framework.automagic.mac: No Mac banners found - if this is a mac plugin, please check your symbol files location
INFO volatility.framework.automagic.linux: No Linux banners found - if this is a linux plugin, please check your symbol files location
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG volatility.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO volatility.framework.automagic: Running automagic: WintelHelper
INFO volatility.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Unsatisfied requirement plugins.Statistics.primary: Memory layer for the kernel
A translation layer requirement was not fulfilled. Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The necessary symbols are present and identified by volatility
Unable to validate the plugin requirements: ['plugins.Statistics.primary']
I hope it helps !
from volatility3.
ikelos
commented on August 21, 2024
Hi there, so there's a branch available for testing now called elf64-support. It's extremely preliminary, but if you could test it and tell me if it resolves your problem then I can move towards putting it forward for review as a pull request. 5:)
from volatility3.
koromodako
commented on August 21, 2024
I noticed the elf layer in the debug output below but the problem remains the same:
DEBUG volatility.framework: Importing module: volatility.plugins.windows.statistics
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.certificates
DEBUG volatility.framework: Importing module: volatility.plugins.yarascan
DEBUG volatility.framework: Importing module: volatility.plugins.configwriter
DEBUG volatility.framework: Importing module: volatility.plugins.layerwriter
DEBUG volatility.framework: Importing module: volatility.plugins.timeliner
DEBUG volatility.framework: Importing module: volatility.plugins.linux.lsof
DEBUG volatility.framework: Importing module: volatility.plugins.linux.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.linux.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.linux.check_afinfo
DEBUG volatility.framework: Importing module: volatility.plugins.linux.bash
DEBUG volatility.framework: Importing module: volatility.plugins.linux.elfs
DEBUG volatility.framework: Importing module: volatility.plugins.linux.proc
DEBUG volatility.framework: Importing module: volatility.plugins.linux.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.linux.check_syscall
DEBUG volatility.framework: Importing module: volatility.plugins.linux.lsmod
DEBUG volatility.framework: Importing module: volatility.plugins.mac.lsof
DEBUG volatility.framework: Importing module: volatility.plugins.mac.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.mac.ifconfig
DEBUG volatility.framework: Importing module: volatility.plugins.mac.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.mac.trustedbsd
DEBUG volatility.framework: Importing module: volatility.plugins.mac.proc_maps
DEBUG volatility.framework: Importing module: volatility.plugins.mac.bash
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_sysctl
DEBUG volatility.framework: Importing module: volatility.plugins.mac.tasks
DEBUG volatility.framework: Importing module: volatility.plugins.mac.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.mac.psaux
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_trap_table
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_syscall
DEBUG volatility.framework: Importing module: volatility.plugins.mac.netstat
DEBUG volatility.framework: Importing module: volatility.plugins.mac.lsmod
DEBUG volatility.framework: Importing module: volatility.plugins.windows.ssdt
DEBUG volatility.framework: Importing module: volatility.plugins.windows.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.symlinkscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.virtmap
DEBUG volatility.framework: Importing module: volatility.plugins.windows.modscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.windows.info
DEBUG volatility.framework: Importing module: volatility.plugins.windows.procdump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.svcscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vaddump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.dlldump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vadinfo
DEBUG volatility.framework: Importing module: volatility.plugins.windows.poolscanner
DEBUG volatility.framework: Importing module: volatility.plugins.windows.filescan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.windows.dlllist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.psscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.handles
DEBUG volatility.framework: Importing module: volatility.plugins.windows.driverscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.modules
DEBUG volatility.framework: Importing module: volatility.plugins.windows.strings
DEBUG volatility.framework: Importing module: volatility.plugins.windows.moddump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vadyarascan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.cmdline
DEBUG volatility.framework: Importing module: volatility.plugins.windows.callbacks
DEBUG volatility.framework: Importing module: volatility.plugins.windows.driverirp
DEBUG volatility.framework: Importing module: volatility.plugins.windows.mutantscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.verinfo
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.userassist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.printkey
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.hivelist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.hivescan
DEBUG volatility.framework: Importing module: volatility.framework.automagic.symbol_cache
DEBUG volatility.framework: Importing module: volatility.framework.automagic.construct_layers
DEBUG volatility.framework: Importing module: volatility.framework.automagic.symbol_finder
DEBUG volatility.framework: Importing module: volatility.framework.automagic.windows
DEBUG volatility.framework: Importing module: volatility.framework.automagic.stacker
DEBUG volatility.framework: Importing module: volatility.framework.automagic.mac
DEBUG volatility.framework: Importing module: volatility.framework.automagic.linux
DEBUG volatility.framework: Importing module: volatility.framework.automagic.pdbscan
INFO volatility.framework.automagic: Detected a windows category plugin
INFO volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Statistics
INFO volatility.framework.automagic: Running automagic: WinSwapLayers
INFO volatility.framework.automagic: Running automagic: LayerStacker
DEBUG volatility.framework: Importing module: volatility.framework.layers.lime
DEBUG volatility.framework: Importing module: volatility.framework.layers.linear
DEBUG volatility.framework: Importing module: volatility.framework.layers.resources
DEBUG volatility.framework: Importing module: volatility.framework.layers.crash
DEBUG volatility.framework: Importing module: volatility.framework.layers.registry
DEBUG volatility.framework: Importing module: volatility.framework.layers.elf
DEBUG volatility.framework: Importing module: volatility.framework.layers.intel
DEBUG volatility.framework: Importing module: volatility.framework.layers.msf
DEBUG volatility.framework: Importing module: volatility.framework.layers.segmented
DEBUG volatility.framework: Importing module: volatility.framework.layers.vmware
DEBUG volatility.framework: Importing module: volatility.framework.layers.physical
DEBUG volatility.framework: Importing module: volatility.framework.layers.scanners.multiregexp
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
DEBUG volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
INFO volatility.framework.automagic.linux: No Linux banners found - if this is a linux plugin, please check your symbol files location
INFO volatility.framework.automagic.mac: No Mac banners found - if this is a mac plugin, please check your symbol files location
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG volatility.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO volatility.framework.automagic: Running automagic: WintelHelper
INFO volatility.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Unsatisfied requirement plugins.Statistics.primary: Memory layer for the kernel
A translation layer requirement was not fulfilled. Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The necessary symbols are present and identified by volatility
Unable to validate the plugin requirements: ['plugins.Statistics.primary']
FYI I created the dump using the following command:
VBoxManage.exe debugvm "vm-name" dumpvmcore --filename "vm-name.mem"
The workaround worked well by the way, thanks.
Let me know if you need more information about the dump itself.
from volatility3.
ikelos
commented on August 21, 2024
Hmmm, so it looks like it thought the Elf file wasn't valid (otherwise the line DEBUG volatility.framework.automagic.stacker: Stacked layers: ['FileLayer'] should have mentioned ElfLayer). Could you run file on the image and let me know what it says? If you have a machine you're willing to share the memory image for, that would be extremely useful for debugging and figuring out what's going on (at the moment I'm basing it off the specification)... 5:)
from volatility3.
koromodako
commented on August 21, 2024
File gives me: ELF 64-bit LSB core file, x86-64, version 1 (SYSV)
Have you considered porting the working code part of volatility2 ? This file seems interesting: elfcoredump.py
from volatility3.
ikelos
commented on August 21, 2024
Hmmm, I'd have expected that to work. 5:S Ok, cool, thanks for the info. I'll keep tinkering and see if I can spot something obvious I've missed and/or improve the logging.
I have considered porting the volatility2 code, but since the license is different and we've been quite careful not to cross-contaminate I'd prefer to keep doing it from scratch (particularly as it seems fairly straight forward). I've just installed qemu to spin up some VMs and I'll see if I can generate some images for myself that I can then use to get the code working. I should also be able to do the same with virtualbox, it's just a matter of time... 5:)
from volatility3.
koromodako
commented on August 21, 2024
Ok thanks, I didn't check the license ! May the force be with you !
from volatility3.
ikelos
commented on August 21, 2024
Ok, I've fixed an issue with virtualbox files, so anyone that was experiencing issues, please update the branch and try again, and let me know if that worked... 5:)
from volatility3.
koromodako
commented on August 21, 2024
Sorry for the length of the message...
Now Elf64Layer is stacked (perfect 👍) and two new/different issues are raised.
I think that they might still be linked to the stack layer itself as a raw image converted
with vol2 works with vol3 (I mean nt_symbols can be found and used automatically, etc.).
When I tried to run windows.statistics:
INFO volatility.framework.automagic: Detected a windows category plugin
INFO volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Statistics
INFO volatility.framework.automagic: Running automagic: WinSwapLayers
INFO volatility.framework.automagic: Running automagic: LayerStacker
DEBUG volatility.framework: Importing module: volatility.framework.layers.lime
DEBUG volatility.framework: Importing module: volatility.framework.layers.linear
DEBUG volatility.framework: Importing module: volatility.framework.layers.resources
DEBUG volatility.framework: Importing module: volatility.framework.layers.crash
DEBUG volatility.framework: Importing module: volatility.framework.layers.registry
DEBUG volatility.framework: Importing module: volatility.framework.layers.elf
DEBUG volatility.framework: Importing module: volatility.framework.layers.intel
DEBUG volatility.framework: Importing module: volatility.framework.layers.msf
DEBUG volatility.framework: Importing module: volatility.framework.layers.segmented
DEBUG volatility.framework: Importing module: volatility.framework.layers.vmware
DEBUG volatility.framework: Importing module: volatility.framework.layers.physical
DEBUG volatility.framework: Importing module: volatility.framework.layers.scanners.multiregexp
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
DEBUG volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
INFO volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility.schemas: All validations will report success, even with malformed input
DEBUG volatility.framework.automagic.windows: DTB was found at: 0x187000
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary.memory_layer
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary.memory_layer.base_layer
INFO volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility.schemas: All validations will report success, even with malformed input
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DEBUG volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'Elf64Layer', 'FileLayer']
INFO volatility.framework.automagic: Running automagic: WintelHelper
INFO volatility.framework.automagic: Running automagic: KernelPDBScanner
Valid pages (all) Valid pages (large) Swapped Pages (all) Swapped Pages (large) Invalid Pages (all) Invalid Pages (large)
Traceback (most recent call last):ading memory
File "/home/user/vol3", line 11, in <module>
load_entry_point('volatility', 'console_scripts', 'vol')()
File "/home/user/volatility3/volatility/cli/__init__.py", line 442, in main
CommandLine().run()
File "/home/user/volatility3/volatility/cli/__init__.py", line 269, in run
renderers[args.renderer]().render(constructed.run())
File "/home/user/volatility3/volatility/cli/text_renderer.py", line 159, in render
grid.populate(visitor, outfd)
File "/home/user/volatility3/volatility/framework/renderers/__init__.py", line 196, in populate
for (level, item) in self._generator:
File "/home/user/volatility3/volatility/plugins/windows/statistics.py", line 33, in _generator
_, _, page_size, layer_name = list(layer.mapping(page_addr, 0x2000))[0]
File "/home/user/volatility3/volatility/framework/layers/intel.py", line 198, in mapping
raise exceptions.InvalidAddressException(layer_name = layer_name, invalid_address = chunk_offset)
volatility.framework.exceptions.InvalidAddressException
And windows.pslist plugin:
INFO volatility.framework.automagic: Detected a windows category plugin
INFO volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.nt_symbols
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 9 volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
INFO volatility.framework.automagic: Running automagic: WinSwapLayers
INFO volatility.framework.automagic: Running automagic: LayerStacker
DEBUG volatility.framework: Importing module: volatility.framework.layers.lime
DEBUG volatility.framework: Importing module: volatility.framework.layers.linear
DEBUG volatility.framework: Importing module: volatility.framework.layers.resources
DEBUG volatility.framework: Importing module: volatility.framework.layers.crash
DEBUG volatility.framework: Importing module: volatility.framework.layers.registry
DEBUG volatility.framework: Importing module: volatility.framework.layers.elf
DEBUG volatility.framework: Importing module: volatility.framework.layers.intel
DEBUG volatility.framework: Importing module: volatility.framework.layers.msf
DEBUG volatility.framework: Importing module: volatility.framework.layers.segmented
DEBUG volatility.framework: Importing module: volatility.framework.layers.vmware
DEBUG volatility.framework: Importing module: volatility.framework.layers.physical
DEBUG volatility.framework: Importing module: volatility.framework.layers.scanners.multiregexp
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
DEBUG volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
INFO volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility.schemas: All validations will report success, even with malformed input
DEBUG volatility.framework.automagic.windows: DTB was found at: 0x187000
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary.memory_layer
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary.memory_layer.base_layer
INFO volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility.schemas: All validations will report success, even with malformed input
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.nt_symbols
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 9 volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
DEBUG volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'Elf64Layer', 'FileLayer']
INFO volatility.framework.automagic: Running automagic: WintelHelper
INFO volatility.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
DEBUG volatility.framework.automagic.pdbscan: Kernel base determination - using KDBG structure for kernel offset
INFO volatility.framework.symbols.windows.pdbconv: Download PDB file...
DEBUG volatility.framework.symbols.windows.pdbconv: Attempting to retrieve http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/4EC39E6D760F4A26A5192B89B2E0158E1/ntkrnlmp.pd_
DEBUG volatility.framework.symbols.windows.pdbconv: Failed with HTTP Error 404: Not Found
DEBUG volatility.framework.symbols.windows.pdbconv: Attempting to retrieve http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/4EC39E6D760F4A26A5192B89B2E0158E1/ntkrnlmp.pdb
DEBUG volatility.framework.symbols.windows.pdbconv: Successfully written to /tmp/tmp10bx0m1k.pdb/4EC39E6D760F4A26A5192B89B2E0158E1/
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None2E0158E1/ntkrnlmp.pdb
WARNING volatility.framework.plugins: Automagic exception occured: TypeError: __new__() missing 4 required positional arguments: 'type_name', 'object_info', 'base_type', and 'choices'
Level 9 volatility.framework.plugins: Traceback (most recent call last):
File "/home/user/volatility3/volatility/framework/automagic/__init__.py", line 129, in run
automagic(context, config_path, requirement, progress_callback)
File "/home/user/volatility3/volatility/framework/automagic/pdbscan.py", line 479, in __call__
self.recurse_symbol_fulfiller(context, valid_kernels, progress_callback)
File "/home/user/volatility3/volatility/framework/automagic/pdbscan.py", line 209, in recurse_symbol_fulfiller
self.download_pdb_isf(kernel['GUID'], kernel['age'], kernel['pdb_name'], progress_callback)
File "/home/user/volatility3/volatility/framework/automagic/pdbscan.py", line 253, in download_pdb_isf
json_output = pdbconv.PdbReader(self.context, location, progress_callback).get_json()
File "/home/user/volatility3/volatility/framework/symbols/windows/pdbconv.py", line 263, in __init__
self._layer_name, self._context = self.load_pdb_layer(context, location)
File "/home/user/volatility3/volatility/framework/symbols/windows/pdbconv.py", line 299, in load_pdb_layer
new_context = context.clone()
File "/home/user/volatility3/volatility/framework/interfaces/context.py", line 94, in clone
return copy.deepcopy(self)
File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
y = _reconstruct(x, memo, *rv)
File "/usr/lib/python3.7/copy.py", line 280, in _reconstruct
state = deepcopy(state, memo)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
y[deepcopy(key, memo)] = deepcopy(value, memo)
File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
y = _reconstruct(x, memo, *rv)
File "/usr/lib/python3.7/copy.py", line 280, in _reconstruct
state = deepcopy(state, memo)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
y[deepcopy(key, memo)] = deepcopy(value, memo)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
y[deepcopy(key, memo)] = deepcopy(value, memo)
File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
y = _reconstruct(x, memo, *rv)
File "/usr/lib/python3.7/copy.py", line 280, in _reconstruct
state = deepcopy(state, memo)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
y[deepcopy(key, memo)] = deepcopy(value, memo)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 215, in _deepcopy_list
append(deepcopy(a, memo))
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 220, in _deepcopy_tuple
y = [deepcopy(a, memo) for a in x]
File "/usr/lib/python3.7/copy.py", line 220, in <listcomp>
y = [deepcopy(a, memo) for a in x]
File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
y = _reconstruct(x, memo, *rv)
File "/usr/lib/python3.7/copy.py", line 274, in _reconstruct
y = func(*args)
File "/usr/lib/python3.7/copy.py", line 273, in <genexpr>
args = (deepcopy(arg, memo) for arg in args)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 220, in _deepcopy_tuple
y = [deepcopy(a, memo) for a in x]
File "/usr/lib/python3.7/copy.py", line 220, in <listcomp>
y = [deepcopy(a, memo) for a in x]
File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
y = _reconstruct(x, memo, *rv)
File "/usr/lib/python3.7/copy.py", line 280, in _reconstruct
state = deepcopy(state, memo)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
y[deepcopy(key, memo)] = deepcopy(value, memo)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
y[deepcopy(key, memo)] = deepcopy(value, memo)
File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
y = _reconstruct(x, memo, *rv)
File "/usr/lib/python3.7/copy.py", line 280, in _reconstruct
state = deepcopy(state, memo)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
y[deepcopy(key, memo)] = deepcopy(value, memo)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
y[deepcopy(key, memo)] = deepcopy(value, memo)
File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
y = _reconstruct(x, memo, *rv)
File "/usr/lib/python3.7/copy.py", line 274, in _reconstruct
y = func(*args)
File "/usr/lib/python3.7/copyreg.py", line 88, in __newobj__
return cls.__new__(cls, *args)
TypeError: __new__() missing 4 required positional arguments: 'type_name', 'object_info', 'base_type', and 'choices'
Unsatisfied requirement plugins.PsList.nt_symbols: Windows kernel symbols
A symbol table requirement was not fulfilled. Please verify that:
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.PsList.nt_symbols']
I voluntarily skipped the Import module debug messages as they seem irrelevant here.
from volatility3.
ikelos
commented on August 21, 2024
Thanks, I've had someone else report on the second issue you encountered. Could you please file them both as separate issues and then we can try and get through them without losing track... 5:)
from volatility3.
koromodako
commented on August 21, 2024
Ok this issue seems solved then, close it whenever you want.
I'm filling two new separate issues.
Thanks
from volatility3.
ikelos
commented on August 21, 2024
Thanks, I'll close this off once the pull request goes through. 5:)
from volatility3.
ikelos
commented on August 21, 2024
Ok, the Elf64 support got merged, so I'll be closing off this ticket. Do please open another ticket if you notice any bugs or problems with it... 5:)
from volatility3.
Related Issues (20)
- windows.malfind not saving the contents of injected processes to the specified directory. HOT 2
- Please add windows.apihooks as existing on version 2
- Update windows vadyarascan plugin HOT 1
- Volatility3 linux.check_afinfo.Check_afinfo plugin error HOT 5
- Symbol _ETHREAD not in symbol table/symbol table not found HOT 1
- linux.kmsg.Kmsg returning Page error HOT 24
- Yarascan process_yara_options method needs updating to ensure requirements and processing options remain in sync HOT 3
- Missing plugins from blog posts from volatility labs HOT 2
- Add support for determining/filtering symbol tables HOT 2
- Duplicate Enum value in `bpf_map_type` HOT 2
- ValueError: negative shift count for volshell.py dt( ps()[0] ) HOT 3
- Linux: Kmsg Unsupported kernel implementation - 3.2 HOT 16
- `kernel_cap_struct` still required despite #997 HOT 1
- Issue with symbol table HOT 1
- Can't find symbols for Windows Sandbox memory image
- Build a UI based way of choosing columns to display
- Not able to download requirements.txt for Volatility 3-1.0.0 HOT 1
- Ubuntu 22.04 Unresolved Reference HOT 7
- linux: `module_layout` is replaced by `module_memory` as of 6.4 HOT 6
- Custom Linux kernel : Unable to validate the plugin requirements when a custom profile has been created and detected. HOT 26
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from volatility3.