Closed sluke-nuix closed 52 minutes ago
sluke-nuix
commented
8 months ago A few extra comments:
ikelos
commented
8 months ago Hi, volatility 3 doesn't read pdb files directly, they need converting into JSON, but volatility should have found a windows signature and generated it automatically if you were providing a raw memory file. Instead, you appear to have provided a MS Windows 64bit crash dump which apparently our crashdump reader can't handle. We do support the crashdump format, but only specific dump types (ie, not partial dumps, only complete memory dumps).
Apparently we currently suppress Format exceptions, rather than reporting on them (which isn't right), but my guess would be that your crashdump file isn't the right format...
ikelos
commented
8 months ago I've just pushed a new commit (9edf33b7) that should improve debugging output with -vvvvvvv to tell you why the crashdump format isn't supported.
sluke-nuix
commented
8 months ago volatility 3 doesn't read pdb files directly, they need converting into JSON
Sorry, I guess the tree command isn't clear here. It actually lists only the directories, under the .pdb directories are all the .json files that were generated: it was a long list of json files so I didn't want to spam the text with something that listed them (which is why I used tree instead of dir /s.
I will try the new version to see if it is clearer. Thanks.
sluke-nuix
commented
8 months ago New (partial) log output:
First, during processing I get lots of lines like this:
Level 8 volatility3.framework.automagic.symbol_cache: Identified file:///C:/DevRepo/bbbbb/code/volatility3/volatility3/symbols/windows/windows/ntkrnlpa.pdb/E086B943FAE142BEBD7E5F280ADF1458-5.json.xz as b'ntkrnlpa.pdb|E086B943FAE142BEBD7E5F280ADF1458|5'
With occasional lines like this:
Level 6 volatility3.framework.automagic.symbol_cache: No identifier found for file:///C:/DevRepo/bbbbb/code/volatility3/volatility3/framework/symbols/windows/netscan/netscan-win10-15063-x86.json
Below is the interesting part:
INFO volatility3.framework.automagic: Running automagic: LayerStacker
Level 6 volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility3.framework.layers.elf: Exception: Bad magic 0x45474150 at file offset 0x0
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6 volatility3.framework.layers.xen: Exception: Bad magic 0x45474150 at file offset 0x0
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 7 volatility3.framework.automagic.stacker: Exception during stacking: catching classes that do not inherit from BaseException is not allowed
Level 6 volatility3.framework.automagic.stacker: Traceback (most recent call last):
File "C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers\crash.py", line 265, in stack
layer.check_header(context.layers[layer_name])
File "C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers\crash.py", line 232, in check_header
raise WindowsCrashDumpFormatException(
volatility3.framework.layers.crash.WindowsCrashDumpFormatException: Invalid dump 0x34365544 at file offset 0x0
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\automagic\stacker.py", line 216, in stack_layer
new_layer = stacker.stack(context, initial_layer, progress_callback)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers\crash.py", line 271, in stack
except (WindowsCrashDump32Layer, WindowsCrashDump64Layer) as excp:
TypeError: catching classes that do not inherit from BaseException is not allowed
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG volatility3.framework.automagic.stacker: physical_layer maximum_address: 5059842478
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
INFO volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Unsatisfied requirement plugins.Info.kernel.layer_name:
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:
A translation layer requirement was not fulfilled. Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The file is a valid memory image and was acquired cleanly
A symbol table requirement was not fulfilled. Please verify that:
The associated translation layer requirement was fulfilled
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name']I guess the important parts are the Bad magic 0x45474150 at file offset 0x0 and Invalid dump 0x34365544 at file offset 0x0. But also interesting is the part that follows: TypeError: catching classes that do not inherit from BaseException is not allowed.
Still, that isn't pertinent to this. I guess the "Invalid dump" supports your statement that this is a non-supported dump file, and I will have to use a different means to generate it. Thanks.
ikelos
commented
8 months ago Sorry, some of that was a slight mistake on my part, you should probably give it another go, the error above was likely from attempting to stack the 32-bit crash dump layer (which expects the start bytes to be DUMP). It should've gotten past that but my mistake made it throw an error. The actual header is DU64, which we are supposed to support, so that's probably not where the problem lies...
ikelos
commented
8 months ago Commit 8dbc64f4 should function better (and hopefully will tell you why it's not happy) (the "bad magic" messages are from the Elf and XenCore stackers, so can be safely ignored.
sluke-nuix
commented
8 months ago here is the latest results (cutting to after the JSON file parsing):
INFO volatility3.framework.automagic: Running automagic: LayerStacker
Level 6 volatility3.framework: Importing from the following paths: C:\projects\aaaa\bbbbb\python\vendor\volatility3\framework\layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility3.framework.layers.elf: Exception: Bad magic 0x45474150 at file offset 0x0
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6 volatility3.framework.layers.xen: Exception: Bad magic 0x45474150 at file offset 0x0
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 6 volatility3.framework.layers.crash: Exception reading crashdump: Invalid dump 0x34365544 at file offset 0x0
Level 6 volatility3.framework.symbols.intermed: Searching for symbols in C:\projects\aaaa\bbbbb\symbols, C:\projects\aaaa\bbbbb\python\vendor\volatility3\symbols, C:\projects\aaaa\bbbbb\python\vendor\volatility3\framework\symbols
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
Level 6 volatility3.framework.symbols.intermed: Searching for symbols in C:\projects\aaaa\bbbbb\symbols, C:\projects\aaaa\bbbbb\python\vendor\volatility3\symbols, C:\projects\aaaa\bbbbb\python\vendor\volatility3\framework\symbols
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
Level 6 volatility3.framework.layers.crash: unsupported dump format 0x6
Level 6 volatility3.framework.layers.crash: Exception reading crashdump: unsupported dump format 0x6
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG volatility3.framework.automagic.stacker: physical_layer maximum_address: 5059842478
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
INFO volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Unsatisfied requirement plugins.Info.kernel.layer_name:
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:
A translation layer requirement was not fulfilled. Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The file is a valid memory image and was acquired cleanly
A symbol table requirement was not fulfilled. Please verify that:
The associated translation layer requirement was fulfilled
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name']Where we see
Level 6 volatility3.framework.layers.crash: unsupported dump format 0x6
Level 6 volatility3.framework.layers.crash: Exception reading crashdump: unsupported dump format 0x6Yep, this is just a partial crashdump, as indicated by unsupported dump format 0x6. Volatility doesn't support partial crashdumps because we can't know what has and hasn't been included. There is a pull request #656 that might be able to get you further because it accepts dump type 0x06 but as I say, a partial memory dump will likely lead to a lot of open bugs that we simply can't help with...
github-actions[bot]
commented
2 months ago This issue is stale because it has been open for 200 days with no activity.
github-actions[bot]
commented
52 minutes ago This issue was closed because it has been inactive for 60 days since being marked as stale.
Describe the bug I am trying to analyze a memory DMP file generated from Microsoft's 'NotMyFault' tool, but it consistently fails with:
Context Volatility Version: Volatility 3 Framework 2.7.0 Operating System: Windows 10 x64 Python Version: Python 3.12.0 Suspected Operating System: Windows 10 x64 (same computer) Command:
vol.py windows.infoandvol.py windows.pslistTo Reproduce Steps to reproduce the behavior:
warning This will actually cause a bluescreen / crash. Don't do it until you are ready!! Generate a Windows Crash Dump with the Sysinternals NotMyFault tool (https://learn.microsoft.com/en-us/sysinternals/downloads/notmyfault). Then follow the below commands:
%py_cmd% vol.py -vvvvvvv -f C:\projects\aaaa\bbbbb\MEMORY.DMP windows.infoExpected behavior For windows.info, I would expect a formatted output describing the memory dump file. For windows.pslist I would expect there to be a process list table.
Example output
The is the file type:
I know from other questions here that minidumps aren't supported. The website says crashdumps are: The FAQ
I also already have the symbols for Windows:
When I run the command I get this output:
Additional information If I run the same command using a .raw file generated from
winpmemI get appropriate outputs for both windows.info and windows.pslist.