volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Symbols table requirement not being fulfilled #1133

Closed Prosquadmama closed 5 months ago

Prosquadmama commented 6 months ago

Describe the bug

PS C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2> python .\vol.py -vvv -f C:\Users\arham\volatility3-2.5.2\DF7606.mem windows.info
Volatility 3 Framework 2.5.2
INFO volatility3.cli: Volatility plugins path: ['C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\plugins', 'C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\plugins']
INFO volatility3.cli: Volatility symbols path: ['C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\symbols', 'C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\symbols']
INFO volatility3.framework.automagic: Detected a windows category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO volatility3.framework.automagic: Running automagic: LayerStacker
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1aa000
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1aa000
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name.memory_layer
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
DEBUG volatility3.framework.automagic.stacker: physical_layer maximum_address: 2147418111
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf80312818000
INFO volatility3.framework.symbols.windows.pdbconv: Download PDB file...
DEBUG volatility3.framework.symbols.windows.pdbconv: Attempting to retrieve http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/D9424FC4861E47C10FAD1B35DEC6DCC81/ntkrnlmp.pdb
DEBUG volatility3.framework.layers.resources: Using already cached file at: C:\Users\arham\AppData\Roaming\volatility3\data_507594f7f68dd8c7e4e66e25c265bdb9d1b89352d9ea4f6ed49fcef93f772da18d8789ca49446ecd75ad6f78363f97ca96076448a0d0235ab37706c0b31a0881.cache
Progress: 100.00 Downloading http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/D9424FC4861E47C10FAD1B35DEC6DCC81
DEBUG volatility3.framework.layers.resources: Using already cached file at: C:\Users\arham\AppData\Roaming\volatility3\data_507594f7f68dd8c7e4e66e25c265bdb9d1b89352d9ea4f6ed49fcef93f772da18d8789ca49446ecd75ad6f78363f97ca96076448a0d0235ab37706c0b31a0881.cache
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
WARNING volatility3.framework.plugins: Automagic exception occurred: volatility3.framework.exceptions.InvalidAddressException: Offset outside of the buffer boundaries
Level 9 volatility3.framework.plugins: Traceback (most recent call last):
  File "C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\automagic\__init__.py", line 138, in run
    automagic(context, config_path, requirement, progress_callback)
  File "C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\automagic\pdbscan.py", line 448, in __call__
    self.recurse_symbol_fulfiller(
  File "C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\automagic\pdbscan.py", line 123, in recurse_symbol_fulfiller
    PDBUtility.load_windows_symbol_table(
  File "C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\symbols\windows\pdbutil.py", line 114, in load_windows_symbol_table
    cls.download_pdb_isf(
  File "C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\symbols\windows\pdbutil.py", line 275, in download_pdb_isf
    json_output = pdbconv.PdbReader(
                  ^^^^^^^^^^^^^^^^^^
  File "C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\symbols\windows\pdbconv.py", line 128, in __init__
    self._layer_name, self._context = self.load_pdb_layer(context, location)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\symbols\windows\pdbconv.py", line 196, in load_pdb_layer
    msf_layer.read_streams()
  File "C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\layers\msf.py", line 84, in read_streams
    "root", self._header.StreamInfo.StreamInfoSize, [x for x in root_pages]
                                                     ^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\layers\msf.py", line 84, in <listcomp>
    "root", self._header.StreamInfo.StreamInfoSize, [x for x in root_pages]
                                                     ^^^^^^^^^^^^^^^^^^^^^^^
  File "", line 993, in __iter__
  File "C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\objects\__init__.py", line 794, in __getitem__
    result += [self.vol.subtype(context=self._context, object_info=object_info)]
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\objects\templates.py", line 96, in __call__
    return self.vol.object_class(
           ^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\objects\__init__.py", line 168, in __new__
    value = cls._unmarshall(context, data_format, object_info)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\objects\__init__.py", line 202, in _unmarshall
    data = context.layers.read(
           ^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\interfaces\layers.py", line 638, in read
    return self[layer].read(offset, length, pad)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\layers\linear.py", line 63, in read
    self._context.layers.read(layer, mapped_offset, mapped_length, pad)
  File "C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\interfaces\layers.py", line 638, in read
    return self[layer].read(offset, length, pad)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\layers\linear.py", line 63, in read
    self._context.layers.read(layer, mapped_offset, mapped_length, pad)
  File "C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\interfaces\layers.py", line 638, in read
    return self[layer].read(offset, length, pad)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2\volatility3\framework\layers\physical.py", line 161, in read
    raise exceptions.InvalidAddressException(
volatility3.framework.exceptions.InvalidAddressException: Offset outside of the buffer boundaries

Unsatisfied requirement plugins.Info.kernel.symbol_table_name:

A symbol table requirement was not fulfilled. Please verify that:
    The associated translation layer requirement was fulfilled
    You have the correct symbol file for the requirement
    The symbol file is under the correct directory or zip file
    The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.symbol_table_name']
PS C:\Users\arham\volatility3-2.5.2\volatility3-2.5.2>

ikelos commented 5 months ago

Ok, so having been provided a copy of this memory image, it worked absolutely fine straight off the bat? Volatility downloaded the pdb file, generated the JSON ISF file, and ran appropriately, for both windows.info:

Volatility 3 Framework 2.7.0
Progress:  100.00       PDB scanning finished                                                                                              
Variable    Value

Kernel Base 0xf80312818000
DTB 0x1aa000
Symbols file:///home/personal/workspace/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/D9424FC4861E47C10FAD1B35DEC6DCC8-1.json.xz
Is64Bit True
IsPAE   False
layer_name  0 WindowsIntel32e
memory_layer    1 FileLayer
KdVersionBlock  0xf80313427400
Major/Minor 15.19041
MachineType 34404
KeNumberProcessors  2
SystemTime  2024-04-17 01:32:38
NtSystemRoot    C:\Windows
NtProductType   NtProductWinNt
NtMajorVersion  10
NtMinorVersion  0
PE MajorOperatingSystemVersion  10
PE MinorOperatingSystemVersion  0
PE Machine  34404
PE TimeDateStamp    Mon Dec  9 11:07:51 2019

and windows.pslist:

Volatility 3 Framework 2.7.0
Progress:  100.00       PDB scanning finished                        
PID PPID    ImageFileName   Offset(V)   Threads Handles SessionId   Wow64   CreateTime  ExitTime    File output

4   0   System  0xa10fd1261040  111 -   N/A False   2024-04-16 23:42:33.000000  N/A Disabled
92  4   Registry    0xa10fd13aa040  4   -   N/A False   2024-04-16 23:42:24.000000  N/A Disabled
316 4   smss.exe    0xa10fd22b22c0  2   -   N/A False   2024-04-16 23:42:33.000000  N/A Disabled
412 396 csrss.exe   0xa10fd1a1d080  10  -   0   False   2024-04-16 23:42:54.000000  N/A Disabled
488 396 wininit.exe 0xa10fe2f1a080  1   -   0   False   2024-04-16 23:42:55.000000  N/A Disabled
...

I've attached the D9424FC4861E47C10FAD1B35DEC6DCC8-1.json file to verify that it works properly when put into the volatility3/symbols directory.

From the initial report, this wasn't working at all, and this attempt now includes a failure during the PDB parsing, so I'd recommend trying with an empty cache (create a directory and then use --cache-path to point to that directory) and checking if the error message still happens. If it produces the same error, then we can try to manually generate the symbols and see if that causes a problem; if the error message is different, then we'll need to see what it is and try to fix that message.

Prosquadmama commented 5 months ago

It works now, thanks a lot!! Seems like the json file was missing, although I downloaded the exact symbols folder from here.

ikelos commented 5 months ago

The symbols pack is a bit old and doesn't contain all symbols, but for Windows images Volatility should be able to go off and find them automatically (as mine did, and yours tried to). However, if it's interrupted or there's an issue with the download, you might end up with a bad cache which would continue to cause you problems.

Glad you got it sorted, I'm going to mark this as closed. 5:)
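Two things in this thread are worth checking offline before re-running with an empty cache: whether the ISF file the kernel PDB scanner is looking for is actually present under the symbols directory, and whether a cached PDB download is complete. The script below is an added example written for this page; it is not part of volatility3. It assumes the symbol-server URL layout and cache file naming shown in the -vvv log above (`<pdb>/<GUID><age>/<pdb>` and `data_<hash>.cache`), the ISF naming ikelos's output shows (`symbols/windows/ntkrnlmp.pdb/<GUID>-<age>.json.xz`, with age in hex in the URL and decimal in the file name, which is the same for age 1), and the public MSF 7.00 superblock layout that every PDB starts with. `build_sample_pdb` and its contents are constructed test data, not a real PDB.

```python
"""Sanity checks for a Volatility 3 Windows symbol setup (added example, not
project code).  Checks: (1) is the ISF JSON for the kernel PDB named in the
-vvv log present under symbols/windows/?  (2) does a cached PDB download have
a complete MSF container?  A truncated or non-PDB cache entry produces exactly
the kind of out-of-bounds read seen in msf.py read_streams() above."""
import re
import struct
from pathlib import Path

# MSF 7.00 superblock: 32-byte magic, then six little-endian uint32 fields
# (BlockSize, FreeBlockMapBlock, NumBlocks, NumDirectoryBytes, Unknown, BlockMapAddr).
MSF_MAGIC = b"Microsoft C/C++ MSF 7.00\r\n\x1aDS\x00\x00\x00"
SUPERBLOCK_FIELDS = "<6I"
SUPERBLOCK_SIZE = len(MSF_MAGIC) + struct.calcsize(SUPERBLOCK_FIELDS)  # 56 bytes
VALID_BLOCK_SIZES = (512, 1024, 2048, 4096)

# Symbol-server URL as logged: .../<pdb>/<32 hex GUID><hex age>/<pdb>
SYMSRV_RE = re.compile(r"/(?P<pdb>[^/]+\.pdb)/(?P<guid>[0-9A-Fa-f]{32})(?P<age>[0-9A-Fa-f]{1,8})(?:/|$)")


def parse_symsrv_url(url: str):
    """Split a symbol-server PDB URL into (pdb_name, GUID, age)."""
    m = SYMSRV_RE.search(url)
    if not m:
        raise ValueError(f"not a symbol-server PDB URL: {url}")
    return m.group("pdb"), m.group("guid").upper(), int(m.group("age"), 16)


def isf_candidates(symbols_dir, pdb_name: str, guid: str, age: int):
    """Paths where Volatility 3 would look for the ISF file for this PDB.
    Assumption: plain JSON plus the compressed forms Volatility 3 accepts."""
    base = Path(symbols_dir) / "windows" / pdb_name
    return [base / f"{guid}-{age}.json{ext}" for ext in ("", ".xz", ".gz", ".bz2")]


def find_isf(symbols_dir, symsrv_url: str):
    """Return the existing ISF path for the PDB in the URL, or None."""
    pdb_name, guid, age = parse_symsrv_url(symsrv_url)
    return next((p for p in isf_candidates(symbols_dir, pdb_name, guid, age) if p.is_file()), None)


def check_msf(data: bytes):
    """Validate an MSF 7.00 superblock against the data length -> (ok, reason)."""
    if len(data) < SUPERBLOCK_SIZE:
        return False, f"only {len(data)} bytes, shorter than the MSF superblock"
    if data[: len(MSF_MAGIC)] != MSF_MAGIC:
        return False, "missing MSF 7.00 magic (not a PDB; an error page may have been cached)"
    block_size, _free_map, num_blocks, dir_bytes, _unk, block_map = struct.unpack_from(
        SUPERBLOCK_FIELDS, data, len(MSF_MAGIC)
    )
    if block_size not in VALID_BLOCK_SIZES:
        return False, f"implausible block size {block_size}"
    expected = block_size * num_blocks
    if len(data) < expected:
        return False, f"truncated: {len(data)} of {expected} bytes present"
    if block_map >= num_blocks:
        return False, f"block map at block {block_map} but only {num_blocks} blocks exist"
    if -(-dir_bytes // block_size) > num_blocks:  # ceil division
        return False, f"stream directory ({dir_bytes} bytes) larger than the file"
    return True, f"{num_blocks} blocks of {block_size} bytes, directory {dir_bytes} bytes"


def scan_cache(cache_dir):
    """Map cache entry name -> reason for every cached PDB that fails check_msf.
    Entries that are not MSF containers (e.g. cached ISF JSON) are skipped."""
    bad = {}
    for p in Path(cache_dir).glob("data_*.cache"):
        data = p.read_bytes()
        if not data.startswith(MSF_MAGIC[:8]):
            continue
        ok, reason = check_msf(data)
        if not ok:
            bad[p.name] = reason
    return bad


def build_sample_pdb(block_size=512, num_blocks=4, dir_bytes=100):
    """Constructed minimal MSF image for testing; it is not a real PDB."""
    header = MSF_MAGIC + struct.pack(SUPERBLOCK_FIELDS, block_size, 1, num_blocks, dir_bytes, 0, num_blocks - 1)
    return header.ljust(block_size * num_blocks, b"\0")


if __name__ == "__main__":
    import sys
    symbols_dir = sys.argv[1] if len(sys.argv) > 1 else "volatility3/symbols"
    cache_dir = sys.argv[2] if len(sys.argv) > 2 else str(Path.home() / "AppData/Roaming/volatility3")
    url = "http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/D9424FC4861E47C10FAD1B35DEC6DCC81/ntkrnlmp.pdb"
    print("ISF for", url, "->", find_isf(symbols_dir, url))
    for name, reason in scan_cache(cache_dir).items():
        print("bad cache entry", name, ":", reason)
```

Run it as `python symcheck.py <symbols dir> <cache dir>` (the cache directory is the one the log prints next to "Using already cached file at", or whatever you pass to --cache-path). If `find_isf` returns None, the JSON file is missing as in this report; if `scan_cache` names the `data_<hash>.cache` entry, delete that entry or start with an empty cache and let the download repeat.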