volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

windows.registry.certificates Bugs #1166

Closed wanna-graduate closed 5 months ago

wanna-graduate commented 5 months ago
python3 vol.py -f /home/xi/volatility3-2.5.0/12/2.vmem windows.registry.certificates
Volatility 3 Framework 2.5.0
Progress:  100.00               PDB scanning finished
Certificate path        Certificate section     Certificate ID  Certificate name
Traceback (most recent call last):
  File "/home/xi/volatility3-2.5.0/vol.py", line 10, in <module>
    volatility3.cli.main()
  File "/home/xi/volatility3-2.5.0/volatility3/cli/__init__.py", line 790, in main
    CommandLine().run()
  File "/home/xi/volatility3-2.5.0/volatility3/cli/__init__.py", line 447, in run
    renderers[args.renderer]().render(constructed.run())
  File "/home/xi/volatility3-2.5.0/volatility3/cli/text_renderer.py", line 193, in render
    grid.populate(visitor, outfd)
  File "/home/xi/volatility3-2.5.0/volatility3/framework/renderers/__init__.py", line 241, in populate
    for level, item in self._generator:
  File "/home/xi/volatility3-2.5.0/volatility3/plugins/windows/registry/certificates.py", line 86, in _generator
    node_path = hive.get_key(top_key, return_list=True)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/xi/volatility3-2.5.0/volatility3/framework/layers/registry.py", line 180, in get_key
    subkeys = node_key[-1].get_subkeys()
              ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/xi/volatility3-2.5.0/volatility3/framework/objects/__init__.py", line 968, in __getattr__
    raise AttributeError(
AttributeError: StructType has no attribute: symbol_table_name1!_CELL_DATA.get_subkeys

2.vmem is win7sp1x64. I don't know if there is a problem with the plugin or my use or the version.

eve-mem commented 5 months ago

Thanks for the report. Could you please reply with the output with -vvv before the plugin name?

wanna-graduate commented 5 months ago
python3 vol.py -f /home/xi/volatility3-2.5.0/12/2.vmem -vvv windows.registry.certificates
Volatility 3 Framework 2.5.0
INFO     volatility3.cli: Volatility plugins path: ['/home/xi/volatility3-2.5.0/volatility3/plugins', '/home/xi/volatility3-2.5.0/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/xi/volatility3-2.5.0/volatility3/symbols', '/home/xi/volatility3-2.5.0/volatility3/framework/symbols']
INFO     volatility3.framework.automagic: Detected a windows category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Certificates.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Certificates.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Certificates.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Certificates.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Certificates.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Certificates.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Certificates.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Certificates.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Certificates.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Certificates.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Certificates.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Certificates.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Certificates.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Certificates.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Certificates.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Certificates
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Certificates.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Certificates.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x187000
DEBUG    volatility3.framework.automagic.windows: DTB was found at: 0x187000
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Certificates.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Certificates.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Certificates.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Certificates.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Certificates.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Certificates.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Certificates.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Certificates.kernel.layer_name.memory_layer
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Certificates.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Certificates.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Certificates.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Certificates.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Certificates.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Certificates
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Certificates.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Certificates.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Certificates.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf80003e00000
DEBUG    volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb/ECE191A20CFF4465AE46DF96C2263845-1
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule

Certificate path        Certificate section     Certificate ID  Certificate name
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_KTMNOTIFICATION_PACKET
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EPROCESS_QUOTA_BLOCK
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PAGEFAULT_HISTORY
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PSP_CPU_QUOTA_APC
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_ACCESS_STATE
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ACTIVATION_CONTEXT_DATA
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_FLS_CALLBACK_INFO
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ASSEMBLY_STORAGE_MAP
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_SCSI_REQUEST_BLOCK
DEBUG    volatility3.plugins.windows.registry.hivelist: Hivelist failed traversing the list forwards at 0xf8a0005d7010, traversing backwards
DEBUG    volatility3.framework.symbols.windows.extensions.registry: Unexpected node type encountered when traversing subkeys: symbol_table_name1!_CM_KEY_INDEX, signature: n
DEBUG    volatility3.framework.symbols.windows.extensions.registry: Unexpected node type encountered when traversing subkeys: symbol_table_name1!_CM_KEY_INDEX, signature: n
DEBUG    volatility3.framework.layers.registry: Unknown Signature  (0x0) at offset 32
Traceback (most recent call last):
  File "/home/xi/volatility3-2.5.0/vol.py", line 10, in <module>
    volatility3.cli.main()
  File "/home/xi/volatility3-2.5.0/volatility3/cli/__init__.py", line 790, in main
    CommandLine().run()
  File "/home/xi/volatility3-2.5.0/volatility3/cli/__init__.py", line 447, in run
    renderers[args.renderer]().render(constructed.run())
  File "/home/xi/volatility3-2.5.0/volatility3/cli/text_renderer.py", line 193, in render
    grid.populate(visitor, outfd)
  File "/home/xi/volatility3-2.5.0/volatility3/framework/renderers/__init__.py", line 241, in populate
    for level, item in self._generator:
  File "/home/xi/volatility3-2.5.0/volatility3/plugins/windows/registry/certificates.py", line 86, in _generator
    node_path = hive.get_key(top_key, return_list=True)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/xi/volatility3-2.5.0/volatility3/framework/layers/registry.py", line 180, in get_key
    subkeys = node_key[-1].get_subkeys()
              ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/xi/volatility3-2.5.0/volatility3/framework/objects/__init__.py", line 968, in __getattr__
    raise AttributeError(
AttributeError: StructType has no attribute: symbol_table_name1!_CELL_DATA.get_subkeys

This is the report. Thank you for your response. @eve-mem

wanna-graduate commented 5 months ago

I saw "winswaplayers" in the error message above, so I turned off the swap feature in Windows 7 and made 3.vmem. Problem solved, and the similar problem when using windows.registry.userassist is solved as well! But I ran into another problem when using windows.virtmap. This may be the last question. The -vvv information is as follows:

python3 vol.py -f /home/xi/volatility3-2.5.0/12/3.vmem -vvv windows.virtmap
Volatility 3 Framework 2.5.0
INFO     volatility3.cli: Volatility plugins path: ['/home/xi/volatility3-2.5.0/volatility3/plugins', '/home/xi/volatility3-2.5.0/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/xi/volatility3-2.5.0/volatility3/symbols', '/home/xi/volatility3-2.5.0/volatility3/framework/symbols']
INFO     volatility3.framework.automagic: Detected a windows category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x187000
DEBUG    volatility3.framework.automagic.windows: DTB was found at: 0x187000
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name.memory_layer
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf80003e0a000
DEBUG    volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb/ECE191A20CFF4465AE46DF96C2263845-1
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule

DEBUG    volatility3.cli: Traceback (most recent call last):
  File "/home/xi/volatility3-2.5.0/volatility3/cli/__init__.py", line 447, in run
    renderers[args.renderer]().render(constructed.run())
                                      ^^^^^^^^^^^^^^^^^
  File "/home/xi/volatility3-2.5.0/volatility3/framework/plugins/windows/virtmap.py", line 160, in run
    self._generator(self.determine_map(module=module)),
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/xi/volatility3-2.5.0/volatility3/framework/plugins/windows/virtmap.py", line 101, in determine_map
    raise exceptions.SymbolError(
volatility3.framework.exceptions.SymbolError: Required structures not found

Volatility experienced a symbol-related issue:
symbol_table_name1!None: Required structures not found

        * An invalid symbol table
        * A plugin requesting a bad symbol
        * A plugin requesting a symbol from the wrong table

No further results will be produced

How do I use the virtmap plugin correctly? Does this have to do with ASLR? Do I need to open another issue?

ikelos commented 5 months ago

Do please open another issue, it helps us keep things clear so that people looking for a specific problem don't have to wade through eight others to find it... ;) The mention of swap layers was just volatility checking whether you've given it any swap layers, so I'm not sure that'll be directly related, other than rebooting the box and getting memory reloaded in the process. It may just be the registry was in an inconsistent state? If you were willing to share the memory image, it might be something for @superponible to look into, but otherwise if you've managed to get an image that gave you results it might not be worth the time...

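An added example (not code from volatility3 or from the reporter) of the kind of cell-signature validation that the crashing `get_subkeys()` call site assumed rather than performed: it reads constructed hive cells by their raw on-disk format (assumed `_CM_KEY_NODE` field offsets: SubKeyCounts at 0x14, SubKeyLists at 0x1C, NameLength at 0x48, Name at 0x4C) and refuses to interpret a cell with an unknown signature as a key node, so an inconsistent hive of the sort ikelos suspects produces a diagnostic like the "Unknown Signature (0x0)" debug line instead of an AttributeError.

```python
from __future__ import annotations
import struct
# Cell signatures a hive walker may legitimately meet; anything else (such as the
# "Unknown Signature (0x0)" in the log above) must not be treated as a key node.
KNOWN = {b"nk": "key node", b"lf": "subkey list", b"lh": "subkey list",
         b"li": "subkey list", b"ri": "subkey index", b"vk": "value", b"sk": "security"}

def read_cell(hive: bytes, offset: int) -> tuple[bool, bytes]:
    """(allocated, data) for the cell at offset: LE int32 size, negative = allocated."""
    if offset < 0 or offset + 4 > len(hive):
        raise ValueError(f"cell offset {offset:#x} lies outside the hive data")
    (size,) = struct.unpack_from("<i", hive, offset)
    if abs(size) < 4 or offset + abs(size) > len(hive):
        raise ValueError(f"cell at {offset:#x} has implausible size {size}")
    return size < 0, hive[offset + 4 : offset + abs(size)]

def classify_cell(hive: bytes, offset: int) -> str:
    """Describe a cell by its signature instead of assuming what it should be."""
    allocated, data = read_cell(hive, offset)
    if not allocated:
        return f"free cell at {offset:#x}"
    kind = KNOWN.get(data[:2])
    return kind or f"unknown signature {int.from_bytes(data[:2], 'little'):#x} at {offset:#x}"

def key_node_name(hive: bytes, offset: int) -> str | None:
    """Name of the 'nk' node at offset, or None when the cell is not a key node."""
    allocated, data = read_cell(hive, offset)
    if not allocated or data[:2] != b"nk" or len(data) < 0x4C:
        return None
    name_len = struct.unpack_from("<H", data, 0x48)[0]      # _CM_KEY_NODE.NameLength (assumed offset)
    return data[0x4C:0x4C + name_len].decode("latin-1") if 0x4C + name_len <= len(data) else None

def subkey_list_kind(hive: bytes, nk_offset: int) -> str:
    """Validate a key's stable subkey list cell before walking it (the check get_subkeys lacked)."""
    if key_node_name(hive, nk_offset) is None:
        return f"not a key node: {classify_cell(hive, nk_offset)}"
    _, data = read_cell(hive, nk_offset)
    count = struct.unpack_from("<I", data, 0x14)[0]         # SubKeyCounts[Stable] (assumed offset)
    list_off = struct.unpack_from("<I", data, 0x1C)[0]      # SubKeyLists[Stable] (assumed offset)
    if count == 0:
        return "no subkeys"
    kind = classify_cell(hive, list_off)
    return kind if kind in ("subkey list", "subkey index") else f"bad subkey list: {kind}"

def _cell(payload: bytes) -> bytes:
    size = 4 + len(payload)                                 # allocated, 8-byte aligned cell
    size += -size % 8
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")

def _key_node(name: bytes, subkey_count: int, subkey_list: int) -> bytes:
    node = bytearray(0x4C)                                  # fixed part of _CM_KEY_NODE
    node[0:2] = b"nk"
    struct.pack_into("<H", node, 0x02, 0x20)                # KEY_COMP_NAME: ASCII name
    struct.pack_into("<I", node, 0x14, subkey_count)
    struct.pack_into("<I", node, 0x1C, subkey_list)
    struct.pack_into("<H", node, 0x48, len(name))
    return bytes(node) + name

# Constructed sample hbin contents (not the reporter's image): a root 'nk' at 0x0 pointing
# at an 'lf' list at 0x58, then a zeroed cell at 0x68 standing in for inconsistent data.
SAMPLE_HIVE = (_cell(_key_node(b"ROOT", 1, 0x58))
               + _cell(b"lf" + struct.pack("<HI", 1, 0x68) + b"\0" * 4)
               + _cell(b"\0" * 12))
BROKEN_HIVE = _cell(_key_node(b"ROOT", 1, 0x68)) + SAMPLE_HIVE[0x58:]  # nk points at the zeroed cell
```
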
wanna-graduate commented 5 months ago

Thank you for your reply! I think the first problem has been solved. And I have opened another issue about the second problem.