volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

An invalid symbol table when using windows.virtmap #1179

Closed wanna-graduate closed 5 months ago

wanna-graduate commented 5 months ago

Describe the bug

I ran into a problem when using windows.virtmap. There is no valid output. How do I use the virtmap plugin correctly? Does this have to do with ASLR? If you need more information or the vmem file, please tell me and leave your email.

Context

Volatility Version: 2.5.0
Operating System: ubuntu 22.04 (linux 5.15.74) (my host OS)
Python Version: 3.10.12
Suspected Operating System: win7sp1x64 (3.vmem)
Command: python3 vol.py -f /home/xi/volatility3-2.5.0/12/3.vmem -vvv windows.virtmap

Example output

python3 vol.py -f /home/xi/volatility3-2.5.0/12/3.vmem -vvv windows.virtmap
Volatility 3 Framework 2.5.0
INFO     volatility3.cli: Volatility plugins path: ['/home/xi/volatility3-2.5.0/volatility3/plugins', '/home/xi/volatility3-2.5.0/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/xi/volatility3-2.5.0/volatility3/symbols', '/home/xi/volatility3-2.5.0/volatility3/framework/symbols']
INFO     volatility3.framework.automagic: Detected a windows category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x187000
DEBUG    volatility3.framework.automagic.windows: DTB was found at: 0x187000
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VirtMap.kernel.layer_name.memory_layer
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VirtMap
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VirtMap.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf80003e0a000
DEBUG    volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb/ECE191A20CFF4465AE46DF96C2263845-1
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder    
INFO     volatility3.framework.automagic: Running automagic: KernelModule

DEBUG    volatility3.cli: Traceback (most recent call last):
  File "/home/xi/volatility3-2.5.0/volatility3/cli/__init__.py", line 447, in run
    renderers[args.renderer]().render(constructed.run())
                                      ^^^^^^^^^^^^^^^^^
  File "/home/xi/volatility3-2.5.0/volatility3/framework/plugins/windows/virtmap.py", line 160, in run
    self._generator(self.determine_map(module=module)),
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/xi/volatility3-2.5.0/volatility3/framework/plugins/windows/virtmap.py", line 101, in determine_map
    raise exceptions.SymbolError(
volatility3.framework.exceptions.SymbolError: Required structures not found

Volatility experienced a symbol-related issue:
symbol_table_name1!None: Required structures not found

        * An invalid symbol table
        * A plugin requesting a bad symbol
        * A plugin requesting a symbol from the wrong table

No further results will be produced
ikelos commented 5 months ago

So the exact error is that certain symbols that the plugin needs can't be found. The error message isn't as helpful as it could be (because it doesn't tell you which symbol), but it could be one of MiVisibleState, SystemVaRegions or SystemVaType. This is because Windows changed the way it recorded information between various versions, and we use the symbols in the symbol table to figure that out. If they're not there, then it likely means that version of Windows isn't supported by the virtmap plugin, unfortunately.
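
Since the SymbolError above does not say which symbol is missing, a quick offline check of the ISF symbol table that automagic selected (here ntkrnlmp.pdb/ECE191A20CFF4465AE46DF96C2263845-1) shows whether any of the symbols ikelos names are present before running the plugin. This is an added example, not code from the volatility3 project; it assumes the standard ISF layout (top-level "symbols" and "metadata.windows.pdb" keys) and the sample tables it embeds are constructed, not real Microsoft symbol data.

```python
import json
import lzma
from pathlib import Path

# Symbols ikelos names as the ones virtmap looks for; which ones a given
# Windows build's kernel PDB exposes depends on the version.
VIRTMAP_SYMBOLS = ("MiVisibleState", "SystemVaRegions", "SystemVaType")
XZ_MAGIC = b"\xfd7zXZ\x00"


def parse_isf(data: bytes) -> dict:
    """Decode an ISF table from raw bytes, handling both .json and .json.xz payloads."""
    if data.startswith(XZ_MAGIC):
        data = lzma.decompress(data)
    return json.loads(data.decode("utf-8"))


def load_isf(path) -> dict:
    """Read an ISF file from the volatility3/symbols tree (e.g. windows/ntkrnlmp.pdb/<GUID>-<age>.json.xz)."""
    return parse_isf(Path(path).read_bytes())


def virtmap_symbol_report(isf: dict) -> dict:
    """Report which virtmap-related symbols the table defines and which are absent.

    If none of them is present, the table cannot satisfy the plugin, which is
    the situation ikelos describes for unsupported Windows versions.
    """
    symbols = isf.get("symbols", {})
    pdb = isf.get("metadata", {}).get("windows", {}).get("pdb", {})
    present = [name for name in VIRTMAP_SYMBOLS if name in symbols]
    return {
        "table": f"{pdb.get('database', '?')}/{pdb.get('GUID', '?')}-{pdb.get('age', '?')}",
        "present": present,
        "missing": [name for name in VIRTMAP_SYMBOLS if name not in symbols],
        "any_present": bool(present),
    }


# Constructed sample tables: the GUID/age below is the one from the issue's log,
# but the symbol sets are illustrative only and not taken from a real PDB.
SAMPLE_WITHOUT = {
    "metadata": {"windows": {"pdb": {"database": "ntkrnlmp.pdb",
                                     "GUID": "ECE191A20CFF4465AE46DF96C2263845", "age": 1}}},
    "symbols": {"MmSystemRangeStart": {"address": 0x1000}},
}
SAMPLE_WITH = {
    "metadata": {"windows": {"pdb": {"database": "ntkrnlmp.pdb", "GUID": "PLACEHOLDER_GUID", "age": 1}}},
    "symbols": {"MiVisibleState": {"address": 0x2000}, "SystemVaType": {"address": 0x3000}},
}

if __name__ == "__main__":
    for sample in (SAMPLE_WITHOUT, SAMPLE_WITH):
        print(virtmap_symbol_report(sample))
```

To check a real table, call load_isf on the .json.xz file under your symbols path and pass the result to virtmap_symbol_report.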

wanna-graduate commented 5 months ago

@ikelos Thank you very much! It turns out that what you said is right: it is indeed a version support issue. I tried to analyze win7sp1x86 using the virtmap plugin with success.