Open esebese opened 3 weeks ago
Thanks for reporting this. This line (No suitable kernels found during pdbscan) suggests that the pdbscanner couldn't find a valid kernel loaded to extract the PDB data to know which symbol table to use. Without being able to identify that, most of the Windows plugins won't be able to navigate the kernel and do the tasks they're supposed to do. Would you be able to make that image available to us to investigate why the kernel couldn't be identified?
It's unlikely this affects all Windows 11 systems (since we run tests on them) but if there's some commonality amongst yours then it's possible that commonality is causing the problem. I guess you'd need to check the output you provided above for all the other versions, but for the one you've posted above, it does successfully find an Intel layer, but never manages to locate the Windows kernel within that (it might be it found the Intel layer incorrectly and that would stop it finding the kernel) but that's quite unlikely and would also likely only affect that image.
Describe the bug
I have tried to run Volatility with different versions (2.5.2 & 2.7.0) for different Windows 11 images. However, I continuously have
Unable to validate the plugin requirements: ['plugins.Info.kernel.symbol_table_name']
error. I checked similar issues on the repo, tried --cache-path with a custom folder. However, this did not solve the issue.
Even if I extracted the custom symbol tables with pdbconv.py for these kernel versions of these images manually, this could not help me.
Context
Volatility Version: 2.5.2 & 2.7.0
Operating System: Debian 12, Debian 10
Python Version: 3.7 & 3.12
Suspected Operating System: Windows 11
Command: vol -vvvvvv --cache-path ./cache -f infected.raw windows.info
Example output
Additional information
I had no issues with Windows 10 versions of these images in the past.
The images were acquired with FTK imager and winpmem.
The device is connected to the internet.
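
As an added illustration of the kernel identification the reply above refers to (not Volatility's code, and not from this thread): a stand-alone check that looks in a raw image for a CodeView RSDS debug record naming a Windows kernel PDB, whose GUID and age are what a symbol table is selected by. The function names and the constructed sample record are assumptions made for this example.

```python
import re
import struct
import uuid

# PDB file names used by Windows kernel builds.
KERNEL_PDBS = (b"ntkrnlmp.pdb", b"ntkrnlpa.pdb", b"ntkrpamp.pdb", b"ntoskrnl.pdb")

# CodeView "RSDS" record: signature, 16-byte GUID, 4-byte age, NUL-terminated PDB name.
RSDS_RE = re.compile(
    b"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<pdb>"
    + b"|".join(re.escape(n) for n in KERNEL_PDBS)
    + b")\x00",
    re.DOTALL,
)


def scan_rsds(data, base=0):
    """Yield (offset, pdb_name, guid_hex, age) for each kernel RSDS record in data."""
    for m in RSDS_RE.finditer(data):
        guid = uuid.UUID(bytes_le=m.group("guid")).hex.upper()
        (age,) = struct.unpack("<I", m.group("age"))
        yield base + m.start(), m.group("pdb").decode(), guid, age


def scan_file(path, chunk=16 * 1024 * 1024, overlap=64):
    """Scan a raw image in chunks; the overlap catches records split across chunks."""
    hits, offset, tail = [], 0, b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            buf = tail + block
            hits.extend(scan_rsds(buf, offset - len(tail)))
            tail, offset = buf[-overlap:], offset + len(block)
    return sorted(set(hits))  # records inside the overlap are seen twice


def constructed_sample():
    """Constructed test buffer: one fake kernel RSDS record at offset 0x1000."""
    guid = uuid.UUID("00112233-4455-6677-8899-aabbccddeeff")  # made-up GUID
    rec = b"RSDS" + guid.bytes_le + struct.pack("<I", 1) + b"ntkrnlmp.pdb\x00"
    return b"\x00" * 0x1000 + rec + b"\x00" * 0x100


if __name__ == "__main__":
    for off, pdb, guid, age in scan_rsds(constructed_sample()):
        print(f"{off:#x} {pdb} {guid}-{age:X}")
```

Offsets are file offsets in the raw acquisition; a hit shows only that the record is present in the image, not that the framework's layer stacking reached it.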