Unable to validate the plugin requirements: ['plugins.Info.kernel.symbol_table_name']

[esebese]

Describe the bug I have tried to run volatility with different versions (2.5.2 & 2.7.0) for different Windows 11 images. However, I continuously have Unable to validate the plugin requirements: ['plugins.Info.kernel.symbol_table_name'] error.

I checked similar issues on the repo, tried --cache-path with a custom folder. However, this did not solve the issue.

Even if I extracted the custom symbol tables with pdbconv.py for these kernel versions of these images manually, this could not help me.

Context Volatility Version: 2.5.2 & 2.7.0 Operating System: Debian 12, Debian 10 Python Version: 3.7 & 3.12 Suspected Operating System: Windows 11 Command: vol -vvvvvv --cache-path ./cache -f infected.raw windows.info

Example output

Volatility 3 Framework 2.7.0
INFO     volatility3.cli: Volatility plugins path: ['/src/volatility3/volatility3/plugins', '/src/volatility3/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/src/volatility3/volatility3/symbols', '/src/volatility3/volatility3/framework/symbols']
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/plugins, /src/volatility3/volatility3/framework/plugins
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/automagic
DETAIL 3 volatility3.cli: Cache directory used: ./cache
INFO     volatility3.framework.automagic: Detected a windows category plugin
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
DETAIL 4 volatility3.framework.symbols.intermed: Searching for symbols in /src/volatility3/volatility3/symbols, /src/volatility3/volatility3/framework/symbols
DETAIL 3 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler
DEBUG    volatility3.framework.layers.resources: Using already cached file at: ./cache/data_81a98629e56d7a2da3fe38b713e6c854720804dd1895975a0eab270e06a9b222c2f0f4105394c340fa710921b47bb897af27b28519e192122d42faac47076159.cache
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 4 volatility3.framework.layers.elf: Exception: Bad magic 0x0 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 4 volatility3.framework.layers.xen: Exception: Bad magic 0x0 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Bad signature 0x0 at file offset 0x0
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Bad signature 0x0 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1ae000
DEBUG    volatility3.framework.automagic.windows: DTB was found at: 0x1ae000
DETAIL 2 volatility3.framework.automagic.stacker: Stacked IntelLayer using WindowsIntelStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 4 volatility3.framework.layers.elf: Exception: Bad magic 0x0 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 4 volatility3.framework.layers.xen: Exception: Bad magic 0x0 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Bad signature 0x0 at file offset 0x0
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Bad signature 0x0 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name.memory_layer
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /src/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 18782093311
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - testing fixed base address
DEBUG    volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf800154f6000
DEBUG    volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf8011c400000
DEBUG    volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf802beaf0000
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - optimized scan virtual layer
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - slow scan virtual layer
INFO     volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder      
INFO     volatility3.framework.automagic: Running automagic: KernelModule
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name

Unsatisfied requirement plugins.Info.kernel.symbol_table_name: 

A symbol table requirement was not fulfilled.  Please verify that:
    The associated translation layer requirement was fulfilled
    You have the correct symbol file for the requirement
    The symbol file is under the correct directory or zip file
    The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.symbol_table_name']

Additional information I had no issues with Windows 10 versions of these images in the past.

The images were acquired with FTK imager and winpmem.

The device is connected to the internet.

[ikelos]

That for reporting this. This line (No suitable kernels found during pdbscan) suggests that the pdbscanner couldn't find a valid kernel loaded to extract the PDB data to know which symbol table to use. Without being able to identify that, most of the windows plugins won't be able to navigate the kernel and do the tasks they're supposed to do. Would you be able to make that image available to us to investigate why the kernel couldn't be identified?

[ikelos]

It's unlikely this affects all windows 11 systems (since we run tests on them) but if there's some commonality amongst yours then it's possible that commonality is causing the problem. I guess you'd need to check the output you provided above for all the other versions, but for the one you've posted above, it does successfully find an Intel layer, but never manages to locate the windows kernel within that (it might be it found the intel layer incorrectly and that would stop it finding the kernel) but that's quite unlikely and would also likely only affect that image.