Open Axselll opened 2 days ago
Hiya, it doesn't look like you did anything inherently wrong, it just looks like volatility found a value that it thought was a memory address, which it tried to access but couldn't. As volatility points out, the most common reason for that happening would be memory smear (caused during imaging, where different parts of the memory are updated whilst the image was still being recorded, like trying to take a good photo of a hyperactive dog on an old/slow camera). I'm not too sure what to suggest, but try out simpler plugins (like pslist). If they work fine, then the symbol table is unlikely to be the problem...
@ikelos Hey man, yes I've tried pslist and it was fine, I can see stuff generated with it. In fact pslist was the first thing I tested, but recently I tried the pstree command and it was returning some error messages (I will probably open an issue if I can't find any workaround). And yes, you are right, I was forcing the memory dump while running a ransomware, so probably it was one of the unknown possibilities that can lead to this issue.
Also, after reading the error messages I see a message that tells me the symbol table is unsatisfied or not yet fulfilled or something like that, so it looks like it was my symbol table. I'll probably try to generate a symbol table based on my machine. Do you have any tricks or tips to generate the symbol table? I was having a hard time understanding how to generate the symbol table by following the documentation.
Thanks
Hello, I just tried vol3 recently and stumbled upon weird behavior (at least for me).
Describe the bug
I was trying to dump an ELF file using linux.pagecache.InodePages, and that led to an error: it says it was unable to read a requested page.
Context
Volatility Version: Vol3/2.11.0
Operating System: Linux Mint (5.15.0-125-generic)
Python Version: Python 3.10.12
Suspected Operating System: Linux Mint (5.15.0-125-generic)
Command: sudo python3 vol.py -vvv -f /home/quiet/LiME/result/res.mem linux.pagecache.InodePages --find /home/quiet/Documents/Go-dev/ransomware/rware --dump rware
To Reproduce
Steps to reproduce the behavior:
1. Long story short, I already know a process named rware (it's a simple ransomware payload that I want to retrieve from the memory dump file), but when I run the command above I got the result (see point no.2).
2. Volatility was unable to read a requested page: Page error 0xc5a7140de03a in layer layer_name (Page Fault at entry 0x0 in table page directory pointer)
Expected behavior
As we know my intention, I was trying to dump a file with the linux.pagecache.InodePages command.
Example output
INFO volatility3.cli: Volatility plugins path: ['/home/quiet/volatility3/volatility3/plugins', '/home/quiet/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/home/quiet/volatility3/volatility3/symbols', '/home/quiet/volatility3/volatility3/framework/symbols']
INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 19, in
import yara_x
ModuleNotFoundError: No module named 'yara_x'
During handling of the above exception, another exception occurred:
Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 25, in
import yara
ModuleNotFoundError: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: /home/quiet/volatility3/volatility3/framework/plugins/yarascan.py INFO volatility3.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/netstat.py", line 15, in
from volatility3.plugins.windows import netscan, modules, info, verinfo
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/netscan.py", line 17, in
from volatility3.plugins.windows import info, poolscanner, verinfo
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/verinfo.py", line 21, in
import pefile
ModuleNotFoundError: No module named 'pefile'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.netstat based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/netstat.py INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 19, in
import yara_x
ModuleNotFoundError: No module named 'yara_x'
During handling of the above exception, another exception occurred:
Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/svclist.py", line 12, in
from volatility3.plugins.windows import svcscan, pslist
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/svcscan.py", line 23, in
from volatility3.plugins.windows import poolscanner, pslist, vadyarascan
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/vadyarascan.py", line 11, in
from volatility3.plugins import yarascan
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 25, in
import yara
ModuleNotFoundError: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.svclist based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/svclist.py DEBUG volatility3.framework: Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/pe_symbols.py", line 11, in
import pefile
ModuleNotFoundError: No module named 'pefile'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.pe_symbols based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/pe_symbols.py INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 19, in
import yara_x
ModuleNotFoundError: No module named 'yara_x'
During handling of the above exception, another exception occurred:
Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/vadyarascan.py", line 11, in
from volatility3.plugins import yarascan
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 25, in
import yara
ModuleNotFoundError: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/vadyarascan.py DEBUG volatility3.framework: Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/debugregisters.py", line 19, in
import volatility3.plugins.windows.pe_symbols as pe_symbols
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/pe_symbols.py", line 11, in
import pefile
ModuleNotFoundError: No module named 'pefile'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.debugregisters based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/debugregisters.py INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 19, in
import yara_x
ModuleNotFoundError: No module named 'yara_x'
During handling of the above exception, another exception occurred:
Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/svcdiff.py", line 18, in
from volatility3.plugins.windows import svclist, svcscan
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/svclist.py", line 12, in
from volatility3.plugins.windows import svcscan, pslist
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/svcscan.py", line 23, in
from volatility3.plugins.windows import poolscanner, pslist, vadyarascan
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/vadyarascan.py", line 11, in
from volatility3.plugins import yarascan
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 25, in
import yara
ModuleNotFoundError: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.svcdiff based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/svcdiff.py DEBUG volatility3.framework: Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/iat.py", line 4, in
import logging, io, pefile
ModuleNotFoundError: No module named 'pefile'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.iat based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/iat.py DEBUG volatility3.framework: Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/unhooked_system_calls.py", line 16, in
from volatility3.plugins.windows import pslist, pe_symbols
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/pe_symbols.py", line 11, in
import pefile
ModuleNotFoundError: No module named 'pefile'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.unhooked_system_calls based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/unhooked_system_calls.py DEBUG volatility3.framework: Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/hashdump.py", line 10, in
from Crypto.Cipher import AES, ARC4, DES
ModuleNotFoundError: No module named 'Crypto'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/hashdump.py DEBUG volatility3.framework: Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/lsadump.py", line 8, in
from Crypto.Cipher import ARC4, DES, AES
ModuleNotFoundError: No module named 'Crypto'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/lsadump.py INFO volatility3.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/consoles.py", line 21, in
from volatility3.plugins.windows import pslist, info, verinfo
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/verinfo.py", line 21, in
import pefile
ModuleNotFoundError: No module named 'pefile'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.consoles based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/consoles.py INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 19, in
import yara_x
ModuleNotFoundError: No module named 'yara_x'
During handling of the above exception, another exception occurred:
Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/svcscan.py", line 23, in
from volatility3.plugins.windows import poolscanner, pslist, vadyarascan
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/vadyarascan.py", line 11, in
from volatility3.plugins import yarascan
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 25, in
import yara
ModuleNotFoundError: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/svcscan.py DEBUG volatility3.framework: Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/cachedump.py", line 8, in
from Crypto.Cipher import ARC4, AES
ModuleNotFoundError: No module named 'Crypto'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/cachedump.py INFO volatility3.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/cmdscan.py", line 17, in
from volatility3.plugins.windows import pslist, consoles
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/consoles.py", line 21, in
from volatility3.plugins.windows import pslist, info, verinfo
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/verinfo.py", line 21, in
import pefile
ModuleNotFoundError: No module named 'pefile'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.cmdscan based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/cmdscan.py INFO volatility3.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/verinfo.py", line 21, in
import pefile
ModuleNotFoundError: No module named 'pefile'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.verinfo based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/verinfo.py DEBUG volatility3.framework: Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/skeleton_key_check.py", line 18, in
import pefile
ModuleNotFoundError: No module named 'pefile'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.skeleton_key_check based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/skeleton_key_check.py INFO volatility3.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/netscan.py", line 17, in
from volatility3.plugins.windows import info, poolscanner, verinfo
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/verinfo.py", line 21, in
import pefile
ModuleNotFoundError: No module named 'pefile'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.netscan based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/netscan.py INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 19, in
import yara_x
ModuleNotFoundError: No module named 'yara_x'
During handling of the above exception, another exception occurred:
Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/mftscan.py", line 13, in
from volatility3.plugins import timeliner, yarascan
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 25, in
import yara
ModuleNotFoundError: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.mftscan based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/mftscan.py INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 19, in
import yara_x
ModuleNotFoundError: No module named 'yara_x'
During handling of the above exception, another exception occurred:
Traceback (most recent call last): File "/home/quiet/volatility3/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/linux/vmayarascan.py", line 10, in
from volatility3.plugins import yarascan
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 25, in
import yara
ModuleNotFoundError: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.linux.vmayarascan based on file: /home/quiet/volatility3/volatility3/framework/plugins/linux/vmayarascan.py
INFO volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.linux.vmayarascan, volatility3.plugins.windows.cachedump, volatility3.plugins.windows.cmdscan, volatility3.plugins.windows.consoles, volatility3.plugins.windows.debugregisters, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.iat, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.mftscan, volatility3.plugins.windows.netscan, volatility3.plugins.windows.netstat, volatility3.plugins.windows.pe_symbols, volatility3.plugins.windows.skeleton_key_check, volatility3.plugins.windows.svcdiff, volatility3.plugins.windows.svclist, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.unhooked_system_calls, volatility3.plugins.windows.vadyarascan, volatility3.plugins.windows.verinfo, volatility3.plugins.yarascan
INFO volatility3.framework.automagic: Detected a linux category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - inode requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - inode requirements only accept int type: None
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.linux: Identified banner: b'Linux version 5.15.0-125-generic (buildd@lcy02-amd64-040) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #135-Ubuntu SMP Fri Sep 27 13:53:58 UTC 2024 (Ubuntu 5.15.0-125.135-generic 5.15.167)\n\x00'
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!netns_ipvs
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_pkg_stats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_rcv_lists_stats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_dev_rcv_lists
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_route
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sctp_mib
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_stats_rsn
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_stats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!garp_port
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!macsec_ops
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mctp_dev
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_dev
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mrp_port
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!tipc_bearer
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!udp_tunnel_nic
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!phylink
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_conn
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cached_keys
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cqm_config
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_internal_bss
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sfp
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!libipw_device
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_hashinfo
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!dsa_8021q_context
DEBUG volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical 99000000 virtual 32400000
DEBUG volatility3.framework.automagic.linux: DTB was found at: 0x9be10000
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name.memory_layer
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name.memory_layer.base_layer
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - inode requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - inode requirements only accept int type: None
DEBUG volatility3.framework.automagic.stacker: physical_layer maximum_address: 12787937695
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'LimeLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 5.15.0-125-generic (buildd@lcy02-amd64-040) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #135-Ubuntu SMP Fri Sep 27 13:53:58 UTC 2024 (Ubuntu 5.15.0-125.135-generic 5.15.167)\n\x00'
DEBUG volatility3.framework.automagic.symbol_finder: Using symbol library: file:///home/quiet/volatility3/volatility3/symbols/generic/linux/Ubuntu_5.15.0-125-generic_5.15.0-125.135_amd64.json.xz
INFO volatility3.framework.automagic: Running automagic: KernelModule
PageVAddr PagePAddr MappingAddr Index DumpSafe Flags
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!netns_ipvs
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_pkg_stats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_rcv_lists_stats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_dev_rcv_lists
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_route
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sctp_mib
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_stats_rsn
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_stats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!garp_port
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!macsec_ops
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mctp_dev
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_dev
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mrp_port
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!tipc_bearer
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!udp_tunnel_nic
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!phylink
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_conn
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cached_keys
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cqm_config
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_internal_bss
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!libipw_device
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_hashinfo
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dsa_8021q_context
DEBUG volatility3.cli: Traceback (most recent call last):
  File "/home/quiet/volatility3/volatility3/cli/__init__.py", line 502, in run
    renderer.render(grid)
  File "/home/quiet/volatility3/volatility3/cli/text_renderer.py", line 230, in render
    grid.populate(visitor, outfd)
  File "/home/quiet/volatility3/volatility3/framework/renderers/__init__.py", line 245, in populate
    for level, item in self._generator:
  File "/home/quiet/volatility3/volatility3/framework/plugins/linux/pagecache.py", line 350, in format_fields_with_headers
    for level, fields in generator:
  File "/home/quiet/volatility3/volatility3/framework/plugins/linux/pagecache.py", line 481, in _generator
    for inode_in in inodes_iter:
  File "/home/quiet/volatility3/volatility3/framework/plugins/linux/pagecache.py", line 272, in get_inodes
    for file_path, file_dentry in cls._walk_dentry(
  File "/home/quiet/volatility3/volatility3/framework/plugins/linux/pagecache.py", line 208, in _walk_dentry
    yield from cls._walk_dentry(seen_dentries, dentry, parent_dir=file_path)
  File "/home/quiet/volatility3/volatility3/framework/plugins/linux/pagecache.py", line 189, in _walk_dentry
    inode_ptr = dentry.d_inode
  File "/home/quiet/volatility3/volatility3/framework/objects/__init__.py", line 961, in __getattr__
    member = template(context=self._context, object_info=object_info)
  File "/home/quiet/volatility3/volatility3/framework/objects/templates.py", line 96, in __call__
    return self.vol.object_class(
  File "/home/quiet/volatility3/volatility3/framework/objects/__init__.py", line 168, in __new__
    value = cls._unmarshall(context, data_format, object_info)
  File "/home/quiet/volatility3/volatility3/framework/objects/__init__.py", line 408, in _unmarshall
    data = context.layers.read(object_info.layer_name, object_info.offset, length)
  File "/home/quiet/volatility3/volatility3/framework/interfaces/layers.py", line 638, in read
    return self[layer].read(offset, length, pad)
  File "/home/quiet/volatility3/volatility3/framework/layers/linear.py", line 45, in read
    for offset, _, mapped_offset, mapped_length, layer in self.mapping(
  File "/home/quiet/volatility3/volatility3/framework/layers/intel.py", line 295, in mapping
    for offset, size, mapped_offset, mapped_size, map_layer in self._mapping(
  File "/home/quiet/volatility3/volatility3/framework/layers/intel.py", line 351, in _mapping
    chunk_offset, page_size, layer_name = self._translate(offset)
  File "/home/quiet/volatility3/volatility3/framework/layers/intel.py", line 155, in _translate
    entry, position = self._translate_entry(offset)
  File "/home/quiet/volatility3/volatility3/framework/layers/intel.py", line 198, in _translate_entry
    raise exceptions.PagedInvalidAddressException(
volatility3.framework.exceptions.PagedInvalidAddressException: Page Fault at entry 0x0 in table page directory pointer
Volatility was unable to read a requested page:
Page error 0xc5a7140de03a in layer layer_name (Page Fault at entry 0x0 in table page directory pointer)

- Memory smear during acquisition (try re-acquiring if possible)
- An intentionally invalid page lookup (operating system protection)
- A bug in the plugin/volatility3 (re-run with -vvv and file a bug)

No further results will be produced
Additional information

I am using the symbol table that I got on GitHub - this

I hope it's not about the symbol table :) I'm new to vol3, so I apologize in advance if this is not a bug but an error from my end. Thanks in advance.
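A quick way to triage a `-vvv` log like the one in this report, as an added example (not part of the original post and not Volatility's own code): it compares the kernel release in the identified banner with the name of the symbol file that was selected, counts the "not yet fulfilled" messages before and after that selection, and extracts the failing page lookup. The `triage` function and its field names are hypothetical, the sample lines are copied from the log above, and the file-name comparison is only a heuristic, since it relies on the naming used by this particular symbol file.

```python
import re

# Sample entries copied from the -vvv log in this report (only the relevant ones).
SAMPLE_LOG = r"""
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'LimeLayer', 'FileLayer']
DEBUG volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 5.15.0-125-generic (buildd@lcy02-amd64-040) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #135-Ubuntu SMP Fri Sep 27 13:53:58 UTC 2024 (Ubuntu 5.15.0-125.135-generic 5.15.167)\n\x00'
DEBUG volatility3.framework.automagic.symbol_finder: Using symbol library: file:///home/quiet/volatility3/volatility3/symbols/generic/linux/Ubuntu_5.15.0-125-generic_5.15.0-125.135_amd64.json.xz
volatility3.framework.exceptions.PagedInvalidAddressException: Page Fault at entry 0x0 in table page directory pointer
Volatility was unable to read a requested page:
Page error 0xc5a7140de03a in layer layer_name (Page Fault at entry 0x0 in table page directory pointer)
"""

MARKER = "Symbol table requirement not yet fulfilled"


def triage(log_text):
    """Summarise a Volatility 3 -vvv log: banner vs. symbol file, layers, fault."""
    banner = re.search(r"Identified banner:\s*b'Linux version (\S+)", log_text)
    symbols = re.search(r"Using symbol library: \S*/(\S+)", log_text)
    layers = re.search(r"Stacked layers: \[([^\]]*)\]", log_text)
    fault = re.search(r"Page error (0x[0-9a-fA-F]+) in layer (\S+) \((.+?)\)", log_text)

    release = banner.group(1) if banner else None
    symbol_file = symbols.group(1) if symbols else None
    # Split the log at the point where a symbol library was selected.
    cut = symbols.start() if symbols else len(log_text)
    return {
        "kernel_release": release,
        "symbol_file": symbol_file,
        # Heuristic only: assumes the release string appears in the file name.
        "release_in_symbol_name": bool(release and symbol_file and release in symbol_file),
        "unfulfilled_before_symbols": log_text[:cut].count(MARKER),
        "unfulfilled_after_symbols": log_text[cut:].count(MARKER),
        "layers": re.findall(r"'([^']+)'", layers.group(1)) if layers else [],
        # (address, layer, reason) of the page lookup that ended the run.
        "fault": fault.groups() if fault else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the full log from this report the "not yet fulfilled" entries all appear before the `Using symbol library` line, so `unfulfilled_after_symbols` is 0 there as well.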