volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Support for process explorer/procdump dmp files #341

Open David-BMS opened 4 years ago

David-BMS commented 4 years ago

Hi

**Describe the bug**
Trying to run volatility3 commands for a dmp file created by Sysinternals Process Explorer (full dump) for a specific process. When running any command on that memdump I get this error:

```text
Unsatisfied requirement plugins.Info.primary: Memory layer for the kernel
Unsatisfied requirement plugins.Info.nt_symbols: Windows kernel symbols

A symbol table requirement was not fulfilled.  Please verify that:
    You have the correct symbol file for the requirement
    The symbol file is under the correct directory or zip file
    The symbol file is named appropriately or contains the correct banner

A translation layer requirement was not fulfilled.  Please verify that:
    A file was provided to create this layer (by -f, --single-location or by config)
    The file exists and is readable
    The necessary symbols are present and identified by volatility

Unable to validate the plugin requirements: ['plugins.Info.primary', 'plugins.Info.nt_symbols']
```

The latest windows.zip symbols have been downloaded and placed under /volatility3/volatility/symbols/

When running commands against full memdumps such as those seen here https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples, Volatility works fine.

So at this point I'm not sure if the issue is that Volatility doesn't support memdumps provided by Process Explorer/procdump, or whether I need to do something else with regard to the symbols. If this is a matter of the memdump type not being supported, perhaps a clearer error message will do the trick.

Could be related to this? https://github.com/volatilityfoundation/volatility3/issues/155

**Context**
Volatility Version: Volatility 3 Framework 1.2.1-beta.1
Operating System: Windows 10 using WSL with Ubuntu 20.04.1 LTS
Python Version: 3.8.2

10x in advance!!!

ikelos commented 4 years ago

Hiya,

So my guess would be that it is related to the dmp file format. I would guess that Process Explorer, normally running in userland, is likely creating a full dump of a process, rather than a full kernel dump, which is what Volatility expects. The automagic isn't finding a standard Intel mapping (hence the first line, `Unsatisfied requirement plugins.Info.primary: Memory layer for the kernel`). That, in turn, will prevent it from finding any appropriate symbols (the second line, `Unsatisfied requirement plugins.Info.nt_symbols: Windows kernel symbols`). So unfortunately this doesn't say much about whether those symbols are working or not; it's that the memory image isn't yet supported (and depending on what Process Explorer stores, it may not be possible to do so).

As to whether this is related to #155, it's not; that's for Mac OS X symbols, so it has no influence on a Windows 10 issue. 5:)

Hope that helps?
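One way to check which kind of `.dmp` file you actually have before handing it to Volatility, as an added example (not code from volatility3 or from this thread; the sample bytes are constructed): a user-mode minidump from Process Explorer or procdump starts with a `MINIDUMP_HEADER` (signature `MDMP`), whereas the kernel crash dumps Volatility's crashdump layer understands start with `PAGEDUMP` or `PAGEDU64`.

```python
import struct

MINIDUMP_SIGNATURE = b"MDMP"
MINIDUMP_WITH_FULL_MEMORY = 0x2  # MINIDUMP_TYPE flag set by "full dump"
# A few well-known values from the MINIDUMP_STREAM_TYPE enumeration
STREAM_NAMES = {
    3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
    6: "ExceptionStream", 7: "SystemInfoStream", 9: "Memory64ListStream",
    16: "MemoryInfoListStream",
}

def classify_dump(data: bytes) -> dict:
    """Describe what kind of .dmp file the bytes in `data` hold."""
    # Kernel crash dumps begin with "PAGE" + "DUMP" (32-bit) or "DU64" (64-bit).
    if data[:8] in (b"PAGEDUMP", b"PAGEDU64"):
        return {"kind": "kernel_crashdump",
                "bits": 64 if data[4:8] == b"DU64" else 32}
    # User-mode minidump: 32-byte MINIDUMP_HEADER = Signature, Version,
    # NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags.
    if len(data) < 32 or data[:4] != MINIDUMP_SIGNATURE:
        return {"kind": "unknown"}
    _, version, nstreams, dir_rva, _, _, flags = struct.unpack_from("<4sIIIIIQ", data, 0)
    streams = []
    for i in range(nstreams):
        off = dir_rva + i * 12  # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva
        if off + 12 > len(data):
            break  # truncated directory: report what could be read
        stype, size, rva = struct.unpack_from("<III", data, off)
        streams.append((STREAM_NAMES.get(stype, f"type_{stype}"), size, rva))
    return {"kind": "minidump", "version": version & 0xFFFF,
            "full_memory": bool(flags & MINIDUMP_WITH_FULL_MEMORY),
            "streams": streams}

# Constructed sample: a minidump header with two directory entries placed
# right after the header; the stream bodies are zero placeholders.
SAMPLE_MINIDUMP = (
    struct.pack("<4sIIIIIQ", b"MDMP", 0xA793, 2, 32, 0, 0, MINIDUMP_WITH_FULL_MEMORY)
    + struct.pack("<III", 7, 56, 56)   # SystemInfoStream
    + struct.pack("<III", 9, 16, 112)  # Memory64ListStream
    + b"\x00" * 72
)
SAMPLE_CRASHDUMP = b"PAGEDU64" + b"\x00" * 24  # constructed 64-bit crash dump header stub

if __name__ == "__main__":
    for name, blob in (("process dump", SAMPLE_MINIDUMP), ("kernel dump", SAMPLE_CRASHDUMP)):
        print(name, classify_dump(blob))
```

A result of `"minidump"` means the file holds one process's address space rather than the kernel view the automagic is looking for, which is exactly the situation that produces the `plugins.Info.primary` error above.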

David-BMS commented 4 years ago

Thank you, much appreciated! So from the title change I take it there may be a future enhancement for supporting process dumps; that will be very helpful.

ikelos commented 4 years ago

Unfortunately we'd need to investigate to see if that would even be possible. Most plugins at the moment expect a full kernel dump, and so are unlikely to operate successfully on just a process dump, but I don't want to rule the possibility out. The hope was that Volatility 3 could eventually support application-level analysis, but there's a lot of machinery that would need to go in there first (such as support for process layers as requirements for plugins, etc.). It'd be a very complex addition if it's even possible at all, so please don't have any expectations of it happening within even a year or so, but as I say, I don't like to close off an idea until it's been proven unworkable...

David-BMS commented 4 years ago

Got it, thanks. I will stay tuned for updates.