search

volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/
Other
2.61k stars 447 forks source link

Windows PsList: TypeError: unsupported operand type(s) for +=: 'int' and 'NoneType' #524

Closed Wenzel closed 3 years ago

Wenzel commented 3 years ago

Describe the bug While running the windows.pslist.PsList plugin on a windows XP memory dump, a TypeError has been raised:

Context Volatility Version: 1.0.1 Operating System: Ubuntu 20.04 Python Version: 3.8.10 Suspected Operating System: windows XP Command: ~/Projets/volatility3/vol.py -f winxp.dump windows.pslist.PsList

To Reproduce Steps to reproduce the behavior:

  1. dump VM memory with Libvmi's vmi-dump-memory example code. The memory dump can be provided on demand.
  2. ~/Projets/volatility3/vol.py -f winxp.dump windows.pslist.PsList
  3. See the error below

Expected behavior Volatility should have displayed the process list

Screenshots Capture d’écran de 2021-07-05 17-34-39

Traceback:

Traceback (most recent call last):
  File "/home/mtarral/Projets/volatility3/vol.py", line 10, in <module>
    volatility3.cli.main()
  File "/home/mtarral/Projets/volatility3/volatility3/cli/__init__.py", line 618, in main
    CommandLine().run()
  File "/home/mtarral/Projets/volatility3/volatility3/cli/__init__.py", line 326, in run
    renderers[args.renderer]().render(constructed.run())
  File "/home/mtarral/Projets/volatility3/volatility3/cli/text_renderer.py", line 178, in render
    grid.populate(visitor, outfd)
  File "/home/mtarral/Projets/volatility3/volatility3/framework/renderers/__init__.py", line 211, in populate
    for (level, item) in self._generator:
  File "/home/mtarral/Projets/volatility3/volatility3/framework/plugins/windows/pslist.py", line 186, in _generator
    for proc in self.list_processes(self.context,
  File "/home/mtarral/Projets/volatility3/volatility3/framework/plugins/windows/pslist.py", line 155, in list_processes
    list_entry = ntkrnlmp.object(object_type = "_LIST_ENTRY", offset = ps_aph_offset)
  File "/home/mtarral/Projets/volatility3/volatility3/framework/contexts/__init__.py", line 195, in object
    offset += self._offset
TypeError: unsupported operand type(s) for +=: 'int' and 'NoneType'

Thanks !

Wenzel commented 3 years ago

I just tested with volatility2, and it can display the process list:

$ ./venv2/bin/vol.py -f winxp.dump --profile WinXPSP3x86 pslist
Volatility Foundation Volatility Framework 2.6.1
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x861c69c8 System                    4      0     51      271 ------      0                                                              
0x85f41020 smss.exe                348      4      3       17 ------      0 2021-07-05 22:07:17 UTC+0000                                 
0x860d2020 csrss.exe               404    348      9      298      0      0 2021-07-05 22:07:17 UTC+0000                                 
0x85fff1c8 winlogon.exe            428    348     23      374      0      0 2021-07-05 22:07:18 UTC+0000                                 
0x860b3af8 services.exe            472    428     22      293      0      0 2021-07-05 22:07:18 UTC+0000                                 
0x85eff978 lsass.exe               484    428     26      366      0      0 2021-07-05 22:07:18 UTC+0000                                 
0x85f0b2e0 svchost.exe             632    472      6      137      0      0 2021-07-05 22:07:18 UTC+0000                                 
0x85f1fa70 svchost.exe             700    472     10      227      0      0 2021-07-05 22:07:19 UTC+0000                                 
0x85f18ca8 svchost.exe             736    472     63      964      0      0 2021-07-05 22:07:19 UTC+0000                                 
0x85e607a8 svchost.exe             796    472      4       56      0      0 2021-07-05 22:07:19 UTC+0000                                 
0x85f06558 svchost.exe             820    472      4      103      0      0 2021-07-05 22:07:25 UTC+0000                                 
0x860ba700 userinit.exe           1032    428      2       44      0      0 2021-07-05 22:07:25 UTC+0000                                 
0x85e311d8 explorer.exe           1068   1032     13      253      0      0 2021-07-05 22:07:26 UTC+0000                                 
0x85e2d6f0 spoolsv.exe            1172    472      6       52      0      0 2021-07-05 22:07:26 UTC+0000                                 
0x85e1dd08 svchost.exe            1248    472      5      105      0      0 2021-07-05 22:07:26 UTC+0000                                 
0x85e15760 svchost.exe            1336    472      9       92      0      0 2021-07-05 22:07:27 UTC+0000                                 
0x85de5020 svchost.exe            1500    472      8      161      0      0 2021-07-05 22:07:27 UTC+0000                                 
0x85f3e7d8 wuauclt.exe            1564    736      8      133      0      0 2021-07-05 22:07:27 UTC+0000
Wenzel commented 3 years ago

The kernel virtual offset returned in kvo is None here, and the None value is not handled https://github.com/volatilityfoundation/volatility3/blob/develop/volatility3/framework/plugins/windows/pslist.py#L151

ikelos commented 3 years ago

Thanks for the additional debugging. It looks like this should be fulfilled by the pdbscan, and that we ought to be able to depend on it being set. Could you provide the output of running the plugin with -vvvvv please (as an attachment would be fine, so it doesn't take up so much space). Thanks! 5:)

Wenzel commented 3 years ago

Hey ikelos, thanks for the quick reply, here is the requested log output from volatility: command I used: ~/Projets/volatility3/vol.py -f winxp.dump -vvvvv windows.pslist.PsList 2>&1 | tee output.log output.log

ikelos commented 3 years ago

Ok, so I think I've got it. For some reason we seem to get a valid kernel (which fulfills the requirement) but an automagic exception happens (non-fatal) before the kernel_virtual_offset can be saved. Since they're optional (so the intel layer can be used just for mapping without necessarily having a kernel) it doesn't throw any errors until it's used. I've now made it throw an exception when the module gets constructed if it's given a bad offset, and I've changed the ordering so the offset always gets stored, then any subrequirements attempt to be filled. It would be interesting to find out what's throwing the exception (and why it wasn't listed in the output with that many vs, as exceptions are supposed to do), but my hope is that this resolves the problem enough that it'll be easier to investigate if it happens again and it should happen less often... 5:)

Wenzel commented 3 years ago

Hi @ikelos, sorry for the delay, I'm giving you an update on this isssue. When I test your fix, I get the following output:

Volatility 3 Framework 1.1.1
WARNING  volatility3.framework.plugins: Automagic exception occurred: TypeError: 'NoneType' object cannot be interpreted as an integer

Unsatisfied requirement plugins.PsList.nt_symbols: Windows kernel symbols

A symbol table requirement was not fulfilled.  Please verify that:
    You have the correct symbol file for the requirement
    The symbol file is under the correct directory or zip file
    The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsList.nt_symbols']

Also note that this only happens with Windows XP. Using Windows 10, volatility works fine.

ikelos commented 3 years ago

Hiya @Wenzel , thanks for letting me know. The symbol table issue is alright, but the TypeError: 'NoneType' bit is a little bit unusual. Could you run it again but with -vvvvv please?

Wenzel commented 3 years ago

@ikelos sure, here you go !

INFO     volatility3.cli: Volatility plugins path: ['/home/mtarral/Projets/libmicrovmi/python/microvmi/volatility', '/home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/plugins', '/home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/symbols', '/home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/symbols']
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/microvmi/volatility, /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/plugins, /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/plugins
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: yarascan
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: windows/cachedump
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.callbacks based on file: windows/callbacks
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: windows/hashdump
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: windows/vadyarascan
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: windows/svcscan
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: windows/lsadump
INFO     volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.callbacks, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/automagic
Level 7  volatility3.cli: Cache directory used: /home/mtarral/.cache/volatility3
INFO     volatility3.framework.automagic: Detected a windows category plugin
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.nt_symbols
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 7  volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, VMIHandler
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG    volatility3.framework.automagic.windows: DTB was found at: 0x620000
Level 8  volatility3.framework.automagic.stacker: Stacked IntelLayer using WindowsIntelStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary.memory_layer
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.nt_symbols
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']

Progress:  100.00       Stacking attempts finished
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: WintelHelper
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure

Progress:    0.00       Scanning memory_layer using BytesScanner

Progress:    0.52       Scanning memory_layer using BytesScanner

Progress:    1.04       Scanning memory_layer using BytesScanner

Progress:    1.56       Scanning memory_layer using BytesScanner

Progress:    2.08       Scanning memory_layer using BytesScanner

Progress:    2.60       Scanning memory_layer using BytesScanner

Progress:    3.13       Scanning memory_layer using BytesScanner

Progress:    3.65       Scanning memory_layer using BytesScanner

Progress:    4.17       Scanning memory_layer using BytesScanner

Progress:    4.69       Scanning memory_layer using BytesScanner

Progress:    5.21       Scanning memory_layer using BytesScanner

Progress:    5.73       Scanning memory_layer using BytesScanner

Progress:    6.25       Scanning memory_layer using BytesScanner

Progress:    6.77       Scanning memory_layer using BytesScanner

Progress:    7.29       Scanning memory_layer using BytesScanner

Progress:    7.81       Scanning memory_layer using BytesScanner

Progress:    8.33       Scanning memory_layer using BytesScanner

Progress:    8.85       Scanning memory_layer using BytesScanner

Progress:    9.38       Scanning memory_layer using BytesScanner

Progress:    9.90       Scanning memory_layer using BytesScanner

Progress:   10.42       Scanning memory_layer using BytesScanner

Progress:   10.94       Scanning memory_layer using BytesScanner

Progress:   11.46       Scanning memory_layer using BytesScanner

Progress:   11.98       Scanning memory_layer using BytesScanner

Progress:   12.50       Scanning memory_layer using BytesScanner

Progress:   13.02       Scanning memory_layer using BytesScanner

Progress:   13.54       Scanning memory_layer using BytesScanner

Progress:   14.06       Scanning memory_layer using BytesScanner

Progress:   14.58       Scanning memory_layer using BytesScanner

Progress:   15.10       Scanning memory_layer using BytesScanner

Progress:   15.63       Scanning memory_layer using BytesScanner

Progress:   16.15       Scanning memory_layer using BytesScanner

Progress:   16.67       Scanning memory_layer using BytesScanner

Progress:   17.19       Scanning memory_layer using BytesScanner

Progress:   17.71       Scanning memory_layer using BytesScanner

Progress:   18.23       Scanning memory_layer using BytesScanner

Progress:   18.75       Scanning memory_layer using BytesScanner

Progress:   19.27       Scanning memory_layer using BytesScanner

Progress:   19.79       Scanning memory_layer using BytesScanner

Progress:   20.31       Scanning memory_layer using BytesScanner

Progress:   20.83       Scanning memory_layer using BytesScanner

Progress:   21.35       Scanning memory_layer using BytesScanner

Progress:   21.88       Scanning memory_layer using BytesScanner

Progress:   22.40       Scanning memory_layer using BytesScanner

Progress:   22.92       Scanning memory_layer using BytesScanner

Progress:   23.44       Scanning memory_layer using BytesScanner

Progress:   23.96       Scanning memory_layer using BytesScanner

Progress:   24.48       Scanning memory_layer using BytesScanner

Progress:   25.00       Scanning memory_layer using BytesScanner

Progress:   25.52       Scanning memory_layer using BytesScanner

Progress:   26.04       Scanning memory_layer using BytesScanner

Progress:   26.56       Scanning memory_layer using BytesScanner

Progress:   27.08       Scanning memory_layer using BytesScanner

Progress:   27.60       Scanning memory_layer using BytesScanner

Progress:   28.13       Scanning memory_layer using BytesScanner

Progress:   28.65       Scanning memory_layer using BytesScanner

Progress:   29.17       Scanning memory_layer using BytesScanner

Progress:   29.69       Scanning memory_layer using BytesScanner

Progress:   30.21       Scanning memory_layer using BytesScanner

Progress:   30.73       Scanning memory_layer using BytesScanner

Progress:   31.25       Scanning memory_layer using BytesScanner

Progress:   31.77       Scanning memory_layer using BytesScanner

Progress:   32.29       Scanning memory_layer using BytesScanner

Progress:   32.81       Scanning memory_layer using BytesScanner

Progress:   33.33       Scanning memory_layer using BytesScanner

Progress:   33.85       Scanning memory_layer using BytesScanner

Progress:   34.38       Scanning memory_layer using BytesScanner

Progress:   34.90       Scanning memory_layer using BytesScanner

Progress:   35.42       Scanning memory_layer using BytesScanner

Progress:   35.94       Scanning memory_layer using BytesScanner

Progress:   36.46       Scanning memory_layer using BytesScanner

Progress:   36.98       Scanning memory_layer using BytesScanner

Progress:   37.50       Scanning memory_layer using BytesScanner

Progress:   38.02       Scanning memory_layer using BytesScanner

Progress:   38.54       Scanning memory_layer using BytesScanner

Progress:   39.06       Scanning memory_layer using BytesScanner

Progress:   39.58       Scanning memory_layer using BytesScanner

Progress:   40.10       Scanning memory_layer using BytesScanner

Progress:   40.63       Scanning memory_layer using BytesScanner

Progress:   41.15       Scanning memory_layer using BytesScanner

Progress:   41.67       Scanning memory_layer using BytesScanner

Progress:   42.19       Scanning memory_layer using BytesScanner

Progress:   42.71       Scanning memory_layer using BytesScanner

Progress:   43.23       Scanning memory_layer using BytesScanner

Progress:   43.75       Scanning memory_layer using BytesScanner

Progress:   44.27       Scanning memory_layer using BytesScanner

Progress:   44.79       Scanning memory_layer using BytesScanner

Progress:   45.31       Scanning memory_layer using BytesScanner

Progress:   45.83       Scanning memory_layer using BytesScanner

Progress:   46.35       Scanning memory_layer using BytesScanner

Progress:   46.88       Scanning memory_layer using BytesScanner

Progress:   47.40       Scanning memory_layer using BytesScanner

Progress:   47.92       Scanning memory_layer using BytesScanner

Progress:   48.44       Scanning memory_layer using BytesScanner

Progress:   48.96       Scanning memory_layer using BytesScanner

Progress:   49.48       Scanning memory_layer using BytesScanner

Progress:   50.00       Scanning memory_layer using BytesScanner

Progress:   50.52       Scanning memory_layer using BytesScanner

Progress:   51.04       Scanning memory_layer using BytesScanner

Progress:   51.56       Scanning memory_layer using BytesScanner

Progress:   52.08       Scanning memory_layer using BytesScanner

Progress:   52.60       Scanning memory_layer using BytesScanner

Progress:   53.13       Scanning memory_layer using BytesScanner

Progress:   53.65       Scanning memory_layer using BytesScanner

Progress:   54.17       Scanning memory_layer using BytesScanner

Progress:   54.69       Scanning memory_layer using BytesScanner

Progress:   55.21       Scanning memory_layer using BytesScanner

Progress:   55.73       Scanning memory_layer using BytesScanner

Progress:   56.25       Scanning memory_layer using BytesScanner

Progress:   56.77       Scanning memory_layer using BytesScanner

Progress:   57.29       Scanning memory_layer using BytesScanner

Progress:   57.81       Scanning memory_layer using BytesScanner

Progress:   58.33       Scanning memory_layer using BytesScanner

Progress:   58.85       Scanning memory_layer using BytesScanner

Progress:   59.38       Scanning memory_layer using BytesScanner

Progress:   59.90       Scanning memory_layer using BytesScanner

Progress:   60.42       Scanning memory_layer using BytesScanner

Progress:   60.94       Scanning memory_layer using BytesScanner

Progress:   61.46       Scanning memory_layer using BytesScanner

Progress:   61.98       Scanning memory_layer using BytesScanner

Progress:   62.50       Scanning memory_layer using BytesScanner

Progress:   63.02       Scanning memory_layer using BytesScanner

Progress:   63.54       Scanning memory_layer using BytesScanner

Progress:   64.06       Scanning memory_layer using BytesScanner

Progress:   64.58       Scanning memory_layer using BytesScanner

Progress:   65.10       Scanning memory_layer using BytesScanner

Progress:   65.63       Scanning memory_layer using BytesScanner

Progress:   66.15       Scanning memory_layer using BytesScanner

Progress:   66.67       Scanning memory_layer using BytesScanner

Progress:   67.19       Scanning memory_layer using BytesScanner

Progress:   67.71       Scanning memory_layer using BytesScanner

Progress:   68.23       Scanning memory_layer using BytesScanner

Progress:   68.75       Scanning memory_layer using BytesScanner

Progress:   69.27       Scanning memory_layer using BytesScanner

Progress:   69.79       Scanning memory_layer using BytesScanner

Progress:   70.31       Scanning memory_layer using BytesScanner

Progress:   70.83       Scanning memory_layer using BytesScanner

Progress:   71.35       Scanning memory_layer using BytesScanner

Progress:   71.88       Scanning memory_layer using BytesScanner

Progress:   72.40       Scanning memory_layer using BytesScanner

Progress:   72.92       Scanning memory_layer using BytesScanner

Progress:   73.44       Scanning memory_layer using BytesScanner

Progress:   73.96       Scanning memory_layer using BytesScanner

Progress:   74.48       Scanning memory_layer using BytesScanner

Progress:   75.00       Scanning memory_layer using BytesScanner

Progress:   75.52       Scanning memory_layer using BytesScanner

Progress:   76.04       Scanning memory_layer using BytesScanner

Progress:   76.56       Scanning memory_layer using BytesScanner

Progress:   77.08       Scanning memory_layer using BytesScanner

Progress:   77.60       Scanning memory_layer using BytesScanner

Progress:   78.13       Scanning memory_layer using BytesScanner

Progress:   78.65       Scanning memory_layer using BytesScanner

Progress:   79.17       Scanning memory_layer using BytesScanner

Progress:   79.69       Scanning memory_layer using BytesScanner

Progress:   80.21       Scanning memory_layer using BytesScanner

Progress:   80.73       Scanning memory_layer using BytesScanner

Progress:   81.25       Scanning memory_layer using BytesScanner

Progress:   81.77       Scanning memory_layer using BytesScanner

Progress:   82.29       Scanning memory_layer using BytesScanner

Progress:   82.81       Scanning memory_layer using BytesScanner

Progress:   83.33       Scanning memory_layer using BytesScanner

Progress:   83.85       Scanning memory_layer using BytesScanner

Progress:   84.38       Scanning memory_layer using BytesScanner

Progress:   84.90       Scanning memory_layer using BytesScanner

Progress:   85.42       Scanning memory_layer using BytesScanner

Progress:   85.94       Scanning memory_layer using BytesScanner

Progress:   86.46       Scanning memory_layer using BytesScanner

Progress:   86.98       Scanning memory_layer using BytesScanner

Progress:   87.50       Scanning memory_layer using BytesScanner

Progress:   88.02       Scanning memory_layer using BytesScanner

Progress:   88.54       Scanning memory_layer using BytesScanner

Progress:   89.06       Scanning memory_layer using BytesScanner

Progress:   89.58       Scanning memory_layer using BytesScanner

Progress:   90.10       Scanning memory_layer using BytesScanner

Progress:   90.63       Scanning memory_layer using BytesScanner

Progress:   91.15       Scanning memory_layer using BytesScanner

Progress:   91.67       Scanning memory_layer using BytesScanner

Progress:   92.19       Scanning memory_layer using BytesScanner

Progress:   92.71       Scanning memory_layer using BytesScanner

Progress:   93.23       Scanning memory_layer using BytesScanner

Progress:   93.75       Scanning memory_layer using BytesScanner

Progress:   94.27       Scanning memory_layer using BytesScanner

Progress:   94.79       Scanning memory_layer using BytesScanner

Progress:   95.31       Scanning memory_layer using BytesScanner

Progress:   95.83       Scanning memory_layer using BytesScanner

Progress:   96.35       Scanning memory_layer using BytesScanner

Progress:   96.88       Scanning memory_layer using BytesScanner

Progress:   97.40       Scanning memory_layer using BytesScanner

Progress:   97.92       Scanning memory_layer using BytesScanner

Progress:   98.44       Scanning memory_layer using BytesScanner

Progress:   98.96       Scanning memory_layer using BytesScanner

Progress:   99.48       Scanning memory_layer using BytesScanner
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure

Progress:    0.00       Scanning memory_layer using BytesScanner

Progress:    0.52       Scanning memory_layer using BytesScanner

Progress:    1.04       Scanning memory_layer using BytesScanner

Progress:    1.56       Scanning memory_layer using BytesScanner

Progress:    2.08       Scanning memory_layer using BytesScanner

Progress:    2.60       Scanning memory_layer using BytesScanner

Progress:    3.13       Scanning memory_layer using BytesScanner

Progress:    3.65       Scanning memory_layer using BytesScanner

Progress:    4.17       Scanning memory_layer using BytesScanner

Progress:    4.69       Scanning memory_layer using BytesScanner

Progress:    5.21       Scanning memory_layer using BytesScanner

Progress:    5.73       Scanning memory_layer using BytesScanner

Progress:    6.25       Scanning memory_layer using BytesScanner

Progress:    6.77       Scanning memory_layer using BytesScanner

Progress:    7.29       Scanning memory_layer using BytesScanner

Progress:    7.81       Scanning memory_layer using BytesScanner

Progress:    8.33       Scanning memory_layer using BytesScanner

Progress:    8.85       Scanning memory_layer using BytesScanner

Progress:    9.38       Scanning memory_layer using BytesScanner

Progress:    9.90       Scanning memory_layer using BytesScanner

Progress:   10.42       Scanning memory_layer using BytesScanner

Progress:   10.94       Scanning memory_layer using BytesScanner

Progress:   11.46       Scanning memory_layer using BytesScanner

Progress:   11.98       Scanning memory_layer using BytesScanner

Progress:   12.50       Scanning memory_layer using BytesScanner

Progress:   13.02       Scanning memory_layer using BytesScanner

Progress:   13.54       Scanning memory_layer using BytesScanner

Progress:   14.06       Scanning memory_layer using BytesScanner

Progress:   14.58       Scanning memory_layer using BytesScanner

Progress:   15.10       Scanning memory_layer using BytesScanner

Progress:   15.63       Scanning memory_layer using BytesScanner

Progress:   16.15       Scanning memory_layer using BytesScanner

Progress:   16.67       Scanning memory_layer using BytesScanner

Progress:   17.19       Scanning memory_layer using BytesScanner

Progress:   17.71       Scanning memory_layer using BytesScanner

Progress:   18.23       Scanning memory_layer using BytesScanner

Progress:   18.75       Scanning memory_layer using BytesScanner

Progress:   19.27       Scanning memory_layer using BytesScanner

Progress:   19.79       Scanning memory_layer using BytesScanner

Progress:   20.31       Scanning memory_layer using BytesScanner

Progress:   20.83       Scanning memory_layer using BytesScanner

Progress:   21.35       Scanning memory_layer using BytesScanner

Progress:   21.88       Scanning memory_layer using BytesScanner

Progress:   22.40       Scanning memory_layer using BytesScanner

Progress:   22.92       Scanning memory_layer using BytesScanner

Progress:   23.44       Scanning memory_layer using BytesScanner

Progress:   23.96       Scanning memory_layer using BytesScanner

Progress:   24.48       Scanning memory_layer using BytesScanner

Progress:   25.00       Scanning memory_layer using BytesScanner

Progress:   25.52       Scanning memory_layer using BytesScanner

Progress:   26.04       Scanning memory_layer using BytesScanner

Progress:   26.56       Scanning memory_layer using BytesScanner

Progress:   27.08       Scanning memory_layer using BytesScanner

Progress:   27.60       Scanning memory_layer using BytesScanner

Progress:   28.13       Scanning memory_layer using BytesScanner

Progress:   28.65       Scanning memory_layer using BytesScanner

Progress:   29.17       Scanning memory_layer using BytesScanner

Progress:   29.69       Scanning memory_layer using BytesScanner

Progress:   30.21       Scanning memory_layer using BytesScanner

Progress:   30.73       Scanning memory_layer using BytesScanner

Progress:   31.25       Scanning memory_layer using BytesScanner

Progress:   31.77       Scanning memory_layer using BytesScanner

Progress:   32.29       Scanning memory_layer using BytesScanner

Progress:   32.81       Scanning memory_layer using BytesScanner

Progress:   33.33       Scanning memory_layer using BytesScanner

Progress:   33.85       Scanning memory_layer using BytesScanner

Progress:   34.38       Scanning memory_layer using BytesScanner

Progress:   34.90       Scanning memory_layer using BytesScanner

Progress:   35.42       Scanning memory_layer using BytesScanner

Progress:   35.94       Scanning memory_layer using BytesScanner

Progress:   36.46       Scanning memory_layer using BytesScanner

Progress:   36.98       Scanning memory_layer using BytesScanner

Progress:   37.50       Scanning memory_layer using BytesScanner

Progress:   38.02       Scanning memory_layer using BytesScanner

Progress:   38.54       Scanning memory_layer using BytesScanner

Progress:   39.06       Scanning memory_layer using BytesScanner

Progress:   39.58       Scanning memory_layer using BytesScanner

Progress:   40.10       Scanning memory_layer using BytesScanner

Progress:   40.63       Scanning memory_layer using BytesScanner

Progress:   41.15       Scanning memory_layer using BytesScanner

Progress:   41.67       Scanning memory_layer using BytesScanner

Progress:   42.19       Scanning memory_layer using BytesScanner

Progress:   42.71       Scanning memory_layer using BytesScanner

Progress:   43.23       Scanning memory_layer using BytesScanner

Progress:   43.75       Scanning memory_layer using BytesScanner

Progress:   44.27       Scanning memory_layer using BytesScanner

Progress:   44.79       Scanning memory_layer using BytesScanner

Progress:   45.31       Scanning memory_layer using BytesScanner

Progress:   45.83       Scanning memory_layer using BytesScanner

Progress:   46.35       Scanning memory_layer using BytesScanner

Progress:   46.88       Scanning memory_layer using BytesScanner

Progress:   47.40       Scanning memory_layer using BytesScanner

Progress:   47.92       Scanning memory_layer using BytesScanner

Progress:   48.44       Scanning memory_layer using BytesScanner

Progress:   48.96       Scanning memory_layer using BytesScanner

Progress:   49.48       Scanning memory_layer using BytesScanner

Progress:   50.00       Scanning memory_layer using BytesScanner

Progress:   50.52       Scanning memory_layer using BytesScanner

Progress:   51.04       Scanning memory_layer using BytesScanner

Progress:   51.56       Scanning memory_layer using BytesScanner

Progress:   52.08       Scanning memory_layer using BytesScanner

Progress:   52.60       Scanning memory_layer using BytesScanner

Progress:   53.13       Scanning memory_layer using BytesScanner

Progress:   53.65       Scanning memory_layer using BytesScanner

Progress:   54.17       Scanning memory_layer using BytesScanner

Progress:   54.69       Scanning memory_layer using BytesScanner

Progress:   55.21       Scanning memory_layer using BytesScanner

Progress:   55.73       Scanning memory_layer using BytesScanner

Progress:   56.25       Scanning memory_layer using BytesScanner

Progress:   56.77       Scanning memory_layer using BytesScanner

Progress:   57.29       Scanning memory_layer using BytesScanner

Progress:   57.81       Scanning memory_layer using BytesScanner

Progress:   58.33       Scanning memory_layer using BytesScanner

Progress:   58.85       Scanning memory_layer using BytesScanner

Progress:   59.38       Scanning memory_layer using BytesScanner

Progress:   59.90       Scanning memory_layer using BytesScanner

Progress:   60.42       Scanning memory_layer using BytesScanner

Progress:   60.94       Scanning memory_layer using BytesScanner

Progress:   61.46       Scanning memory_layer using BytesScanner

Progress:   61.98       Scanning memory_layer using BytesScanner

Progress:   62.50       Scanning memory_layer using BytesScanner

Progress:   63.02       Scanning memory_layer using BytesScanner

Progress:   63.54       Scanning memory_layer using BytesScanner

Progress:   64.06       Scanning memory_layer using BytesScanner

Progress:   64.58       Scanning memory_layer using BytesScanner

Progress:   65.10       Scanning memory_layer using BytesScanner

Progress:   65.63       Scanning memory_layer using BytesScanner

Progress:   66.15       Scanning memory_layer using BytesScanner

Progress:   66.67       Scanning memory_layer using BytesScanner

Progress:   67.19       Scanning memory_layer using BytesScanner

Progress:   67.71       Scanning memory_layer using BytesScanner

Progress:   68.23       Scanning memory_layer using BytesScanner

Progress:   68.75       Scanning memory_layer using BytesScanner

Progress:   69.27       Scanning memory_layer using BytesScanner

Progress:   69.79       Scanning memory_layer using BytesScanner

Progress:   70.31       Scanning memory_layer using BytesScanner

Progress:   70.83       Scanning memory_layer using BytesScanner

Progress:   71.35       Scanning memory_layer using BytesScanner

Progress:   71.88       Scanning memory_layer using BytesScanner

Progress:   72.40       Scanning memory_layer using BytesScanner

Progress:   72.92       Scanning memory_layer using BytesScanner

Progress:   73.44       Scanning memory_layer using BytesScanner

Progress:   73.96       Scanning memory_layer using BytesScanner

Progress:   74.48       Scanning memory_layer using BytesScanner

Progress:   75.00       Scanning memory_layer using BytesScanner

Progress:   75.52       Scanning memory_layer using BytesScanner

Progress:   76.04       Scanning memory_layer using BytesScanner

Progress:   76.56       Scanning memory_layer using BytesScanner

Progress:   77.08       Scanning memory_layer using BytesScanner

Progress:   77.60       Scanning memory_layer using BytesScanner

Progress:   78.13       Scanning memory_layer using BytesScanner

Progress:   78.65       Scanning memory_layer using BytesScanner

Progress:   79.17       Scanning memory_layer using BytesScanner

Progress:   79.69       Scanning memory_layer using BytesScanner

Progress:   80.21       Scanning memory_layer using BytesScanner

Progress:   80.73       Scanning memory_layer using BytesScanner

Progress:   81.25       Scanning memory_layer using BytesScanner

Progress:   81.77       Scanning memory_layer using BytesScanner

Progress:   82.29       Scanning memory_layer using BytesScanner

Progress:   82.81       Scanning memory_layer using BytesScanner

Progress:   83.33       Scanning memory_layer using BytesScanner

Progress:   83.85       Scanning memory_layer using BytesScanner

Progress:   84.38       Scanning memory_layer using BytesScanner

Progress:   84.90       Scanning memory_layer using BytesScanner

Progress:   85.42       Scanning memory_layer using BytesScanner

Progress:   85.94       Scanning memory_layer using BytesScanner

Progress:   86.46       Scanning memory_layer using BytesScanner

Progress:   86.98       Scanning memory_layer using BytesScanner

Progress:   87.50       Scanning memory_layer using BytesScanner

Progress:   88.02       Scanning memory_layer using BytesScanner

Progress:   88.54       Scanning memory_layer using BytesScanner

Progress:   89.06       Scanning memory_layer using BytesScanner

Progress:   89.58       Scanning memory_layer using BytesScanner

Progress:   90.10       Scanning memory_layer using BytesScanner

Progress:   90.63       Scanning memory_layer using BytesScanner

Progress:   91.15       Scanning memory_layer using BytesScanner

Progress:   91.67       Scanning memory_layer using BytesScanner

Progress:   92.19       Scanning memory_layer using BytesScanner

Progress:   92.71       Scanning memory_layer using BytesScanner

Progress:   93.23       Scanning memory_layer using BytesScanner

Progress:   93.75       Scanning memory_layer using BytesScanner

Progress:   94.27       Scanning memory_layer using BytesScanner

Progress:   94.79       Scanning memory_layer using BytesScanner

Progress:   95.31       Scanning memory_layer using BytesScanner

Progress:   95.83       Scanning memory_layer using BytesScanner

Progress:   96.35       Scanning memory_layer using BytesScanner

Progress:   96.88       Scanning memory_layer using BytesScanner

Progress:   97.40       Scanning memory_layer using BytesScanner

Progress:   97.92       Scanning memory_layer using BytesScanner

Progress:   98.44       Scanning memory_layer using BytesScanner

Progress:   98.96       Scanning memory_layer using BytesScanner

Progress:   99.48       Scanning memory_layer using BytesScanner
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - testing fixed base address

Progress:    0.00       Scanning memory_layer using PdbSignatureScanner
DEBUG    volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset did not map to expected location: 0x804d7000

Progress:    0.52       Scanning memory_layer using PdbSignatureScanner

Progress:    1.04       Scanning memory_layer using PdbSignatureScanner

Progress:    1.56       Scanning memory_layer using PdbSignatureScanner

Progress:    2.08       Scanning memory_layer using PdbSignatureScanner

Progress:    2.60       Scanning memory_layer using PdbSignatureScanner

Progress:    3.13       Scanning memory_layer using PdbSignatureScanner

Progress:    3.65       Scanning memory_layer using PdbSignatureScanner

Progress:    4.17       Scanning memory_layer using PdbSignatureScanner

Progress:    4.69       Scanning memory_layer using PdbSignatureScanner

Progress:    5.21       Scanning memory_layer using PdbSignatureScanner

Progress:    5.73       Scanning memory_layer using PdbSignatureScanner

Progress:    6.25       Scanning memory_layer using PdbSignatureScanner

Progress:    6.77       Scanning memory_layer using PdbSignatureScanner

Progress:    7.29       Scanning memory_layer using PdbSignatureScanner

Progress:    7.81       Scanning memory_layer using PdbSignatureScanner

Progress:    8.33       Scanning memory_layer using PdbSignatureScanner

Progress:    8.85       Scanning memory_layer using PdbSignatureScanner

Progress:    9.38       Scanning memory_layer using PdbSignatureScanner

Progress:    9.90       Scanning memory_layer using PdbSignatureScanner

Progress:   10.42       Scanning memory_layer using PdbSignatureScanner

Progress:   10.94       Scanning memory_layer using PdbSignatureScanner

Progress:   11.46       Scanning memory_layer using PdbSignatureScanner

Progress:   11.98       Scanning memory_layer using PdbSignatureScanner

Progress:   12.50       Scanning memory_layer using PdbSignatureScanner

Progress:   13.02       Scanning memory_layer using PdbSignatureScanner

Progress:   13.54       Scanning memory_layer using PdbSignatureScanner

Progress:   14.06       Scanning memory_layer using PdbSignatureScanner

Progress:   14.58       Scanning memory_layer using PdbSignatureScanner

Progress:   15.10       Scanning memory_layer using PdbSignatureScanner

Progress:   15.63       Scanning memory_layer using PdbSignatureScanner

Progress:   16.15       Scanning memory_layer using PdbSignatureScanner

Progress:   16.67       Scanning memory_layer using PdbSignatureScanner

Progress:   17.19       Scanning memory_layer using PdbSignatureScanner

Progress:   17.71       Scanning memory_layer using PdbSignatureScanner

Progress:   18.23       Scanning memory_layer using PdbSignatureScanner

Progress:   18.75       Scanning memory_layer using PdbSignatureScanner

Progress:   19.27       Scanning memory_layer using PdbSignatureScanner

Progress:   19.79       Scanning memory_layer using PdbSignatureScanner

Progress:   20.31       Scanning memory_layer using PdbSignatureScanner

Progress:   20.83       Scanning memory_layer using PdbSignatureScanner

Progress:   21.35       Scanning memory_layer using PdbSignatureScanner

Progress:   21.88       Scanning memory_layer using PdbSignatureScanner

Progress:   22.40       Scanning memory_layer using PdbSignatureScanner

Progress:   22.92       Scanning memory_layer using PdbSignatureScanner

Progress:   23.44       Scanning memory_layer using PdbSignatureScanner

Progress:   23.96       Scanning memory_layer using PdbSignatureScanner

Progress:   24.48       Scanning memory_layer using PdbSignatureScanner

Progress:   25.00       Scanning memory_layer using PdbSignatureScanner

Progress:   25.52       Scanning memory_layer using PdbSignatureScanner

Progress:   26.04       Scanning memory_layer using PdbSignatureScanner

Progress:   26.56       Scanning memory_layer using PdbSignatureScanner

Progress:   27.08       Scanning memory_layer using PdbSignatureScanner

Progress:   27.60       Scanning memory_layer using PdbSignatureScanner

Progress:   28.13       Scanning memory_layer using PdbSignatureScanner

Progress:   28.65       Scanning memory_layer using PdbSignatureScanner

Progress:   29.17       Scanning memory_layer using PdbSignatureScanner

Progress:   29.69       Scanning memory_layer using PdbSignatureScanner

Progress:   30.21       Scanning memory_layer using PdbSignatureScanner

Progress:   30.73       Scanning memory_layer using PdbSignatureScanner

Progress:   31.25       Scanning memory_layer using PdbSignatureScanner

Progress:   31.77       Scanning memory_layer using PdbSignatureScanner

Progress:   32.29       Scanning memory_layer using PdbSignatureScanner

Progress:   32.81       Scanning memory_layer using PdbSignatureScanner

Progress:   33.33       Scanning memory_layer using PdbSignatureScanner

Progress:   33.85       Scanning memory_layer using PdbSignatureScanner

Progress:   34.38       Scanning memory_layer using PdbSignatureScanner

Progress:   34.90       Scanning memory_layer using PdbSignatureScanner

Progress:   35.42       Scanning memory_layer using PdbSignatureScanner

Progress:   35.94       Scanning memory_layer using PdbSignatureScanner

Progress:   36.46       Scanning memory_layer using PdbSignatureScanner

Progress:   36.98       Scanning memory_layer using PdbSignatureScanner

Progress:   37.50       Scanning memory_layer using PdbSignatureScanner

Progress:   38.02       Scanning memory_layer using PdbSignatureScanner

Progress:   38.54       Scanning memory_layer using PdbSignatureScanner

Progress:   39.06       Scanning memory_layer using PdbSignatureScanner

Progress:   39.58       Scanning memory_layer using PdbSignatureScanner

Progress:   40.10       Scanning memory_layer using PdbSignatureScanner

Progress:   40.63       Scanning memory_layer using PdbSignatureScanner

Progress:   41.15       Scanning memory_layer using PdbSignatureScanner

Progress:   41.67       Scanning memory_layer using PdbSignatureScanner

Progress:   42.19       Scanning memory_layer using PdbSignatureScanner

Progress:   42.71       Scanning memory_layer using PdbSignatureScanner

Progress:   43.23       Scanning memory_layer using PdbSignatureScanner

Progress:   43.75       Scanning memory_layer using PdbSignatureScanner

Progress:   44.27       Scanning memory_layer using PdbSignatureScanner

Progress:   44.79       Scanning memory_layer using PdbSignatureScanner

Progress:   45.31       Scanning memory_layer using PdbSignatureScanner

Progress:   45.83       Scanning memory_layer using PdbSignatureScanner

Progress:   46.35       Scanning memory_layer using PdbSignatureScanner

Progress:   46.88       Scanning memory_layer using PdbSignatureScanner

Progress:   47.40       Scanning memory_layer using PdbSignatureScanner

Progress:   47.92       Scanning memory_layer using PdbSignatureScanner

Progress:   48.44       Scanning memory_layer using PdbSignatureScanner

Progress:   48.96       Scanning memory_layer using PdbSignatureScanner

Progress:   49.48       Scanning memory_layer using PdbSignatureScanner

Progress:   50.00       Scanning memory_layer using PdbSignatureScanner

Progress:   50.52       Scanning memory_layer using PdbSignatureScanner

Progress:   51.04       Scanning memory_layer using PdbSignatureScanner

Progress:   51.56       Scanning memory_layer using PdbSignatureScanner

Progress:   52.08       Scanning memory_layer using PdbSignatureScanner

Progress:   52.60       Scanning memory_layer using PdbSignatureScanner

Progress:   53.13       Scanning memory_layer using PdbSignatureScanner

Progress:   53.65       Scanning memory_layer using PdbSignatureScanner

Progress:   54.17       Scanning memory_layer using PdbSignatureScanner

Progress:   54.69       Scanning memory_layer using PdbSignatureScanner

Progress:   55.21       Scanning memory_layer using PdbSignatureScanner

Progress:   55.73       Scanning memory_layer using PdbSignatureScanner

Progress:   56.25       Scanning memory_layer using PdbSignatureScanner

Progress:   56.77       Scanning memory_layer using PdbSignatureScanner

Progress:   57.29       Scanning memory_layer using PdbSignatureScanner

Progress:   57.81       Scanning memory_layer using PdbSignatureScanner

Progress:   58.33       Scanning memory_layer using PdbSignatureScanner

Progress:   58.85       Scanning memory_layer using PdbSignatureScanner

Progress:   59.38       Scanning memory_layer using PdbSignatureScanner

Progress:   59.90       Scanning memory_layer using PdbSignatureScanner

Progress:   60.42       Scanning memory_layer using PdbSignatureScanner

Progress:   60.94       Scanning memory_layer using PdbSignatureScanner

Progress:   61.46       Scanning memory_layer using PdbSignatureScanner

Progress:   61.98       Scanning memory_layer using PdbSignatureScanner

Progress:   62.50       Scanning memory_layer using PdbSignatureScanner

Progress:   63.02       Scanning memory_layer using PdbSignatureScanner

Progress:   63.54       Scanning memory_layer using PdbSignatureScanner

Progress:   64.06       Scanning memory_layer using PdbSignatureScanner

Progress:   64.58       Scanning memory_layer using PdbSignatureScanner

Progress:   65.10       Scanning memory_layer using PdbSignatureScanner

Progress:   65.63       Scanning memory_layer using PdbSignatureScanner

Progress:   66.15       Scanning memory_layer using PdbSignatureScanner

Progress:   66.67       Scanning memory_layer using PdbSignatureScanner

Progress:   67.19       Scanning memory_layer using PdbSignatureScanner

Progress:   67.71       Scanning memory_layer using PdbSignatureScanner

Progress:   68.23       Scanning memory_layer using PdbSignatureScanner

Progress:   68.75       Scanning memory_layer using PdbSignatureScanner

Progress:   69.27       Scanning memory_layer using PdbSignatureScanner

Progress:   69.79       Scanning memory_layer using PdbSignatureScanner

Progress:   70.31       Scanning memory_layer using PdbSignatureScanner

Progress:   70.83       Scanning memory_layer using PdbSignatureScanner

Progress:   71.35       Scanning memory_layer using PdbSignatureScanner

Progress:   71.88       Scanning memory_layer using PdbSignatureScanner

Progress:   72.40       Scanning memory_layer using PdbSignatureScanner

Progress:   72.92       Scanning memory_layer using PdbSignatureScanner

Progress:   73.44       Scanning memory_layer using PdbSignatureScanner

Progress:   73.96       Scanning memory_layer using PdbSignatureScanner

Progress:   74.48       Scanning memory_layer using PdbSignatureScanner

Progress:   75.00       Scanning memory_layer using PdbSignatureScanner

Progress:   75.52       Scanning memory_layer using PdbSignatureScanner

Progress:   76.04       Scanning memory_layer using PdbSignatureScanner

Progress:   76.56       Scanning memory_layer using PdbSignatureScanner

Progress:   77.08       Scanning memory_layer using PdbSignatureScanner

Progress:   77.60       Scanning memory_layer using PdbSignatureScanner

Progress:   78.13       Scanning memory_layer using PdbSignatureScanner

Progress:   78.65       Scanning memory_layer using PdbSignatureScanner

Progress:   79.17       Scanning memory_layer using PdbSignatureScanner

Progress:   79.69       Scanning memory_layer using PdbSignatureScanner

Progress:   80.21       Scanning memory_layer using PdbSignatureScanner

Progress:   80.73       Scanning memory_layer using PdbSignatureScanner

Progress:   81.25       Scanning memory_layer using PdbSignatureScanner

Progress:   81.77       Scanning memory_layer using PdbSignatureScanner

Progress:   82.29       Scanning memory_layer using PdbSignatureScanner

Progress:   82.81       Scanning memory_layer using PdbSignatureScanner

Progress:   83.33       Scanning memory_layer using PdbSignatureScanner

Progress:   83.85       Scanning memory_layer using PdbSignatureScanner

Progress:   84.38       Scanning memory_layer using PdbSignatureScanner

Progress:   84.90       Scanning memory_layer using PdbSignatureScanner

Progress:   85.42       Scanning memory_layer using PdbSignatureScanner

Progress:   85.94       Scanning memory_layer using PdbSignatureScanner

Progress:   86.46       Scanning memory_layer using PdbSignatureScanner

Progress:   86.98       Scanning memory_layer using PdbSignatureScanner

Progress:   87.50       Scanning memory_layer using PdbSignatureScanner

Progress:   88.02       Scanning memory_layer using PdbSignatureScanner

Progress:   88.54       Scanning memory_layer using PdbSignatureScanner

Progress:   89.06       Scanning memory_layer using PdbSignatureScanner

Progress:   89.58       Scanning memory_layer using PdbSignatureScanner

Progress:   90.10       Scanning memory_layer using PdbSignatureScanner

Progress:   90.63       Scanning memory_layer using PdbSignatureScanner

Progress:   91.15       Scanning memory_layer using PdbSignatureScanner

Progress:   91.67       Scanning memory_layer using PdbSignatureScanner

Progress:   92.19       Scanning memory_layer using PdbSignatureScanner

Progress:   92.71       Scanning memory_layer using PdbSignatureScanner

Progress:   93.23       Scanning memory_layer using PdbSignatureScanner

Progress:   93.75       Scanning memory_layer using PdbSignatureScanner

Progress:   94.27       Scanning memory_layer using PdbSignatureScanner

Progress:   94.79       Scanning memory_layer using PdbSignatureScanner

Progress:   95.31       Scanning memory_layer using PdbSignatureScanner

Progress:   95.83       Scanning memory_layer using PdbSignatureScanner

Progress:   96.35       Scanning memory_layer using PdbSignatureScanner

Progress:   96.88       Scanning memory_layer using PdbSignatureScanner

Progress:   97.40       Scanning memory_layer using PdbSignatureScanner

Progress:   97.92       Scanning memory_layer using PdbSignatureScanner

Progress:   98.44       Scanning memory_layer using PdbSignatureScanner

Progress:   98.96       Scanning memory_layer using PdbSignatureScanner

Progress:   99.48       Scanning memory_layer using PdbSignatureScanner
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - slow scan virtual layer

Progress:    0.00       Scanning primary using PdbSignatureScanner     

Progress:    0.00       Scanning primary using PdbSignatureScanner     

Progress:    0.39       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
WARNING  volatility3.framework.plugins: Automagic exception occurred: TypeError: 'NoneType' object cannot be interpreted as an integer
Level 9  volatility3.framework.plugins: Traceback (most recent call last):
  File "/home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/automagic/__init__.py", line 131, in run
    automagic(context, config_path, requirement, progress_callback)
  File "/home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/automagic/pdbscan.py", line 329, in __call__
    self.set_kernel_virtual_offset(context, valid_kernel)
  File "/home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/automagic/pdbscan.py", line 130, in set_kernel_virtual_offset
    vollog.debug("Setting kernel_virtual_offset to {}".format(hex(kvo)))
TypeError: 'NoneType' object cannot be interpreted as an integer

Unable to validate the plugin requirements: ['plugins.PsList.nt_symbols']
Volatility 3 Framework 1.1.1

Unsatisfied requirement plugins.PsList.nt_symbols: Windows kernel symbols

A symbol table requirement was not fulfilled.  Please verify that:
    You have the correct symbol file for the requirement
    The symbol file is under the correct directory or zip file
    The symbol file is named appropriately or contains the correct banner

I hope this helps

ikelos commented 3 years ago

It does, thanks...

I'm really not sure how we're ending up with a kvo of None, all the paths that seem to lead don't appear to allow it to happen, but I guess it's possible?

I've added a check that should prevent it throwing the error, could you please check commit 30eec0cb to see if that improves matters?

Wenzel commented 3 years ago

Here is the output with https://github.com/volatilityfoundation/volatility3/commit/30eec0cb761b73d3723a7928ec8a1774f75e9b7a

Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/microvmi/volatility, /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/plugins, /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/plugins
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: yarascan
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: windows/cachedump
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.callbacks based on file: windows/callbacks
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: windows/hashdump
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: windows/vadyarascan
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: windows/svcscan
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: windows/lsadump
INFO     volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.callbacks, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/automagic
Level 7  volatility3.cli: Cache directory used: /home/mtarral/.cache/volatility3
INFO     volatility3.framework.automagic: Detected a windows category plugin
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.nt_symbols
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 7  volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, VMIHandler
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG    volatility3.framework.automagic.windows: DTB was found at: 0x620000
Level 8  volatility3.framework.automagic.stacker: Stacked IntelLayer using WindowsIntelStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary.memory_layer
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.nt_symbols
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']

Progress:  100.00       Stacking attempts finished
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: WintelHelper
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure

Progress:    0.00       Scanning memory_layer using BytesScanner

Progress:    0.52       Scanning memory_layer using BytesScanner

Progress:    1.04       Scanning memory_layer using BytesScanner

Progress:    1.56       Scanning memory_layer using BytesScanner

Progress:    2.08       Scanning memory_layer using BytesScanner

Progress:    2.60       Scanning memory_layer using BytesScanner

Progress:    3.13       Scanning memory_layer using BytesScanner

Progress:    3.65       Scanning memory_layer using BytesScanner

Progress:    4.17       Scanning memory_layer using BytesScanner

Progress:    4.69       Scanning memory_layer using BytesScanner

Progress:    5.21       Scanning memory_layer using BytesScanner

Progress:    5.73       Scanning memory_layer using BytesScanner

Progress:    6.25       Scanning memory_layer using BytesScanner

Progress:    6.77       Scanning memory_layer using BytesScanner

Progress:    7.29       Scanning memory_layer using BytesScanner

Progress:    7.81       Scanning memory_layer using BytesScanner

Progress:    8.33       Scanning memory_layer using BytesScanner

Progress:    8.85       Scanning memory_layer using BytesScanner

Progress:    9.38       Scanning memory_layer using BytesScanner

Progress:    9.90       Scanning memory_layer using BytesScanner

Progress:   10.42       Scanning memory_layer using BytesScanner

Progress:   10.94       Scanning memory_layer using BytesScanner

Progress:   11.46       Scanning memory_layer using BytesScanner

Progress:   11.98       Scanning memory_layer using BytesScanner

Progress:   12.50       Scanning memory_layer using BytesScanner

Progress:   13.02       Scanning memory_layer using BytesScanner

Progress:   13.54       Scanning memory_layer using BytesScanner

Progress:   14.06       Scanning memory_layer using BytesScanner

Progress:   14.58       Scanning memory_layer using BytesScanner

Progress:   15.10       Scanning memory_layer using BytesScanner

Progress:   15.63       Scanning memory_layer using BytesScanner

Progress:   16.15       Scanning memory_layer using BytesScanner

Progress:   16.67       Scanning memory_layer using BytesScanner

Progress:   17.19       Scanning memory_layer using BytesScanner

Progress:   17.71       Scanning memory_layer using BytesScanner

Progress:   18.23       Scanning memory_layer using BytesScanner

Progress:   18.75       Scanning memory_layer using BytesScanner

Progress:   19.27       Scanning memory_layer using BytesScanner

Progress:   19.79       Scanning memory_layer using BytesScanner

Progress:   20.31       Scanning memory_layer using BytesScanner

Progress:   20.83       Scanning memory_layer using BytesScanner

Progress:   21.35       Scanning memory_layer using BytesScanner

Progress:   21.88       Scanning memory_layer using BytesScanner

Progress:   22.40       Scanning memory_layer using BytesScanner

Progress:   22.92       Scanning memory_layer using BytesScanner

Progress:   23.44       Scanning memory_layer using BytesScanner

Progress:   23.96       Scanning memory_layer using BytesScanner

Progress:   24.48       Scanning memory_layer using BytesScanner

Progress:   25.00       Scanning memory_layer using BytesScanner

Progress:   25.52       Scanning memory_layer using BytesScanner

Progress:   26.04       Scanning memory_layer using BytesScanner

Progress:   26.56       Scanning memory_layer using BytesScanner

Progress:   27.08       Scanning memory_layer using BytesScanner

Progress:   27.60       Scanning memory_layer using BytesScanner

Progress:   28.13       Scanning memory_layer using BytesScanner

Progress:   28.65       Scanning memory_layer using BytesScanner

Progress:   29.17       Scanning memory_layer using BytesScanner

Progress:   29.69       Scanning memory_layer using BytesScanner

Progress:   30.21       Scanning memory_layer using BytesScanner

Progress:   30.73       Scanning memory_layer using BytesScanner

Progress:   31.25       Scanning memory_layer using BytesScanner

Progress:   31.77       Scanning memory_layer using BytesScanner

Progress:   32.29       Scanning memory_layer using BytesScanner

Progress:   32.81       Scanning memory_layer using BytesScanner

Progress:   33.33       Scanning memory_layer using BytesScanner

Progress:   33.85       Scanning memory_layer using BytesScanner

Progress:   34.38       Scanning memory_layer using BytesScanner

Progress:   34.90       Scanning memory_layer using BytesScanner

Progress:   35.42       Scanning memory_layer using BytesScanner

Progress:   35.94       Scanning memory_layer using BytesScanner

Progress:   36.46       Scanning memory_layer using BytesScanner

Progress:   36.98       Scanning memory_layer using BytesScanner

Progress:   37.50       Scanning memory_layer using BytesScanner

Progress:   38.02       Scanning memory_layer using BytesScanner

Progress:   38.54       Scanning memory_layer using BytesScanner

Progress:   39.06       Scanning memory_layer using BytesScanner

Progress:   39.58       Scanning memory_layer using BytesScanner

Progress:   40.10       Scanning memory_layer using BytesScanner

Progress:   40.63       Scanning memory_layer using BytesScanner

Progress:   41.15       Scanning memory_layer using BytesScanner

Progress:   41.67       Scanning memory_layer using BytesScanner

Progress:   42.19       Scanning memory_layer using BytesScanner

Progress:   42.71       Scanning memory_layer using BytesScanner

Progress:   43.23       Scanning memory_layer using BytesScanner

Progress:   43.75       Scanning memory_layer using BytesScanner

Progress:   44.27       Scanning memory_layer using BytesScanner

Progress:   44.79       Scanning memory_layer using BytesScanner

Progress:   45.31       Scanning memory_layer using BytesScanner

Progress:   45.83       Scanning memory_layer using BytesScanner

Progress:   46.35       Scanning memory_layer using BytesScanner

Progress:   46.88       Scanning memory_layer using BytesScanner

Progress:   47.40       Scanning memory_layer using BytesScanner

Progress:   47.92       Scanning memory_layer using BytesScanner

Progress:   48.44       Scanning memory_layer using BytesScanner

Progress:   48.96       Scanning memory_layer using BytesScanner

Progress:   49.48       Scanning memory_layer using BytesScanner

Progress:   50.00       Scanning memory_layer using BytesScanner

Progress:   50.52       Scanning memory_layer using BytesScanner

Progress:   51.04       Scanning memory_layer using BytesScanner

Progress:   51.56       Scanning memory_layer using BytesScanner

Progress:   52.08       Scanning memory_layer using BytesScanner

Progress:   52.60       Scanning memory_layer using BytesScanner

Progress:   53.13       Scanning memory_layer using BytesScanner

Progress:   53.65       Scanning memory_layer using BytesScanner

Progress:   54.17       Scanning memory_layer using BytesScanner

Progress:   54.69       Scanning memory_layer using BytesScanner

Progress:   55.21       Scanning memory_layer using BytesScanner

Progress:   55.73       Scanning memory_layer using BytesScanner

Progress:   56.25       Scanning memory_layer using BytesScanner

Progress:   56.77       Scanning memory_layer using BytesScanner

Progress:   57.29       Scanning memory_layer using BytesScanner

Progress:   57.81       Scanning memory_layer using BytesScanner

Progress:   58.33       Scanning memory_layer using BytesScanner

Progress:   58.85       Scanning memory_layer using BytesScanner

Progress:   59.38       Scanning memory_layer using BytesScanner

Progress:   59.90       Scanning memory_layer using BytesScanner

Progress:   60.42       Scanning memory_layer using BytesScanner

Progress:   60.94       Scanning memory_layer using BytesScanner

Progress:   61.46       Scanning memory_layer using BytesScanner

Progress:   61.98       Scanning memory_layer using BytesScanner

Progress:   62.50       Scanning memory_layer using BytesScanner

Progress:   63.02       Scanning memory_layer using BytesScanner

Progress:   63.54       Scanning memory_layer using BytesScanner

Progress:   64.06       Scanning memory_layer using BytesScanner

Progress:   64.58       Scanning memory_layer using BytesScanner

Progress:   65.10       Scanning memory_layer using BytesScanner

Progress:   65.63       Scanning memory_layer using BytesScanner

Progress:   66.15       Scanning memory_layer using BytesScanner

Progress:   66.67       Scanning memory_layer using BytesScanner

Progress:   67.19       Scanning memory_layer using BytesScanner

Progress:   67.71       Scanning memory_layer using BytesScanner

Progress:   68.23       Scanning memory_layer using BytesScanner

Progress:   68.75       Scanning memory_layer using BytesScanner

Progress:   69.27       Scanning memory_layer using BytesScanner

Progress:   69.79       Scanning memory_layer using BytesScanner

Progress:   70.31       Scanning memory_layer using BytesScanner

Progress:   70.83       Scanning memory_layer using BytesScanner

Progress:   71.35       Scanning memory_layer using BytesScanner

Progress:   71.88       Scanning memory_layer using BytesScanner

Progress:   72.40       Scanning memory_layer using BytesScanner

Progress:   72.92       Scanning memory_layer using BytesScanner

Progress:   73.44       Scanning memory_layer using BytesScanner

Progress:   73.96       Scanning memory_layer using BytesScanner

Progress:   74.48       Scanning memory_layer using BytesScanner

Progress:   75.00       Scanning memory_layer using BytesScanner

Progress:   75.52       Scanning memory_layer using BytesScanner

Progress:   76.04       Scanning memory_layer using BytesScanner

Progress:   76.56       Scanning memory_layer using BytesScanner

Progress:   77.08       Scanning memory_layer using BytesScanner

Progress:   77.60       Scanning memory_layer using BytesScanner

Progress:   78.13       Scanning memory_layer using BytesScanner

Progress:   78.65       Scanning memory_layer using BytesScanner

Progress:   79.17       Scanning memory_layer using BytesScanner

Progress:   79.69       Scanning memory_layer using BytesScanner

Progress:   80.21       Scanning memory_layer using BytesScanner

Progress:   80.73       Scanning memory_layer using BytesScanner

Progress:   81.25       Scanning memory_layer using BytesScanner

Progress:   81.77       Scanning memory_layer using BytesScanner

Progress:   82.29       Scanning memory_layer using BytesScanner

Progress:   82.81       Scanning memory_layer using BytesScanner

Progress:   83.33       Scanning memory_layer using BytesScanner

Progress:   83.85       Scanning memory_layer using BytesScanner

Progress:   84.38       Scanning memory_layer using BytesScanner

Progress:   84.90       Scanning memory_layer using BytesScanner

Progress:   85.42       Scanning memory_layer using BytesScanner

Progress:   85.94       Scanning memory_layer using BytesScanner

Progress:   86.46       Scanning memory_layer using BytesScanner

Progress:   86.98       Scanning memory_layer using BytesScanner

Progress:   87.50       Scanning memory_layer using BytesScanner

Progress:   88.02       Scanning memory_layer using BytesScanner

Progress:   88.54       Scanning memory_layer using BytesScanner

Progress:   89.06       Scanning memory_layer using BytesScanner

Progress:   89.58       Scanning memory_layer using BytesScanner

Progress:   90.10       Scanning memory_layer using BytesScanner

Progress:   90.63       Scanning memory_layer using BytesScanner

Progress:   91.15       Scanning memory_layer using BytesScanner

Progress:   91.67       Scanning memory_layer using BytesScanner

Progress:   92.19       Scanning memory_layer using BytesScanner

Progress:   92.71       Scanning memory_layer using BytesScanner

Progress:   93.23       Scanning memory_layer using BytesScanner

Progress:   93.75       Scanning memory_layer using BytesScanner

Progress:   94.27       Scanning memory_layer using BytesScanner

Progress:   94.79       Scanning memory_layer using BytesScanner

Progress:   95.31       Scanning memory_layer using BytesScanner

Progress:   95.83       Scanning memory_layer using BytesScanner

Progress:   96.35       Scanning memory_layer using BytesScanner

Progress:   96.88       Scanning memory_layer using BytesScanner

Progress:   97.40       Scanning memory_layer using BytesScanner

Progress:   97.92       Scanning memory_layer using BytesScanner

Progress:   98.44       Scanning memory_layer using BytesScanner

Progress:   98.96       Scanning memory_layer using BytesScanner

Progress:   99.48       Scanning memory_layer using BytesScanner
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure

Progress:    0.00       Scanning memory_layer using BytesScanner

Progress:    0.52       Scanning memory_layer using BytesScanner

Progress:    1.04       Scanning memory_layer using BytesScanner

Progress:    1.56       Scanning memory_layer using BytesScanner

Progress:    2.08       Scanning memory_layer using BytesScanner

Progress:    2.60       Scanning memory_layer using BytesScanner

Progress:    3.13       Scanning memory_layer using BytesScanner

Progress:    3.65       Scanning memory_layer using BytesScanner

Progress:    4.17       Scanning memory_layer using BytesScanner

Progress:    4.69       Scanning memory_layer using BytesScanner

Progress:    5.21       Scanning memory_layer using BytesScanner

Progress:    5.73       Scanning memory_layer using BytesScanner

Progress:    6.25       Scanning memory_layer using BytesScanner

Progress:    6.77       Scanning memory_layer using BytesScanner

Progress:    7.29       Scanning memory_layer using BytesScanner

Progress:    7.81       Scanning memory_layer using BytesScanner

Progress:    8.33       Scanning memory_layer using BytesScanner

Progress:    8.85       Scanning memory_layer using BytesScanner

Progress:    9.38       Scanning memory_layer using BytesScanner

Progress:    9.90       Scanning memory_layer using BytesScanner

Progress:   10.42       Scanning memory_layer using BytesScanner

Progress:   10.94       Scanning memory_layer using BytesScanner

Progress:   11.46       Scanning memory_layer using BytesScanner

Progress:   11.98       Scanning memory_layer using BytesScanner

Progress:   12.50       Scanning memory_layer using BytesScanner

Progress:   13.02       Scanning memory_layer using BytesScanner

Progress:   13.54       Scanning memory_layer using BytesScanner

Progress:   14.06       Scanning memory_layer using BytesScanner

Progress:   14.58       Scanning memory_layer using BytesScanner

Progress:   15.10       Scanning memory_layer using BytesScanner

Progress:   15.63       Scanning memory_layer using BytesScanner

Progress:   16.15       Scanning memory_layer using BytesScanner

Progress:   16.67       Scanning memory_layer using BytesScanner

Progress:   17.19       Scanning memory_layer using BytesScanner

Progress:   17.71       Scanning memory_layer using BytesScanner

Progress:   18.23       Scanning memory_layer using BytesScanner

Progress:   18.75       Scanning memory_layer using BytesScanner

Progress:   19.27       Scanning memory_layer using BytesScanner

Progress:   19.79       Scanning memory_layer using BytesScanner

Progress:   20.31       Scanning memory_layer using BytesScanner

Progress:   20.83       Scanning memory_layer using BytesScanner

Progress:   21.35       Scanning memory_layer using BytesScanner

Progress:   21.88       Scanning memory_layer using BytesScanner

Progress:   22.40       Scanning memory_layer using BytesScanner

Progress:   22.92       Scanning memory_layer using BytesScanner

Progress:   23.44       Scanning memory_layer using BytesScanner

Progress:   23.96       Scanning memory_layer using BytesScanner

Progress:   24.48       Scanning memory_layer using BytesScanner

Progress:   25.00       Scanning memory_layer using BytesScanner

Progress:   25.52       Scanning memory_layer using BytesScanner

Progress:   26.04       Scanning memory_layer using BytesScanner

Progress:   26.56       Scanning memory_layer using BytesScanner

Progress:   27.08       Scanning memory_layer using BytesScanner

Progress:   27.60       Scanning memory_layer using BytesScanner

Progress:   28.13       Scanning memory_layer using BytesScanner

Progress:   28.65       Scanning memory_layer using BytesScanner

Progress:   29.17       Scanning memory_layer using BytesScanner

Progress:   29.69       Scanning memory_layer using BytesScanner

Progress:   30.21       Scanning memory_layer using BytesScanner

Progress:   30.73       Scanning memory_layer using BytesScanner

Progress:   31.25       Scanning memory_layer using BytesScanner

Progress:   31.77       Scanning memory_layer using BytesScanner

Progress:   32.29       Scanning memory_layer using BytesScanner

Progress:   32.81       Scanning memory_layer using BytesScanner

Progress:   33.33       Scanning memory_layer using BytesScanner

Progress:   33.85       Scanning memory_layer using BytesScanner

Progress:   34.38       Scanning memory_layer using BytesScanner

Progress:   34.90       Scanning memory_layer using BytesScanner

Progress:   35.42       Scanning memory_layer using BytesScanner

Progress:   35.94       Scanning memory_layer using BytesScanner

Progress:   36.46       Scanning memory_layer using BytesScanner

Progress:   36.98       Scanning memory_layer using BytesScanner

Progress:   37.50       Scanning memory_layer using BytesScanner

Progress:   38.02       Scanning memory_layer using BytesScanner

Progress:   38.54       Scanning memory_layer using BytesScanner

Progress:   39.06       Scanning memory_layer using BytesScanner

Progress:   39.58       Scanning memory_layer using BytesScanner

Progress:   40.10       Scanning memory_layer using BytesScanner

Progress:   40.63       Scanning memory_layer using BytesScanner

Progress:   41.15       Scanning memory_layer using BytesScanner

Progress:   41.67       Scanning memory_layer using BytesScanner

Progress:   42.19       Scanning memory_layer using BytesScanner

Progress:   42.71       Scanning memory_layer using BytesScanner

Progress:   43.23       Scanning memory_layer using BytesScanner

Progress:   43.75       Scanning memory_layer using BytesScanner

Progress:   44.27       Scanning memory_layer using BytesScanner

Progress:   44.79       Scanning memory_layer using BytesScanner

Progress:   45.31       Scanning memory_layer using BytesScanner

Progress:   45.83       Scanning memory_layer using BytesScanner

Progress:   46.35       Scanning memory_layer using BytesScanner

Progress:   46.88       Scanning memory_layer using BytesScanner

Progress:   47.40       Scanning memory_layer using BytesScanner

Progress:   47.92       Scanning memory_layer using BytesScanner

Progress:   48.44       Scanning memory_layer using BytesScanner

Progress:   48.96       Scanning memory_layer using BytesScanner

Progress:   49.48       Scanning memory_layer using BytesScanner

Progress:   50.00       Scanning memory_layer using BytesScanner

Progress:   50.52       Scanning memory_layer using BytesScanner

Progress:   51.04       Scanning memory_layer using BytesScanner

Progress:   51.56       Scanning memory_layer using BytesScanner

Progress:   52.08       Scanning memory_layer using BytesScanner

Progress:   52.60       Scanning memory_layer using BytesScanner

Progress:   53.13       Scanning memory_layer using BytesScanner

Progress:   53.65       Scanning memory_layer using BytesScanner

Progress:   54.17       Scanning memory_layer using BytesScanner

Progress:   54.69       Scanning memory_layer using BytesScanner

Progress:   55.21       Scanning memory_layer using BytesScanner

Progress:   55.73       Scanning memory_layer using BytesScanner

Progress:   56.25       Scanning memory_layer using BytesScanner

Progress:   56.77       Scanning memory_layer using BytesScanner

Progress:   57.29       Scanning memory_layer using BytesScanner

Progress:   57.81       Scanning memory_layer using BytesScanner

Progress:   58.33       Scanning memory_layer using BytesScanner

Progress:   58.85       Scanning memory_layer using BytesScanner

Progress:   59.38       Scanning memory_layer using BytesScanner

Progress:   59.90       Scanning memory_layer using BytesScanner

Progress:   60.42       Scanning memory_layer using BytesScanner

Progress:   60.94       Scanning memory_layer using BytesScanner

Progress:   61.46       Scanning memory_layer using BytesScanner

Progress:   61.98       Scanning memory_layer using BytesScanner

Progress:   62.50       Scanning memory_layer using BytesScanner

Progress:   63.02       Scanning memory_layer using BytesScanner

Progress:   63.54       Scanning memory_layer using BytesScanner

Progress:   64.06       Scanning memory_layer using BytesScanner

Progress:   64.58       Scanning memory_layer using BytesScanner

Progress:   65.10       Scanning memory_layer using BytesScanner

Progress:   65.63       Scanning memory_layer using BytesScanner

Progress:   66.15       Scanning memory_layer using BytesScanner

Progress:   66.67       Scanning memory_layer using BytesScanner

Progress:   67.19       Scanning memory_layer using BytesScanner

Progress:   67.71       Scanning memory_layer using BytesScanner

Progress:   68.23       Scanning memory_layer using BytesScanner

Progress:   68.75       Scanning memory_layer using BytesScanner

Progress:   69.27       Scanning memory_layer using BytesScanner

Progress:   69.79       Scanning memory_layer using BytesScanner

Progress:   70.31       Scanning memory_layer using BytesScanner

Progress:   70.83       Scanning memory_layer using BytesScanner

Progress:   71.35       Scanning memory_layer using BytesScanner

Progress:   71.88       Scanning memory_layer using BytesScanner

Progress:   72.40       Scanning memory_layer using BytesScanner

Progress:   72.92       Scanning memory_layer using BytesScanner

Progress:   73.44       Scanning memory_layer using BytesScanner

Progress:   73.96       Scanning memory_layer using BytesScanner

Progress:   74.48       Scanning memory_layer using BytesScanner

Progress:   75.00       Scanning memory_layer using BytesScanner

Progress:   75.52       Scanning memory_layer using BytesScanner

Progress:   76.04       Scanning memory_layer using BytesScanner

Progress:   76.56       Scanning memory_layer using BytesScanner

Progress:   77.08       Scanning memory_layer using BytesScanner

Progress:   77.60       Scanning memory_layer using BytesScanner

Progress:   78.13       Scanning memory_layer using BytesScanner

Progress:   78.65       Scanning memory_layer using BytesScanner

Progress:   79.17       Scanning memory_layer using BytesScanner

Progress:   79.69       Scanning memory_layer using BytesScanner

Progress:   80.21       Scanning memory_layer using BytesScanner

Progress:   80.73       Scanning memory_layer using BytesScanner

Progress:   81.25       Scanning memory_layer using BytesScanner

Progress:   81.77       Scanning memory_layer using BytesScanner

Progress:   82.29       Scanning memory_layer using BytesScanner

Progress:   82.81       Scanning memory_layer using BytesScanner

Progress:   83.33       Scanning memory_layer using BytesScanner

Progress:   83.85       Scanning memory_layer using BytesScanner

Progress:   84.38       Scanning memory_layer using BytesScanner

Progress:   84.90       Scanning memory_layer using BytesScanner

Progress:   85.42       Scanning memory_layer using BytesScanner

Progress:   85.94       Scanning memory_layer using BytesScanner

Progress:   86.46       Scanning memory_layer using BytesScanner

Progress:   86.98       Scanning memory_layer using BytesScanner

Progress:   87.50       Scanning memory_layer using BytesScanner

Progress:   88.02       Scanning memory_layer using BytesScanner

Progress:   88.54       Scanning memory_layer using BytesScanner

Progress:   89.06       Scanning memory_layer using BytesScanner

Progress:   89.58       Scanning memory_layer using BytesScanner

Progress:   90.10       Scanning memory_layer using BytesScanner

Progress:   90.63       Scanning memory_layer using BytesScanner

Progress:   91.15       Scanning memory_layer using BytesScanner

Progress:   91.67       Scanning memory_layer using BytesScanner

Progress:   92.19       Scanning memory_layer using BytesScanner

Progress:   92.71       Scanning memory_layer using BytesScanner

Progress:   93.23       Scanning memory_layer using BytesScanner

Progress:   93.75       Scanning memory_layer using BytesScanner

Progress:   94.27       Scanning memory_layer using BytesScanner

Progress:   94.79       Scanning memory_layer using BytesScanner

Progress:   95.31       Scanning memory_layer using BytesScanner

Progress:   95.83       Scanning memory_layer using BytesScanner

Progress:   96.35       Scanning memory_layer using BytesScanner

Progress:   96.88       Scanning memory_layer using BytesScanner

Progress:   97.40       Scanning memory_layer using BytesScanner

Progress:   97.92       Scanning memory_layer using BytesScanner

Progress:   98.44       Scanning memory_layer using BytesScanner

Progress:   98.96       Scanning memory_layer using BytesScanner

Progress:   99.48       Scanning memory_layer using BytesScanner
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - testing fixed base address

Progress:    0.00       Scanning memory_layer using PdbSignatureScanner
DEBUG    volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset did not map to expected location: 0x804d7000

Progress:    0.52       Scanning memory_layer using PdbSignatureScanner

Progress:    1.04       Scanning memory_layer using PdbSignatureScanner

Progress:    1.56       Scanning memory_layer using PdbSignatureScanner

Progress:    2.08       Scanning memory_layer using PdbSignatureScanner

Progress:    2.60       Scanning memory_layer using PdbSignatureScanner

Progress:    3.13       Scanning memory_layer using PdbSignatureScanner

Progress:    3.65       Scanning memory_layer using PdbSignatureScanner

Progress:    4.17       Scanning memory_layer using PdbSignatureScanner

Progress:    4.69       Scanning memory_layer using PdbSignatureScanner

Progress:    5.21       Scanning memory_layer using PdbSignatureScanner

Progress:    5.73       Scanning memory_layer using PdbSignatureScanner

Progress:    6.25       Scanning memory_layer using PdbSignatureScanner

Progress:    6.77       Scanning memory_layer using PdbSignatureScanner

Progress:    7.29       Scanning memory_layer using PdbSignatureScanner

Progress:    7.81       Scanning memory_layer using PdbSignatureScanner

Progress:    8.33       Scanning memory_layer using PdbSignatureScanner

Progress:    8.85       Scanning memory_layer using PdbSignatureScanner

Progress:    9.38       Scanning memory_layer using PdbSignatureScanner

Progress:    9.90       Scanning memory_layer using PdbSignatureScanner

Progress:   10.42       Scanning memory_layer using PdbSignatureScanner

Progress:   10.94       Scanning memory_layer using PdbSignatureScanner

Progress:   11.46       Scanning memory_layer using PdbSignatureScanner

Progress:   11.98       Scanning memory_layer using PdbSignatureScanner

Progress:   12.50       Scanning memory_layer using PdbSignatureScanner

Progress:   13.02       Scanning memory_layer using PdbSignatureScanner

Progress:   13.54       Scanning memory_layer using PdbSignatureScanner

Progress:   14.06       Scanning memory_layer using PdbSignatureScanner

Progress:   14.58       Scanning memory_layer using PdbSignatureScanner

Progress:   15.10       Scanning memory_layer using PdbSignatureScanner

Progress:   15.63       Scanning memory_layer using PdbSignatureScanner

Progress:   16.15       Scanning memory_layer using PdbSignatureScanner

Progress:   16.67       Scanning memory_layer using PdbSignatureScanner

Progress:   17.19       Scanning memory_layer using PdbSignatureScanner

Progress:   17.71       Scanning memory_layer using PdbSignatureScanner

Progress:   18.23       Scanning memory_layer using PdbSignatureScanner

Progress:   18.75       Scanning memory_layer using PdbSignatureScanner

Progress:   19.27       Scanning memory_layer using PdbSignatureScanner

Progress:   19.79       Scanning memory_layer using PdbSignatureScanner

Progress:   20.31       Scanning memory_layer using PdbSignatureScanner

Progress:   20.83       Scanning memory_layer using PdbSignatureScanner

Progress:   21.35       Scanning memory_layer using PdbSignatureScanner

Progress:   21.88       Scanning memory_layer using PdbSignatureScanner

Progress:   22.40       Scanning memory_layer using PdbSignatureScanner

Progress:   22.92       Scanning memory_layer using PdbSignatureScanner

Progress:   23.44       Scanning memory_layer using PdbSignatureScanner

Progress:   23.96       Scanning memory_layer using PdbSignatureScanner

Progress:   24.48       Scanning memory_layer using PdbSignatureScanner

Progress:   25.00       Scanning memory_layer using PdbSignatureScanner

Progress:   25.52       Scanning memory_layer using PdbSignatureScanner

Progress:   26.04       Scanning memory_layer using PdbSignatureScanner

Progress:   26.56       Scanning memory_layer using PdbSignatureScanner

Progress:   27.08       Scanning memory_layer using PdbSignatureScanner

Progress:   27.60       Scanning memory_layer using PdbSignatureScanner

Progress:   28.13       Scanning memory_layer using PdbSignatureScanner

Progress:   28.65       Scanning memory_layer using PdbSignatureScanner

Progress:   29.17       Scanning memory_layer using PdbSignatureScanner

Progress:   29.69       Scanning memory_layer using PdbSignatureScanner

Progress:   30.21       Scanning memory_layer using PdbSignatureScanner

Progress:   30.73       Scanning memory_layer using PdbSignatureScanner

Progress:   31.25       Scanning memory_layer using PdbSignatureScanner

Progress:   31.77       Scanning memory_layer using PdbSignatureScanner

Progress:   32.29       Scanning memory_layer using PdbSignatureScanner

Progress:   32.81       Scanning memory_layer using PdbSignatureScanner

Progress:   33.33       Scanning memory_layer using PdbSignatureScanner

Progress:   33.85       Scanning memory_layer using PdbSignatureScanner

Progress:   34.38       Scanning memory_layer using PdbSignatureScanner

Progress:   34.90       Scanning memory_layer using PdbSignatureScanner

Progress:   35.42       Scanning memory_layer using PdbSignatureScanner

Progress:   35.94       Scanning memory_layer using PdbSignatureScanner

Progress:   36.46       Scanning memory_layer using PdbSignatureScanner

Progress:   36.98       Scanning memory_layer using PdbSignatureScanner

Progress:   37.50       Scanning memory_layer using PdbSignatureScanner

Progress:   38.02       Scanning memory_layer using PdbSignatureScanner

Progress:   38.54       Scanning memory_layer using PdbSignatureScanner

Progress:   39.06       Scanning memory_layer using PdbSignatureScanner

Progress:   39.58       Scanning memory_layer using PdbSignatureScanner

Progress:   40.10       Scanning memory_layer using PdbSignatureScanner

Progress:   40.63       Scanning memory_layer using PdbSignatureScanner

Progress:   41.15       Scanning memory_layer using PdbSignatureScanner

Progress:   41.67       Scanning memory_layer using PdbSignatureScanner

Progress:   42.19       Scanning memory_layer using PdbSignatureScanner

Progress:   42.71       Scanning memory_layer using PdbSignatureScanner

Progress:   43.23       Scanning memory_layer using PdbSignatureScanner

Progress:   43.75       Scanning memory_layer using PdbSignatureScanner

Progress:   44.27       Scanning memory_layer using PdbSignatureScanner

Progress:   44.79       Scanning memory_layer using PdbSignatureScanner

Progress:   45.31       Scanning memory_layer using PdbSignatureScanner

Progress:   45.83       Scanning memory_layer using PdbSignatureScanner

Progress:   46.35       Scanning memory_layer using PdbSignatureScanner

Progress:   46.88       Scanning memory_layer using PdbSignatureScanner

Progress:   47.40       Scanning memory_layer using PdbSignatureScanner

Progress:   47.92       Scanning memory_layer using PdbSignatureScanner

Progress:   48.44       Scanning memory_layer using PdbSignatureScanner

Progress:   48.96       Scanning memory_layer using PdbSignatureScanner

Progress:   49.48       Scanning memory_layer using PdbSignatureScanner

Progress:   50.00       Scanning memory_layer using PdbSignatureScanner

Progress:   50.52       Scanning memory_layer using PdbSignatureScanner

Progress:   51.04       Scanning memory_layer using PdbSignatureScanner

Progress:   51.56       Scanning memory_layer using PdbSignatureScanner

Progress:   52.08       Scanning memory_layer using PdbSignatureScanner

Progress:   52.60       Scanning memory_layer using PdbSignatureScanner

Progress:   53.13       Scanning memory_layer using PdbSignatureScanner

Progress:   53.65       Scanning memory_layer using PdbSignatureScanner

Progress:   54.17       Scanning memory_layer using PdbSignatureScanner

Progress:   54.69       Scanning memory_layer using PdbSignatureScanner

Progress:   55.21       Scanning memory_layer using PdbSignatureScanner

Progress:   55.73       Scanning memory_layer using PdbSignatureScanner

Progress:   56.25       Scanning memory_layer using PdbSignatureScanner

Progress:   56.77       Scanning memory_layer using PdbSignatureScanner

Progress:   57.29       Scanning memory_layer using PdbSignatureScanner

Progress:   57.81       Scanning memory_layer using PdbSignatureScanner

Progress:   58.33       Scanning memory_layer using PdbSignatureScanner

Progress:   58.85       Scanning memory_layer using PdbSignatureScanner

Progress:   59.38       Scanning memory_layer using PdbSignatureScanner

Progress:   59.90       Scanning memory_layer using PdbSignatureScanner

Progress:   60.42       Scanning memory_layer using PdbSignatureScanner

Progress:   60.94       Scanning memory_layer using PdbSignatureScanner

Progress:   61.46       Scanning memory_layer using PdbSignatureScanner

Progress:   61.98       Scanning memory_layer using PdbSignatureScanner

Progress:   62.50       Scanning memory_layer using PdbSignatureScanner

Progress:   63.02       Scanning memory_layer using PdbSignatureScanner

Progress:   63.54       Scanning memory_layer using PdbSignatureScanner

Progress:   64.06       Scanning memory_layer using PdbSignatureScanner

Progress:   64.58       Scanning memory_layer using PdbSignatureScanner

Progress:   65.10       Scanning memory_layer using PdbSignatureScanner

Progress:   65.63       Scanning memory_layer using PdbSignatureScanner

Progress:   66.15       Scanning memory_layer using PdbSignatureScanner

Progress:   66.67       Scanning memory_layer using PdbSignatureScanner

Progress:   67.19       Scanning memory_layer using PdbSignatureScanner

Progress:   67.71       Scanning memory_layer using PdbSignatureScanner

Progress:   68.23       Scanning memory_layer using PdbSignatureScanner

Progress:   68.75       Scanning memory_layer using PdbSignatureScanner

Progress:   69.27       Scanning memory_layer using PdbSignatureScanner

Progress:   69.79       Scanning memory_layer using PdbSignatureScanner

Progress:   70.31       Scanning memory_layer using PdbSignatureScanner

Progress:   70.83       Scanning memory_layer using PdbSignatureScanner

Progress:   71.35       Scanning memory_layer using PdbSignatureScanner

Progress:   71.88       Scanning memory_layer using PdbSignatureScanner

Progress:   72.40       Scanning memory_layer using PdbSignatureScanner

Progress:   72.92       Scanning memory_layer using PdbSignatureScanner

Progress:   73.44       Scanning memory_layer using PdbSignatureScanner

Progress:   73.96       Scanning memory_layer using PdbSignatureScanner

Progress:   74.48       Scanning memory_layer using PdbSignatureScanner

Progress:   75.00       Scanning memory_layer using PdbSignatureScanner

Progress:   75.52       Scanning memory_layer using PdbSignatureScanner

Progress:   76.04       Scanning memory_layer using PdbSignatureScanner

Progress:   76.56       Scanning memory_layer using PdbSignatureScanner

Progress:   77.08       Scanning memory_layer using PdbSignatureScanner

Progress:   77.60       Scanning memory_layer using PdbSignatureScanner

Progress:   78.13       Scanning memory_layer using PdbSignatureScanner

Progress:   78.65       Scanning memory_layer using PdbSignatureScanner

Progress:   79.17       Scanning memory_layer using PdbSignatureScanner

Progress:   79.69       Scanning memory_layer using PdbSignatureScanner

Progress:   80.21       Scanning memory_layer using PdbSignatureScanner

Progress:   80.73       Scanning memory_layer using PdbSignatureScanner

Progress:   81.25       Scanning memory_layer using PdbSignatureScanner

Progress:   81.77       Scanning memory_layer using PdbSignatureScanner

Progress:   82.29       Scanning memory_layer using PdbSignatureScanner

Progress:   82.81       Scanning memory_layer using PdbSignatureScanner

Progress:   83.33       Scanning memory_layer using PdbSignatureScanner

Progress:   83.85       Scanning memory_layer using PdbSignatureScanner

Progress:   84.38       Scanning memory_layer using PdbSignatureScanner

Progress:   84.90       Scanning memory_layer using PdbSignatureScanner

Progress:   85.42       Scanning memory_layer using PdbSignatureScanner

Progress:   85.94       Scanning memory_layer using PdbSignatureScanner

Progress:   86.46       Scanning memory_layer using PdbSignatureScanner

Progress:   86.98       Scanning memory_layer using PdbSignatureScanner

Progress:   87.50       Scanning memory_layer using PdbSignatureScanner

Progress:   88.02       Scanning memory_layer using PdbSignatureScanner

Progress:   88.54       Scanning memory_layer using PdbSignatureScanner

Progress:   89.06       Scanning memory_layer using PdbSignatureScanner

Progress:   89.58       Scanning memory_layer using PdbSignatureScanner

Progress:   90.10       Scanning memory_layer using PdbSignatureScanner

Progress:   90.63       Scanning memory_layer using PdbSignatureScanner

Progress:   91.15       Scanning memory_layer using PdbSignatureScanner

Progress:   91.67       Scanning memory_layer using PdbSignatureScanner

Progress:   92.19       Scanning memory_layer using PdbSignatureScanner

Progress:   92.71       Scanning memory_layer using PdbSignatureScanner

Progress:   93.23       Scanning memory_layer using PdbSignatureScanner

Progress:   93.75       Scanning memory_layer using PdbSignatureScanner

Progress:   94.27       Scanning memory_layer using PdbSignatureScanner

Progress:   94.79       Scanning memory_layer using PdbSignatureScanner

Progress:   95.31       Scanning memory_layer using PdbSignatureScanner

Progress:   95.83       Scanning memory_layer using PdbSignatureScanner

Progress:   96.35       Scanning memory_layer using PdbSignatureScanner

Progress:   96.88       Scanning memory_layer using PdbSignatureScanner

Progress:   97.40       Scanning memory_layer using PdbSignatureScanner

Progress:   97.92       Scanning memory_layer using PdbSignatureScanner

Progress:   98.44       Scanning memory_layer using PdbSignatureScanner

Progress:   98.96       Scanning memory_layer using PdbSignatureScanner

Progress:   99.48       Scanning memory_layer using PdbSignatureScanner
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - slow scan virtual layer

Progress:    0.00       Scanning primary using PdbSignatureScanner     

Progress:    0.00       Scanning primary using PdbSignatureScanner     

Progress:    0.39       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.49       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     

Progress:    0.50       Scanning primary using PdbSignatureScanner     
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
WARNING  volatility3.framework.plugins: Automagic exception occurred: TypeError: 'NoneType' object cannot be interpreted as an integer
Level 9  volatility3.framework.plugins: Traceback (most recent call last):
  File "/home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/automagic/__init__.py", line 131, in run
    automagic(context, config_path, requirement, progress_callback)
  File "/home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/automagic/pdbscan.py", line 329, in __call__
    self.set_kernel_virtual_offset(context, valid_kernel)
  File "/home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/automagic/pdbscan.py", line 130, in set_kernel_virtual_offset
    vollog.debug("Setting kernel_virtual_offset to {}".format(hex(kvo)))
TypeError: 'NoneType' object cannot be interpreted as an integer

Unable to validate the plugin requirements: ['plugins.PsList.nt_symbols']
Volatility 3 Framework 1.1.1

Unsatisfied requirement plugins.PsList.nt_symbols: Windows kernel symbols

A symbol table requirement was not fulfilled.  Please verify that:
    You have the correct symbol file for the requirement
    The symbol file is under the correct directory or zip file
    The symbol file is named appropriately or contains the correct banner
Wenzel commented 3 years ago

Wait, it seems like your patch wasn't applied in my last run

Wenzel commented 3 years ago

I recreated the virtualenv from scratch, here is the new output:

cargo rustc --lib --manifest-path Cargo.toml --features mflow pyo3/extension-module --verbose -- --crate-type cdylib
INFO     volatility3.cli: Volatility plugins path: ['/home/mtarral/Projets/libmicrovmi/python/microvmi/volatility', '/home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/plugins', '/home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/symbols', '/home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/symbols']
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/microvmi/volatility, /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/plugins, /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/plugins
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: yarascan
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: windows/cachedump
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.callbacks based on file: windows/callbacks
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: windows/hashdump
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: windows/vadyarascan
INFO     volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: windows/svcscan
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: windows/lsadump
INFO     volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.callbacks, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/automagic
Level 7  volatility3.cli: Cache directory used: /home/mtarral/.cache/volatility3
INFO     volatility3.framework.automagic: Detected a windows category plugin
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.nt_symbols
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 7  volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, VMIHandler
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker

Progress:    0.00       Scanning FileLayer using PageMapScanner
DEBUG    volatility3.framework.automagic.windows: DTB was found at: 0x620000
Level 8  volatility3.framework.automagic.stacker: Stacked IntelLayer using WindowsIntelStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary.memory_layer
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.nt_symbols
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/mtarral/Projets/libmicrovmi/python/.nox/test_volatility_memflow/lib/python3.8/site-packages/volatility3/framework/layers
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']

Progress:  100.00       Stacking attempts finished             
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: WintelHelper
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure

Progress:    0.00       Scanning memory_layer using BytesScanner
Progress:   98.96       Scanning memory_layer using BytesScanner

Progress:   99.48       Scanning memory_layer using BytesScanner
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure

Progress:    0.00       Scanning memory_layer using BytesScanner

Progress:   99.48       Scanning memory_layer using BytesScanner
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - testing fixed base address

Progress:    0.00       Scanning memory_layer using PdbSignatureScanner
DEBUG    volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset did not map to expected location: 0x804d7000

Progress:    0.52       Scanning memory_layer using PdbSignatureScanner

Progress:    1.04       Scanning memory_layer using PdbSignatureScanner
Progress:   98.96       Scanning memory_layer using PdbSignatureScanner

Progress:   99.48       Scanning memory_layer using PdbSignatureScanner
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - slow scan virtual layer

Progress:    0.00       Scanning primary using PdbSignatureScanner     

Progress:   99.80       Scanning primary using PdbSignatureScanner     
INFO     volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan

Progress:  100.00       PDB scanning finished                          
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.nt_symbols
Unable to validate the plugin requirements: ['plugins.PsList.nt_symbols']
Volatility 3 Framework 1.1.1

Unsatisfied requirement plugins.PsList.nt_symbols: Windows kernel symbols

A symbol table requirement was not fulfilled.  Please verify that:
    You have the correct symbol file for the requirement
    The symbol file is under the correct directory or zip file
    The symbol file is named appropriately or contains the correct banner
ikelos commented 3 years ago

Ok, that seems more acceptable. It's not working on the image, but at least it's not throwing weird and unusual errors... 5:) Thanks for testing that for me! 5:)