volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

UserAssist Error on Windows 10 #590

Closed JamesFirth2020 closed 2 years ago

JamesFirth2020 commented 2 years ago

The UserAssist command is failing on my Windows. I am using python3.9, as python3.10 was causing me pain with other errors, and volatility3-1.0.1.

Re-ran it with -vvv as specified

```
C:\volatility3-master>py vol.py -vvv -f E:\memdump.mem windows.registry.userassist.UserAssist > Userassist.txt
INFO root : Volatility plugins path: ['C:\volatility3-master\volatility\plugins', 'C:\volatility3-master\volatility\framework\plugins']
INFO root : Volatility symbols path: ['C:\volatility3-master\volatility\symbols', 'C:\volatility3-master\volatility\framework\symbols']
INFO volatility.framework.automagic: Detected a windows category plugin
INFO volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.UserAssist.primary
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.UserAssist.nt_symbols
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.UserAssist.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.UserAssist.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.UserAssist.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.UserAssist
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.UserAssist.nt_symbols
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.UserAssist.nt_symbols
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.UserAssist.nt_symbols
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.UserAssist
Level 9 volatility.framework.interfaces.configuration: TypeError - offset requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - offset requirements only accept int type: None
INFO volatility.framework.automagic: Running automagic: LayerStacker
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.UserAssist.primary
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.UserAssist.nt_symbols
DEBUG volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
DEBUG volatility.framework.automagic.windows: DTB was found at: 0x1aa000
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.UserAssist.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.UserAssist.primary
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.UserAssist.nt_symbols
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.UserAssist.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.UserAssist.primary.memory_layer
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.UserAssist.nt_symbols
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.UserAssist.nt_symbols
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.UserAssist.nt_symbols
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.UserAssist
Level 9 volatility.framework.interfaces.configuration: TypeError - offset requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - offset requirements only accept int type: None
DEBUG volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility.framework.automagic: Running automagic: WinSwapLayers
INFO volatility.framework.automagic: Running automagic: WintelHelper
INFO volatility.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.UserAssist.nt_symbols
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.UserAssist.nt_symbols
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.UserAssist.nt_symbols
DEBUG volatility.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility.framework.symbols.windows.pdb: Using symbol library: ntkrnlmp.pdb\47114209A62F3B9930F6B8998DFD4A99-1
DEBUG volatility.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf8051d800000
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_JOB_ACCESS_STATE
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_JOB_CPU_RATE_CONTROL
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_JOB_NET_RATE_CONTROL
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_JOB_NOTIFICATION_INFORMATION
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_PSP_STORAGE
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_KTMNOTIFICATION_PACKET
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_EXP_LICENSE_STATE
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_DBGKP_ERROR_PORT
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_CI_NGEN_PATHS
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_EX_WNF_SUBSCRIPTION
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_PO_PROCESS_ENERGY_CONTEXT
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_EPROCESS_QUOTA_BLOCK
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_PAGEFAULT_HISTORY
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_DEVICE_NODE_IOMMU_EXTENSION
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_ETW_EVENT_CALLBACK_CONTEXT
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_EX_TIMER
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_ETW_SOFT_RESTART_CONTEXT
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_ETW_STACK_CACHE
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_ACTIVATION_CONTEXT_DATA
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_ASSEMBLY_STORAGE_MAP
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_ETW_PERFECT_HASH_FUNCTION
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_HAL_PMC_COUNTERS
DEBUG volatility.framework.symbols: Unresolved reference: nt_symbols1!_SCSI_REQUEST_BLOCK
DEBUG volatility.framework.symbols.windows.extensions.registry: Unexpected node type encountered when traversing subkeys: nt_symbols1!_CM_KEY_INDEX, signature: n
DEBUG volatility.plugins.windows.registry.userassist: Key 'software\microsoft\windows\currentversion\explorer\userassist' not found in Hive at offset 0xce8a113fa000.
DEBUG volatility.framework.symbols.windows.extensions.registry: Unexpected node type encountered when traversing subkeys: nt_symbols1!_CM_KEY_INDEX, signature: n
DEBUG volatility.plugins.windows.registry.userassist: Key 'software\microsoft\windows\currentversion\explorer\userassist' not found in Hive at offset 0xce8a11518000.
DEBUG root : Traceback (most recent call last):
  File "C:\volatility3-master\volatility\cli\__init__.py", line 312, in run
    renderers[args.renderer]().render(constructed.run())
  File "C:\volatility3-master\volatility\cli\text_renderer.py", line 181, in render
    grid.populate(visitor, outfd)
  File "C:\volatility3-master\volatility\framework\renderers\__init__.py", line 212, in populate
    for (level, item) in self._generator:
  File "C:\volatility3-master\volatility\framework\plugins\windows\registry\userassist.py", line 225, in _generator
    yield from self.list_userassist(hive)
  File "C:\volatility3-master\volatility\framework\plugins\windows\registry\userassist.py", line 133, in list_userassist
    userassist_node_path = hive.get_key("software\microsoft\windows\currentversion\explorer\userassist",
  File "C:\volatility3-master\volatility\framework\layers\registry.py", line 140, in get_key
    node_key = [self.get_node(self.root_cell_offset)]
  File "C:\volatility3-master\volatility\framework\layers\registry.py", line 114, in get_node
    signature = cell.cast('string', max_length = 2, encoding = 'latin-1')
  File "C:\volatility3-master\volatility\framework\interfaces\objects.py", line 168, in cast
    return object_template(context = self._context, object_info = object_info)
  File "C:\volatility3-master\volatility\framework\objects\templates.py", line 72, in __call__
    return self.vol.object_class(context = context, object_info = object_info, **arguments)
  File "C:\volatility3-master\volatility\framework\objects\__init__.py", line 267, in __new__
    cls._unmarshall(context, data_format = DataFormatInfo(max_length, "big", False), object_info = object_info),
  File "C:\volatility3-master\volatility\framework\objects\__init__.py", line 142, in _unmarshall
    data = context.layers.read(object_info.layer_name, object_info.offset, data_format.length)
  File "C:\volatility3-master\volatility\framework\interfaces\layers.py", line 542, in read
    return self[layer].read(offset, length, pad)
  File "C:\volatility3-master\volatility\framework\layers\linear.py", line 38, in read
    for (offset, _, mapped_offset, mapped_length, layer) in self.mapping(offset, length, ignore_errors = pad):
  File "C:\volatility3-master\volatility\framework\layers\registry.py", line 231, in mapping
    translated_offset = self._translate(current_offset)
  File "C:\volatility3-master\volatility\framework\layers\registry.py", line 202, in _translate
    raise RegistryInvalidIndex(self.name, "Mapping request for value greater than maxaddr")
volatility.framework.layers.registry.RegistryInvalidIndex: Mapping request for value greater than maxaddr
```

Volatility experienced a layer-related issue: hive0xce8a11c82000 Mapping request for value greater than maxaddr

    * A faulty layer implementation (re-run with -vvv and file a bug)

No further results will be produced

ikelos commented 2 years ago

Hmmm, this looks to me like an issue with the specific image that was acquired. Essentially there's something that, during reading the registry, pointed outside of where volatility believes the registry should end. This is likely down to memory smear during acquisition, but without the image to investigate I'm not sure we can figure more out I'm afraid...
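As an added example (not Volatility's code and not from this thread): the traceback fails while mapping the hive's own root cell, so the hive metadata itself is inconsistent. The standalone check below parses a hive's `regf` base block and flags exactly that condition, a root cell offset beyond the hive's data size, plus the sequence-number mismatch and checksum failure that a hive captured mid-write typically leaves behind. Field offsets follow the public hive file format; the sample block is constructed.

```python
import struct

REGF_MAGIC = b"regf"

def regf_checksum(block: bytes) -> int:
    """XOR of the first 508 bytes as little-endian uint32 words; the stored value is at 508."""
    csum = 0
    for (word,) in struct.iter_unpack("<I", block[:508]):
        csum ^= word
    # The format special-cases the two degenerate results
    if csum == 0xFFFFFFFF:
        csum = 0xFFFFFFFE
    if csum == 0:
        csum = 1
    return csum

def check_hive_base_block(block: bytes) -> list[str]:
    """Return the consistency problems found in a hive base block (empty list if it looks sane)."""
    problems = []
    if len(block) < 512 or block[:4] != REGF_MAGIC:
        return ["missing 'regf' signature"]
    seq1, seq2 = struct.unpack_from("<II", block, 4)        # primary / secondary sequence numbers
    root_cell, hbins_size = struct.unpack_from("<II", block, 36)  # root cell offset, hive bins data size
    stored = struct.unpack_from("<I", block, 508)[0]
    if seq1 != seq2:
        problems.append(f"sequence mismatch {seq1} != {seq2} (hive captured mid-update)")
    if stored != regf_checksum(block):
        problems.append("base block checksum mismatch")
    # Cell offsets are relative to the first hbin, so hbins_size is the highest valid address
    if root_cell >= hbins_size:
        problems.append(f"root cell 0x{root_cell:x} beyond hive data size 0x{hbins_size:x}")
    return problems

def make_base_block(root_cell: int, hbins_size: int, seq1: int = 1, seq2: int = 1,
                    fix_checksum: bool = True) -> bytes:
    """Build a minimal 4096-byte base block (constructed test data, not a real hive)."""
    block = bytearray(4096)
    block[:4] = REGF_MAGIC
    struct.pack_into("<II", block, 4, seq1, seq2)
    struct.pack_into("<II", block, 36, root_cell, hbins_size)
    if fix_checksum:
        struct.pack_into("<I", block, 508, regf_checksum(bytes(block)))
    return bytes(block)

if __name__ == "__main__":
    smeared = make_base_block(root_cell=0x3000, hbins_size=0x2000, seq1=5, seq2=4)
    for problem in check_hive_base_block(smeared):
        print(problem)
```

Run against the first 4096 bytes at a hive's base block address, an out-of-range root cell here indicates the capture is inconsistent rather than a plugin fault.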

JamesFirth2020 commented 2 years ago

Okay, well thanks for looking!