ikelos
commented
2 years ago Ok, thanks for the memory images, and sorry it took so long for me to look into them.
In both cases, the potential kernel addresses that were found weren't mapped in the main memory map. As such, volatility couldn't validate that it had found the correct kernel, and that's why it couldn't load the symbols. I'm not sure why the kernel appears to be missing from both images (even though the PDB entry from the pe file appears to be present), but it's the same in both files (in one of the files we don't even find a potential MZ header in front of either of the two PDB entries we find).|
As such, it's like this is one of two problems:
- Volatility is finding the wrong DTB/map for both images, this would be why the map doesn't have the potential kernel present
- The acquisition program intentionally leaves out chunks of memory that happen to contain the kernel. I'm not sure why it would do this
- A third unknown reason around the PDB entry being too far away from the MZ header, or something else weird?
It might help if you could interrogate a running image for its DTB and location of the kernel MZ in memory, using windbg or similar, and then if it fails we could figure out if it was volatility or the acquisition tool, but otherwise there's not a great deal we can do without knowing those... 5:S
Hello everyone. There was a problem with these images, with the fact that an error occurs when determining the PDB. Discussed in Slack. I attach links to download dumps
https://cloud.pampei.ru/index.php/s/nMQrJjdZaf5aQ2H
`D:\diplom\vulnefindproject_diplom\volatility3-develop>vol.py -vvvv -f D:\tests\jigsaw\vmss.core windows.info Volatility 3 Framework 1.2.1 INFO volatility3.cli: Volatility plugins path: ['D:\diplom\vulnefindproject_diplom\volatility3-develop\volatility3\plugins', 'D:\diplom\vulnefindproject_diplom\volatility3-develop\volatility3\framework\plugins'] INFO volatility3.cli: Volatility symbols path: ['D:\diplom\vulnefindproject_diplom\volatility3-develop\volatility3\symbols', 'D:\diplom\vulnefindproject_diplom\volatility3-develop\volatility3\framework\symbols'] DEBUG volatility3.framework: No module named 'Crypto' DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: windows\cachedump DEBUG volatility3.framework: No module named 'Crypto' DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: windows\hashdump DEBUG volatility3.framework: No module named 'Crypto' DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: windows\lsadump INFO volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump INFO volatility3.framework.automagic: Detected a windows category plugin INFO volatility3.framework.automagic: Running automagic: ConstructionMagic Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.layer_name Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info INFO volatility3.framework.automagic: Running automagic: LayerStacker Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker INFO volatility3.schemas: Dependency for validation unavailable: jsonschema DEBUG volatility3.schemas: All validations will report success, even with malformed input Level 8 volatility3.framework.automagic.stacker: Stacked Elf64Layer using Elf64Stacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker DEBUG volatility3.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1ad000 Level 8 volatility3.framework.automagic.stacker: Stacked IntelLayer using WindowsIntelStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name.memory_layer Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name.memory_layer.base_layer INFO volatility3.schemas: Dependency for validation unavailable: jsonschema DEBUG volatility3.schemas: All validations will report success, even with malformed input Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'Elf64Layer', 'FileLayer'] INFO volatility3.framework.automagic: Running automagic: WinSwapLayers INFO volatility3.framework.automagic: Running automagic: WintelHelper INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - testing fixed base address DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - slow scan virtual layer INFO volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan INFO volatility3.framework.automagic: Running automagic: KernelModule Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel
Unsatisfied requirement plugins.Info.kernel: Windows kernel Unable to validate the plugin requirements: ['plugins.Info.kernel']`