volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Hiberfil.sys on windows 10 and above #692

Closed billuk21 closed 10 months ago

billuk21 commented 2 years ago

**Is your feature request related to a problem? Please describe.** I wanted to know how I can use Volatility to parse and analyze a hiberfil.sys copy (assuming the file is correctly backed up) on newer Windows machines.


**Describe alternatives you've considered** I have already used the Hibernation Recon tool to analyze it. I have tried to use the extracted ActiveMemory.bin file and analyze that with Volatility, but I keep getting this error: `Page error 0xcb8fcac50008 in layer layer_name (Page Fault at entry 0x8a0000067a30ec66 in page entry)`

I was able to run the windows.info plugin and it worked.

If you can give an advice on how to debug that and if you had any experience with that - that would be great!


ikelos commented 2 years ago

I'm afraid I'm not all that well versed in the most recent hiberfil.sys formats. I'm not sure whether memory smear occurs in hibernation files (it shouldn't if the system was hibernated when the image was taken, but if it was running then I'm not sure there's any guarantee the hibernation file is consistent). In situations like this where some plugins work, but there seems to be an error in the paging, I'd usually attribute it to smear, but as I say I can't tell if that's the case here. I'll see whether @awalters or @iMHLv2 can shed some more light on the issue... 5:)

paulkermann commented 2 years ago

@billuk21 if you provide the said hiberfil.sys I could try to find the issue

billuk21 commented 2 years ago

I can provide it; it's pretty big (25 GB).

I will try to decompress it? What is your plan? How you would approach it?

paulkermann commented 2 years ago

@billuk21 I would probably first run something to get raw memory out of the hiberfil.sys and then try to debug Volatility to see where it fails.

billuk21 commented 2 years ago

Thanks for the prompt response, can you elaborate on how you would extract the raw memory? Would you do it by using a specific tool?

paulkermann commented 2 years ago

@billuk21 probably Hibr2Bin. But the way to extract raw memory is probably not the problem.

billuk21 commented 2 years ago

Yes, I did it using the Hibernation Recon tool and it extracted the bin file. I will send the errors that I am getting when loading it into Volatility.

paulkermann commented 2 years ago

@billuk21 I think I would be a greater help with the hiberfil myself, but yes executing volatility with a great verbosity level might help

billuk21 commented 2 years ago

Hey, sorry for the delay - here is the command and the output:

command:

```
vol.py -vvv -f G:\ActiveMemory.bin windows.registry.hivelist
```

Output:

```
Volatility 3 Framework 2.0.2
INFO     volatility3.cli: Volatility plugins path: ['C:\Users\bill\Desktop\volatility3\volatility3\plugins', 'C:\Users\bill\Desktop\volatility3\volatility3\framework\plugins']
INFO     volatility3.cli: Volatility symbols path: ['C:\Users\bill\Desktop\volatility3\volatility3\symbols', 'C:\Users\bill\Desktop\volatility3\volatility3\framework\symbols']
INFO     volatility3.framework.automagic: Detected a windows category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.HiveList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.HiveList.kernel
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.HiveList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.HiveList.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.HiveList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.HiveList.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.HiveList.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.HiveList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.HiveList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.HiveList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.HiveList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.HiveList.kernel
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.HiveList
Level 9  volatility3.framework.interfaces.configuration: TypeError - filter requirements only accept str type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - filter requirements only accept str type: None
INFO     volatility3.framework.automagic: Running automagic: SymbolBannerCache
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.HiveList.kernel
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1ad000
DEBUG    volatility3.framework.automagic.windows: DTB was found at: 0x1ad000
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.HiveList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.HiveList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.HiveList.kernel
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.HiveList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.HiveList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.HiveList.kernel.layer_name.memory_layer
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.HiveList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.HiveList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.HiveList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.HiveList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.HiveList.kernel
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.HiveList
Level 9  volatility3.framework.interfaces.configuration: TypeError - filter requirements only accept str type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - filter requirements only accept str type: None
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.HiveList.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.HiveList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.HiveList.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf80029400000
DEBUG    volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb\769C521E4833ECF72E21F02BF33691A5-1
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.HiveList.kernel

Offset	FileFullPath	File output

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_ACCESS_STATE
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_CPU_RATE_CONTROL
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NET_RATE_CONTROL
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NOTIFICATION_INFORMATION
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PSP_STORAGE
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_KTMNOTIFICATION_PACKET
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EXP_LICENSE_STATE
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DBGKP_ERROR_PORT
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_CI_NGEN_PATHS
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_WNF_SUBSCRIPTION
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PO_PROCESS_ENERGY_CONTEXT
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EPROCESS_QUOTA_BLOCK
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PAGEFAULT_HISTORY
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DEVICE_NODE_IOMMU_EXTENSION
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_EVENT_CALLBACK_CONTEXT
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_TIMER
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_SOFT_RESTART_CONTEXT
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_STACK_CACHE
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ACTIVATION_CONTEXT_DATA
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ASSEMBLY_STORAGE_MAP
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_PERFECT_HASH_FUNCTION
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_HAL_PMC_COUNTERS
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_SCSI_REQUEST_BLOCK
DEBUG    volatility3.plugins.windows.registry.hivelist: Hivelist failed traversing the list forwards at 0xde8d33c63000, traversing backwards
DEBUG    volatility3.plugins.windows.registry.hivelist: Hivelist failed traversing backwards at 0xde8d95094000, a different location from forwards, revert to scanning

DEBUG    volatility3.cli: Traceback (most recent call last):
  File "C:\Users\bill\Desktop\volatility3\volatility3\cli\__init__.py", line 343, in run
    renderers[args.renderer]().render(constructed.run())
  File "C:\Users\bill\Desktop\volatility3\volatility3\cli\text_renderer.py", line 177, in render
    grid.populate(visitor, outfd)
  File "C:\Users\bill\Desktop\volatility3\volatility3\framework\renderers\__init__.py", line 212, in populate
    for (level, item) in self._generator:
  File "C:\Users\bill\Desktop\volatility3\volatility3\framework\plugins\windows\registry\hivelist.py", line 68, in _generator
    for hive_object in self.list_hive_objects(context = self.context,
  File "C:\Users\bill\Desktop\volatility3\volatility3\framework\plugins\windows\registry\hivelist.py", line 217, in list_hive_objects
    for hive in hivescan.HiveScan.scan_hives(context, layer_name, symbol_table):
  File "C:\Users\bill\Desktop\volatility3\volatility3\framework\plugins\windows\registry\hivescan.py", line 54, in scan_hives
    for pool in bigpools.BigPools.list_big_pools(context,
  File "C:\Users\bill\Desktop\volatility3\volatility3\framework\plugins\windows\bigpools.py", line 99, in list_big_pools
    if big_pool.is_valid():
  File "C:\Users\bill\Desktop\volatility3\volatility3\framework\symbols\windows\extensions\pool.py", line 235, in is_valid
    return self.Key > 0
  File "C:\Users\bill\Desktop\volatility3\volatility3\framework\objects\__init__.py", line 764, in __getattr__
    member = template(context = self._context, object_info = object_info)
  File "C:\Users\bill\Desktop\volatility3\volatility3\framework\objects\templates.py", line 72, in __call__
    return self.vol.object_class(context = context, object_info = object_info, **arguments)
  File "C:\Users\bill\Desktop\volatility3\volatility3\framework\objects\__init__.py", line 122, in __new__
    value = cls._unmarshall(context, data_format, object_info)
  File "C:\Users\bill\Desktop\volatility3\volatility3\framework\objects\__init__.py", line 147, in _unmarshall
    data = context.layers.read(object_info.layer_name, object_info.offset, data_format.length)
  File "C:\Users\bill\Desktop\volatility3\volatility3\framework\interfaces\layers.py", line 553, in read
    return self[layer].read(offset, length, pad)
  File "C:\Users\bill\Desktop\volatility3\volatility3\framework\layers\linear.py", line 37, in read
    for (offset, _, mapped_offset, mapped_length, layer) in self.mapping(offset, length, ignore_errors = pad):
  File "C:\Users\bill\Desktop\volatility3\volatility3\framework\layers\intel.py", line 203, in mapping
    for offset, size, mapped_offset, mapped_size, map_layer in self._mapping(offset, length, ignore_errors):
  File "C:\Users\bill\Desktop\volatility3\volatility3\framework\layers\intel.py", line 247, in _mapping
    chunk_offset, page_size, layer_name = self._translate(offset)
  File "C:\Users\bill\Desktop\volatility3\volatility3\framework\layers\intel.py", line 373, in _translate
    return self._translate_swap(self, offset, self._bits_per_register // 2)
  File "C:\Users\bill\Desktop\volatility3\volatility3\framework\layers\intel.py", line 326, in _translate_swap
    return super()._translate(offset)
  File "C:\Users\bill\Desktop\volatility3\volatility3\framework\layers\intel.py", line 109, in _translate
    raise exceptions.PagedInvalidAddressException(self.name, offset, position + 1, entry,
volatility3.framework.exceptions.PagedInvalidAddressException: Page Fault at entry 0x8a0000067a30ec66 in page entry
```

Volatility was unable to read a requested page: Page error 0xcb8fcac50008 in layer layer_name (Page Fault at entry 0x8a0000067a30ec66 in page entry)

    * Memory smear during acquisition (try re-acquiring if possible)
    * An intentionally invalid page lookup (operating system protection)
    * A bug in the plugin/volatility3 (re-run with -vvv and file a bug)

No further results will be produced
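The traceback above ends in the Intel layer's `_translate` with the raw page-table entry `0x8a0000067a30ec66`. Reading that value tells a triager whether the page was simply absent (smear or paged out) or whether the entry still points at a frame that could be recovered from the image. The following Python is an added example, not code from this issue thread or from Volatility 3; it decodes an x64 page-table entry into its hardware fields and applies a classification. The hardware bit positions (present, writable, user, large page, NX, PFN in bits 12..51) are the standard 4-level x64 layout; the prototype (bit 10) and transition (bit 11) positions are my assumption about Windows' software PTE encoding, as is the order in which the classifier tests them.

```python
# Added example (not part of the issue thread or of Volatility 3): decode an x64
# page-table entry so a "Page Fault at entry 0x..." message can be read.
# Hardware bits follow the x64 4-level paging layout.  PROTOTYPE and TRANSITION
# are an ASSUMED Windows software-PTE layout (bits 10 and 11), not a verified one.
from typing import Dict, Optional

PRESENT    = 1 << 0    # hardware: page is mapped, PFN field is valid
WRITABLE   = 1 << 1    # hardware: R/W
USER       = 1 << 2    # hardware: U/S
LARGE_PAGE = 1 << 7    # hardware: PS, meaningful only at PDE/PDPTE level
PROTOTYPE  = 1 << 10   # assumed Windows software bit (entry refers to a shared PTE)
TRANSITION = 1 << 11   # assumed Windows software bit (frame still holds the page)
NX         = 1 << 63   # hardware: execute-disable
PFN_MASK   = ((1 << 40) - 1) << 12   # hardware: page frame number in bits 12..51
PAGE_SIZE  = 0x1000


def classify(entry: int) -> str:
    """Explain why a hardware walk succeeds or stops at this entry."""
    if entry == 0:
        return "zero: never mapped, demand-zero, or already torn down"
    if entry & PRESENT:
        return "present: hardware translation succeeds"
    # Below here the MMU would fault; only the OS's software bits say what
    # became of the page (assumed Windows layout, see header comment).
    if entry & PROTOTYPE:
        return "prototype: refers to a shared section PTE, not a frame"
    if entry & TRANSITION:
        return "transition: frame still holds the data, recoverable from the image"
    return "software PTE: page lives in the pagefile or was never backed"


def decode_entry(entry: int) -> Dict[str, object]:
    """Break a 64-bit page-table entry into the fields a triage needs."""
    if not 0 <= entry < (1 << 64):
        raise ValueError("entry must fit in 64 bits")
    return {
        "present": bool(entry & PRESENT),
        "writable": bool(entry & WRITABLE),
        "user": bool(entry & USER),
        "large_page": bool(entry & LARGE_PAGE),
        "nx": bool(entry & NX),
        "prototype": bool(entry & PROTOTYPE),
        "transition": bool(entry & TRANSITION),
        "pfn": (entry & PFN_MASK) >> 12,
        "status": classify(entry),
    }


def frame_offset(entry: int, page_size: int = PAGE_SIZE) -> Optional[int]:
    """Physical offset of the backing frame when the entry can be used
    without consulting a pagefile: present, or transition-without-prototype."""
    if entry & PRESENT or (entry & TRANSITION and not entry & PROTOTYPE):
        return ((entry & PFN_MASK) >> 12) * page_size
    return None


# The entry quoted in the traceback in this issue.
FAULTING_ENTRY = 0x8A0000067A30EC66

if __name__ == "__main__":
    for name, value in decode_entry(FAULTING_ENTRY).items():
        shown = f"{value:#x}" if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{name:>10}: {shown}")
    print("frame offset:", frame_offset(FAULTING_ENTRY))
```

For the entry from this issue the present bit is clear, so the walk cannot continue; under the assumed Windows layout both the prototype and transition bits are set, so `frame_offset` returns `None` rather than guessing a physical address. A transition-only entry (bit 11 set, bit 10 clear) would instead yield a frame offset, which is the case where an analyst can expect the page contents to still be in the image.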

billuk21 commented 2 years ago

When running the same command on a memory dump (acquired by FTK Imager, not a hiberfil.sys file) you can see that it works well.

command:

```
vol.py -f F:\memdump_windows1064_connected_To_the_domain.mem windows.registry.hivelist
```

Output:

```
Volatility 3 Framework 2.0.2
Progress:  100.00		PDB scanning finished
Offset	FileFullPath	File output

0xac8549075000		Disabled
0xac854908c000	\REGISTRY\MACHINE\SYSTEM	Disabled
0xac8549169000	\REGISTRY\MACHINE\HARDWARE	Disabled
0xac8549cb8000	\SystemRoot\System32\Config\SECURITY	Disabled
0xac8549cbe000	\SystemRoot\System32\Config\DEFAULT	Disabled
0xac8549cbc000	\SystemRoot\System32\Config\SAM	Disabled
0xac8549cba000	\SystemRoot\System32\Config\SOFTWARE	Disabled
0xac854da1f000	\Device\HarddiskVolume1\EFI\Microsoft\Boot\BCD	Disabled
0xac854dd41000	\??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT	Disabled
0xac854d903000	\??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT	Disabled
0xac854de19000	\SystemRoot\System32\Config\BBI	Disabled
0xac854f3c8000	\??\C:\Windows\ServiceProfiles\SQLTELEMETRY$VEEAMSQL2016\ntuser.dat	Disabled
0xac854f4df000	\??\C:\Windows\ServiceProfiles\SQLTELEMETRY$VEEAMSQL2016\AppData\Local\Microsoft\Windows\UsrClass.dat	Disabled
0xac854f8f2000	\??\C:\Windows\AppCompat\Programs\Amcache.hve	Disabled
0xac8550cca000	\??\C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\dosvcState.dat	Disabled
0xac8550d49000	\??\C:\Users\billweak\ntuser.dat	Disabled
0xac85511d8000	\??\C:\Users\billweak\AppData\Local\Microsoft\Windows\UsrClass.dat	Disabled
0xac8551b8c000	\??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.StartMenuExperienceHost_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat	Disabled
0xac8551cab000	\??\C:\Users\billweak\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat	Disabled
0xac8551c31000	\??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.Search_1.14.3.19041_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat	Disabled
0xac8551c84000	\??\C:\Users\billweak\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat	Disabled
0xac8551f7f000	\??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.Windows.ShellExperienceHost_10.0.19041.1320_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat	Disabled
0xac8552219000	\??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\Microsoft.YourPhone_1.21121.256.0_x64__8wekyb3d8bbwe\ActivationStore.dat	Disabled
0xac855224e000	\??\C:\Users\billweak\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\Settings\settings.dat	Disabled
0xac85536c7000	\??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\windows.immersivecontrolpanel_10.0.2.1000_neutral_neutral_cw5n1h2txyewy\ActivationStore.dat	Disabled
0xac85536f3000	\??\C:\ProgramData\Microsoft\Windows\AppRepository\Packages\MicrosoftWindows.Client.CBS_120.2212.4170.0_x64__cw5n1h2txyewy\ActivationStore.dat	Disabled
0xac85539d8000	\??\C:\Users\billweak\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat	Disabled
0xac8553d4b000	\??\C:\Users\billweak\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat	Disabled
```

paulkermann commented 2 years ago

@billuk21 I find it weird that walking the hive list caused a problem. Also it's kinda weird that the big pool table was "paged out" or something. I can't say much though without the dump on how to fix this.

billuk21 commented 2 years ago

OK, I will upload it. It will take some time to upload; thanks for the help.

cmueller-tp commented 2 years ago

From my experience with hiberfiles (converted with hibr2bin and with our own parser) you can't access registry artifacts. My guess here is that all file-related artifacts will not be "paged" to the hiberfile (why would the system store information in a hiberfile that is available in other files in the regular filesystem?).

github-actions[bot] commented 1 year ago

This issue is stale because it has been open for 200 days with no activity.

github-actions[bot] commented 10 months ago

This issue was closed because it has been inactive for 60 days since being marked as stale.