volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Vmware file "*.vmsn" is not supported! #815

Open Black2PIg opened 2 years ago

Black2PIg commented 2 years ago

Volatility 3 does not support parsing ".vmsn" files (this file is a snapshot memory file of the old version of VMware, and the old version of VMware does not support ".vmem" files), but Volatility 2 does support "*.vmsn" files.

===========================================================
volatility3:

C:\Users\jone\Desktop\volatility3-develop\volatility3-develop>python vol.py -vvv -f windows7-Snapshot1.vmsn windows.info
Volatility 3 Framework 2.3.0
INFO     volatility3.cli: Volatility plugins path: ['C:\Users\jone\Desktop\volatility3-develop\volatility3-develop\volatility3\plugins', 'C:\Users\jone\Desktop\volatility3-develop\volatility3-develop\volatility3\framework\plugins']
INFO     volatility3.cli: Volatility symbols path: ['C:\Users\jone\Desktop\volatility3-develop\volatility3-develop\volatility3\symbols', 'C:\Users\jone\Desktop\volatility3-develop\volatility3-develop\volatility3\framework\symbols']
INFO     volatility3.framework.automagic: Detected a windows category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
INFO     volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name

Unsatisfied requirement plugins.Info.kernel.layer_name:
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:

A translation layer requirement was not fulfilled. Please verify that:
    A file was provided to create this layer (by -f, --single-location or by config)
    The file exists and is readable
    The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled. Please verify that:
    The associated translation layer requirement was fulfilled
    You have the correct symbol file for the requirement
    The symbol file is under the correct directory or zip file
    The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name']

=================================================
volatility2:

C:\Users\jone\Desktop\volatility2-develop\volatility2-develop>python vol.py -vvv -f windows7-Snapshot1.vmsn imageinfo

INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : VMWareAddressSpace (Unnamed AS)
                     AS Layer3 : FileAddressSpace (C:\Users\jone\Desktop\volatility-master\volatility-master\windows7-Snapshot1.vmsn)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800027fa120L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff800027fc000L
             KUSER_SHARED_DATA : 0xfffff78000000000L

ikelos commented 2 years ago

Volatility 3 does support vmem files and automatically makes use of a similarly named vmsn or vmss file in the same directory. Providing the vmsn file directly as a parameter will treat it as if it is the memory image, which will fail.

Please ensure that your vmem file (myfile.vmem) is in the same directory as the vmsn file with the same name but different extension (myfile.vmsn). You can determine whether the vmsn file was used based on the debugging output provided by running volatility with -vvv.

Please let us know whether that works so we can close this issue off.

dkec1 commented 2 years ago

I also had the same problem, which has been bugging me. Older versions of VMware do not support ".vmem" files, so when creating snapshots, only vmsn files are generated. However, vol3 does not support the memory image ".vmsn". But excitingly, vol2 does support the memory image ".vmsn". By comparing how vol2 and vol3 parse the memory images ".vmsn" and ".vmem", I found that ".vmsn" has 3 layers (WindowsAMD64PagedMemory, VMWareAddressSpace, FileAddressSpace), while ".vmem" has only 2 layers (WindowsAMD64PagedMemory, FileAddressSpace). Therefore, I deduce that vol3 is not parsing the VMWareAddressSpace layer of ".vmsn" correctly. In addition, after I deliberately deleted the file "\volatility3\framework\layers\vmware.py", vol3 could still process ".vmem" files correctly. Is it that the file "vmware.py" does not work, or that the VMware layer is not properly analyzed? @ikelos

ikelos commented 2 years ago

Hi there, volatility 3 is a complete rewrite, and so comparisons with volatility 2 aren't all that useful. Many of the ways things were done in volatility 2 are not how they are done in volatility 3.

It looks as though volatility 2 got a separate parser for vmsn files in particular (https://github.com/volatilityfoundation/volatility/blob/master/volatility/plugins/addrspaces/vmware.py) whereas we only handle vmsn files that are auxiliary to vmem files, as in (https://github.com/volatilityfoundation/volatility/blob/master/volatility/plugins/addrspaces/vmem.py#L66).

It seems the previous mechanism, and the only one I've ever encountered, split the vmem file up into segments, and the vmss/vmsn files defined where those segments live within the layer. If there is only one segment, there is no need for a VMware layer, since the vmem file is indistinguishable from a normal raw physical layer. This is why volatility 3 can process a vmem file without the vmware layer present.

We'll add this to the wishlist for getting the enhanced support. It would be useful if you could provide a sample of a single vmsn file that can successfully be processed by volatility 2 but fails with volatility 3, so that we have a sample to test against. Please let me know if you'd be able to supply this...
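To make the segment mechanism in the reply above concrete, here is an added Python model (not volatility3's own code, whose real implementation is in volatility3/framework/layers/vmware.py) of a vmem split into runs whose guest-physical placement comes from the companion vmss/vmsn; the segment values are constructed, and `Segment`, `VmemSegmentMap` and `constructed_two_segment_map` are names of this example only.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Segment:
    """One run of guest-physical memory stored contiguously in the .vmem file."""
    phys_start: int   # guest-physical address where the run begins
    file_offset: int  # byte offset of the run inside the .vmem file
    size: int         # length of the run in bytes


class VmemSegmentMap:
    """Translates guest-physical addresses to .vmem file offsets using a
    segment table of the kind a companion .vmss/.vmsn supplies (values here
    are constructed, not parsed from a real snapshot)."""

    def __init__(self, segments: List[Segment]):
        self.segments = sorted(segments, key=lambda s: s.phys_start)
        # Overlapping runs would make one physical address map to two places.
        for a, b in zip(self.segments, self.segments[1:]):
            if a.phys_start + a.size > b.phys_start:
                raise ValueError("overlapping segments")

    def translate(self, phys_addr: int) -> Optional[int]:
        """File offset backing phys_addr, or None if it lies in a hole."""
        for seg in self.segments:
            if seg.phys_start <= phys_addr < seg.phys_start + seg.size:
                return seg.file_offset + (phys_addr - seg.phys_start)
        return None

    def is_plain_raw_image(self) -> bool:
        """True when the table is a single run at physical 0 and file offset 0:
        the mapping is the identity, so the .vmem reads like a raw dump and no
        VMware layer is needed (the single-segment case described above)."""
        return (len(self.segments) == 1
                and self.segments[0].phys_start == 0
                and self.segments[0].file_offset == 0)


def constructed_two_segment_map() -> VmemSegmentMap:
    """Constructed layout: 16 KiB at physical 0, a hole, then 8 KiB of memory
    at physical 0x10000 that the .vmem stores right after the first run."""
    return VmemSegmentMap([Segment(0, 0, 0x4000), Segment(0x10000, 0x4000, 0x2000)])


if __name__ == "__main__":
    m = constructed_two_segment_map()
    print(hex(m.translate(0x10010)), m.translate(0x5000), m.is_plain_raw_image())
```

With two runs the map is needed to find the second run's bytes; with one run from offset 0 it degenerates to the identity, which is why dropping vmware.py does not affect such vmem files.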

dkec1 commented 2 years ago

Thank you, how can I send the sample file to you?

ikelos commented 2 years ago

Gmail to mike.auty@gmail.com or dropbox? There are a number of other large file transfer services, any of them should be fine...

ikelos commented 2 years ago

Sorry, my bad, when I said gmail I'd meant google drive. I've gotten 3 emails, but they number 002 to 004, and I can't seem to reconstruct them properly. Sorry for the confusion!

dkec1 commented 2 years ago

The VMSN file has been shared, thank you for your attention to this issue. If there is any further solution, please let me know as soon as possible.

ikelos commented 1 year ago

Hi there, just to follow up on this. I'm sorry to have taken so long over this, but I have finally found some time to investigate it. As mentioned here, I received 3 files: windows7-snapshot.7z.002, windows7-snapshot.7z.003 and windows7-snapshot.7z.004, each approximately 20Mb in size, which when combined did not form a valid 7zip file. I would like to investigate this further, but without a valid sample it's going to be much more difficult to do. Would you be able to provide a complete vmsn sample file please? Via email if necessary, but google drive would be easier. If we already covered this and I mis-filed it then I apologize, but I've checked my collection of images and don't have a vmsn file anywhere among them...