volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Volatility 3 not working. #863

Closed bartkor12 closed 1 year ago

bartkor12 commented 1 year ago

Context
I am unable to access most of the features of volatility 3. I am using Windows PowerShell in administrator mode to use it, and whenever I run windows.netstat.NetStat or pretty much any command, I get an error or an unclear output.

Volatility Version: Volatility 3 Framework 2.4.1
Operating System: Windows 10 Pro
Python Version: 3.8.10
Suspected Operating System: ?
Command:

python vol.py -f C:\Users\BartEk\Downloads\technical` pc` stuff\memdump.mem windows.(literally any command)

Steps to reproduce the behavior:

  1. Use any command (only windows.info works for me)
  2. See error

Expected behavior
For it to output anything other than an error or encrypted text.

Screenshots
What I have in my technical pc stuff folder in case it was relevant (please don't judge the name of this folder lol) [image]

Here is me running windows.netscan (the program just stops and I have to keyboard interrupt it to do anything else) [image]

Here is me running windows.netstat (I receive an error) [image]

Here is me running windows.pslist.PsList (encrypted message thing) [image]

Additional information
I don't think that this has happened to anyone else; I searched the errors on Google but nothing of relevance showed up. Am I doing something wrong? I am completely new to memory forensics and PowerShell, please advise me on what I should do about this.

bartkor12 commented 1 year ago

please, I really need help, any answer would be appreciated.

digitalisx commented 1 year ago

Hello, @bartkor12 It's hard to figure out what's wrong with just the clues given at the moment. Are you willing to provide a memory dump file or a detailed log?

ikelos commented 1 year ago

Hi there, that looks like you're experiencing three different issues all at once, which you believe may be related. You also sound as though you need immediate support, so for such broad questions and more immediate help I'd suggest joining the Slack channel and posting your question there. This issue tracker is explicitly for bugs in the program and, as a group of volunteer open source developers, there are no expectations on how quickly a bug will be triaged or responded to.

Netscan will likely still be running; depending on the memory image, it can take a long time to get results. Scanning through large memory images can take a significant amount of time (in the order of many hours) and isn't suggestive of a bug.

The NoneType error looks like an actual bug, but it would be helpful if you could file this separately so we can investigate it separately from your general question.

PsList appears as though it's had difficulty analysing the memory image, since it's found values that could be correct, but the pid is obviously bad data being interpreted as a process entry. The reason you're seeing "encrypted text" is that volatility has found random bytes where it expected a string, and is trying to interpret them as unicode characters (which often include unusual symbols and characters). No encryption has gone on; it means that the data volatility thought was a string is most likely not, and suggests that the analysis failed and/or the image suffered from memory smear during acquisition (where the memory changes as it's being read to the file). This doesn't happen with virtual machine memory, so it may be some other problem, but it's not always possible to perfectly analyze every memory image. This does not imply there's a bug in volatility.

So the best advice I've got would be:

I hope this helps and provides you a way forward with your problems...
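The "encrypted text" point above can be seen in a few lines of Python. This is an added illustration, not volatility3 code: it decodes a byte buffer the way a tool would when it expects a short NUL-terminated ASCII name (such as a process image name), and applies two plausibility heuristics of my own, a printable-character ratio for the name and a range/alignment check for the PID, to separate a real process row from bad data that merely got interpreted as one. The buffers and the thresholds are constructed for the example.

```python
"""Why a process name read from the wrong place looks like "encrypted text".

Added example, not volatility3 code. A tool that expects a short NUL-terminated
ASCII name decodes whatever bytes sit at the offset it computed; when that
offset is wrong or the page is inconsistent, control bytes and invalid byte
sequences come out as odd symbols and U+FFFD replacement characters. The
heuristics below are my own, not a check volatility performs.
"""
import string

# ASCII characters a process image name could reasonably contain
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

# Constructed buffers: a real-looking name and a junk buffer resembling the
# garbled ImageFileName column in the issue (0x0F / 0x10 / 0x01 are control
# bytes, 0xFF 0xFE is not valid UTF-8).
GOOD_NAME = b"svchost.exe\x00\x00\x00\x00"
JUNK_NAME = b"\x0fEN\x10H\xff\xfe$ \x01\x00\x00\x00\x00\x00"


def read_c_string(buf: bytes, max_len: int = 15) -> str:
    """Mimic reading a fixed char[max_len] field: stop at the first NUL, decode leniently."""
    raw = buf[:max_len].split(b"\x00", 1)[0]
    return raw.decode("utf-8", errors="replace")


def printable_ratio(text: str) -> float:
    """Fraction of characters that are plain printable ASCII."""
    if not text:
        return 0.0
    return sum(ch in PRINTABLE for ch in text) / len(text)


def looks_like_name(text: str, threshold: float = 0.9) -> bool:
    """Heuristic: a real name is non-empty, decoded cleanly, and almost all printable."""
    return bool(text) and "\ufffd" not in text and printable_ratio(text) >= threshold


def plausible_pid(pid: int) -> bool:
    """Heuristic: Windows PIDs are multiples of 4 and fit in 32 bits;
    a value such as 142845946689673 cannot be one."""
    return 0 <= pid < 2**32 and pid % 4 == 0


def triage_entry(pid: int, name_buf: bytes) -> dict:
    """Combine both checks into a verdict for one candidate process row."""
    name = read_c_string(name_buf)
    name_ok = looks_like_name(name)
    pid_ok = plausible_pid(pid)
    return {
        "name": name,
        "printable_ratio": round(printable_ratio(name), 2),
        "name_ok": name_ok,
        "pid_ok": pid_ok,
        "verdict": "plausible process" if name_ok and pid_ok
                   else "bad data interpreted as a process entry",
    }


if __name__ == "__main__":
    for pid, buf in ((4, GOOD_NAME), (142845946689673, JUNK_NAME)):
        print(pid, triage_entry(pid, buf))
```

The junk buffer decodes to a string where only half the characters are printable and two are U+FFFD, which is exactly what a terminal renders as "unusual symbols"; nothing was encrypted, the bytes were simply never a string.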

bartkor12 commented 1 year ago

Hello, @bartkor12 It's hard to figure out what's wrong with just the clues given at the moment. Are you willing to provide a memory dump file or a detailed log?

I'm worried that I might reveal sensitive information by sending the memory dump file, and the file is 30 gigabytes in size, however I can send the memory dump software that I used for this. memory dump software.zip

@ikelos Sorry for sounding urgent and impatient, I will retry the netscan plugin now and run everything with -vvv, and see if anything works; if not, I will file a separate bug for this.

bartkor12 commented 1 year ago

Ok so I did windows.netscan again with -vvv and it reported this:

DEBUG volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb\E1DBB1A59191BC3AF954B63210F237F2-1
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
Progress: 100.00 PDB scanning finished
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule

Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
DEBUG volatility3.plugins.windows.netscan: Determined OS Version: 10.0 15.19041
DEBUG volatility3.plugins.windows.netscan: Determined symbol filename: netscan-win10-19041-x64
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
DEBUG volatility3.framework.symbols: Unresolved reference: netscan-win10-19041-x641!__unnamed_2
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PO_PROCESS_ENERGY_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EPROCESS_QUOTA_BLOCK
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PAGEFAULT_HISTORY
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_ACCESS_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_CPU_RATE_CONTROL
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NET_RATE_CONTROL
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NOTIFICATION_INFORMATION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PSP_STORAGE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ACTIVATION_CONTEXT_DATA
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ASSEMBLY_STORAGE_MAP
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EXP_LICENSE_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DBGKP_ERROR_PORT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_CI_NGEN_PATHS
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_WNF_SUBSCRIPTION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_EVENT_CALLBACK_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_SOFT_RESTART_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_STACK_CACHE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_PERFECT_HASH_FUNCTION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_TIMER
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_HAL_PMC_COUNTERS
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DEVICE_NODE_IOMMU_EXTENSION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_SCSI_REQUEST_BLOCK
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fab4169e449 of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fab4169e449 invalid due to invalid tcp state 1632921161
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fab4169e8c3 of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fab4169e8c3 invalid due to invalid tcp state 1919251301
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fab4169ee8c of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fab4169ee8c invalid due to invalid tcp state 209136
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fab44bc45a6 of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_LISTENER'>
DEBUG volatility3.framework.symbols.windows.extensions.network: netw obj 0x7fab44bc45a6 invalid due to invalid address_family None
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fab44bd87d7 of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._UDP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: netw obj 0x7fab44bd87d7 invalid due to invalid address_family None
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fab44cd223f of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fab44cd223f invalid due to invalid tcp state 2642939840
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fab44cd2deb of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fab44cd2deb invalid due to invalid tcp state 257061893
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fab44cd2dfb of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fab44cd2dfb invalid due to invalid tcp state 4129518849
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fab8169e449 of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fab8169e449 invalid due to invalid tcp state 1632921161
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fab8169e8c3 of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fab8169e8c3 invalid due to invalid tcp state 1919251301
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fab8169ee8c of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fab8169ee8c invalid due to invalid tcp state 209136
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fab84bc45a6 of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_LISTENER'>
DEBUG volatility3.framework.symbols.windows.extensions.network: netw obj 0x7fab84bc45a6 invalid due to invalid address_family None
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fab84bd87d7 of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._UDP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: netw obj 0x7fab84bd87d7 invalid due to invalid address_family None
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fab84cd223f of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fab84cd223f invalid due to invalid tcp state 2642939840
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fab84cd2deb of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fab84cd2deb invalid due to invalid tcp state 257061893
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fab84cd2dfb of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fab84cd2dfb invalid due to invalid tcp state 4129518849
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fac0169e449 of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fac0169e449 invalid due to invalid tcp state 1632921161
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fac0169e8c3 of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fac0169e8c3 invalid due to invalid tcp state 1919251301
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fac0169ee8c of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fac0169ee8c invalid due to invalid tcp state 209136
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fac04bc45a6 of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_LISTENER'>
DEBUG volatility3.framework.symbols.windows.extensions.network: netw obj 0x7fac04bc45a6 invalid due to invalid address_family None
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fac04bd87d7 of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._UDP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: netw obj 0x7fac04bd87d7 invalid due to invalid address_family None
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fac04cd223f of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fac04cd223f invalid due to invalid tcp state 2642939840
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fac04cd2deb of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fac04cd2deb invalid due to invalid tcp state 257061893
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fac04cd2dfb of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fac04cd2dfb invalid due to invalid tcp state 4129518849

Here are the results for windows.netstat:

DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1ad000
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1ad000
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.NetStat.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.NetStat.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.NetStat.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.NetStat.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.NetStat.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.NetStat.kernel.layer_name.memory_layer
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.NetStat.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.NetStat.kernel
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.NetStat
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf80112800000
DEBUG volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb\E1DBB1A59191BC3AF954B63210F237F2-1
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule

Offset Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID Owner Created
DEBUG volatility3.plugins.windows.netscan: Determined OS Version: 10.0 15.19041
DEBUG volatility3.plugins.windows.netscan: Determined symbol filename: netscan-win10-19041-x64
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
Traceback (most recent call last):
  File "vol.py", line 10, in <module>
    volatility3.cli.main()
  File "C:\Users\BartEk\Downloads\technical pc stuff\volatility3\volatility3\cli\__init__.py", line 636, in main
    CommandLine().run()
  File "C:\Users\BartEk\Downloads\technical pc stuff\volatility3\volatility3\cli\__init__.py", line 343, in run
    renderers[args.renderer]().render(constructed.run())
  File "C:\Users\BartEk\Downloads\technical pc stuff\volatility3\volatility3\cli\text_renderer.py", line 177, in render
    grid.populate(visitor, outfd)
  File "C:\Users\BartEk\Downloads\technical pc stuff\volatility3\volatility3\framework\renderers\__init__.py", line 212, in populate
    for (level, item) in self._generator:
  File "C:\Users\BartEk\Downloads\technical pc stuff\volatility3\volatility3\framework\plugins\windows\netstat.py", line 434, in _generator
    kernel.layer_name, "tcpip.pdb", tcpip_module.DllBase, tcpip_module.SizeOfImage)
AttributeError: 'NoneType' object has no attribute 'DllBase'

Here are the results for windows.pslist:

DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1ad000
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1ad000
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf80112800000
DEBUG volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb\E1DBB1A59191BC3AF954B63210F237F2-1
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule

PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PO_PROCESS_ENERGY_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EPROCESS_QUOTA_BLOCK
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PAGEFAULT_HISTORY
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_ACCESS_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_CPU_RATE_CONTROL
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NET_RATE_CONTROL
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NOTIFICATION_INFORMATION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PSP_STORAGE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ACTIVATION_CONTEXT_DATA
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ASSEMBLY_STORAGE_MAP
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EXP_LICENSE_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DBGKP_ERROR_PORT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_CI_NGEN_PATHS
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_WNF_SUBSCRIPTION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_EVENT_CALLBACK_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_SOFT_RESTART_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_STACK_CACHE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_PERFECT_HASH_FUNCTION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_TIMER
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_HAL_PMC_COUNTERS
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DEVICE_NODE_IOMMU_EXTENSION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_SCSI_REQUEST_BLOCK

142845946689673 181990900958966 ☼EN►H��$ ☺ 0xaa865f4ea100 4087015536 - - True - - Disabled

Note: I have copied and pasted all of these from the point where I first saw DEBUG.

ikelos commented 1 year ago

Thanks very much, there's nothing in the debug output that looks unusual. For case 1, it finds a lot of potential tcpip endpoints, but they're all considered invalid due to having bad data. This suggests either that something's changed in the layout of tcpip.sys, or that the memory image has some inconsistencies in it from acquisition.

Hopefully I've made the second issue nicer, but it will unfortunately just stop with an error message, because it can't identify the tcpip module that it needs to find.

For the third error, again, it looks as though the memory image is inconsistent and that correct values can't be found at the location volatility 3 is trying (based on the debugging information it found for that kernel). I'm not sure there's much more we can suggest to help.

Many of these problems are likely due to the way memory was acquired (which you might not be able to do anything about). If you're using dumpit or similar (which your upload suggested) this may take several minutes to read through 30Gb of memory. During that time the memory will change, meaning the bit read at the start may point to something that isn't there by the time its memory is read. You could try taking another memory image, but I doubt it will fare much better.

The first and third points don't look like bugs, however, just a difficult memory image to work with. As such I'm liable to close this issue off once you confirm that the second problem (AttributeError: 'NoneType' object has no attribute 'DllBase') has gone away in the latest commit...
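The "lots of candidates, all rejected" pattern that ikelos reads out of the netscan debug output is easy to miss in thousands of lines. As an added example (not volatility3 code), the script below tallies the DEBUG lines the plugin prints for each candidate network object and the reason each one was rejected, so the situation in this issue is visible in one summary. The log lines embedded in it are constructed in the format shown above; the regular expressions match that format and nothing else.

```python
"""Triage of volatility3 ``windows.netscan -vvv`` output.

Added example, not part of volatility3. It pairs each "Found netw obj" line
with the "invalid due to ..." line for the same offset and reports how many
candidates survived, so "all candidates rejected" (a layout mismatch in
tcpip.sys or an inconsistent, smeared image) stands out from a normal run.
"""
import re
from collections import Counter

FOUND_RE = re.compile(r"Found netw obj @ (0x[0-9a-fA-F]+) of assumed type <class '([^']+)'>")
BAD_STATE_RE = re.compile(r"(0x[0-9a-fA-F]+) invalid due to invalid tcp state (\d+)")
BAD_AF_RE = re.compile(r"netw obj (0x[0-9a-fA-F]+) invalid due to invalid address_family (\S+)")

# Constructed sample in the exact format the plugin prints at -vvv.
SAMPLE_LOG = """\
INFO volatility3.framework.automagic: Running automagic: KernelModule
DEBUG volatility3.plugins.windows.netscan: Determined symbol filename: netscan-win10-19041-x64
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fab4169e449 of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fab4169e449 invalid due to invalid tcp state 1632921161
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fab44bc45a6 of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_LISTENER'>
DEBUG volatility3.framework.symbols.windows.extensions.network: netw obj 0x7fab44bc45a6 invalid due to invalid address_family None
DEBUG volatility3.plugins.windows.netscan: Found netw obj @ 0x7fab44cd223f of assumed type <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'>
DEBUG volatility3.framework.symbols.windows.extensions.network: <class 'volatility3.framework.symbols.windows.extensions.network._TCP_ENDPOINT'> 0x7fab44cd223f invalid due to invalid tcp state 2642939840
"""


def triage_netscan(log_text: str) -> dict:
    """Summarise candidate network objects and why each was rejected."""
    candidates = {}  # offset -> short structure name
    rejected = {}    # offset -> rejection reason
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            candidates[m.group(1)] = m.group(2).rsplit(".", 1)[-1]
            continue
        m = BAD_STATE_RE.search(line)
        if m:
            rejected[m.group(1)] = "invalid tcp state"
            continue
        m = BAD_AF_RE.search(line)
        if m:
            rejected[m.group(1)] = "invalid address_family"

    valid = [off for off in candidates if off not in rejected]
    if not candidates:
        verdict = "no candidates found: pool scan matched nothing"
    elif not valid:
        verdict = "all candidates rejected: tcpip.sys layout mismatch or inconsistent image"
    else:
        verdict = f"{len(valid)} of {len(candidates)} candidates valid"
    return {
        "candidates": len(candidates),
        "rejected": len(rejected),
        "valid": valid,
        "reasons": dict(Counter(rejected.values())),
        "types": dict(Counter(candidates.values())),
        "verdict": verdict,
    }


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for key, value in triage_netscan(text).items():
        print(f"{key}: {value}")
```

Pipe a real `-vvv` run into it (`python vol.py -vvv -f image.mem windows.netscan 2>&1 | python triage.py`) or run it without input to see the summary for the embedded sample: three candidates, three rejections, zero valid, which is the same picture as the full log in this thread.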

bartkor12 commented 1 year ago

I'm afraid that there must just be something wrong with my memory dump software, and since no one else has reported this 'bug' where volatility doesn't work before, I will just close this post and get a new way of acquiring a mem dump. Thank you for your help.