volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

How do I download a windows symbol table without the internet? #939

Closed xorya1 closed 1 year ago

xorya1 commented 1 year ago

Hi everyone, I'm pretty sure this is a total beginner question but I can't seem to find a solution. I downloaded volatility3 by cloning from GitHub and tried to run "python3 vol.py -f dump_practice.dmp [windows.info]", and I get the following error:

Volatility 3 Framework 2.4.2
Progress:  100.00               Downloading http://msdl.microsoft.com/download/symbols/ntoskrnl.pdbWARNING  volatility3.framework.symbols.windows.pdbutil: Symbol file could not be downloaded from remote server
Progress:  100.00               PDB scanning finished
Unsatisfied requirement plugins.Info.kernel.symbol_table_name: 
A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.Info.kernel.symbol_table_name']

No clue how to fix it. I also ran this command: python3 vol.py -v -f dump_practice.dmp windows.info

and this is the result I got, if that helps in any way:

Volatility 3 Framework 2.4.2
INFO     volatility3.cli: Volatility plugins path: ['/home/user/.local/lib/python3.11/site-packages/volatility3/volatility3/plugins', '/home/user/.local/lib/python3.11/site-packages/volatility3/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/user/.local/lib/python3.11/site-packages/volatility3/volatility3/symbols', '/home/user/.local/lib/python3.11/site-packages/volatility3/volatility3/framework/symbols']
INFO     volatility3.framework.automagic: Detected a windows category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
INFO     volatility3.framework.symbols.windows.pdbconv: Download PDB file...r
WARNING  volatility3.framework.symbols.windows.pdbutil: Symbol file could not be downloaded from remote server
INFO     volatility3.framework.symbols.windows.pdbutil: The symbols can be downloaded later using pdbconv.py -p ntoskrnl.pdb -g 9F2528E50F6E473796E007462C77D4E82
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule

Unsatisfied requirement plugins.Info.kernel.symbol_table_name: 

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.symbol_table_name']

Also, is windows.info the equivalent of the imageinfo plugin? And thank you.

ikelos commented 1 year ago

Hi there,

Volatility doesn't come with every symbol table necessary for every OS because there are too many and because new ones are coming out all the time. Luckily, Microsoft provides files for Windows that can be used to generate symbols. Volatility found one of those and tried to go out to the internet to get it and process it, but couldn't.

If you can't provide volatility an internet connection, then you can download the pdb file from the URL mentioned in the first output and then process it with the pdbconv.py tool using -f, or on a machine with the internet you can run pdbconv with the parameters mentioned in the second output (following the instructions at: https://volatility3.readthedocs.io/en/latest/symbol-tables.html#windows-symbol-tables ). Either of those methods should generate a JSON file that can then be put into your symbols directory (typically volatility3/symbols, although this can be specified for vol.py by using -s).

Hopefully that answers your question and gets you up and running. I'll mark this as a question and probably close it at some point in the future. If you have more questions feel free to put them on here, or if this has been closed you could try our slack server at https://www.volatilityfoundation.org/slack.
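The offline workflow ikelos describes, as an added example for this thread (not code from the original post or from the Volatility project): it pulls the PDB name and GUID+age out of the verbose vol.py output, builds the Microsoft symbol server URL to fetch on a connected machine, and wraps the pdbconv.py -f conversion plus placement under symbols/windows. Assumptions: pdbconv.py lives at volatility3/framework/symbols/windows/pdbconv.py in a cloned repo, its -o flag names the output JSON (check pdbconv.py -h), and sed, curl and python3 are available. The sample log line is constructed from the one in the thread.

```shell
#!/usr/bin/env bash
# Added example for this thread, not code from the Volatility project.
# Assumed: pdbconv.py is at volatility3/framework/symbols/windows/pdbconv.py
# and its -o flag names the output JSON file (verify with pdbconv.py -h).
set -eu

# Constructed sample: the INFO line "vol.py -v" prints when the download fails.
SAMPLE_HINT_LINE='INFO     volatility3.framework.symbols.windows.pdbutil: The symbols can be downloaded later using pdbconv.py -p ntoskrnl.pdb -g 9F2528E50F6E473796E007462C77D4E82'

# Pull "<pdb name> <GUID+age>" out of vol.py output read on stdin.
extract_pdb_hint() {
    sed -n 's/.*pdbconv\.py -p \([^ ]*\) -g \([0-9A-Fa-f]*\).*/\1 \2/p' | head -n 1
}

# The GUID+age string is 32 hex digits followed by the PDB age, so it must be
# all hex characters and at least 33 long; anything else is a copy/paste slip.
valid_guid_age() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -ge 33 ]
}

# Microsoft symbol server layout: <pdb>/<GUID+age>/<pdb> under the base URL
# that appears in the first error message of the thread.
symbol_url() {
    printf 'http://msdl.microsoft.com/download/symbols/%s/%s/%s\n' "$1" "$2" "$1"
}

# Offline half: turn an already-downloaded PDB into an ISF JSON and place it
# under the symbols directory as windows/<pdb>/<GUID+age>.json (the layout the
# upstream symbol packs use), then print where it went.
convert_offline() {
    local vol_dir="$1" pdb_file="$2" guid_age="$3"
    local out_dir="$vol_dir/volatility3/symbols/windows/$(basename "$pdb_file")"
    mkdir -p "$out_dir"
    python3 "$vol_dir/volatility3/framework/symbols/windows/pdbconv.py" \
        -f "$pdb_file" -o "$out_dir/$guid_age.json"
    printf '%s\n' "$out_dir/$guid_age.json"
}

# Walk through the sample line: recover the hint, validate it, and print the
# two commands to run (download on a connected machine, conversion on the
# analysis box). No network access happens here.
hint=$(printf '%s\n' "$SAMPLE_HINT_LINE" | extract_pdb_hint)
set -- $hint
valid_guid_age "$2" || { echo "unexpected GUID+age: $2" >&2; exit 1; }
echo "on a connected machine:   curl -fsSL -o $1 $(symbol_url "$1" "$2")"
echo "then on the analysis box: convert_offline /path/to/volatility3 ./$1 $2"
```

Once the JSON is in place, rerun vol.py with -s pointing at the symbols directory if it is not the default one; the "named appropriately or contains the correct banner" check in the error message is what the GUID+age filename and the metadata pdbconv writes into the JSON satisfy.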