Closed koromodako closed 4 years ago
Hiya, thanks for doing the introductory diagnostics for us. If it isn't finding the DTB, that's a bit of an issue. Does vol 2 tell you where it is? If so, you can write it into a configuration file to force vol 3 to know where it is, but I'd like to get a little more information if possible. Could you please attach a copy of the -vvv output so we can look through it please?
In answer to your other questions, yes, we've tested it on many different images ranging from XP through to Windows 10 (and several server versions on the way). Windows 7 is included in that, but as you pointed out, if it can't identify the DTB then this is before it even tries to do the windows part, it's still on the Intel part.
@ikelos, here is volatility2 output:
> $ volatility -f /home/user/win7sp1x64.dmp imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
AS Layer3 : FileAddressSpace (/home/user/win7sp1x64.dmp)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002840120L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002842000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2019-08-05 17:12:32 UTC+0000
Image local date and time : 2019-08-05 19:12:32 +0200
And here is volatility3 complete output using -vvv:
> $ volatility3 -vvv -s /home/user/volatility3-symbols -f /home/user/win7sp1x64.dmp windows.statistics.Statistics
Volatility 3 Framework 1.0.0-beta.1
INFO root : Volatility plugins path: ['/home/user/bin/.venv3/lib/python3.7/site-packages/volatility/plugins', '/home/user/bin/.venv3/lib/python3.7/site-packages/volatility/framework/plugins']
INFO root : Volatility symbols path: ['/home/user/volatility3-symbols', '/home/user/bin/.venv3/lib/python3.7/site-packages/volatility/symbols', '/home/user/bin/.venv3/lib/python3.7/site-packages/volatility/framework/symbols']
DEBUG volatility.framework: Importing module: volatility.plugins.windows.statistics
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.certificates
DEBUG volatility.framework: Importing module: volatility.plugins.configwriter
DEBUG volatility.framework: Importing module: volatility.plugins.yarascan
DEBUG volatility.framework: Importing module: volatility.plugins.layerwriter
DEBUG volatility.framework: Importing module: volatility.plugins.timeliner
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_sysctl
DEBUG volatility.framework: Importing module: volatility.plugins.mac.netstat
DEBUG volatility.framework: Importing module: volatility.plugins.mac.lsmod
DEBUG volatility.framework: Importing module: volatility.plugins.mac.ifconfig
DEBUG volatility.framework: Importing module: volatility.plugins.mac.lsof
DEBUG volatility.framework: Importing module: volatility.plugins.mac.bash
DEBUG volatility.framework: Importing module: volatility.plugins.mac.proc_maps
DEBUG volatility.framework: Importing module: volatility.plugins.mac.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_syscall
DEBUG volatility.framework: Importing module: volatility.plugins.mac.tasks
DEBUG volatility.framework: Importing module: volatility.plugins.mac.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_trap_table
DEBUG volatility.framework: Importing module: volatility.plugins.mac.psaux
DEBUG volatility.framework: Importing module: volatility.plugins.mac.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.mac.trustedbsd
DEBUG volatility.framework: Importing module: volatility.plugins.linux.proc
DEBUG volatility.framework: Importing module: volatility.plugins.linux.lsmod
DEBUG volatility.framework: Importing module: volatility.plugins.linux.lsof
DEBUG volatility.framework: Importing module: volatility.plugins.linux.check_afinfo
DEBUG volatility.framework: Importing module: volatility.plugins.linux.bash
DEBUG volatility.framework: Importing module: volatility.plugins.linux.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.linux.check_syscall
DEBUG volatility.framework: Importing module: volatility.plugins.linux.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.linux.elfs
DEBUG volatility.framework: Importing module: volatility.plugins.linux.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.dlldump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.handles
DEBUG volatility.framework: Importing module: volatility.plugins.windows.driverscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.dlllist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.driverirp
DEBUG volatility.framework: Importing module: volatility.plugins.windows.symlinkscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.mutantscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.callbacks
DEBUG volatility.framework: Importing module: volatility.plugins.windows.strings
DEBUG volatility.framework: Importing module: volatility.plugins.windows.filescan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.psscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.poolscanner
DEBUG volatility.framework: Importing module: volatility.plugins.windows.modules
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vadinfo
DEBUG volatility.framework: Importing module: volatility.plugins.windows.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.windows.modscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.svcscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.ssdt
DEBUG volatility.framework: Importing module: volatility.plugins.windows.procdump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vaddump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vadyarascan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.windows.verinfo
DEBUG volatility.framework: Importing module: volatility.plugins.windows.cmdline
DEBUG volatility.framework: Importing module: volatility.plugins.windows.virtmap
DEBUG volatility.framework: Importing module: volatility.plugins.windows.info
DEBUG volatility.framework: Importing module: volatility.plugins.windows.moddump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.printkey
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.hivelist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.userassist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.hivescan
DEBUG volatility.framework: Importing module: volatility.framework.automagic.mac
DEBUG volatility.framework: Importing module: volatility.framework.automagic.pdbscan
DEBUG volatility.framework: Importing module: volatility.framework.automagic.construct_layers
DEBUG volatility.framework: Importing module: volatility.framework.automagic.windows
DEBUG volatility.framework: Importing module: volatility.framework.automagic.linux
DEBUG volatility.framework: Importing module: volatility.framework.automagic.stacker
DEBUG volatility.framework: Importing module: volatility.framework.automagic.symbol_finder
DEBUG volatility.framework: Importing module: volatility.framework.automagic.symbol_cache
INFO volatility.framework.automagic: Detected a windows category plugin
INFO volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Statistics
INFO volatility.framework.automagic: Running automagic: WinSwapLayers
INFO volatility.framework.automagic: Running automagic: LayerStacker
DEBUG volatility.framework: Importing module: volatility.framework.layers.vmware
DEBUG volatility.framework: Importing module: volatility.framework.layers.lime
DEBUG volatility.framework: Importing module: volatility.framework.layers.registry
DEBUG volatility.framework: Importing module: volatility.framework.layers.msf
DEBUG volatility.framework: Importing module: volatility.framework.layers.segmented
DEBUG volatility.framework: Importing module: volatility.framework.layers.crash
DEBUG volatility.framework: Importing module: volatility.framework.layers.resources
DEBUG volatility.framework: Importing module: volatility.framework.layers.linear
DEBUG volatility.framework: Importing module: volatility.framework.layers.physical
DEBUG volatility.framework: Importing module: volatility.framework.layers.intel
DEBUG volatility.framework: Importing module: volatility.framework.layers.scanners.multiregexp
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
DEBUG volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
INFO volatility.framework.automagic.mac: No Mac banners found - if this is a mac plugin, please check your symbol files location
INFO volatility.framework.automagic.linux: No Linux banners found - if this is a linux plugin, please check your symbol files location
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG volatility.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO volatility.framework.automagic: Running automagic: WintelHelper
INFO volatility.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Unsatisfied requirement plugins.Statistics.primary: Memory layer for the kernel
A translation layer requirement was not fulfilled. Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The necessary symbols are present and identified by volatility
Unable to validate the plugin requirements: ['plugins.Statistics.primary']
I hope it helps!
Actually the vol 2 imageinfo output helped more, the image you're testing is an elf file and the beta doesn't yet support loading those I'm afraid.
I'll leave this bug open and change the title when I get chance and we'll make it the tracker for adding elf file support.
An immediate work around would be to use imagecopy from vol2 to get a real raw image and then you should be fine running analysis off that until we get support written in. 5:)
Hi there, so there's a branch available for testing now called elf64-support. It's extremely preliminary, but if you could test it and tell me if it resolves your problem then I can move towards putting it forward for review as a pull request. 5:)
I noticed the elf layer in the debug output below but the problem remains the same:
DEBUG volatility.framework: Importing module: volatility.plugins.windows.statistics
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.certificates
DEBUG volatility.framework: Importing module: volatility.plugins.yarascan
DEBUG volatility.framework: Importing module: volatility.plugins.configwriter
DEBUG volatility.framework: Importing module: volatility.plugins.layerwriter
DEBUG volatility.framework: Importing module: volatility.plugins.timeliner
DEBUG volatility.framework: Importing module: volatility.plugins.linux.lsof
DEBUG volatility.framework: Importing module: volatility.plugins.linux.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.linux.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.linux.check_afinfo
DEBUG volatility.framework: Importing module: volatility.plugins.linux.bash
DEBUG volatility.framework: Importing module: volatility.plugins.linux.elfs
DEBUG volatility.framework: Importing module: volatility.plugins.linux.proc
DEBUG volatility.framework: Importing module: volatility.plugins.linux.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.linux.check_syscall
DEBUG volatility.framework: Importing module: volatility.plugins.linux.lsmod
DEBUG volatility.framework: Importing module: volatility.plugins.mac.lsof
DEBUG volatility.framework: Importing module: volatility.plugins.mac.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.mac.ifconfig
DEBUG volatility.framework: Importing module: volatility.plugins.mac.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.mac.trustedbsd
DEBUG volatility.framework: Importing module: volatility.plugins.mac.proc_maps
DEBUG volatility.framework: Importing module: volatility.plugins.mac.bash
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_sysctl
DEBUG volatility.framework: Importing module: volatility.plugins.mac.tasks
DEBUG volatility.framework: Importing module: volatility.plugins.mac.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.mac.psaux
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_trap_table
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_syscall
DEBUG volatility.framework: Importing module: volatility.plugins.mac.netstat
DEBUG volatility.framework: Importing module: volatility.plugins.mac.lsmod
DEBUG volatility.framework: Importing module: volatility.plugins.windows.ssdt
DEBUG volatility.framework: Importing module: volatility.plugins.windows.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.symlinkscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.virtmap
DEBUG volatility.framework: Importing module: volatility.plugins.windows.modscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.windows.info
DEBUG volatility.framework: Importing module: volatility.plugins.windows.procdump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.svcscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vaddump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.dlldump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vadinfo
DEBUG volatility.framework: Importing module: volatility.plugins.windows.poolscanner
DEBUG volatility.framework: Importing module: volatility.plugins.windows.filescan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.windows.dlllist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.psscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.handles
DEBUG volatility.framework: Importing module: volatility.plugins.windows.driverscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.modules
DEBUG volatility.framework: Importing module: volatility.plugins.windows.strings
DEBUG volatility.framework: Importing module: volatility.plugins.windows.moddump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vadyarascan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.cmdline
DEBUG volatility.framework: Importing module: volatility.plugins.windows.callbacks
DEBUG volatility.framework: Importing module: volatility.plugins.windows.driverirp
DEBUG volatility.framework: Importing module: volatility.plugins.windows.mutantscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.verinfo
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.userassist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.printkey
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.hivelist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.hivescan
DEBUG volatility.framework: Importing module: volatility.framework.automagic.symbol_cache
DEBUG volatility.framework: Importing module: volatility.framework.automagic.construct_layers
DEBUG volatility.framework: Importing module: volatility.framework.automagic.symbol_finder
DEBUG volatility.framework: Importing module: volatility.framework.automagic.windows
DEBUG volatility.framework: Importing module: volatility.framework.automagic.stacker
DEBUG volatility.framework: Importing module: volatility.framework.automagic.mac
DEBUG volatility.framework: Importing module: volatility.framework.automagic.linux
DEBUG volatility.framework: Importing module: volatility.framework.automagic.pdbscan
INFO volatility.framework.automagic: Detected a windows category plugin
INFO volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Statistics
INFO volatility.framework.automagic: Running automagic: WinSwapLayers
INFO volatility.framework.automagic: Running automagic: LayerStacker
DEBUG volatility.framework: Importing module: volatility.framework.layers.lime
DEBUG volatility.framework: Importing module: volatility.framework.layers.linear
DEBUG volatility.framework: Importing module: volatility.framework.layers.resources
DEBUG volatility.framework: Importing module: volatility.framework.layers.crash
DEBUG volatility.framework: Importing module: volatility.framework.layers.registry
DEBUG volatility.framework: Importing module: volatility.framework.layers.elf
DEBUG volatility.framework: Importing module: volatility.framework.layers.intel
DEBUG volatility.framework: Importing module: volatility.framework.layers.msf
DEBUG volatility.framework: Importing module: volatility.framework.layers.segmented
DEBUG volatility.framework: Importing module: volatility.framework.layers.vmware
DEBUG volatility.framework: Importing module: volatility.framework.layers.physical
DEBUG volatility.framework: Importing module: volatility.framework.layers.scanners.multiregexp
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
DEBUG volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
INFO volatility.framework.automagic.linux: No Linux banners found - if this is a linux plugin, please check your symbol files location
INFO volatility.framework.automagic.mac: No Mac banners found - if this is a mac plugin, please check your symbol files location
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG volatility.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO volatility.framework.automagic: Running automagic: WintelHelper
INFO volatility.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Unsatisfied requirement plugins.Statistics.primary: Memory layer for the kernel
A translation layer requirement was not fulfilled. Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The necessary symbols are present and identified by volatility
Unable to validate the plugin requirements: ['plugins.Statistics.primary']
FYI I created the dump using the following command:
VBoxManage.exe debugvm "vm-name" dumpvmcore --filename "vm-name.mem"
The workaround worked well by the way, thanks.
Let me know if you need more information about the dump itself.
Hmmm, so it looks like it thought the Elf file wasn't valid (otherwise the line DEBUG volatility.framework.automagic.stacker: Stacked layers: ['FileLayer'] should have mentioned ElfLayer). Could you run file on the image and let me know what it says? If you have a machine you're willing to share the memory image for, that would be extremely useful for debugging and figuring out what's going on (at the moment I'm basing it off the specification)... 5:)
File gives me: ELF 64-bit LSB core file, x86-64, version 1 (SYSV)
Have you considered porting the working code part of volatility2? This file seems interesting: elfcoredump.py
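For readers following the format discussion above: the `file` output identifies the dump as an ELF64 little-endian x86-64 core, and what an ELF-core layer has to do is (1) validate exactly those header fields, (2) collect the PT_LOAD program headers, whose p_paddr/p_offset/p_filesz triples describe which file bytes hold which guest-physical pages, and (3) translate physical reads through that table. The example below is an added illustration written for this page, not Volatility code (neither vol2's elfcoredump.py nor the elf64-support branch). It builds a small constructed core image in memory, parses it, maps physical addresses to file offsets, refuses reads that fall into a hole between segments, and flattens the core into a raw physical image of the kind vol2's imagecopy workaround produces. The segment addresses (0x0 and 0x187000, the DTB reported by vol2 above) are chosen for illustration only.

```python
"""
Minimal ELF64 core-dump reader: validates the header, lists PT_LOAD segments,
maps guest-physical addresses to file offsets and flattens the core to a raw
physical image. Added example for this page; not Volatility's implementation.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB, EV_CURRENT = 2, 1, 1
ET_CORE, EM_X86_64, PT_LOAD = 4, 62, 1

# Layouts from the ELF-64 specification, little-endian, no padding.
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes


@dataclass(frozen=True)
class Segment:
    paddr: int    # guest-physical address covered by this PT_LOAD
    offset: int   # file offset where its bytes start
    filesz: int   # number of bytes actually present in the file


def parse_core(data: bytes) -> List[Segment]:
    """Check for an ELF64 LSB x86-64 core (what `file` reported) and return PT_LOADs."""
    if len(data) < EHDR.size:
        raise ValueError("file too short for an ELF64 header")
    (ident, e_type, e_machine, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = EHDR.unpack_from(data, 0)
    if ident[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if ident[4] != ELFCLASS64 or ident[5] != ELFDATA2LSB:
        raise ValueError("expected ELFCLASS64 / ELFDATA2LSB")
    if e_type != ET_CORE or e_machine != EM_X86_64:
        raise ValueError(f"not an x86-64 core (e_type={e_type}, e_machine={e_machine})")
    if e_phentsize != PHDR.size or e_phoff + e_phnum * PHDR.size > len(data):
        raise ValueError("program header table malformed or truncated")
    segments = []
    for i in range(e_phnum):
        p_type, _pflags, p_offset, _vaddr, p_paddr, p_filesz, _memsz, _align = \
            PHDR.unpack_from(data, e_phoff + i * PHDR.size)
        if p_type != PT_LOAD or p_filesz == 0:
            continue  # PT_NOTE etc. hold CPU state, not guest memory
        if p_offset + p_filesz > len(data):
            raise ValueError(f"PT_LOAD #{i} extends past end of file")
        segments.append(Segment(p_paddr, p_offset, p_filesz))
    return sorted(segments, key=lambda s: s.paddr)


def paddr_to_offset(segments: List[Segment], paddr: int) -> Optional[int]:
    """Translate one guest-physical address to a file offset; None if unmapped."""
    for seg in segments:
        if seg.paddr <= paddr < seg.paddr + seg.filesz:
            return seg.offset + (paddr - seg.paddr)
    return None


def read_physical(data: bytes, segments: List[Segment], paddr: int, length: int) -> bytes:
    """Read guest-physical memory; any byte outside the PT_LOAD ranges is an error."""
    start = paddr_to_offset(segments, paddr)
    end = paddr_to_offset(segments, paddr + length - 1)
    if start is None or end is None or end - start != length - 1:
        raise ValueError(f"physical range {paddr:#x}+{length:#x} not covered by any PT_LOAD")
    return data[start:start + length]


def to_raw_image(data: bytes, segments: List[Segment]) -> bytes:
    """Flatten to a dd-style raw physical image, zero-filling holes between segments."""
    if not segments:
        raise ValueError("no PT_LOAD segments")
    raw = bytearray(max(s.paddr + s.filesz for s in segments))
    for s in segments:
        raw[s.paddr:s.paddr + s.filesz] = data[s.offset:s.offset + s.filesz]
    return bytes(raw)


def build_sample_core(chunks: List[Tuple[int, bytes]]) -> bytes:
    """Constructed sample: an ELF64 x86-64 core whose PT_LOADs hold the given chunks."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, EV_CURRENT, 0]) + b"\x00" * 8
    phoff = EHDR.size
    data_off = phoff + len(chunks) * PHDR.size
    ehdr = EHDR.pack(ident, ET_CORE, EM_X86_64, EV_CURRENT, 0, phoff, 0, 0,
                     EHDR.size, PHDR.size, len(chunks), 0, 0, 0)
    phdrs, body = b"", b""
    for paddr, payload in chunks:
        # PF_R = 4; p_vaddr is set equal to p_paddr purely for this sample
        phdrs += PHDR.pack(PT_LOAD, 4, data_off + len(body), paddr, paddr,
                           len(payload), len(payload), 0x1000)
        body += payload
    return ehdr + phdrs + body


if __name__ == "__main__":
    # Constructed image: 4 KiB at physical 0 and 4 KiB at 0x187000, with a hole between.
    core = build_sample_core([(0x0, b"\x11" * 0x1000), (0x187000, b"\x22" * 0x1000)])
    segs = parse_core(core)
    for s in segs:
        print(f"PT_LOAD paddr={s.paddr:#010x} offset={s.offset:#x} filesz={s.filesz:#x}")
    print("first bytes at 0x187000:", read_physical(core, segs, 0x187000, 8).hex())
    print(f"raw image size: {len(to_raw_image(core, segs)):#x}")
```

Run it directly to see the segment table for the constructed core; point `parse_core` at the bytes of a real dumpvmcore file to list its PT_LOAD layout. A read that touches an address no PT_LOAD covers raises in `read_physical`, which is the kind of condition a layer has to surface to the plugin above it rather than silently returning zeros.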
Hmmm, I'd have expected that to work. 5:S Ok, cool, thanks for the info. I'll keep tinkering and see if I can spot something obvious I've missed and/or improve the logging.
I have considered porting the volatility2 code, but since the license is different and we've been quite careful not to cross-contaminate I'd prefer to keep doing it from scratch (particularly as it seems fairly straight forward). I've just installed qemu to spin up some VMs and I'll see if I can generate some images for myself that I can then use to get the code working. I should also be able to do the same with virtualbox, it's just a matter of time... 5:)
Ok thanks, I didn't check the license! May the force be with you!
Ok, I've fixed an issue with virtualbox files, so anyone that was experiencing issues, please update the branch and try again, and let me know if that worked... 5:)
Sorry for the length of the message...
Now Elf64Layer is stacked (perfect 👍) and two new/different issues are raised.
I think that they might still be linked to the stack layer itself as a raw image converted with vol2 works with vol3 (I mean nt_symbols can be found and used automatically, etc.).
When I tried to run windows.statistics:
INFO volatility.framework.automagic: Detected a windows category plugin
INFO volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Statistics
INFO volatility.framework.automagic: Running automagic: WinSwapLayers
INFO volatility.framework.automagic: Running automagic: LayerStacker
DEBUG volatility.framework: Importing module: volatility.framework.layers.lime
DEBUG volatility.framework: Importing module: volatility.framework.layers.linear
DEBUG volatility.framework: Importing module: volatility.framework.layers.resources
DEBUG volatility.framework: Importing module: volatility.framework.layers.crash
DEBUG volatility.framework: Importing module: volatility.framework.layers.registry
DEBUG volatility.framework: Importing module: volatility.framework.layers.elf
DEBUG volatility.framework: Importing module: volatility.framework.layers.intel
DEBUG volatility.framework: Importing module: volatility.framework.layers.msf
DEBUG volatility.framework: Importing module: volatility.framework.layers.segmented
DEBUG volatility.framework: Importing module: volatility.framework.layers.vmware
DEBUG volatility.framework: Importing module: volatility.framework.layers.physical
DEBUG volatility.framework: Importing module: volatility.framework.layers.scanners.multiregexp
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
DEBUG volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
INFO volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility.schemas: All validations will report success, even with malformed input
DEBUG volatility.framework.automagic.windows: DTB was found at: 0x187000
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary.memory_layer
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary.memory_layer.base_layer
INFO volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility.schemas: All validations will report success, even with malformed input
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DEBUG volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'Elf64Layer', 'FileLayer']
INFO volatility.framework.automagic: Running automagic: WintelHelper
INFO volatility.framework.automagic: Running automagic: KernelPDBScanner
Valid pages (all) Valid pages (large) Swapped Pages (all) Swapped Pages (large) Invalid Pages (all) Invalid Pages (large)
Traceback (most recent call last):
File "/home/user/vol3", line 11, in <module>
load_entry_point('volatility', 'console_scripts', 'vol')()
File "/home/user/volatility3/volatility/cli/__init__.py", line 442, in main
CommandLine().run()
File "/home/user/volatility3/volatility/cli/__init__.py", line 269, in run
renderers[args.renderer]().render(constructed.run())
File "/home/user/volatility3/volatility/cli/text_renderer.py", line 159, in render
grid.populate(visitor, outfd)
File "/home/user/volatility3/volatility/framework/renderers/__init__.py", line 196, in populate
for (level, item) in self._generator:
File "/home/user/volatility3/volatility/plugins/windows/statistics.py", line 33, in _generator
_, _, page_size, layer_name = list(layer.mapping(page_addr, 0x2000))[0]
File "/home/user/volatility3/volatility/framework/layers/intel.py", line 198, in mapping
raise exceptions.InvalidAddressException(layer_name = layer_name, invalid_address = chunk_offset)
volatility.framework.exceptions.InvalidAddressException
And windows.pslist plugin:
INFO volatility.framework.automagic: Detected a windows category plugin
INFO volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.nt_symbols
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 9 volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
INFO volatility.framework.automagic: Running automagic: WinSwapLayers
INFO volatility.framework.automagic: Running automagic: LayerStacker
DEBUG volatility.framework: Importing module: volatility.framework.layers.lime
DEBUG volatility.framework: Importing module: volatility.framework.layers.linear
DEBUG volatility.framework: Importing module: volatility.framework.layers.resources
DEBUG volatility.framework: Importing module: volatility.framework.layers.crash
DEBUG volatility.framework: Importing module: volatility.framework.layers.registry
DEBUG volatility.framework: Importing module: volatility.framework.layers.elf
DEBUG volatility.framework: Importing module: volatility.framework.layers.intel
DEBUG volatility.framework: Importing module: volatility.framework.layers.msf
DEBUG volatility.framework: Importing module: volatility.framework.layers.segmented
DEBUG volatility.framework: Importing module: volatility.framework.layers.vmware
DEBUG volatility.framework: Importing module: volatility.framework.layers.physical
DEBUG volatility.framework: Importing module: volatility.framework.layers.scanners.multiregexp
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
DEBUG volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
INFO volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility.schemas: All validations will report success, even with malformed input
DEBUG volatility.framework.automagic.windows: DTB was found at: 0x187000
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary.memory_layer
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary.memory_layer.base_layer
INFO volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility.schemas: All validations will report success, even with malformed input
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.nt_symbols
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 9 volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
Level 9 volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
DEBUG volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'Elf64Layer', 'FileLayer']
INFO volatility.framework.automagic: Running automagic: WintelHelper
INFO volatility.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
DEBUG volatility.framework.automagic.pdbscan: Kernel base determination - using KDBG structure for kernel offset
INFO volatility.framework.symbols.windows.pdbconv: Download PDB file...
DEBUG volatility.framework.symbols.windows.pdbconv: Attempting to retrieve http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/4EC39E6D760F4A26A5192B89B2E0158E1/ntkrnlmp.pd_
DEBUG volatility.framework.symbols.windows.pdbconv: Failed with HTTP Error 404: Not Found
DEBUG volatility.framework.symbols.windows.pdbconv: Attempting to retrieve http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/4EC39E6D760F4A26A5192B89B2E0158E1/ntkrnlmp.pdb
DEBUG volatility.framework.symbols.windows.pdbconv: Successfully written to /tmp/tmp10bx0m1k.pdb/4EC39E6D760F4A26A5192B89B2E0158E1/
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None2E0158E1/ntkrnlmp.pdb
WARNING volatility.framework.plugins: Automagic exception occured: TypeError: __new__() missing 4 required positional arguments: 'type_name', 'object_info', 'base_type', and 'choices'
Level 9 volatility.framework.plugins: Traceback (most recent call last):
File "/home/user/volatility3/volatility/framework/automagic/__init__.py", line 129, in run
automagic(context, config_path, requirement, progress_callback)
File "/home/user/volatility3/volatility/framework/automagic/pdbscan.py", line 479, in __call__
self.recurse_symbol_fulfiller(context, valid_kernels, progress_callback)
File "/home/user/volatility3/volatility/framework/automagic/pdbscan.py", line 209, in recurse_symbol_fulfiller
self.download_pdb_isf(kernel['GUID'], kernel['age'], kernel['pdb_name'], progress_callback)
File "/home/user/volatility3/volatility/framework/automagic/pdbscan.py", line 253, in download_pdb_isf
json_output = pdbconv.PdbReader(self.context, location, progress_callback).get_json()
File "/home/user/volatility3/volatility/framework/symbols/windows/pdbconv.py", line 263, in __init__
self._layer_name, self._context = self.load_pdb_layer(context, location)
File "/home/user/volatility3/volatility/framework/symbols/windows/pdbconv.py", line 299, in load_pdb_layer
new_context = context.clone()
File "/home/user/volatility3/volatility/framework/interfaces/context.py", line 94, in clone
return copy.deepcopy(self)
File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
y = _reconstruct(x, memo, *rv)
File "/usr/lib/python3.7/copy.py", line 280, in _reconstruct
state = deepcopy(state, memo)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
y[deepcopy(key, memo)] = deepcopy(value, memo)
File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
y = _reconstruct(x, memo, *rv)
File "/usr/lib/python3.7/copy.py", line 280, in _reconstruct
state = deepcopy(state, memo)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
y[deepcopy(key, memo)] = deepcopy(value, memo)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
y[deepcopy(key, memo)] = deepcopy(value, memo)
File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
y = _reconstruct(x, memo, *rv)
File "/usr/lib/python3.7/copy.py", line 280, in _reconstruct
state = deepcopy(state, memo)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
y[deepcopy(key, memo)] = deepcopy(value, memo)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 215, in _deepcopy_list
append(deepcopy(a, memo))
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 220, in _deepcopy_tuple
y = [deepcopy(a, memo) for a in x]
File "/usr/lib/python3.7/copy.py", line 220, in <listcomp>
y = [deepcopy(a, memo) for a in x]
File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
y = _reconstruct(x, memo, *rv)
File "/usr/lib/python3.7/copy.py", line 274, in _reconstruct
y = func(*args)
File "/usr/lib/python3.7/copy.py", line 273, in <genexpr>
args = (deepcopy(arg, memo) for arg in args)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 220, in _deepcopy_tuple
y = [deepcopy(a, memo) for a in x]
File "/usr/lib/python3.7/copy.py", line 220, in <listcomp>
y = [deepcopy(a, memo) for a in x]
File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
y = _reconstruct(x, memo, *rv)
File "/usr/lib/python3.7/copy.py", line 280, in _reconstruct
state = deepcopy(state, memo)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
y[deepcopy(key, memo)] = deepcopy(value, memo)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
y[deepcopy(key, memo)] = deepcopy(value, memo)
File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
y = _reconstruct(x, memo, *rv)
File "/usr/lib/python3.7/copy.py", line 280, in _reconstruct
state = deepcopy(state, memo)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
y[deepcopy(key, memo)] = deepcopy(value, memo)
File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
y = copier(x, memo)
File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
y[deepcopy(key, memo)] = deepcopy(value, memo)
File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
y = _reconstruct(x, memo, *rv)
File "/usr/lib/python3.7/copy.py", line 274, in _reconstruct
y = func(*args)
File "/usr/lib/python3.7/copyreg.py", line 88, in __newobj__
return cls.__new__(cls, *args)
TypeError: __new__() missing 4 required positional arguments: 'type_name', 'object_info', 'base_type', and 'choices'
Unsatisfied requirement plugins.PsList.nt_symbols: Windows kernel symbols
A symbol table requirement was not fulfilled. Please verify that:
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.PsList.nt_symbols']
I voluntarily skipped the `Import module` debug messages as they seem irrelevant here.
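As an added triage helper, not part of this thread or of the volatility3 project, the script below pulls the automagic stage markers out of a `-vvv` log of the shape pasted above (automagic names, the DTB the Intel layer settled on, the stacked layers, the kernel PDB GUID/age, the final exception and the unsatisfied requirements) and names the first stage whose result is missing, so a long deep-copy traceback does not hide where the pipeline actually stopped. The sample log is a constructed excerpt and the stage names are my own.

```python
import ast
import re
# Constructed excerpt (not this issue's full log) using the line shapes of a volatility3 -vvv run.
SAMPLE_LOG = """\
INFO volatility.framework.automagic: Running automagic: LayerStacker
DEBUG volatility.framework.automagic.windows: DTB was found at: 0x187000
DEBUG volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'Elf64Layer', 'FileLayer']
INFO volatility.framework.automagic: Running automagic: KernelPDBScanner
DEBUG volatility.framework.symbols.windows.pdbconv: Attempting to retrieve http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/4EC39E6D760F4A26A5192B89B2E0158E1/ntkrnlmp.pdb
WARNING volatility.framework.plugins: Automagic exception occured: TypeError: __new__() missing 4 required positional arguments
Unsatisfied requirement plugins.PsList.nt_symbols: Windows kernel symbols
"""

AUTOMAGIC_RE = re.compile(r"Running automagic: (\S+)$")
DTB_RE = re.compile(r"DTB was found at: (0x[0-9a-fA-F]+)$")
LAYERS_RE = re.compile(r"Stacked layers: (\[.*\])$")
# Symbol-server path is <pdb>/<32-hex-digit GUID><age>/ ; the trailing digit(s) are the PDB age.
PDB_RE = re.compile(r"/symbols/([^/]+)/([0-9A-F]{32})([0-9A-F]+)/")
EXC_RE = re.compile(r"Automagic exception occured: (.+)$")  # "occured" is the framework's own spelling
UNSAT_RE = re.compile(r"^Unsatisfied requirement (\S+): (.*)$")  # summary lines carry no level prefix


def summarize(log_text: str) -> dict:
    # Reduce a verbose automagic log to the handful of facts needed for triage.
    s = {"automagics": [], "dtb": None, "layers": [], "pdb": None,
         "exception": None, "unsatisfied": {}}
    for line in log_text.splitlines():
        if m := AUTOMAGIC_RE.search(line):
            s["automagics"].append(m.group(1))
        elif m := DTB_RE.search(line):
            s["dtb"] = int(m.group(1), 16)          # page-table root the Intel layer settled on
        elif m := LAYERS_RE.search(line):
            s["layers"] = ast.literal_eval(m.group(1))
        elif (m := PDB_RE.search(line)) and s["pdb"] is None:
            s["pdb"] = {"name": m.group(1), "guid": m.group(2), "age": int(m.group(3), 16)}
        elif m := EXC_RE.search(line):
            s["exception"] = m.group(1)
        elif m := UNSAT_RE.match(line):
            s["unsatisfied"][m.group(1)] = m.group(2)
    return s


def failure_stage(s: dict) -> str:
    # Name the first automagic stage whose expected result is missing from the log.
    if s["dtb"] is None:
        return "dtb-scan"          # no page-table root found: the Intel layer never came up
    if "IntelLayer" not in s["layers"]:
        return "layer-stacking"
    if s["pdb"] is None:
        return "pdb-scan"          # no kernel PDB GUID recovered from the image
    if s["exception"] or s["unsatisfied"]:
        return "symbol-loading"    # PDB identified, but no symbol table was produced
    return "ok"
```

On the log above this reports the DTB and layer stack as found and the failure in the symbol-loading stage, which matches the traceback ending in `context.clone()`.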
Thanks, I've had someone else report on the second issue you encountered. Could you please file them both as separate issues and then we can try and get through them without losing track... 5:)
Ok this issue seems solved then, close it whenever you want. I'm filing two new separate issues. Thanks
Thanks, I'll close this off once the pull request goes through. 5:)
Ok, the Elf64 support got merged, so I'll be closing off this ticket. Do please open another ticket if you notice any bugs or problems with it... 5:)
First of all, many thanks for this release, I have been waiting for it for a long time :)
I'll try to be as precise as possible:
v1.0.0-beta.1-10-g27a291cf
Ubuntu 19.04
python3/disco,now 3.7.3-1 amd64
Windows 7 SP1 x64, which can be analyzed with `volatility2` profile called `Win7SP1x64`
When I run it with `-vvv` I observe a debug message saying:
I took a quick look at the code and it seems to mean that `automagic` does not match anything when scanning for DTB because I won't see a debug message saying:
Have you tested `volatility3` on a Windows 7 dump? Do you need me to perform more tests?