volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Impossible to analyze a dump file #972

Closed soukoye closed 1 year ago

soukoye commented 1 year ago

Hi,

Bug: Impossible to analyze a dump file.
Volatility 3 Framework 2.4.2
OS: Ubuntu 22.04.2 LTS
Python: 3.10.6
Capture: dumpit.exe
Suspected OS: Win10 22h2 build 19045 (no EDR or AV, only BitLocker enabled for HDD encryption)
Command: vol -vvv -f P9473755.raw windows.pslist.PsList

Describe the bug
I can't get any result from any plugin (pstree, pslist...). Detection seems OK because the kernel virtual offset and symbol library were found:

```
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1ad000
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1ad000
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf80534400000
DEBUG volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb/89284D0CA6ACC8274B9A44BD5AF9290B-1
```

Perhaps the "kernel_virtual_offset" is not the right one, and then Volatility can't find any memory structures.

Additional info: On the same environment I can analyze other Windows dumps.

Thanks for your help

```
$ vol -vvv -f P9473755.raw windows.pslist
Volatility 3 Framework 2.4.2
INFO volatility3.cli: Volatility plugins path: ['/home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/plugins', '/home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/symbols', '/home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/framework/symbols']
INFO volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
  File "/home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "", line 1050, in _gcd_import
  File "", line 1027, in _find_and_load
  File "", line 1006, in _find_and_load_unlocked
  File "", line 688, in _load_unlocked
  File "", line 883, in exec_module
  File "", line 241, in _call_with_frames_removed
  File "/home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/framework/plugins/yarascan.py", line 20, in
    raise ImportError
ImportError

DEBUG volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: /home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/framework/plugins/yarascan.py
INFO volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
  File "/home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "", line 1050, in _gcd_import
  File "", line 1027, in _find_and_load
  File "", line 1006, in _find_and_load_unlocked
  File "", line 688, in _load_unlocked
  File "", line 883, in exec_module
  File "", line 241, in _call_with_frames_removed
  File "/home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/framework/plugins/windows/vadyarascan.py", line 11, in
    from volatility3.plugins import yarascan
  File "/home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/framework/plugins/yarascan.py", line 20, in
    raise ImportError
ImportError

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: /home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/framework/plugins/windows/vadyarascan.py
INFO volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
  File "/home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "", line 1050, in _gcd_import
  File "", line 1027, in _find_and_load
  File "", line 1006, in _find_and_load_unlocked
  File "", line 688, in _load_unlocked
  File "", line 883, in exec_module
  File "", line 241, in _call_with_frames_removed
  File "/home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/framework/plugins/windows/mftscan.py", line 13, in
    from volatility3.plugins import timeliner, yarascan
  File "/home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/framework/plugins/yarascan.py", line 20, in
    raise ImportError
ImportError

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.mftscan based on file: /home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/framework/plugins/windows/mftscan.py
INFO volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
  File "/home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "", line 1050, in _gcd_import
  File "", line 1027, in _find_and_load
  File "", line 1006, in _find_and_load_unlocked
  File "", line 688, in _load_unlocked
  File "", line 883, in exec_module
  File "", line 241, in _call_with_frames_removed
  File "/home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/framework/plugins/windows/svcscan.py", line 16, in
    from volatility3.plugins.windows import poolscanner, vadyarascan, pslist
  File "/home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/framework/plugins/windows/vadyarascan.py", line 11, in
    from volatility3.plugins import yarascan
  File "/home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/framework/plugins/yarascan.py", line 20, in
    raise ImportError
ImportError

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: /home/dav/tools/venv-python/volatility3/lib/python3.10/site-packages/volatility3/framework/plugins/windows/svcscan.py
INFO volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.mftscan, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
INFO volatility3.framework.automagic: Detected a windows category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO volatility3.framework.automagic: Running automagic: LayerStacker
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1ad000
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1ad000
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf80534400000
DEBUG volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb/89284D0CA6ACC8274B9A44BD5AF9290B-1
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule

PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PO_PROCESS_ENERGY_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EPROCESS_QUOTA_BLOCK
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PAGEFAULT_HISTORY
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_ACCESS_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_CPU_RATE_CONTROL
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NET_RATE_CONTROL
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NOTIFICATION_INFORMATION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PSP_STORAGE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ACTIVATION_CONTEXT_DATA
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ASSEMBLY_STORAGE_MAP
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EXP_LICENSE_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DBGKP_ERROR_PORT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_CI_NGEN_PATHS
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_WNF_SUBSCRIPTION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_EVENT_CALLBACK_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_SOFT_RESTART_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_STACK_CACHE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_PERFECT_HASH_FUNCTION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_TIMER
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_HAL_PMC_COUNTERS
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DEVICE_NODE_IOMMU_EXTENSION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_SCSI_REQUEST_BLOCK

281474976710655 281474976710655 ��������������� 0xd98ce04c2200 4294967295 - - True 1600-12-31 23:59:59.000000 1600-12-31 23:59:59.000000 Disabled
```

eve-mem commented 1 year ago

Hello @soukoye. The log looks normal enough, but you're correct in that there seems to be something off with an offset here - that first process looks more like a random part of memory being parsed as a process.

I'm not an expert on the Windows side of things at all. I suspect if anyone from the vol team is able to look into this they'd likely need the memory sample to test with. Is it something you're able to share?

If you are able to, it might also be worth attempting to capture the memory with a different tool; perhaps there is some issue with dumpit on more modern Windows that is causing this mismatch.
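The single row in the log is a good illustration of what "random memory parsed as a process" looks like: PID 281474976710655 is 2^48-1, Threads 4294967295 is 2^32-1, and a CreateTime of 1600-12-31 23:59:59 is what a FILETIME of -1 (all 0xFF bytes, one tick before the 1601 epoch) decodes to. The plausibility checks below are an added example for triaging such rows, not code from the Volatility project; the row layout, the PID and thread thresholds and the constructed sample rows are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: signed 64-bit count of 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: int) -> datetime:
    """Interpret a raw 64-bit FILETIME as a signed LARGE_INTEGER and convert it."""
    ticks = raw - (1 << 64) if raw >= (1 << 63) else raw
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build the constructed healthy row."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def implausibility(row: dict) -> list:
    """Reasons a pslist row looks like unrelated memory parsed as an _EPROCESS.

    Thresholds are assumptions: Windows PIDs are 32-bit multiples of 4, thread
    counts are small, and a process was created after 1601 and before now.
    """
    reasons = []
    for field in ("pid", "ppid"):
        if row[field] >= (1 << 32) or row[field] % 4:
            reasons.append(f"{field} {row[field]:#x} is not a valid Windows PID")
    if row["threads"] >= (1 << 31):
        reasons.append("thread count is an all-ones value")
    if not (row["image"].isascii() and row["image"].isprintable()):
        reasons.append("ImageFileName is not printable ASCII")
    created = filetime_to_datetime(row["create_ft"])
    if created <= FILETIME_EPOCH or created > datetime.now(timezone.utc):
        reasons.append(f"CreateTime {created.isoformat()} is outside [1601, now]")
    return reasons


# Constructed sample rows. GARBAGE_ROW mirrors the values printed in the issue:
# PID 2**48-1, Threads 2**32-1, CreateTime = FILETIME -1, image name of 0xFF bytes.
GARBAGE_ROW = {
    "pid": 281474976710655, "ppid": 281474976710655,
    "image": "\xff" * 15, "threads": 4294967295,
    "create_ft": 0xFFFFFFFFFFFFFFFF,
}
SYSTEM_ROW = {  # a healthy-looking System process, constructed for contrast
    "pid": 4, "ppid": 0, "image": "System", "threads": 150,
    "create_ft": datetime_to_filetime(datetime(2023, 6, 1, tzinfo=timezone.utc)),
}


def triage(rows: list) -> dict:
    """Map PID -> reasons for every row that fails at least one check."""
    return {r["pid"]: implausibility(r) for r in rows if implausibility(r)}


if __name__ == "__main__":
    for pid, why in triage([SYSTEM_ROW, GARBAGE_ROW]).items():
        print(pid, why)
```

A single flagged row where the kernel base, DTB and symbol table all resolved points at the capture or the chosen offset rather than at the symbols, which is the conclusion the thread reaches.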

soukoye commented 1 year ago

Hi eve-mem, thanks for your idea. I tested with another tool (FTK) and I could use Volatility on this dump. So "dumpit" was the problem, not Volatility. I'm closing this. Thanks, eve-mem.