volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Hibernation/swap issues with pagefile.sys #991

Open Ruslan0Dev opened 12 months ago

Ruslan0Dev commented 12 months ago

Hello!

I ran into this error and don't know how to fix it.

OS: Windows 10 Version 10.0.19044.3086, Python 3.11.3

Log:

C:\volatility3>python vol.py -vvvvvvv -f "E:\pagefile2.sys" windows.info
Volatility 3 Framework 2.5.0
INFO     volatility3.cli: Volatility plugins path: ['C:\\volatility3\\volatility3\\plugins', 'C:\\volatility3\\volatility3\\framework\\plugins']
INFO     volatility3.cli: Volatility symbols path: ['C:\\volatility3\\volatility3\\symbols', 'C:\\volatility3\\volatility3\\framework\\symbols']
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\plugins, C:\volatility3\volatility3\framework\plugins
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\automagic
Level 7  volatility3.cli: Cache directory used: C:\Users\PC\AppData\Roaming\volatility3
INFO     volatility3.framework.automagic: Detected a windows category plugin
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in C:\volatility3\volatility3\symbols, C:\volatility3\volatility3\framework\symbols
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 7  volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, LeechCoreHandler
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0x0 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Bad magic 0x0 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
DEBUG    volatility3.framework.automagic.windows: DtbSelfRef32bit test succeeded at 0x620000
DEBUG    volatility3.framework.automagic.windows: DTB was found at: 0x620000
Level 8  volatility3.framework.automagic.stacker: Stacked IntelLayer using WindowsIntelStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Offset 0x0 does not exist within the base layer
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name.memory_layer
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - testing fixed base address
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - optimized scan virtual layer
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - slow scan virtual layer
INFO     volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name

Unsatisfied requirement plugins.Info.kernel.symbol_table_name:

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.symbol_table_name']

C:\volatility3>

Messages like this are removed from the log. A lot of them.

Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///C:/volatility3/volatility3/symbols/ntkrpamp.pdb/018DAAAD05DA45EA88BFC09CC09562DB-1.json.xz as b'ntkrpamp.pdb|018DAAAD05DA45EA88BFC09CC09562DB|1'

symbols dir: (https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip)

C:\volatility3\volatility3\symbols>ls -p -1
__init__.py
ntkrnlmp.pdb/
ntkrnlpa.pdb/
ntkrpamp.pdb/
ntoskrnl.pdb/

Thanks!

eve-mem commented 12 months ago

Hi, looking at the command line it looks like you're trying to read just the page file on its own. Is that right?

I don't think that will work; I suspect many of the very important structures needed will be in main memory rather than the page file. That would normally be used when the computer is running low on main memory, so it'll move the less used parts of memory into the pagefile.

If you have a hibernation file or other memory dump you can add a page file too for those less used parts, but you'll almost always need the main memory. You may still find useful things in that page file, a tool like page brute might help.

Ruslan0Dev commented 12 months ago

@eve-mem OK, I can get hiberfil.sys and memory.dump. Do I need to try something like this?:

C:\volatility3>python vol.py -f "E:\pagefile2.sys" -f "E:\hiberfil2.sys" -f "E:\memory.dump" windows.info

to reconstruct pagefile2.sys. Did I understand you correctly?

UPD1: I have memdump.mem, pagefile.sys, hiberfil.sys and swapfile.sys (copied/dumped via FTK Imager).

eve-mem commented 12 months ago

I would start by just using the memdump, and then assuming that works you can add the page file later as needed. You'll know you need it if you get a page fault error when running a command.

The hibernation file can also be used on its own assuming it contains data, however that will be from the last time the device hibernated so the page file would not help in this situation.

eve-mem commented 12 months ago

To use a page file along with a memory dump you can pass them to vol with the --single-swap-locations parameter on the command line. If there is more than one they need to be provided in the same order as the original running OS expected them.

Ruslan0Dev commented 12 months ago

@eve-mem

C:\volatility3>python vol.py -vvvvvvv -f "memdump.mem" -f "pagefile.sys" windows.info
Volatility 3 Framework 2.5.0
INFO     volatility3.cli: Volatility plugins path: ['C:\\volatility3\\volatility3\\plugins', 'C:\\volatility3\\volatility3\\framework\\plugins']
INFO     volatility3.cli: Volatility symbols path: ['C:\\volatility3\\volatility3\\symbols', 'C:\\volatility3\\volatility3\\framework\\symbols']
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\plugins, C:\volatility3\volatility3\framework\plugins
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\automagic
Level 7  volatility3.cli: Cache directory used: C:\Users\PC\AppData\Roaming\volatility3
INFO     volatility3.framework.automagic: Detected a windows category plugin
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in C:\volatility3\volatility3\symbols, C:\volatility3\volatility3\framework\symbols
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 7  volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, LeechCoreHandler
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0x0 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Bad magic 0x0 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
DEBUG    volatility3.framework.automagic.windows: DtbSelfRef32bit test succeeded at 0x620000
DEBUG    volatility3.framework.automagic.windows: DTB was found at: 0x620000
Level 8  volatility3.framework.automagic.stacker: Stacked IntelLayer using WindowsIntelStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Offset 0x0 does not exist within the base layer
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name.memory_layer
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: C:\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - testing fixed base address
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - optimized scan virtual layer
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - slow scan virtual layer
INFO     volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name

Unsatisfied requirement plugins.Info.kernel.symbol_table_name:

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.symbol_table_name']

C:\volatility3>

windows.info without -f "pagefile.sys" works.

Also log from Volatility 2:

C:\volatility>python vol.py --profile=Win10x64_19041 -f "memdump.mem" -f "pagefile.sys" psscan
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.timeliner (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.servicediff (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.userassist (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getsids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.shellbags (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.evtlogs (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.tcaudit (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.dumpregistry (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.lsadump (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.amcache (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.svcscan (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.auditpol (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.registryapi (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.envars (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.shimcache (ImportError: No module named Crypto.Hash)
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x00009f831f4e71c0 System                4      0 0x00000000001ad000 2023-07-16 22:22:26 UTC+0000
0x00009f831f5de040 Registry            124      4 0x000000021720c000 2023-07-16 22:22:22 UTC+0000
and other processes...

but I don't see the process whose data I saw in pagefile.sys via hex viewer (I'm about Volatility 2 with "pagefile.sys" and Volatility 3 without "pagefile.sys")

And let's say I got an offset; how do I tell whether it is an offset in pagefile.sys or in memdump.mem? Will the offset just go beyond the end of the memdump.mem file?

eve-mem commented 12 months ago

Try changing your command line to python vol.py -vvvvvvv -f "memdump.mem" --single-swap-locations "pagefile.sys" windows.info

If the data you've seen isn't from an active process (or one that's finished but is still in the linked list as it's not yet cleaned up) then the pslist plugin won't show it. You could try psscan to see if that finds it. It may be the case that what you have found in the page file with a hex editor is not part of a process structure but some other part of memory.

I would suggest using the strings plugin to work out where that string fits into your memory sample, but I don't think it will actually work with a page file and a memory dump, I think the plugin will need a new parameter to handle that. I'll see if I can work out a sensible way to add that and see what the core devs make of it.

eve-mem commented 12 months ago

Re your question about offsets. Likely the easiest way is using volshell.

In volshell you can use the translate function on a layer and it will show you the address in the lower layers. So if you take a virtual offset and translate it down it will then show you the physical offset into the actual files - which will also show you which file it was being read from.

Is your goal to work out what process etc is using/caused this interesting bit of information you've seen in the pagefile with a hex editor?

Ruslan0Dev commented 11 months ago

@eve-mem As it turned out, this is not a process at all but an MFT record. Accordingly, I ran an MFT scan, but the offsets there are not valid. I tried everything I could (in volshell) and found a lot of things, but not what I need: converting the offset that Volatility 3 gives me into a file offset. Switching the layer to swap_layers0 does not help. The read function in the swap_layers0 layer reports that the offset goes beyond the end. Help) There are no code examples on the Internet, or I have not found them.

I used this import:

from volatility3.plugins.windows import mftscan

All my attempts are omitted so as not to mislead.

PS: All this time I tried on my own to find a solution so as not to waste your time, but the search was unsuccessful, the time spent was beyond reasonable limits :(

ikelos commented 11 months ago

Hi there, so the swap support should work, but is very likely under-tested. Windows stores swap in multiple different locations, and can have up to 15 different swap locations. Those files must therefore be provided in order to the --single-swap-locations parameter (which I believe accepts a list). Assuming there is only 1 file, then the page lookup will fail indicating it is stored in swap, and indicate which of the 15 swap "slots" is to be used, and the offset within that file. If you're just trying to directly address the virtual offset you want, that will fail. Volshell should still be able to stick everything together appropriately and I'd expect the mapping function to return the correct layer and the offset within that layer? You can see the code used to convert the page table entry into an offset within the file here.

I hope that provides a little more information that may help; I've updated the title to be a little more descriptive...

eve-mem commented 11 months ago

Just a thought: If it's a mft record that is in memory that you're looking at, the offsets in the mft record would be referring to the hard drive rather than memory?

Ruslan0Dev commented 11 months ago

@ikelos @eve-mem

My question is still relevant. Just in case, I will describe the essence again.

If I open pagefile.sys in the HEX editor, then by searching through the text I can find the content of the file I need. I know the names of the files that should contain the lines I'm looking for.

In the process of testing, it turned out that I see the list of files I need when using mftscan.

Next, I want to extract the files found through mftscan.

That is my goal.

I have memdump.mem; pagefile.sys; hiberfil.sys; swapfile.sys

I also installed volatility3 and volatility2 from source. I downloaded the Windows PDB files from the Volatility site.

My launch options:

python vol.py -f "memdump.mem" -o "dump" --single-swap-locations="pagefile.sys" --single-swap-locations="swapfile.sys" --single-swap-locations="hiberfil.sys" windows.mftscan | grep .my-extension

(I also tried with volshell.py but got the same information as with vol.py)

The code page above for offset conversion is good, but I don't know how to use it; please show an example or any other solution that will solve my problem: extracting specific files found via mftscan.

Thank you!

Best regards, Ruslan

ikelos commented 11 months ago

So the offset returned is a virtual offset in the primary layer (that was scanned). You should be able to run volshell with the same options: python volshell.py -f "memdump.mem" --single-swap-locations="pagefile.sys" --single-swap-locations="swapfile.sys" --single-swap-locations="hiberfil.sys" -w. Take any offsets from the mftscan tool, and then ask the primary layer context.layers[self.current_layer].read(<OFFSET>, <SIZE>). This should help you see if the data is the data you expect.

If you're after extracting files using mftscan, then you should file an enhancement request to add support for that in mftscan; it's pretty separate from anything to do with swap files. If volatility is giving you information back from a layer, then what's underneath the layer doesn't matter as much...

Ruslan0Dev commented 11 months ago

@ikelos

Yes, it works, but I am getting the content as metadata in the memory_layer. I came to the conclusion that it does not look in the pagefile at all.

https://github.com/volatilityfoundation/volatility3/blob/581c493f4fdb685053b408029dd56f18a3acda78/doc/source/vol-cli.rst?plain=1#L135-L137

Attempt 1

cls&python volshell.py -f "F:\_MEM_REC_PJ\D\memdump.mem" --single-swap-locations="F:\_MEM_REC_PJ\D\pagefile.sys" --single-swap-locations="F:\_MEM_REC_PJ\D\swapfile.sys" --single-swap-locations="F:\_MEM_REC_PJ\D\hiberfil.sys" -w

(layer_name) >>> for k,v in context.layers.items(): print(k, v)
...
memory_layer <volatility3.framework.layers.physical.FileLayer object at 0x000001A21A276650>
layer_name <volatility3.framework.layers.intel.WindowsIntel32e object at 0x000001A21A27C490>
swap_layers0 <volatility3.framework.layers.physical.FileLayer object at 0x000001A21A27C590>

(layer_name) >>> context.layers['swap_layers0'].location
'file:///F:/_MEM_REC_PJ/D/hiberfil.sys'

Attempt 2

cls&python volshell.py -f "F:\_MEM_REC_PJ\D\memdump.mem" --single-swap-locations="F:\_MEM_REC_PJ\D\pagefile.sys","F:\_MEM_REC_PJ\D\swapfile.sys","F:\_MEM_REC_PJ\D\hiberfil.sys" -w

(layer_name) >>> for k,v in context.layers.items(): print(k, v)
...
memory_layer <volatility3.framework.layers.physical.FileLayer object at 0x000001BAB85A6190>
layer_name <volatility3.framework.layers.intel.WindowsIntel32e object at 0x000001BAB8590210>

Attempt 3

cls&python volshell.py -f F:\_MEM_REC_PJ\D\memdump.mem --single-swap-locations=F:\_MEM_REC_PJ\D\pagefile.sys,F:\_MEM_REC_PJ\D\swapfile.sys,F:\_MEM_REC_PJ\D\hiberfil.sys -w

(layer_name) >>> for k,v in context.layers.items(): print(k, v)
...
memory_layer <volatility3.framework.layers.physical.FileLayer object at 0x000001C7E0C4FD10>
layer_name <volatility3.framework.layers.intel.WindowsIntel32e object at 0x000001C7E087A410>

Attempt 4

F:\_MEM_REC_PJ\D>cls&python volatility3\volshell.py -f memdump.mem --single-swap-locations=pagefile.sys,swapfile.sys,hiberfil.sys -w

Volshell (Volatility 3 Framework) 2.5.0
WARNING  volatility3.framework.automagic.windows: Volatility swap_location pagefile.sys,swapfile.sys,hiberfil.sys could not be validated - swap layer disabled
WARNING  volatility3.framework.automagic.windows: Volatility swap_location pagefile.sys,swapfile.sys,hiberfil.sys could not be validated - swap layer disabled
Progress:  100.00               PDB scanning finished
    Call help() to see available functions

    Volshell mode        : Windows
    Current Layer        : layer_name
    Current Symbol Table : symbol_table_name1
    Current Kernel Name  : kernel

(layer_name) >>> for k,v in context.layers.items(): print(k, v)
...
memory_layer <volatility3.framework.layers.physical.FileLayer object at 0x0000022D21BAFB50>
layer_name <volatility3.framework.layers.intel.WindowsIntel32e object at 0x0000022D21BD8410>

Attempt 5

F:\_MEM_REC_PJ\D>cls&python volatility3\volshell.py -f memdump.mem --single-swap-locations=pagefile.sys -w

Volshell (Volatility 3 Framework) 2.5.0
Progress:  100.00               PDB scanning finished
    Call help() to see available functions

    Volshell mode        : Windows
    Current Layer        : layer_name
    Current Symbol Table : symbol_table_name1
    Current Kernel Name  : kernel

Checking the layers

(layer_name) >>> for k,v in context.layers.items(): print(k, v)
...
memory_layer <volatility3.framework.layers.physical.FileLayer object at 0x000001CA6CCC5A10>
layer_name <volatility3.framework.layers.intel.WindowsIntel32e object at 0x000001CA6CAA9350>
swap_layers0 <volatility3.framework.layers.physical.FileLayer object at 0x000001CA6CEA0350>

(layer_name) >>> context.layers['swap_layers0'].location
'file:///F:/_MEM_REC_PJ/D/pagefile.sys'

preparing

(layer_name) >>> cl('swap_layers0')
(swap_layers0) >>> from volatility3.plugins.windows import mftscan
(swap_layers0) >>> import pdir

Listing available

(swap_layers0) >>> pdir()
property:
    __builtins__, context, k, self, symbols, v
class:
    pdir: Class that provides pretty dir and search API.
function:
    cc: Creates a configurable object, converting arguments to configuration
    change_kernel:
    change_layer: Changes the current default layer
    change_process: Change the current process and layer, based on a process ID
    change_symboltable: Changes the current_symbol_table
    ck:
    cl: Changes the current default layer
    cp: Change the current process and layer, based on a process ID
    create_configurable: Creates a configurable object, converting arguments to configuration
    cs: Changes the current_symbol_table
    db: Displays byte values and ASCII characters
    dd: Displays double-word values (4 bytes) and corresponding ASCII characters
    dis: Disassembles a number of instructions from the code at offset
    disassemble: Disassembles a number of instructions from the code at offset
    display_bytes: Displays byte values and ASCII characters
    display_doublewords: Displays double-word values (4 bytes) and corresponding ASCII characters
    display_plugin_output: Displays the output for a particular plugin (with keyword arguments)
    display_quadwords: Displays quad-word values (8 bytes) and corresponding ASCII characters
    display_symbols: Prints an alphabetical list of symbols for a symbol table
    display_type: Display Type describes the members of a particular object in alphabetical order
    display_words: Displays word values (2 bytes) and corresponding ASCII characters
    dpo: Displays the output for a particular plugin (with keyword arguments)
    dq: Displays quad-word values (8 bytes) and corresponding ASCII characters
    ds: Prints an alphabetical list of symbols for a symbol table
    dt: Display Type describes the members of a particular object in alphabetical order
    dw: Displays word values (2 bytes) and corresponding ASCII characters
    generate_treegrid: Generates a TreeGrid based on a specific plugin passing in kwarg configuration values
    gt: Generates a TreeGrid based on a specific plugin passing in kwarg configuration values
    help: Describes the available commands
    hh: Describes the available commands
    lf: Loads a file into a Filelayer and returns the name of the layer
    list_processes: Returns a list of EPROCESS objects from the primary layer
    load_file: Loads a file into a Filelayer and returns the name of the layer
    lp: Returns a list of EPROCESS objects from the primary layer
    ps: Returns a list of EPROCESS objects from the primary layer
    render_treegrid: Renders a treegrid as produced by generate_treegrid
    rs: Runs a python script within the context of volshell
    rt: Renders a treegrid as produced by generate_treegrid
    run_script: Runs a python script within the context of volshell
(swap_layers0) >>> pdir(context)
property:
    __slotnames__, _abc_impl, _config, _memory, _module_space, _symbol_space
special attribute:
    __class__, __dict__, __doc__, __module__, __weakref__
abstract class:
    __abstractmethods__, __subclasshook__
object customization:
    __format__, __hash__, __init__, __new__, __repr__, __sizeof__, __str__
rich comparison:
    __eq__, __ge__, __gt__, __le__, __lt__, __ne__
attribute access:
    __delattr__, __dir__, __getattribute__, __setattr__
class customization:
    __init_subclass__
pickle:
    __getstate__, __reduce__, __reduce_ex__
descriptor:
    config: @property with getter, setter, Returns a mutable copy of the configuration, but does not allow the
    layers: @property with getter, A LayerContainer object, allowing access to all data and translation
    modules: @property with getter, A container for modules loaded in this context
    symbol_space: @property with getter, The space of all symbols that can be accessed within this
function:
    add_layer: Adds a named translation layer to the context.
    add_module: Adds a named module to the context.
    clone: Produce a clone of the context (and configuration), allowing
    module: Constructs a new os-independent module.
    object: Object factory, takes a context, symbol, offset and optional

Listing context.layers['swap_layers0']

(swap_layers0) >>> pdir(context.layers['swap_layers0'])
property:
    _abc_impl, _accessor, _config_cache, _config_path, _context, _direct_metadata, _file_, _location, _lock, _maximum_address, _metadata, _name, _size, _write_warning
special attribute:
    __annotations__, __class__, __dict__, __doc__, __module__, __weakref__
abstract class:
    __abstractmethods__, __subclasshook__
context manager:
    __exit__
object customization:
    __format__, __hash__, __init__, __new__, __repr__, __sizeof__, __str__
rich comparison:
    __eq__, __ge__, __gt__, __le__, __lt__, __ne__
attribute access:
    __delattr__, __dir__, __getattribute__, __setattr__
class customization:
    __init_subclass__
pickle:
    __getstate__, __reduce__, __reduce_ex__
descriptor:
    _file: @property with getter, Property to prevent the initializer storing an unserializable open
    address_mask: @property with getter, Returns a mask which encapsulates all the active bits of an address
    config: @property with getter, The Hierarchical configuration Dictionary for this Configurable
    config_path: @property with getter, setter, The configuration path on which this configurable lives.
    context: @property with getter, The context object that this configurable belongs to/configuration
    dependencies: @property with getter, A list of other layer names required by this layer.
    get_requirements: class classmethod with getter
    location: @property with getter, Returns the location on which this Layer abstracts.
    make_subconfig: class classmethod with getter, Convenience function to allow constructing a new randomly generated
    maximum_address: @property with getter, Returns the largest available address in the space.
    metadata: @property with getter, Returns a ReadOnly copy of the metadata published by this layer.
    minimum_address: @property with getter, Returns the smallest available address in the space.
    name: @property with getter, Returns the layer name.
    unsatisfied: class classmethod with getter, Returns a list of the names of all unsatisfied requirements.
function:
    _coalesce_sections: Take a list of (start, length) sections and coalesce any adjacent
    _scan_chunk:
    _scan_iterator: Iterator that indicates which blocks in the layer are to be read by
    _scan_metric:
    build_configuration: Constructs a HierarchicalDictionary of all the options required to
    destroy: Closes the file handle.
    is_valid: Returns whether the offset is valid or not.
    read: Reads from the file at offset for length.
    scan: Scans a Translation layer by chunk.
    write: Writes to the file.

Listing context.layers['layer_name']

(swap_layers0) >>> pdir(context.layers['layer_name'])
property:
    _abc_impl, _base_layer, _bits_per_register, _canonical_prefix, _config_cache, _config_path, _context, _direct_metadata, _entry_format, _entry_number, _entry_size, _index_shift, _initial_entry, _initial_position, _maxphyaddr, _maxvirtaddr, _metadata, _name, _page_map_offset, _page_size_in_bits, _structure, _swap_layers
special attribute:
    __annotations__, __class__, __dict__, __doc__, __module__, __weakref__
abstract class:
    __abstractmethods__, __subclasshook__
object customization:
    __format__, __hash__, __init__, __new__, __repr__, __sizeof__, __str__
rich comparison:
    __eq__, __ge__, __gt__, __le__, __lt__, __ne__
attribute access:
    __delattr__, __dir__, __getattribute__, __setattr__
class customization:
    __init_subclass__
pickle:
    __getstate__, __reduce__, __reduce_ex__
descriptor:
    _get_valid_table: class _lru_cache_wrapper with getter, Extracts the table, validates it and returns it if it's valid.
    address_mask: @property with getter, Returns a mask which encapsulates all the active bits of an address
    bits_per_register: @property with getter, Class property decorator.
    config: @property with getter, The Hierarchical configuration Dictionary for this Configurable
    config_path: @property with getter, setter, The configuration path on which this configurable lives.
    context: @property with getter, The context object that this configurable belongs to/configuration
    dependencies: @property with getter, Returns a list of the lower layer names that this layer is dependent
    get_requirements: class classmethod with getter
    make_subconfig: class classmethod with getter, Convenience function to allow constructing a new randomly generated
    maximum_address: @property with getter, Class property decorator.
    metadata: @property with getter, Returns a ReadOnly copy of the metadata published by this layer.
    minimum_address: @property with getter, Class property decorator.
    name: @property with getter, Returns the layer name.
    page_size: @property with getter, Class property decorator.
    read: class _lru_cache_wrapper with getter, Reads an offset for length bytes and returns 'bytes' (not 'str') of
    structure: @property with getter, Class property decorator.
    unsatisfied: class classmethod with getter, Returns a list of the names of all unsatisfied requirements.
static method:
    _mask: Returns the bits of a value between highbit and lowbit inclusive.
    _page_is_valid: Returns whether a particular page is valid based on its entry.
function:
    _coalesce_sections: Take a list of (start, length) sections and coalesce any adjacent
    _decode_data: Decodes any necessary data.  Note, additional data may need to be read from the lower layer, such as lookup
    _encode_data: Encodes any necessary data.
    _mapping: Returns a sorted iterable of (offset, sublength, mapped_offset, mapped_length, layer)
    _scan_chunk:
    _scan_iterator: Iterator that indicates which blocks in the layer are to be read by
    _scan_metric:
    _translate: Translates a specific offset based on paging tables.
    _translate_entry: Translates a specific offset based on paging tables.
    _translate_swap:
    build_configuration: Constructs a HierarchicalDictionary of all the options required to
    canonicalize: Canonicalizes an address by performing an appropiate sign extension on the higher addresses
    decanonicalize: Removes canonicalization to ensure an adress fits within the correct range if it has been canonicalized
    destroy: Causes a DataLayer to close any open handles, etc.
    is_valid: Returns whether the address offset can be translated to a valid
    mapping: Returns a sorted iterable of (offset, sublength, mapped_offset, mapped_length, layer)
    scan: Scans a Translation layer by chunk.
    translate:
    write: Writes a value at offset, distributing the writing across any

It can be seen that layer_name has useful functions that are not in swap_layers0: mapping and translate.

I'm trying to create a TreeGrid of the swap_layers0 layer

(swap_layers0) >>> grid = gt(mftscan.MFTScan, primary = self.current_layer)
Unable to validate the plugin requirements: ['plugins.Volshell.KUGQTDCHRVEL75J8WO4PZFM0AB32X6SY.MFTScan.primary']

I'm trying to create a TreeGrid of the swap_layers0 layer, being on the layer_name layer

(swap_layers0) >>> cl('layer_name')
(layer_name) >>> grid = gt(mftscan.MFTScan, swap = context.layers['swap_layers0'])
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "volatility3\volatility3\cli\volshell\generic.py", line 421, in generate_treegrid
    self.config[path_join(plugin_config_suffix, plugin.__name__, name)] = value
    ~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "volatility3\volatility3\framework\interfaces\configuration.py", line 169, in __setitem__
    self._setitem(key, value)
  File "volatility3\volatility3\framework\interfaces\configuration.py", line 177, in _setitem
    subdict._setitem(self._key_tail(key), value, is_data)
  File "volatility3\volatility3\framework\interfaces\configuration.py", line 177, in _setitem
    subdict._setitem(self._key_tail(key), value, is_data)
  File "volatility3\volatility3\framework\interfaces\configuration.py", line 181, in _setitem
    self._data[key] = self._sanitize_value(value)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "volatility3\volatility3\framework\interfaces\configuration.py", line 216, in _sanitize_value
    raise TypeError(f"Invalid type stored in configuration: {type(value)}")
TypeError: Invalid type stored in configuration: <class 'volatility3.framework.layers.physical.FileLayer'>

I create a TreeGrid on the layer_name layer

(layer_name) >>> grid = gt(mftscan.MFTScan, primary = self.current_layer)

Listing grid

(layer_name) >>> pdir(grid)

property:
    _T, _abc_impl, _children, _columns, _generator, _populated, _row_count, base_types, path_sep
special attribute:
    __annotations__, __class__, __dict__, __doc__, __module__, __weakref__
abstract class:
    __abstractmethods__, __subclasshook__
object customization:
    __format__, __hash__, __init__, __new__, __repr__, __sizeof__, __str__
rich comparison:
    __eq__, __ge__, __gt__, __le__, __lt__, __ne__
attribute access:
    __delattr__, __dir__, __getattribute__, __setattr__
class customization:
    __init_subclass__
pickle:
    __getstate__, __reduce__, __reduce_ex__
descriptor:
    columns: @property with getter, Returns the available columns and their ordering and types.
    populated: @property with getter, Indicates that population has completed and the tree may now be
    row_count: @property with getter, Returns the number of rows populated.
static method:
    path_depth: Returns the path depth of a particular node.
    sanitize_name:
class:
    RowStructure: RowStructure(offset, recordtype, recordnumber, linkcount, mfttype, permissions, attributetype, created, modified, updated, accessed, filename)
function:
    _append: Adds a new node at the top level if parent is None, or under the
    _find_children: Returns the children list associated with a particular node.
    _insert: Inserts an element into the tree at a specific position.
    _visit: Visits all the nodes in a tree, calling function on each one.
    children: Returns the subnodes of a particular node in order.
    is_ancestor: Returns true if descendent is a child, grandchild, etc of node.
    max_depth: Returns the maximum depth of the tree.
    populate: Populates the tree by consuming the TreeGrid's construction
    values: Returns the values for a particular node.
    visit: Visits all the nodes in a tree, calling function on each one.

Preparing visitor for TreeGrid

(layer_name) >>> def visitor(node, _accumulator):
...     try:
...         if 'my-extension' in node.values[11].lower():
...             pass
...         else:
...             return None
...     except:
...         return None
...     print("*" * max(0, node.path_depth - 1), end = " ")
...     for column_index in range(len(grid.columns)):
...         if column_index in (7, 8, 9, 10):
...             continue
...         column = grid.columns[column_index]
...         print(repr(node.values[column_index]), end = '\t')
...     print('')
...     return None
...

Scan

(layer_name) >>> cl('swap_layers0')

(swap_layers0) >>> grid.populate(visitor, None)

* 202891552046368       'FILE'  705743  2       'Removed'       'Archive'       'FILE_NAME'     'example1.my-extenson'
...skip...
* 202892984777904       'FILE'  3040831 1       'File'  'Archive'       'FILE_NAME'     'example2.my-extenson'
.....skip.....

OK, if I read 0x969F4515 (offset from the hex editor)

context.layers['swap_layers0'].read(0x969F4515, 200)

I will see the same as in the hex editor.

translate

(swap_layers0) >>> context.layers['swap_layers0'].translate
Traceback (most recent call last):
  File "<console>", line 1, in <module>
AttributeError: 'FileLayer' object has no attribute 'translate'

(swap_layers0) >>> context.layers['layer_name'].translate
<bound method LinearlyMappedLayer.translate of <volatility3.framework.layers.intel.WindowsIntel32e object at 0x000001CA6CAA9350>>

(swap_layers0) >>> context.layers['layer_name'].translate(202892984777904, 200)
(7104507056, 'memory_layer')

Here you can see that swap_layers0 is never used

(swap_layers0) >>> list(context.layers['layer_name'].mapping(202892984777904,20000))
[(202892984777904, 848, 7104507056, 848, 'memory_layer'), (202892984778752, 4096, 16200904704, 4096, 'memory_layer'), (202892984782848, 4096, 9313861632, 4096, 'memory_layer'), (202892984786944, 4096, 7557500928, 4096, 'memory_layer'), (202892984791040, 4096, 6981795840, 4096, 'memory_layer'), (202892984795136, 2768, 16909717504, 2768, 'memory_layer')]

Another attempt

(swap_layers0) >>> gt(mftscan.MFTScan)
Unable to validate the plugin requirements: ['plugins.Volshell.65Y2M9LAH8RXJD4CVQNEZ73WTGBIFPSK.MFTScan.primary']

The conclusion is: I'm limited to memory_layer and the content is in pagefile.sys
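To make concrete what ikelos describes above (a page lookup that fails on a non-valid PTE, which then names one of the swap "slots" and an offset within that swap file) and what the translate/mapping calls in the volshell session return (an offset plus the name of the lower layer it lands in), here is a small self-contained model of that layered translation. This is an added illustration, not Volatility 3 code: the layer names memory_layer, swap_layers0 and layer_name and the (offset, sublength, mapped_offset, mapped_length, layer) tuple shape mirror the thread's volshell output, but the PTE bit layout, the exception names and the sample dump and pagefile contents are constructed assumptions (the real Windows software-PTE layout differs between Windows versions). It shows why a virtual range can be served partly from the dump and partly from a swap file, and what a lookup looks like when a referenced swap slot was never supplied on the command line.

```python
"""Toy model of a Volatility 3 style paged layer over a memory dump plus swap files.

Added example, not Volatility code. Layer names mirror the thread's volshell
output; the PTE layout and sample data are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

PAGE_SHIFT = 12
PAGE_SIZE = 1 << PAGE_SHIFT
PAGE_MASK = PAGE_SIZE - 1

# ASSUMED toy software-PTE layout (a model of the idea, not the exact Windows one):
#   bit 0       valid: 1 = resident, bits 12+ hold the physical frame number
#   bits 1-4    swap slot index, selecting swap_layers<N> (up to 16 slots)
#   bits 32-63  page number inside that swap file
VALID_BIT = 0x1
SLOT_SHIFT, SLOT_MASK = 1, 0xF
SWAP_PAGE_SHIFT = 32


def hardware_pte(frame: int) -> int:
    """Build a valid (resident) PTE pointing at physical frame `frame`."""
    return (frame << PAGE_SHIFT) | VALID_BIT


def software_pte(slot: int, page: int) -> int:
    """Build a paged-out PTE: page `page` of swap slot `slot`, valid bit clear."""
    return (page << SWAP_PAGE_SHIFT) | ((slot & SLOT_MASK) << SLOT_SHIFT)


class InvalidAddress(Exception):
    """No page table entry exists for the virtual page."""


class SwapLayerMissing(Exception):
    """The PTE points into a swap slot for which no swap file was supplied."""
    def __init__(self, slot: int, page: int) -> None:
        super().__init__(f"page lives in swap slot {slot}, page {page}, but that slot has no file")
        self.slot, self.page = slot, page


@dataclass
class FileLayer:
    """Flat byte-addressed layer backed by one file (the dump or one swap file)."""
    name: str
    location: str
    data: bytes

    def read(self, offset: int, length: int) -> bytes:
        if offset < 0 or offset + length > len(self.data):
            raise ValueError(f"{self.name}: offset {offset:#x} beyond end of {self.location}")
        return self.data[offset:offset + length]


@dataclass
class PagedLayer:
    """Virtual layer stacked on the dump plus an ordered list of swap layers."""
    name: str
    base: FileLayer
    swap_layers: List[FileLayer]
    page_table: Dict[int, int]  # virtual page number -> PTE

    def translate(self, offset: int) -> Tuple[int, str]:
        """Return (offset in the lower layer, lower layer name) for one virtual offset."""
        entry = self.page_table.get(offset >> PAGE_SHIFT)
        if entry is None:
            raise InvalidAddress(f"{offset:#x} is not mapped")
        if entry & VALID_BIT:  # resident: physical frame lives in the dump
            return ((entry >> PAGE_SHIFT) << PAGE_SHIFT) | (offset & PAGE_MASK), self.base.name
        slot = (entry >> SLOT_SHIFT) & SLOT_MASK  # paged out: which swap file, which page
        page = entry >> SWAP_PAGE_SHIFT
        if slot >= len(self.swap_layers):
            raise SwapLayerMissing(slot, page)
        return (page << PAGE_SHIFT) | (offset & PAGE_MASK), self.swap_layers[slot].name

    def mapping(self, offset: int, length: int) -> Iterator[Tuple[int, int, int, int, str]]:
        """Yield (offset, sublength, mapped_offset, mapped_length, layer) per page-bounded chunk."""
        while length > 0:
            chunk = min(length, PAGE_SIZE - (offset & PAGE_MASK))
            mapped, layer = self.translate(offset)
            yield (offset, chunk, mapped, chunk, layer)
            offset += chunk
            length -= chunk

    def read(self, offset: int, length: int) -> bytes:
        """Read a virtual range, pulling each chunk from whichever file actually holds it."""
        lower = {layer.name: layer for layer in [self.base, *self.swap_layers]}
        return b"".join(lower[name].read(m_off, m_len)
                        for _, _, m_off, m_len, name in self.mapping(offset, length))


def build_sample() -> PagedLayer:
    """Constructed sample: a 4-page dump, a 2-page pagefile and three PTEs."""
    memory = bytearray(b"M" * (4 * PAGE_SIZE))
    memory[3 * PAGE_SIZE - 16:3 * PAGE_SIZE] = b"end-of-frame-two"  # tail of frame 2
    pagefile = bytearray(b"S" * (2 * PAGE_SIZE))
    pagefile[PAGE_SIZE:PAGE_SIZE + 16] = b"paged-out-record"        # head of swap page 1
    page_table = {
        0x100: hardware_pte(2),     # virtual 0x100000 is resident in frame 2
        0x101: software_pte(0, 1),  # virtual 0x101000 was paged out to slot 0, page 1
        0x103: software_pte(2, 7),  # slot 2 referenced, but only one swap file is supplied
    }
    return PagedLayer("layer_name",
                      FileLayer("memory_layer", "file:///memdump.mem", bytes(memory)),
                      [FileLayer("swap_layers0", "file:///pagefile.sys", bytes(pagefile))],
                      page_table)


if __name__ == "__main__":
    layer = build_sample()
    print(layer.translate(0x100010))          # (0x2010, 'memory_layer')
    print(layer.translate(0x101000))          # (0x1000, 'swap_layers0')
    print(list(layer.mapping(0x100FF0, 32)))  # one chunk per backing file
    print(layer.read(0x100FF0, 32))           # b'end-of-frame-twopaged-out-record'
    try:
        layer.translate(0x103000)
    except SwapLayerMissing as err:
        print(err)
```

The point of the model is the split in translate: a valid entry resolves into the dump layer, a non-valid one names a slot and a page, so the returned offset is only meaningful inside that slot's swap file. Reading a range that straddles a resident page and a paged-out page therefore produces two mapping tuples with different layer names, which is what to look for in the real mapping() output when checking whether a swap layer is ever consulted.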

Ruslan0Dev commented 10 months ago

The problem is still relevant and not resolved

github-actions[bot] commented 3 months ago

This issue is stale because it has been open for 200 days with no activity.