VolMemLyzer (Volatility Memory Analyzer) is a feature extraction module which use Volatility plugins to extract memory features to generate a CSV file for each memory snapshot.
License: GNU General Public License v3.0
Thanks for preparing this python code for Feature extraction, however i am not able to get the output, my Commands are produced here:
─(inderjeet㉿kali)-[~/volatility3]
└─$ python VolatilityFeatureExtractor.py -o output2.csv </home/inderjeet/cridex.raw>
zsh: parse error near `\n'
Alos please tell how to use this python code for linux profile, it will be a greta help in my Mtech Reasearch project
Does this code work for windows 10 64 bits?
Hi,
I'm starting to use volatility and I'm facing some problem with windows.ldrmodules. I performed a fresh installation of Windows 10 on Virtual Box and got the memory dump from it with DumpIt and Magnet RAM Capture.
So, I installed volatility3 on a WSL Ubuntu 24.04 to analyze it. But when I execute the following command, I get an error.
python3 volatility3/vol.py -f dump4.raw -vvv windows.ldrmodules
INFO volatility3.cli: Volatility plugins path: ['/home/volatility3/volatility3/plugins', '/home/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/home/volatility3/volatility3/symbols', '/home/volatility3/volatility3/framework/symbols']
INFO volatility3.framework.automagic: Detected a windows category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1aa000
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1aa000
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name.memory_layer
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules
DEBUG volatility3.framework.automagic.stacker: physical_layer maximum_address: 4831838207
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf80346600000
DEBUG volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb/D9424FC4861E47C10FAD1B35DEC6DCC8-1
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PO_PROCESS_ENERGY_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EPROCESS_QUOTA_BLOCK
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PAGEFAULT_HISTORY
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_ACCESS_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_CPU_RATE_CONTROL
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NET_RATE_CONTROL
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NOTIFICATION_INFORMATION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PSP_STORAGE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ACTIVATION_CONTEXT_DATA
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ASSEMBLY_STORAGE_MAP
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EXP_LICENSE_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DBGKP_ERROR_PORT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_CI_NGEN_PATHS
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_WNF_SUBSCRIPTION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_EVENT_CALLBACK_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_SOFT_RESTART_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_STACK_CACHE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_PERFECT_HASH_FUNCTION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_TIMER
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_HAL_PMC_COUNTERS
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DEVICE_NODE_IOMMU_EXTENSION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_SCSI_REQUEST_BLOCK
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_AWEINFO
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_MI_ZERO_THREAD_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_MI_SLAB_ALLOCATOR_ENTRY
Volatility 3 Framework 2.7.1
Pid Process Base InLoad InInit InMem MappedPath
4 System 0x77740000 False False False \Windows\SysWOW64\ntdll.dll
4 System 0x7fffd4390000 False False False \Windows\System32\vertdll.dll
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ACTIVATION_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_LDRP_LOAD_CONTEXT
4 System 0x7fffd43d0000 False False False \Windows\System32\ntdll.dll
328 smss.exe 0x7fffd43d0000 True True True \Windows\System32\ntdll.dll
328 smss.exe 0x7ff744750000 True False True \Windows\System32\smss.exe
428 csrss.exe 0x254f9180000 False False False \Windows\System32\pt-BR\winsrv.dll.mui
428 csrss.exe 0x254f9170000 False False False \Windows\System32\pt-BR\csrss.exe.mui
428 csrss.exe 0x7ff6c24d0000 True False True \Windows\System32\csrss.exe
428 csrss.exe 0x7fffd1f50000 True True True \Windows\System32\KernelBase.dll
428 csrss.exe 0x7fffd1a90000 True True True \Windows\System32\csrsrv.dll
428 csrss.exe 0x7fffd1a50000 True True True \Windows\System32\winsrv.dll
428 csrss.exe 0x7fffd1a10000 True True True \Windows\System32\sxssrv.dll
428 csrss.exe 0x7fffd17e0000 True True True \Windows\System32\sxs.dll
428 csrss.exe 0x7fffd1a20000 True True True \Windows\System32\winsrvext.dll
428 csrss.exe 0x7fffd1a70000 True True True \Windows\System32\basesrv.dll
428 csrss.exe 0x7fffd1e00000 True True True \Windows\System32\ucrtbase.dll
428 csrss.exe 0x7fffd1b60000 True True True \Windows\System32\msvcp_win.dll
428 csrss.exe 0x7fffd1f00000 True True True \Windows\System32\cfgmgr32.dll
428 csrss.exe 0x7fffd3500000 True True True \Windows\System32\kernel32.dll
428 csrss.exe 0x7fffd27e0000 True True True \Windows\System32\gdi32.dll
428 csrss.exe 0x7fffd2280000 True True True \Windows\System32\gdi32full.dll
...
6896 SgrmBroker.exe 0x7fffd1b60000 False False False \Windows\System32\msvcp_win.dll
6896 SgrmBroker.exe 0x7fffd1910000 False False False \Windows\System32\sspicli.dll
6896 SgrmBroker.exe 0x7fffd18f0000 False False False \Windows\System32\umpdc.dll
6896 SgrmBroker.exe 0x7fffd1990000 False False False \Windows\System32\powrprof.dll
6896 SgrmBroker.exe 0x7fffd1e00000 False False False \Windows\System32\ucrtbase.dll
6896 SgrmBroker.exe 0x7fffd1c70000 False False False \Windows\System32\bcrypt.dll
6896 SgrmBroker.exe 0x7fffd3500000 False False False \Windows\System32\kernel32.dll
6896 SgrmBroker.exe 0x7fffd2ae0000 False False False \Windows\System32\msvcrt.dll
6896 SgrmBroker.exe 0x7fffd26b0000 False False False \Windows\System32\imagehlp.dll
6896 SgrmBroker.exe 0x7fffd23a0000 False False False \Windows\System32\bcryptprimitives.dll
6896 SgrmBroker.exe 0x7fffd2b90000 False False False \Windows\System32\rpcrt4.dll
6896 SgrmBroker.exe 0x7fffd43d0000 False False False \Windows\System32\ntdll.dll
6896 SgrmBroker.exe 0x7fffd3e00000 False False False \Windows\System32\sechost.dll
DEBUG volatility3.cli: Traceback (most recent call last):
File "/home/volatility3/volatility3/cli/init.py", line 469, in run
renderer.render(grid)
File "/home/volatility3/volatility3/cli/text_renderer.py", line 198, in render
grid.populate(visitor, outfd)
File "/home/volatility3/volatility3/framework/renderers/init.py", line 245, in populate
for level, item in self._generator:
File "/home/volatility3/volatility3/framework/plugins/windows/ldrmodules.py", line 72, in _generator
if dos_header.e_magic != 0x5A4D:
^^^^^^^^^^^^^^^^^^
File "/home/volatility3/volatility3/framework/objects/init.py", line 963, in getattr
member = template(context=self._context, object_info=object_info)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/volatility3/volatility3/framework/objects/templates.py", line 96, in call
return self.vol.object_class(
^^^^^^^^^^^^^^^^^^^^^^
File "/home/volatility3/volatility3/framework/objects/init.py", line 168, in new
value = cls._unmarshall(context, data_format, object_info)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/volatility3/volatility3/framework/objects/init.py", line 202, in _unmarshall
data = context.layers.read(
^^^^^^^^^^^^^^^^^^^^
File "/home/volatility3/volatility3/framework/interfaces/layers.py", line 638, in read
return self[layer].read(offset, length, pad)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/volatility3/volatility3/framework/layers/linear.py", line 45, in read
for offset, _, mapped_offset, mapped_length, layer in self.mapping(
File "/home/volatility3/volatility3/framework/layers/intel.py", line 295, in mapping
for offset, size, mapped_offset, mapped_size, map_layer in self._mapping(
File "/home/volatility3/volatility3/framework/layers/intel.py", line 351, in _mapping
chunk_offset, page_size, layer_name = self._translate(offset)
^^^^^^^^^^^^^^^^^^^^^^^
File "/home/volatility3/volatility3/framework/layers/intel.py", line 503, in _translate
return self._translate_swap(self, offset, self._bits_per_register // 2)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/volatility3/volatility3/framework/layers/intel.py", line 450, in _translate_swap
return super()._translate(offset)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/volatility3/volatility3/framework/layers/intel.py", line 155, in _translate
entry, position = self._translate_entry(offset)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/volatility3/volatility3/framework/layers/intel.py", line 221, in _translate_entry
table = self._get_valid_table(base_address)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/volatility3/volatility3/framework/layers/intel.py", line 256, in _get_valid_table
table = self._context.layers.read(
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/volatility3/volatility3/framework/interfaces/layers.py", line 638, in read
return self[layer].read(offset, length, pad)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/volatility3/volatility3/framework/layers/physical.py", line 161, in read
raise exceptions.InvalidAddressException(
volatility3.framework.exceptions.InvalidAddressException: Offset outside of the buffer boundaries
Volatility was unable to read a requested page:
0x1f05001a0000 in layer memory_layer (Offset outside of the buffer boundaries)
* The base memory file being incomplete (try re-acquiring if possible)
* Memory smear during acquisition (try re-acquiring if possible)
* An intentionally invalid page lookup (operating system protection)
* A bug in the plugin/volatility3 (re-run with -vvv and file a bug)
Some plugins(such as virtmap and symlinkscan) of my vol3-2.5.0 can't work. Can you provide your environment version information?
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.