
volatility3's People

Contributors

0xtejas, abyss-w4tcher, atcuno, cecio, cpuu, cstation, daddycocoaman, dgmcdona, digitalisx, doomedraven, eve-mem, f-block, fgomulka, gcmoreira, hsarkey, ikelos, imhlv2, iyassou, japhlange, jxwenger, k1nd0ne, kevthehermit, memoryforensics1, mtressler, paulkermann, rubublik, shutdownrepo, superponible, xabiugarte, xabrouck


volatility3's Issues

Vadinfo looks for a symbol not present in loaded symbol table

Hiya,

I'm not sure if this is just a one-off for this kernel, or something deeper, but the main error is Struct has no attribute: nt_symbols1!_MMVAD_FLAGS1.PrivateMemory and the kernel in use is ntkrpamp.pdb/9619274AA03341AFACF0F40A6DFACA90-1. This is from the win10-x86-1607-14393.lime image if that helps?

We might also want to get a unified/default bug message format to ensure we get all the necessary information in each bug...

Volatility Framework 3.0.0_alpha1
Level 7  root        : Cache directory used: /home/mike/.cache/volatility3
INFO     root        : Detected a windows category plugin
INFO     root        : Restricting automagics to: ['ConstructionMagic', 'LayerStacker', 'WinSwapLayers', 'NlpDtbfinder', 'WintelHelper', 'KernelPDBScanner']
INFO     volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility.framework.interfaces.configuration: IndexError - No configuration provided: plugins.VadInfo.primary
Level 9  volatility.framework.interfaces.configuration: TypeError - SymbolRequirement only accepts string labels: None
Level 9  volatility.framework.interfaces.configuration: IndexError - No configuration provided: plugins.VadInfo.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.VadInfo.primary
Level 9  volatility.framework.interfaces.configuration: IndexError - No configuration provided: plugins.VadInfo.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.VadInfo
Level 9  volatility.framework.interfaces.configuration: TypeError - SymbolRequirement only accepts string labels: None
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.VadInfo.nt_symbols
Level 9  volatility.framework.interfaces.configuration: TypeError - SymbolRequirement only accepts string labels: None
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.VadInfo
Level 9  volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - address requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - address requirements only accept int type: None
INFO     volatility.framework.automagic: Running automagic: LayerStacker
Level 9  volatility.framework.interfaces.configuration: IndexError - No configuration provided: plugins.VadInfo.primary
Level 9  volatility.framework.interfaces.configuration: TypeError - SymbolRequirement only accepts string labels: None
Level 7  volatility.framework.layers: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
DEBUG    volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
Progress:    0.00		Scanning FileLayer1 using PageMapScanner
DEBUG    volatility.framework.automagic.windows: DTB was found at: 0x1a8000
DEBUG    volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer1', 'LimeLayer1', 'FileLayer1']
Level 9  volatility.framework.interfaces.configuration: IndexError - No configuration provided: plugins.VadInfo.primary
Level 9  volatility.framework.interfaces.configuration: IndexError - No configuration provided: plugins.VadInfo.primary
Level 9  volatility.framework.interfaces.configuration: TypeError - SymbolRequirement only accepts string labels: None
Level 9  volatility.framework.interfaces.configuration: IndexError - No configuration provided: plugins.VadInfo.primary
Level 9  volatility.framework.interfaces.configuration: IndexError - No configuration provided: plugins.VadInfo.primary.memory_layer
Level 9  volatility.framework.interfaces.configuration: IndexError - No configuration provided: plugins.VadInfo.primary.memory_layer.base_layer
Level 7  volatility.framework.layers: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - linux_banner requirements only accept str type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - linux_banner requirements only accept str type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - SymbolRequirement only accepts string labels: None
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.VadInfo.nt_symbols
Level 9  volatility.framework.interfaces.configuration: TypeError - SymbolRequirement only accepts string labels: None
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.VadInfo
Level 9  volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - address requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - address requirements only accept int type: None
INFO     volatility.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility.framework.automagic: Running automagic: NlpDtbfinder
INFO     volatility.framework.automagic: Running automagic: WintelHelper
INFO     volatility.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility.framework.interfaces.configuration: TypeError - SymbolRequirement only accepts string labels: None
Level 9  volatility.framework.interfaces.configuration: TypeError - SymbolRequirement only accepts string labels: None
Level 9  volatility.framework.interfaces.configuration: TypeError - SymbolRequirement only accepts string labels: None
DEBUG    volatility.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0x8204f000
DEBUG    volatility.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0x8261b000
DEBUG    volatility.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0x86b1a000
DEBUG    volatility.framework.automagic.pdbscan: Kernel base randomized, searching layer for base address offset
Progress:   94.21		Scanning primary2 using PdbSignatureScanner
DEBUG    volatility.framework.automagic.pdbscan: Using symbol library: ntkrpamp.pdb/9619274AA03341AFACF0F40A6DFACA90-1
Level 7  volatility.framework.layers: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
INFO     volatility.framework.layers: Caching file at: /home/mike/.cache/volatility3/data_f85dd5f219d0840d156aeef1efda091743b2d03881573e2eea14fa9572772f54efad5ddb45881fde4781669e0c1337a369d599321c293116478199ab0a96d1b5
DEBUG    volatility.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0x80e1b000



	PID	Process	Offset	Start VPN	End VPN	Tag	Protection	CommitCharge	PrivateMemory	Parent	File
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_EPROCESS_QUOTA_BLOCK
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_PAGEFAULT_HISTORY
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_JOB_ACCESS_STATE
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_JOB_CPU_RATE_CONTROL
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_JOB_NET_RATE_CONTROL
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_JOB_NOTIFICATION_INFORMATION
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_PSP_STORAGE
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_ACTIVATION_CONTEXT_DATA
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_FLS_CALLBACK_INFO
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_ASSEMBLY_STORAGE_MAP
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_WNF_SCOPE_MAP
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_ETW_SOFT_RESTART_CONTEXT
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_ETW_STACK_CACHE
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_ETW_PERFECT_HASH_FUNCTION
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_HAL_PMC_COUNTERS
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_SCSI_REQUEST_BLOCK
Traceback (most recent call last):
  File "vol.py", line 6, in <module>
    volatility.cli.main()
  File "/home/mike/workspace/volatility3/volatility/cli/__init__.py", line 315, in main
    CommandLine().run()
  File "/home/mike/workspace/volatility3/volatility/cli/__init__.py", line 211, in run
    text.QuickTextRenderer().render(constructed.run())
  File "/home/mike/workspace/volatility3/volatility/framework/renderers/text.py", line 73, in render
    grid.populate(visitor, outfd)
  File "/home/mike/workspace/volatility3/volatility/framework/renderers/__init__.py", line 184, in populate
    for (level, item) in self._generator:
  File "/home/mike/workspace/volatility3/volatility/plugins/windows/vadinfo.py", line 88, in _generator
    vad.get_private_memory(),
  File "/home/mike/workspace/volatility3/volatility/framework/symbols/windows/extensions/__init__.py", line 203, in get_private_memory
    return self.Core.u1.VadFlags1.PrivateMemory
  File "/home/mike/workspace/volatility3/volatility/framework/objects/__init__.py", line 607, in __getattr__
    raise AttributeError("Struct has no attribute: {}.{}".format(self.vol.type_name, attr))
AttributeError: Struct has no attribute: nt_symbols1!_MMVAD_FLAGS1.PrivateMemory

Bodyfile format for timeliner plugin

We discussed this earlier, just wanted to make sure we don't forget. I think the best way was to drop an output file with the bodyfile format.
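The bodyfile output discussed in this issue, as an added example that is not volatility3's own code: a small writer that formats timeline rows as Sleuth Kit bodyfile lines, zeroes the fields a memory timeliner cannot fill, and strips the '|' delimiter from entry names. The row field names (plugin, description, created, modified, accessed, changed) and the sample rows are assumptions constructed for the example.

```python
# Added example (not volatility3 code): emit timeline rows in Sleuth Kit
# bodyfile format so they can be fed to mactime or another timeline tool.
#
# Bodyfile 3.x line layout, one entry per line:
#   MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# Times are Unix epoch seconds and 0 means "not set". A memory timeliner has
# no MD5, inode, mode, UID, GID or size for its artefacts, so those stay 0.
# The row field names (plugin, description, created, modified, accessed,
# changed) and the sample rows below are assumptions made for this example.
from datetime import datetime, timezone
from typing import Iterable, List, Optional


def _epoch(ts: Optional[datetime]) -> int:
    """Return epoch seconds for ts; None (and pre-1970 values) become 0 = not set."""
    if ts is None:
        return 0
    if ts.tzinfo is None:  # treat naive timestamps as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    secs = int(ts.timestamp())
    return secs if secs > 0 else 0


def _safe_name(text: str) -> str:
    """'|' delimits fields and newlines delimit entries, so neither may appear in a name."""
    return text.replace("|", "_").replace("\r", " ").replace("\n", " ")


def bodyfile_line(plugin: str, description: str,
                  created: Optional[datetime] = None, modified: Optional[datetime] = None,
                  accessed: Optional[datetime] = None, changed: Optional[datetime] = None) -> str:
    """Format one timeline entry as a single bodyfile line."""
    name = _safe_name(f"[{plugin}] {description}")
    return "|".join([
        "0",                      # MD5: not available for in-memory artefacts
        name,
        "0", "0", "0", "0", "0",  # inode, mode, UID, GID, size: not applicable
        str(_epoch(accessed)),    # atime
        str(_epoch(modified)),    # mtime
        str(_epoch(changed)),     # ctime
        str(_epoch(created)),     # crtime
    ])


def bodyfile_lines(rows: Iterable[dict]) -> List[str]:
    """Format every row; rows with no timestamp at all are skipped, as mactime cannot place them."""
    out = []
    for row in rows:
        if not any(row.get(k) for k in ("created", "modified", "accessed", "changed")):
            continue
        out.append(bodyfile_line(**row))
    return out


def write_bodyfile(rows: Iterable[dict], path: str) -> int:
    """Write rows to path as a bodyfile and return the number of entries written."""
    lines = bodyfile_lines(rows)
    with open(path, "w", encoding="utf-8", newline="\n") as fh:
        for line in lines:
            fh.write(line + "\n")
    return len(lines)


# Constructed sample rows standing in for what a timeliner would yield.
SAMPLE_ROWS = [
    {"plugin": "PsList", "description": "Process: cmd.exe (1234)",
     "created": datetime(2019, 11, 13, 16, 52, 7, tzinfo=timezone.utc)},
    {"plugin": "Registry", "description": r"Key: Software\Run | odd|name",
     "modified": datetime(2000, 1, 1, tzinfo=timezone.utc)},
    {"plugin": "Info", "description": "No timestamp, will be skipped"},
]

if __name__ == "__main__":
    for line in bodyfile_lines(SAMPLE_ROWS):
        print(line)
```

Each memory artefact usually carries a single meaningful time, so the writer places it in whichever of the four slots the row names and leaves the rest at 0; mactime then reports one event per set slot rather than four identical ones.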

How to help?

Heyo!

I saw the tweet from volatility foundation asking for volunteers? How do I pick what to work on? Or can I just pick?

I like coding and could try to port the missing modules and then do a PR? Please let me know and advise.

yarascan.Yarascan ignores the ALL parameter

Hiya,

Just a note for us that the --all parameter is currently ignored in the os-agnostic yarascan plugin. We'll need to consider how to reconcile the "process layer scanning" across different OS versions. At the moment we need to list and add process layers, but mac already has different methods for carrying out those tasks from linux and windows. So the options are:

  • Don't do process memory for the generic yarascan
  • Mandate an interface for operating systems and pslist plugin, which then elevates the pslist plugins
  • Hardcode specific options for each of the (currently three) supported operating systems

I think, oddly, I'm leaning towards the third option (because we already have the tools we need to do it), but it definitely requires discussion. I've added @npetroni for his design opinion...

Unsatisfied requirement plugins.Info.nt_symbols: Windows kernel symbols

C:\volatility3-master>python vol.py -f test.raw windows.info
Volatility 3 Framework 1.0.0-beta.1
Progress: 99.99 Scanning memory_layer using PdbSignatureScanner
Unsatisfied requirement plugins.Info.nt_symbols: Windows kernel symbols

A symbol table requirement was not fulfilled. Please verify that:
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.nt_symbols']


I have downloaded the windows symbols folder and, as instructed, placed it in the symbols folder (both zipped and unzipped). The image was taken using:
winpmem -f raw -o test.raw

Dwarf2json does not include necessary banner information

I was trying to analyze a mac memory sample using the following command:

$ python vol.py -vvvvvv -f <path-to-macos-10-11-6-15G1217>/data.lime mac.pslist.PsList

The debug output stopped at:

Level 6  volatility.framework.automagic.stacker: Attempting to stack using MacintelStacker

At that point, the processing was pegging 4 cores and no noticeable progress was being made. I noticed that the 4 python processes related to vol were also using ~20G of memory.

I killed that command and reran it. In about 20 sec each of the 4 python processes related to vol was using > 4G of memory and growing.

Support ELF file format images

First of all, many thanks for this release, I have been waiting for it for a long time :)

I'll try to be as precise as possible:

  • The version of Volatility you're using: v1.0.0-beta.1-10-g27a291cf
  • The operating system used to run Volatility: Ubuntu 19.04
  • The version of Python used to run Volatility: python3/disco,now 3.7.3-1 amd64
  • The suspected operating system of the memory sample:

Windows 7 SP1 x64 which can be analyzed with volatility2 profile called Win7SP1x64

  • The complete command line you used to run Volatility:
> $ volatility3 -s volatility3-symbols -f win7sp1x64.dmp windows.statistics.Statistics
Volatility 3 Framework 1.0.0-beta.1
Progress:    0.00		Scanning FileLayer using PageMapScanner
Unsatisfied requirement plugins.Statistics.primary: Memory layer for the kernel

A translation layer requirement was not fulfilled.  Please verify that:
	A file was provided to create this layer (by -f, --single-location or by config)
	The file exists and is readable
	The necessary symbols are present and identified by volatility
Unable to validate the plugin requirements: ['plugins.Statistics.primary']

When I run it with -vvv I observe a debug message saying:

DEBUG    volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic

I took a quick look at the code and it seems to mean that automagic does not match anything when scanning for the DTB, because I don't see a debug message saying:

DEBUG    volatility.framework.automagic.windows: DTB was found at: 0x......

Have you tested volatility3 on a Windows 7 dump? Do you need me to perform more tests?

Add a clearer message for missing memory sample

It isn't completely obvious that the issue is simply that the memory sample file is not found; maybe we could add a more descriptive message?

$ python3 vol.py -c config.json windows.pslist.PsList
Volatility Framework 3.0.0_alpha1
WARNING  volatility.framework.plugins: Automagic exception occured: ValueError: Unable to run LayerStacker, single_location parameter not provided
Unable to validate the plugin requirements: ['plugins.PsList.primary']

Expose procdump and vaddump functions

Hello, would it be possible to expose vaddump, procdump and similar functions so they could be used in different plugins?

Maybe you pass an offset or PID and you get the VAD/process memory.

Thanks in advance.

setup.py doesn't install data files

When trying to manually create a symbol table from a PDB using the --file option, Volatility complains it can't find the file. It seems like it's trying to open an empty string, so the passed-in option seems to get lost along the way.

root@t1:/shared/volatility3# python3 /shared/volatility3/volatility/framework/symbols/windows/pdbconv.py -o /tmp --file /shared/windows10/ntkrnlmp.pdb 
  File "/shared/volatility3/volatility/framework/symbols/windows/pdbconv.py", line 988, in <module>
    convertor = PdbReader(ctx, location, progress_callback = pg_cb)
  File "/shared/volatility3/volatility/framework/symbols/windows/pdbconv.py", line 263, in __init__
    self._layer_name, self._context = self.load_pdb_layer(context, location)
  File "/shared/volatility3/volatility/framework/symbols/windows/pdbconv.py", line 309, in load_pdb_layer
    msf_layer = msf.PdbMultiStreamFormat(new_context, msf_config_path, msf_layer_name)
  File "/usr/local/lib/python3.7/dist-packages/volatility-1.0.0b1-py3.7.egg/volatility/framework/layers/msf.py", line 28, in __init__
    self._pdb_symbol_table = intermed.IntermediateSymbolTable.create(context, self._config_path, 'windows', 'pdb')
  File "/usr/local/lib/python3.7/dist-packages/volatility-1.0.0b1-py3.7.egg/volatility/framework/symbols/intermed.py", line 228, in create
    raise ValueError("No symbol files found at provided filename: {}", filename)
ValueError: ('No symbol files found at provided filename: {}', 'pdb')

TypeError raised by windows.pslist on elf64 memory dump

First of all, do not hesitate to rename this issue. It's always hard to find something precise enough without being too long.

The windows.pslist plugin raises a TypeError when analyzing a memory dump in elf64 format. This issue might be related to #97.

INFO     volatility.framework.automagic: Detected a windows category plugin
INFO     volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.nt_symbols
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 9  volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
INFO     volatility.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility.framework.automagic: Running automagic: LayerStacker
DEBUG    volatility.framework: Importing module: volatility.framework.layers.lime
DEBUG    volatility.framework: Importing module: volatility.framework.layers.linear
DEBUG    volatility.framework: Importing module: volatility.framework.layers.resources
DEBUG    volatility.framework: Importing module: volatility.framework.layers.crash
DEBUG    volatility.framework: Importing module: volatility.framework.layers.registry
DEBUG    volatility.framework: Importing module: volatility.framework.layers.elf
DEBUG    volatility.framework: Importing module: volatility.framework.layers.intel
DEBUG    volatility.framework: Importing module: volatility.framework.layers.msf
DEBUG    volatility.framework: Importing module: volatility.framework.layers.segmented
DEBUG    volatility.framework: Importing module: volatility.framework.layers.vmware
DEBUG    volatility.framework: Importing module: volatility.framework.layers.physical
DEBUG    volatility.framework: Importing module: volatility.framework.layers.scanners.multiregexp
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
DEBUG    volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
INFO     volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility.schemas: All validations will report success, even with malformed input
DEBUG    volatility.framework.automagic.windows: DTB was found at: 0x187000
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary.memory_layer
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary.memory_layer.base_layer
INFO     volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility.schemas: All validations will report success, even with malformed input
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.nt_symbols
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 9  volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - pid requirements only accept int type: None
DEBUG    volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'Elf64Layer', 'FileLayer']
INFO     volatility.framework.automagic: Running automagic: WintelHelper
INFO     volatility.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
DEBUG    volatility.framework.automagic.pdbscan: Kernel base determination - using KDBG structure for kernel offset
INFO     volatility.framework.symbols.windows.pdbconv: Download PDB file...
DEBUG    volatility.framework.symbols.windows.pdbconv: Attempting to retrieve http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/4EC39E6D760F4A26A5192B89B2E0158E1/ntkrnlmp.pd_
DEBUG    volatility.framework.symbols.windows.pdbconv: Failed with HTTP Error 404: Not Found
DEBUG    volatility.framework.symbols.windows.pdbconv: Attempting to retrieve http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/4EC39E6D760F4A26A5192B89B2E0158E1/ntkrnlmp.pdb
DEBUG    volatility.framework.symbols.windows.pdbconv: Successfully written to /tmp/tmp10bx0m1k.pdb/4EC39E6D760F4A26A5192B89B2E0158E1/
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None2E0158E1/ntkrnlmp.pdb
WARNING  volatility.framework.plugins: Automagic exception occured: TypeError: __new__() missing 4 required positional arguments: 'type_name', 'object_info', 'base_type', and 'choices'
Level 9  volatility.framework.plugins: Traceback (most recent call last):
  File "/home/user/volatility3/volatility/framework/automagic/__init__.py", line 129, in run
    automagic(context, config_path, requirement, progress_callback)
  File "/home/user/volatility3/volatility/framework/automagic/pdbscan.py", line 479, in __call__
    self.recurse_symbol_fulfiller(context, valid_kernels, progress_callback)
  File "/home/user/volatility3/volatility/framework/automagic/pdbscan.py", line 209, in recurse_symbol_fulfiller
    self.download_pdb_isf(kernel['GUID'], kernel['age'], kernel['pdb_name'], progress_callback)
  File "/home/user/volatility3/volatility/framework/automagic/pdbscan.py", line 253, in download_pdb_isf
    json_output = pdbconv.PdbReader(self.context, location, progress_callback).get_json()
  File "/home/user/volatility3/volatility/framework/symbols/windows/pdbconv.py", line 263, in __init__
    self._layer_name, self._context = self.load_pdb_layer(context, location)
  File "/home/user/volatility3/volatility/framework/symbols/windows/pdbconv.py", line 299, in load_pdb_layer
    new_context = context.clone()
  File "/home/user/volatility3/volatility/framework/interfaces/context.py", line 94, in clone
    return copy.deepcopy(self)
  File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
    y = _reconstruct(x, memo, *rv)
  File "/usr/lib/python3.7/copy.py", line 280, in _reconstruct
    state = deepcopy(state, memo)
  File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
    y = copier(x, memo)
  File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
    y[deepcopy(key, memo)] = deepcopy(value, memo)
  File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
    y = _reconstruct(x, memo, *rv)
  File "/usr/lib/python3.7/copy.py", line 280, in _reconstruct
    state = deepcopy(state, memo)
  File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
    y = copier(x, memo)
  File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
    y[deepcopy(key, memo)] = deepcopy(value, memo)
  File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
    y = copier(x, memo)
  File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
    y[deepcopy(key, memo)] = deepcopy(value, memo)
  File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
    y = _reconstruct(x, memo, *rv)
  File "/usr/lib/python3.7/copy.py", line 280, in _reconstruct
    state = deepcopy(state, memo)
  File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
    y = copier(x, memo)
  File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
    y[deepcopy(key, memo)] = deepcopy(value, memo)
  File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
    y = copier(x, memo)
  File "/usr/lib/python3.7/copy.py", line 215, in _deepcopy_list
    append(deepcopy(a, memo))
  File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
    y = copier(x, memo)
  File "/usr/lib/python3.7/copy.py", line 220, in _deepcopy_tuple
    y = [deepcopy(a, memo) for a in x]
  File "/usr/lib/python3.7/copy.py", line 220, in <listcomp>
    y = [deepcopy(a, memo) for a in x]
  File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
    y = _reconstruct(x, memo, *rv)
  File "/usr/lib/python3.7/copy.py", line 274, in _reconstruct
    y = func(*args)
  File "/usr/lib/python3.7/copy.py", line 273, in <genexpr>
    args = (deepcopy(arg, memo) for arg in args)
  File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
    y = copier(x, memo)
  File "/usr/lib/python3.7/copy.py", line 220, in _deepcopy_tuple
    y = [deepcopy(a, memo) for a in x]
  File "/usr/lib/python3.7/copy.py", line 220, in <listcomp>
    y = [deepcopy(a, memo) for a in x]
  File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
    y = _reconstruct(x, memo, *rv)
  File "/usr/lib/python3.7/copy.py", line 280, in _reconstruct
    state = deepcopy(state, memo)
  File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
    y = copier(x, memo)
  File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
    y[deepcopy(key, memo)] = deepcopy(value, memo)
  File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
    y = copier(x, memo)
  File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
    y[deepcopy(key, memo)] = deepcopy(value, memo)
  File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
    y = _reconstruct(x, memo, *rv)
  File "/usr/lib/python3.7/copy.py", line 280, in _reconstruct
    state = deepcopy(state, memo)
  File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
    y = copier(x, memo)
  File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
    y[deepcopy(key, memo)] = deepcopy(value, memo)
  File "/usr/lib/python3.7/copy.py", line 150, in deepcopy
    y = copier(x, memo)
  File "/usr/lib/python3.7/copy.py", line 240, in _deepcopy_dict
    y[deepcopy(key, memo)] = deepcopy(value, memo)
  File "/usr/lib/python3.7/copy.py", line 180, in deepcopy
    y = _reconstruct(x, memo, *rv)
  File "/usr/lib/python3.7/copy.py", line 274, in _reconstruct
    y = func(*args)
  File "/usr/lib/python3.7/copyreg.py", line 88, in __newobj__
    return cls.__new__(cls, *args)
TypeError: __new__() missing 4 required positional arguments: 'type_name', 'object_info', 'base_type', and 'choices'

Unsatisfied requirement plugins.PsList.nt_symbols: Windows kernel symbols

A symbol table requirement was not fulfilled.  Please verify that:
  You have the correct symbol file for the requirement
  The symbol file is under the correct directory or zip file
  The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsList.nt_symbols']

SwapExceptions may actually be compressed memory pages

Getting the below error when running the windows.malfind.Malfind plugin on an image with the following info:

Kernel Base	0xf8054ccbd000
DTB	0x1ad000
Symbols	file:///Users/user/Downloads/volatility3/volatility/symbols/windows/ntkrnlmp.pdb/E0093F3AEF15D58168B753C9488A4043-1.json.xz
primary	0 WindowsIntel32e
memory_layer	1 FileLayer
KdVersionBlock	0xf8054d0e73c8
Major/Minor	15.18362
MachineType	34404
KeNumberProcessors	2
SystemTime	2019-11-13 16:52:07
NtSystemRoot	C:\Windows
NtProductType	NtProductWinNt
NtMajorVersion	10
NtMinorVersion	0
PE MajorOperatingSystemVersion	10
PE MinorOperatingSystemVersion	0
PE Machine	34404
PE TimeDateStamp	Mon Apr 14 21:36:50 2104
user-mbp:volatility3 user$ python3 vol.py -v -f ~/Desktop/Memory\ Images/VAE_CRT_RX.vmem windows.malfind.Malfind
Volatility 3 Framework 1.0.0-beta.1
INFO     root        : Volatility plugins path: ['/Users/user/Downloads/volatility3/volatility/plugins', '/Users/user/Downloads/volatility3/volatility/framework/plugins']
INFO     root        : Volatility symbols path: ['/Users/user/Downloads/volatility3/volatility/symbols', '/Users/user/Downloads/volatility3/volatility/framework/symbols']
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
INFO     volatility.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available
INFO     root        : The following plugins could not be loaded (use -vv to see why): volatility.plugins.windows.callbacks, volatility.plugins.windows.svcscan, volatility.plugins.windows.vadyarascan, volatility.plugins.windows.verinfo, volatility.plugins.yarascan
INFO     volatility.framework.automagic: Detected a windows category plugin
INFO     volatility.framework.automagic: Running automagic: ConstructionMagic
INFO     volatility.framework.automagic: Running automagic: LayerStacker
INFO     volatility.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility.framework.automagic: Running automagic: WintelHelper
INFO     volatility.framework.automagic: Running automagic: KernelPDBScanner
INFO     volatility.schemas: Dependency for validation unavailable: jsonschema

PID	Process	Start VPN	End VPN	Tag	Protection	CommitCharge	PrivateMemory	Hexdump	Disasm
Traceback (most recent call last):
  File "vol.py", line 10, in <module>
    volatility.cli.main()
  File "/Users/user/Downloads/volatility3/volatility/cli/__init__.py", line 442, in main
    CommandLine().run()
  File "/Users/user/Downloads/volatility3/volatility/cli/__init__.py", line 269, in run
    renderers[args.renderer]().render(constructed.run())
  File "/Users/user/Downloads/volatility3/volatility/cli/text_renderer.py", line 160, in render
    grid.populate(visitor, outfd)
  File "/Users/user/Downloads/volatility3/volatility/framework/renderers/__init__.py", line 196, in populate
    for (level, item) in self._generator:
  File "/Users/user/Downloads/volatility3/volatility/framework/plugins/windows/malfind.py", line 115, in _generator
    for vad, data in self.list_injections(self.context, self.config["nt_symbols"], proc):
  File "/Users/user/Downloads/volatility3/volatility/framework/plugins/windows/malfind.py", line 92, in list_injections
    vadinfo.VadInfo.protect_values(context, proc_layer_name, symbol_table), vadinfo.winnt_protections)
  File "/Users/user/Downloads/volatility3/volatility/framework/symbols/windows/extensions/__init__.py", line 410, in get_protection
    protect = self.u.VadFlags.Protection
  File "/Users/user/Downloads/volatility3/volatility/framework/objects/__init__.py", line 689, in __getattr__
    raise AttributeError("{} has no attribute: {}.{}".format(agg_name, self.vol.type_name, attr))
AttributeError: StructType has no attribute: nt_symbols1!<anonymous-tag>.VadFlags

Redline Memory Image Support

Hello,

I created a memory image using Redline (Memoryze) and it created a .dat file for memory acquisition. I was wondering if there's any way to analyze that memory dump using Volatility?

Appreciate your help.

Thanks

InvalidAddressException raised by windows.statistics on elf64 memory dump

First of all, do not hesitate to rename this issue. It's always hard to find something precise enough without being too long.

windows.statistics plugin is raising InvalidAddressException when analyzing a memory dump (elf64 format). This issue might be related to #97.

INFO     volatility.framework.automagic: Detected a windows category plugin
INFO     volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Statistics.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Statistics
INFO     volatility.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility.framework.automagic: Running automagic: LayerStacker
DEBUG    volatility.framework: Importing module: volatility.framework.layers.lime
DEBUG    volatility.framework: Importing module: volatility.framework.layers.linear
DEBUG    volatility.framework: Importing module: volatility.framework.layers.resources
DEBUG    volatility.framework: Importing module: volatility.framework.layers.crash
DEBUG    volatility.framework: Importing module: volatility.framework.layers.registry
DEBUG    volatility.framework: Importing module: volatility.framework.layers.elf
DEBUG    volatility.framework: Importing module: volatility.framework.layers.intel
DEBUG    volatility.framework: Importing module: volatility.framework.layers.msf
DEBUG    volatility.framework: Importing module: volatility.framework.layers.segmented
DEBUG    volatility.framework: Importing module: volatility.framework.layers.vmware
DEBUG    volatility.framework: Importing module: volatility.framework.layers.physical
DEBUG    volatility.framework: Importing module: volatility.framework.layers.scanners.multiregexp
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
DEBUG    volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
INFO     volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility.schemas: All validations will report success, even with malformed input
DEBUG    volatility.framework.automagic.windows: DTB was found at: 0x187000
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary.memory_layer
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary.memory_layer.base_layer
INFO     volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility.schemas: All validations will report success, even with malformed input
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DEBUG    volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'Elf64Layer', 'FileLayer']
INFO     volatility.framework.automagic: Running automagic: WintelHelper
INFO     volatility.framework.automagic: Running automagic: KernelPDBScanner

Valid pages (all)	Valid pages (large)	Swapped Pages (all)	Swapped Pages (large)	Invalid Pages (all)	Invalid Pages (large)
Traceback (most recent call last):
  File "/home/user/vol3", line 11, in <module>
    load_entry_point('volatility', 'console_scripts', 'vol')()
  File "/home/user/volatility3/volatility/cli/__init__.py", line 442, in main
    CommandLine().run()
  File "/home/user/volatility3/volatility/cli/__init__.py", line 269, in run
    renderers[args.renderer]().render(constructed.run())
  File "/home/user/volatility3/volatility/cli/text_renderer.py", line 159, in render
    grid.populate(visitor, outfd)
  File "/home/user/volatility3/volatility/framework/renderers/__init__.py", line 196, in populate
    for (level, item) in self._generator:
  File "/home/user/volatility3/volatility/plugins/windows/statistics.py", line 33, in _generator
    _, _, page_size, layer_name = list(layer.mapping(page_addr, 0x2000))[0]
  File "/home/user/volatility3/volatility/framework/layers/intel.py", line 198, in mapping
    raise exceptions.InvalidAddressException(layer_name = layer_name, invalid_address = chunk_offset)
volatility.framework.exceptions.InvalidAddressException

vad get_protection method may throw an InvalidAddressException

The get_protection method can throw InvalidAddressException as part of the array lookup, so we need to decide whether we catch the exception or require calling plugins (such as malfind) to catch it? I'm slightly nervous about taking control out of the calling plugin's hands, because I don't think ignoring it (treating the value as 0) properly indicates what's happened. With something like malfind we may want to ignore it (and log that we ignored it), but I don't know if that will always be the case...
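The two policies weighed in this issue, shown side by side as an added illustration that is not volatility3's own code: the lookup helper lets the address error propagate, and a malfind-style consumer decides whether to skip the VAD, logging that it did so rather than silently reporting protection 0. FakeLayer, the InvalidAddressException shape, the bit layout used to decode the protection index, and the sample VAD list are all assumptions constructed for this example.

```python
"""Added example, not volatility3 code: who should handle an unreadable VAD?"""
import logging
from typing import Dict, Iterator, List, Optional, Tuple

log = logging.getLogger("example.malfind")


class InvalidAddressException(Exception):
    """Assumed shape of the framework's exception: names the layer and the address."""

    def __init__(self, layer_name: str, invalid_address: int) -> None:
        super().__init__(f"{layer_name}: 0x{invalid_address:x} is not mapped")
        self.layer_name = layer_name
        self.invalid_address = invalid_address


class FakeLayer:
    """Constructed stand-in for a process layer: a dict of mapped 32-bit values."""

    def __init__(self, name: str, mapped: Dict[int, int]) -> None:
        self.name = name
        self._mapped = mapped

    def read_u32(self, addr: int) -> int:
        try:
            return self._mapped[addr]
        except KeyError:
            # Unmapped (paged-out or bogus) address: raise, do not return 0.
            raise InvalidAddressException(self.name, addr) from None


# Constructed protection table; the index is decoded from an assumed bit layout.
PROTECTIONS: List[str] = [
    "PAGE_NOACCESS", "PAGE_READONLY", "PAGE_EXECUTE", "PAGE_EXECUTE_READ",
    "PAGE_READWRITE", "PAGE_WRITECOPY", "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY",
]


def get_protection(layer: FakeLayer, vad_flags_addr: int) -> str:
    """Policy A (helper side): perform the lookup and let InvalidAddressException
    propagate. Mapping the failure to 0 here would make an unreadable VAD look
    like PAGE_NOACCESS, which hides what actually happened."""
    flags = layer.read_u32(vad_flags_addr)
    return PROTECTIONS[(flags >> 8) & 0x7]  # assumed layout: bits 8..10 hold the index


def list_injections(layer: FakeLayer, vads: List[Tuple[int, int]],
                    ignore_errors: bool = True) -> Iterator[Tuple[int, Optional[str]]]:
    """Policy B (caller side): a malfind-like consumer chooses to skip unreadable
    VADs but records that it did. Yields (vad_start, protection) for executable
    and writable regions, and (vad_start, None) for regions it could not read."""
    for vad_start, flags_addr in vads:
        try:
            prot = get_protection(layer, flags_addr)
        except InvalidAddressException as exc:
            if not ignore_errors:
                raise
            log.warning("VAD at 0x%x: flags unreadable (%s), skipping", vad_start, exc)
            yield vad_start, None
            continue
        if "EXECUTE" in prot and "WRITE" in prot:
            yield vad_start, prot


# Constructed sample: one RWX VAD, one read-only VAD, one VAD whose flags are unmapped.
SAMPLE_LAYER = FakeLayer("proc_layer", {0x1000: 0x600, 0x2000: 0x100})
SAMPLE_VADS = [(0x400000, 0x1000), (0x500000, 0x2000), (0x600000, 0x3000)]


def executable_writable_vads(layer: FakeLayer = SAMPLE_LAYER,
                             vads: List[Tuple[int, int]] = SAMPLE_VADS) -> Dict[int, Optional[str]]:
    """Collect the consumer's findings; None marks a VAD that was skipped, not clean."""
    return dict(list_injections(layer, vads))


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for start, prot in executable_writable_vads().items():
        print(f"0x{start:x}: {prot if prot else 'UNREADABLE (skipped)'}")
```

The point of keeping the raise in the helper is that a caller with different needs (a plugin that must not miss anything) can pass `ignore_errors=False` and stop at the first unreadable VAD, while malfind-style callers degrade gracefully but leave a trace in the log and in their output.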

Mac.zip symbol pack doesn't contain all release kernels

Hey there,

so I was trying to run Volatility 3 on the Mac memory samples of the Art of Memory Forensics book. For this, I downloaded the mac.zip symbol file, but still run into the following error when running for example the mac.pslist.PsList plugin. Is there anything else that needs to be installed to fulfil the requirements?

Unsatisfied requirement plugins.PsList.primary: Memory layer for the kernel
Unsatisfied requirement plugins.PsList.darwin: Mac kernel symbols

A symbol table requirement was not fulfilled.  Please verify that:
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner


A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The necessary symbols are present and identified by volatility
Unable to validate the plugin requirements: ['plugins.PsList.primary', 'plugins.PsList.darwin']

I didn't get any useful information from the debug output, I just saw that it was running the MultiStringScanner and then continued.

Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
Level 8  volatility.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility.framework.layers.elf: Exception: Bad magic 0x80000002 at file offset 0x0
Level 8  volatility.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using WindowsCrashDump32Stacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using WintelStacker
DEBUG    volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
Level 8  volatility.framework.automagic.stacker: Attempting to stack using MacintelStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using LintelStacker
INFO     volatility.framework.automagic.linux: No Linux banners found - if this is a linux plugin, please check your symbol files location
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility.framework.automagic: Running automagic: MacSymbolFinder
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None

yarascan.YaraScan doesn't work

memdump and yara will be shared in private

works just fine on vol2

vol.py -f X.dmp --profile=Win7SP1x86 yarascan -y X.yar
Volatility Foundation Volatility Framework 2.6.1
Rule: X
<removed>
python3 vol.py -vvvvvvv -f memdump.dmp yarascan.YaraScan --yara-file test.yar
Volatility 3 Framework 1.0.0-beta.1
INFO     root        : Volatility plugins path: ['/home/X/volatility3/volatility/plugins', '/home/X/volatility3/volatility/framework/plugins']
INFO     root        : Volatility symbols path: ['/home/X/volatility3/volatility/symbols', '/home/X/volatility3/volatility/framework/symbols']
Level 6  volatility.framework: Importing from the following paths: /home/X/volatility3/volatility/plugins, /home/X/volatility3/volatility/framework/plugins
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.statistics
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.registry.certificates
DEBUG    volatility.framework: Importing module: volatility.plugins.yarascan
DEBUG    volatility.framework: Importing module: volatility.plugins.layerwriter
DEBUG    volatility.framework: Importing module: volatility.plugins.timeliner
DEBUG    volatility.framework: Importing module: volatility.plugins.configwriter
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.pstree
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.lsmod
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.lsof
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.pslist
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.bash
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.psaux
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.check_sysctl
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.proc_maps
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.netstat
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.ifconfig
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.malfind
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.check_syscall
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.check_trap_table
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.tasks
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.trustedbsd
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.psscan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.dlldump
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.cmdline
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.poolscanner
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.mutantscan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.pstree
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.dlllist
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.driverirp
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.info
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.verinfo
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.moddump
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.symlinkscan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.strings
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.handles
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.virtmap
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.pslist
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.ssdt
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.vadyarascan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.vaddump
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.procdump
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.modules
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.filescan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.malfind
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.callbacks
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.driverscan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.vadinfo
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.modscan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.svcscan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.registry.userassist
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.registry.hivelist
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.registry.hivescan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.registry.printkey
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.check_afinfo
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.pstree
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.lsmod
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.lsof
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.proc
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.elfs
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.pslist
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.bash
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.malfind
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.check_syscall
Level 6  volatility.framework: Importing from the following paths: /home/X/volatility3/volatility/framework/automagic
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.symbol_finder
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.stacker
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.pdbscan
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.construct_layers
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.symbol_cache
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.windows
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.linux
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.mac
Level 7  root        : Cache directory used: /home/X/.cache/volatility3
INFO     volatility.framework.automagic: No plugin category detected
INFO     volatility.framework.automagic: Running automagic: SymbolBannerCache
INFO     volatility.framework.automagic: Running automagic: MacBannerCache
Level 6  volatility.framework.symbols.intermed: Searching for symbols in /home/X/volatility3/volatility/symbols, /home/X/volatility3/volatility/framework/symbols
INFO     volatility.framework.automagic: Running automagic: LinuxBannerCache
Level 6  volatility.framework.symbols.intermed: Searching for symbols in /home/X/volatility3/volatility/symbols, /home/X/volatility3/volatility/framework/symbols
INFO     volatility.framework.automagic.symbol_cache: Building linux caches...
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
INFO     volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.YaraScan.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.YaraScan.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.YaraScan.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.YaraScan.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.YaraScan
INFO     volatility.framework.automagic: Running automagic: LayerStacker
Level 6  volatility.framework: Importing from the following paths: /home/X/volatility3/volatility/framework/layers
DEBUG    volatility.framework: Importing module: volatility.framework.layers.physical
DEBUG    volatility.framework: Importing module: volatility.framework.layers.linear
DEBUG    volatility.framework: Importing module: volatility.framework.layers.registry
DEBUG    volatility.framework: Importing module: volatility.framework.layers.lime
DEBUG    volatility.framework: Importing module: volatility.framework.layers.crash
DEBUG    volatility.framework: Importing module: volatility.framework.layers.elf
DEBUG    volatility.framework: Importing module: volatility.framework.layers.intel
DEBUG    volatility.framework: Importing module: volatility.framework.layers.resources
DEBUG    volatility.framework: Importing module: volatility.framework.layers.segmented
DEBUG    volatility.framework: Importing module: volatility.framework.layers.msf
DEBUG    volatility.framework: Importing module: volatility.framework.layers.vmware
DEBUG    volatility.framework: Importing module: volatility.framework.layers.scanners.multiregexp
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.YaraScan.primary
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
Level 8  volatility.framework.automagic.stacker: Attempting to stack using WintelStacker
DEBUG    volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
Level 8  volatility.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility.framework.symbols.intermed: Searching for symbols in /home/X/volatility3/volatility/symbols, /home/X/volatility3/volatility/framework/symbols
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
INFO     volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility.schemas: All validations will report success, even with malformed input
Level 8  volatility.framework.automagic.stacker: Stacked Elf64Layer using Elf64Stacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using WintelStacker
DEBUG    volatility.framework.automagic.windows: DTB was found at: 0x185000
Level 8  volatility.framework.automagic.stacker: Stacked IntelLayer using WintelStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using WindowsCrashDump32Stacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using MacintelStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using LintelStacker
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.YaraScan.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.YaraScan.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.YaraScan.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.YaraScan.primary.memory_layer
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.YaraScan.primary.memory_layer.base_layer
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
Level 6  volatility.framework.symbols.intermed: Searching for symbols in /home/X/volatility3/volatility/symbols, /home/X/volatility3/volatility/framework/symbols
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
INFO     volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility.schemas: All validations will report success, even with malformed input
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DEBUG    volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'Elf64Layer', 'FileLayer']
INFO     volatility.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility.framework.automagic: Running automagic: WintelHelper
INFO     volatility.framework.automagic: Running automagic: KernelPDBScanner
INFO     volatility.framework.automagic: Running automagic: SymbolFinder
INFO     volatility.framework.automagic: Running automagic: MacSymbolFinder
INFO     volatility.framework.automagic: Running automagic: LinuxSymbolFinder

Offset  Rule
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler

psscan vol2 vol3 result difference

This memory file is unicode??
It does not print iexplore.exe and rundll32.exe.
vol2's result is normal.
vol3's result translated to txt --> this picture
vol3's result printed --> picture from 1 hour ago
The trouble processes are iexplore.exe and rundll32.exe.
Why does this problem happen?

Caching?

I feel like I'm missing something, but every time I run volatility, it takes 5mins or so just to scan for things until I get output. This is with the same image. Is there some way to optimize this that I'm missing, maybe?

Redirecting output to txt file is messed up

When redirecting the output to a txt file via ">" or ">>", the output file is not formatted properly... please see the attachment. Any fix for this?! As far as I see it, there is a tab missing if the length is below 8 chars, but I see other errors as well...
pslist.txt

Please make a 3.x release

volatility 2.6 is packaged in Debian and we will want to upgrade our users to the latest upstream release now available in volatility3.git... but for this we need you to continue to increase the version number.

So please release volatility3 as a 3.x version number and don't use volatility3 version 1.0.0. It's just confusing....

Thank you in advance, a Debian & Kali packager.

Incorrect Mac ASLR shift calculation?

The following volatility command is failing to run:

$ python vol.py -vvvvvv -f <path-to-macos-10-11-15A282a-x64>data.lime mac.pslist.PsList

The relevant debug output is:

...
DEBUG    volatility.framework.automagic.mac: Mac ASLR shift value determined: 0
Level 7  volatility.framework.automagic.stacker: Exception during stacking: ('MacDTBTempLayer1', 18446743523965197008, 'Page Fault at entry 0xdce7ab3470f9d408 in table page directory pointer')
Level 6  volatility.framework.automagic.stacker: Traceback (most recent call last):

  File "/Users/ilya/git/github.com/volatilityfoundation/volatility3/volatility/framework/automagic/stacker.py", line 133, in stack
    new_layer = stacker.stack(new_context, current_layer_name, progress_callback)

  File "/Users/ilya/git/github.com/volatilityfoundation/volatility3/volatility/framework/automagic/mac.py", line 110, in stack
    idlepml4_str = layer.read(idlepml4_ptr, 4)

  File "/Users/ilya/git/github.com/volatilityfoundation/volatility3/volatility/framework/interfaces/layers.py", line 377, in read
    for (offset, mapped_offset, mapped_length, layer) in self.mapping(offset, length, ignore_errors = pad):

  File "/Users/ilya/git/github.com/volatilityfoundation/volatility3/volatility/framework/layers/intel.py", line 205, in mapping
    chunk_offset, page_size, layer_name = self._translate(offset)

  File "/Users/ilya/git/github.com/volatilityfoundation/volatility3/volatility/framework/layers/intel.py", line 120, in _translate
    entry, position = self._translate_entry(offset)

  File "/Users/ilya/git/github.com/volatilityfoundation/volatility3/volatility/framework/layers/intel.py", line 146, in _translate_entry
    "Page Fault at entry " + hex(entry) + " in table " + name)

volatility.framework.exceptions.PagedInvalidAddressException: ('MacDTBTempLayer1', 18446743523965197008, 'Page Fault at entry 0xdce7ab3470f9d408 in table page directory pointer')
...
Unsatisfied requirement plugins.PsList.primary: Memory layer for the kernel
Unsatisfied requirement plugins.PsList.darwin: Mac kernel symbols

A symbol table requirement was not fulfilled.  Please verify that:
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner


A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The necessary symbols are present and identified by volatility
Unable to validate the plugin requirements: ['plugins.PsList.primary', 'plugins.PsList.darwin'

I'm pretty sure the ASLR value is not 0 as reported by this output.

I've added the version data to my symbol file and now the contents of the cache file is:

$ xxd ~/.cache/volatility3/mac_banners.cache
00000000: 8003 7d71 0043 6144 6172 7769 6e20 4b65  ..}q.CaDarwin Ke
00000010: 726e 656c 2056 6572 7369 6f6e 2031 352e  rnel Version 15.
00000020: 302e 303a 2057 6564 2041 7567 2032 3620  0.0: Wed Aug 26
00000030: 3136 3a35 373a 3332 2050 4454 2032 3031  16:57:32 PDT 201
00000040: 353b 2072 6f6f 743a 786e 752d 3332 3437  5; root:xnu-3247
00000050: 2e31 2e31 3036 7e31 2f52 454c 4541 5345  .1.106~1/RELEASE
00000060: 5f58 3836 5f36 3400 7101 5d71 0258 6a00  _X86_64.q.]q.Xj.
00000070: 0000 6669 6c65 3a2f 2f2f 5573 6572 732f  ..file:///Users/
00000080: 696c 7961 2f67 6974 2f67 6974 6875 622e  ilya/git/github.
00000090: 636f 6d2f 766f 6c61 7469 6c69 7479 666f  com/volatilityfo
000000a0: 756e 6461 7469 6f6e 2f76 6f6c 6174 696c  undation/volatil
000000b0: 6974 7933 2f76 6f6c 6174 696c 6974 792f  ity3/volatility/
000000c0: 7379 6d62 6f6c 732f 6d61 632f 6b65 726e  symbols/mac/kern
000000d0: 656c 2e64 5359 4d2e 6a73 6f6e 7103 6173  el.dSYM.jsonq.as
000000e0: 2e

Exception during stacking: Symbol type not in LintelStacker1 SymbolTable: module

The version of Volatility you're using: v1.0.0-beta.1
The operating system used to run Volatility: Fedora 31
The version of Python used to run Volatility: python3.7
The suspected operating system of the memory sample: Linux amd64

The complete command line you used to run Volatility:

python vol.py -vvvvvvvvvvv -f /home/user/volatility3/kernel.mem linux.pstree.PsTree
Volatility 3 Framework 1.0.0-beta.1
INFO root : Volatility plugins path: ['/home/user/volatility3/volatility/plugins', '/home/user/volatility3/volatility/framework/plugins']
INFO root : Volatility symbols path: ['/home/user/volatility3/volatility/symbols', '/home/user/volatility3/volatility/framework/symbols']
Level 6 volatility.framework: Importing from the following paths: /home/user/volatility3/volatility/plugins, /home/user/volatility3/volatility/framework/plugins
DEBUG volatility.framework: Importing module: volatility.plugins.windows.statistics
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.certificates
DEBUG volatility.framework: Importing module: volatility.plugins.timeliner
DEBUG volatility.framework: Importing module: volatility.plugins.configwriter
DEBUG volatility.framework: Importing module: volatility.plugins.yarascan
INFO volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility.framework: No module named 'yara'
DEBUG volatility.framework: Failed to import module yarascan based on file: yarascan
DEBUG volatility.framework: Importing module: volatility.plugins.frameworkinfo
DEBUG volatility.framework: Importing module: volatility.plugins.layerwriter
DEBUG volatility.framework: Importing module: volatility.plugins.linux.proc
DEBUG volatility.framework: Importing module: volatility.plugins.linux.elfs
DEBUG volatility.framework: Importing module: volatility.plugins.linux.bash
DEBUG volatility.framework: Importing module: volatility.plugins.linux.check_syscall
DEBUG volatility.framework: Importing module: volatility.plugins.linux.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.linux.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.linux.lsmod
DEBUG volatility.framework: Importing module: volatility.plugins.linux.check_afinfo
DEBUG volatility.framework: Importing module: volatility.plugins.linux.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.linux.lsof
DEBUG volatility.framework: Importing module: volatility.plugins.mac.bash
DEBUG volatility.framework: Importing module: volatility.plugins.mac.tasks
DEBUG volatility.framework: Importing module: volatility.plugins.mac.proc_maps
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_syscall
DEBUG volatility.framework: Importing module: volatility.plugins.mac.psaux
DEBUG volatility.framework: Importing module: volatility.plugins.mac.netstat
DEBUG volatility.framework: Importing module: volatility.plugins.mac.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_sysctl
DEBUG volatility.framework: Importing module: volatility.plugins.mac.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.mac.ifconfig
DEBUG volatility.framework: Importing module: volatility.plugins.mac.trustedbsd
DEBUG volatility.framework: Importing module: volatility.plugins.mac.check_trap_table
DEBUG volatility.framework: Importing module: volatility.plugins.mac.lsmod
DEBUG volatility.framework: Importing module: volatility.plugins.mac.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.mac.lsof
DEBUG volatility.framework: Importing module: volatility.plugins.windows.handles
DEBUG volatility.framework: Importing module: volatility.plugins.windows.mutantscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.filescan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.poolscanner
DEBUG volatility.framework: Importing module: volatility.plugins.windows.svcscan
INFO volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility.framework: No module named 'yara'
DEBUG volatility.framework: Failed to import module windows.svcscan based on file: windows/svcscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.psscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.dlldump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.procdump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.driverscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.cmdline
DEBUG volatility.framework: Importing module: volatility.plugins.windows.moddump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.info
DEBUG volatility.framework: Importing module: volatility.plugins.windows.driverirp
DEBUG volatility.framework: Importing module: volatility.plugins.windows.pstree
DEBUG volatility.framework: Importing module: volatility.plugins.windows.verinfo
INFO volatility.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available
DEBUG volatility.framework: No module named 'pefile'
DEBUG volatility.framework: Failed to import module windows.verinfo based on file: windows/verinfo
DEBUG volatility.framework: Importing module: volatility.plugins.windows.dlllist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.ssdt
DEBUG volatility.framework: Importing module: volatility.plugins.windows.modscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.malfind
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vadyarascan
INFO volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility.framework: No module named 'yara'
DEBUG volatility.framework: Failed to import module windows.vadyarascan based on file: windows/vadyarascan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.virtmap
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vaddump
DEBUG volatility.framework: Importing module: volatility.plugins.windows.vadinfo
DEBUG volatility.framework: Importing module: volatility.plugins.windows.callbacks
INFO volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility.framework: No module named 'yara'
DEBUG volatility.framework: Failed to import module windows.callbacks based on file: windows/callbacks
DEBUG volatility.framework: Importing module: volatility.plugins.windows.modules
DEBUG volatility.framework: Importing module: volatility.plugins.windows.symlinkscan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.pslist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.strings
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.hivescan
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.hivelist
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.printkey
DEBUG volatility.framework: Importing module: volatility.plugins.windows.registry.userassist
INFO root : The following plugins could not be loaded (use -vv to see why): volatility.plugins.windows.callbacks, volatility.plugins.windows.svcscan, volatility.plugins.windows.vadyarascan, volatility.plugins.windows.verinfo, volatility.plugins.yarascan
Level 6 volatility.framework: Importing from the following paths: /home/user/volatility3/volatility/framework/automagic
DEBUG volatility.framework: Importing module: volatility.framework.automagic.windows
DEBUG volatility.framework: Importing module: volatility.framework.automagic.mac
DEBUG volatility.framework: Importing module: volatility.framework.automagic.symbol_cache
DEBUG volatility.framework: Importing module: volatility.framework.automagic.pdbscan
DEBUG volatility.framework: Importing module: volatility.framework.automagic.symbol_finder
DEBUG volatility.framework: Importing module: volatility.framework.automagic.construct_layers
DEBUG volatility.framework: Importing module: volatility.framework.automagic.linux
DEBUG volatility.framework: Importing module: volatility.framework.automagic.stacker
Level 7 root : Cache directory used: /home/user/.cache/volatility3
INFO volatility.framework.automagic: Detected a linux category plugin
INFO volatility.framework.automagic: Running automagic: LinuxBannerCache
Level 6 volatility.framework.symbols.intermed: Searching for symbols in /home/user/volatility3/volatility/symbols, /home/user/volatility3/volatility/framework/symbols
INFO volatility.framework.automagic.symbol_cache: Building linux caches...
Level 7 volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
Level 7 volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
Level 7 volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
INFO volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.primary
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.vmlinux
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree
INFO volatility.framework.automagic: Running automagic: LayerStacker
Level 6 volatility.framework: Importing from the following paths: /home/user/volatility3/volatility/framework/layers
DEBUG volatility.framework: Importing module: volatility.framework.layers.msf
DEBUG volatility.framework: Importing module: volatility.framework.layers.elf
DEBUG volatility.framework: Importing module: volatility.framework.layers.linear
DEBUG volatility.framework: Importing module: volatility.framework.layers.segmented
DEBUG volatility.framework: Importing module: volatility.framework.layers.lime
DEBUG volatility.framework: Importing module: volatility.framework.layers.physical
DEBUG volatility.framework: Importing module: volatility.framework.layers.vmware
DEBUG volatility.framework: Importing module: volatility.framework.layers.intel
DEBUG volatility.framework: Importing module: volatility.framework.layers.crash
DEBUG volatility.framework: Importing module: volatility.framework.layers.resources
DEBUG volatility.framework: Importing module: volatility.framework.layers.registry
DEBUG volatility.framework: Importing module: volatility.framework.layers.scanners.multiregexp
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.primary
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 7 volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
Level 8 volatility.framework.automagic.stacker: Attempting to stack using WintelStacker
DEBUG volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
Level 8 volatility.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility.framework.symbols.intermed: Searching for symbols in /home/user/volatility3/volatility/symbols, /home/user/volatility3/volatility/framework/symbols
Level 7 volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
INFO volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility.schemas: All validations will report success, even with malformed input
Level 8 volatility.framework.automagic.stacker: Stacked Elf64Layer using Elf64Stacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using WintelStacker
DEBUG volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
Level 8 volatility.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using WindowsCrashDump32Stacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using LintelStacker
DEBUG volatility.framework.automagic.linux: Identified banner: b'Linux version 5.4.0-rc2 (user@host) (gcc version 9.2.1 20190909 (Debian 9.2.1-8)) #23 Thu Nov 14 20:40:31 UTC 2019\n\x00'
Level 7 volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
INFO volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility.schemas: All validations will report success, even with malformed input
Level 7 volatility.framework.automagic.stacker: Exception during stacking: Symbol type not in LintelStacker1 SymbolTable: module
Level 6 volatility.framework.automagic.stacker: Traceback (most recent call last):

File "/home/user/volatility3/volatility/framework/automagic/stacker.py", line 119, in stack
new_layer = stacker.stack(new_context, current_layer_name, progress_callback)

File "/home/user/volatility3/volatility/framework/automagic/linux.py", line 69, in stack
isf_url = isf_path)

File "/home/user/volatility3/volatility/framework/symbols/linux/init.py", line 28, in init
self.set_type_class('module', extensions.module)

File "/home/user/volatility3/volatility/framework/symbols/intermed.py", line 55, in _delegate_function
return getattr(self._delegate, name)(*args, **kwargs)

File "/home/user/volatility3/volatility/framework/symbols/intermed.py", line 339, in set_type_class
raise ValueError("Symbol type not in {} SymbolTable: {}".format(self.name, name))

ValueError: Symbol type not in LintelStacker1 SymbolTable: module

Level 8 volatility.framework.automagic.stacker: Attempting to stack using MacintelStacker
INFO volatility.framework.automagic.mac: No Mac banners found - if this is a mac plugin, please check your symbol files location
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.primary
Level 9 volatility.framework.configuration.requirements: TypeError - Layer is not the required Architecture: Elf64Layer
Level 9 volatility.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG volatility.framework.automagic.stacker: Stacked layers: ['Elf64Layer', 'FileLayer']
INFO volatility.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.primary
Level 9 volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None

Unsatisfied requirement plugins.PsTree.primary: Memory layer for the kernel
Unsatisfied requirement plugins.PsTree.vmlinux: Linux kernel symbols

A symbol table requirement was not fulfilled. Please verify that:
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner

A translation layer requirement was not fulfilled. Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The necessary symbols are present and identified by volatility
Unable to validate the plugin requirements: ['plugins.PsTree.primary', 'plugins.PsTree.vmlinux']

I compiled a custom Linux 5.4 kernel with debugging symbols enabled (it has some patches which are not yet in mainline, not sure if that matters). Then I ran dwarf2json linux --elf on the vmlinux and put the JSON under symbols/linux.
The memory dump was created with virsh --memory-only. A somewhat strange thing is that the dump is > 200MB while the VM just has 100MB RAM. If I run just "virsh dump domain" then the file is just around 30 MB.
Anyway, it seems to find at least the correct kernel version but fails afterwards.

printkey crash with no args

Haven't investigated why yet, but the crash is below. I'm not sure if it has anything to do with me not specifying a key, and/or hive offset yet, but:

$ python3 vol.py --single-location "file:////mnt/hgfs/DEV/volatility3/20171213204935/memory/data.lime" windows.printkey.PrintKey

[snip]

	Last Write Time	Type	Key	Name	Data	Volatile
Traceback (most recent call last):
  File "vol.py", line 6, in <module>
    volatility.cli.main()
  File "/mnt/hgfs/DEV/volatility3/volatility/cli/__init__.py", line 304, in main
    CommandLine().run()
  File "/mnt/hgfs/DEV/volatility3/volatility/cli/__init__.py", line 189, in run
    text.QuickTextRenderer().render(constructed.run())
  File "/mnt/hgfs/DEV/volatility3/volatility/framework/renderers/text.py", line 57, in render
    grid.populate(visitor, outfd)
  File "/mnt/hgfs/DEV/volatility3/volatility/framework/renderers/__init__.py", line 160, in populate
    for (level, item) in self._generator:
  File "/mnt/hgfs/DEV/volatility3/volatility/plugins/windows/printkey.py", line 91, in registry_walker
    hive = RegistryHive(self.context, reg_config_path, name = 'hive' + hex(hive_offset), os = 'Windows')
  File "/mnt/hgfs/DEV/volatility3/volatility/framework/layers/registry.py", line 56, in __init__
    "Invalid registry base_block length: {}".format(self._base_block.Length))
volatility.framework.exceptions.StructureException: Invalid registry base_block length: 0

Modern linux types can sometimes just be levels of indirection

Just so we've got it recorded somewhere...

This has been noticed specifically on Linux (in the 5.3.0 kernel, at least), but certain types (such as mm_struct) can contain unnamed fields which just act as levels of indirection (i.e., they just contain another struct, unnamed, without much purpose or reason to need to access it).

    "mm_struct": {
      "size": 1024,
      "fields": {
        "cpu_bitmap": {
          "type": {
            "count": 0,
            "kind": "array",
            "subtype": {
              "kind": "base",
              "name": "long unsigned int"
            }
          },
          "offset": 1024
        },
        "unnamed_field_0": {
          "type": {
            "kind": "struct",
            "name": "unnamed_b06fa817540c10e0"
          },
          "offset": 0
        }
      },
      "kind": "struct"
    },

This makes accessing members of mm_struct difficult without knowing the precise sub-structure they're within, and we might want to contemplate a way that we can reasonably remove these if they're literally just unnamed struct members (unions and other types might need more thinking about)...
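
One way to handle the indirection described above, as an added illustration rather than anything from the volatility3 code base: lift the members of an `unnamed_field_N` struct into its parent, adding the parent's field offset to each lifted member's offset, and leave unions untouched because their members alias the same bytes. The `mm_struct` entry is the one quoted in the issue; the contents of `unnamed_b06fa817540c10e0` are not on the page, so the two members given for it here are assumed for the example.

```python
import copy
import re

# Constructed ISF-style fragment: the mm_struct entry from the issue plus an
# ASSUMED definition of the anonymous struct it points at (the real members of
# unnamed_b06fa817540c10e0 are not shown in the issue).
SAMPLE_TYPES = {
    "mm_struct": {
        "size": 1024,
        "kind": "struct",
        "fields": {
            "cpu_bitmap": {
                "type": {"count": 0, "kind": "array",
                         "subtype": {"kind": "base", "name": "long unsigned int"}},
                "offset": 1024,
            },
            "unnamed_field_0": {
                "type": {"kind": "struct", "name": "unnamed_b06fa817540c10e0"},
                "offset": 0,
            },
        },
    },
    "unnamed_b06fa817540c10e0": {   # assumed contents for the example
        "size": 1024,
        "kind": "struct",
        "fields": {
            "mmap": {"type": {"kind": "pointer",
                              "subtype": {"kind": "struct", "name": "vm_area_struct"}},
                     "offset": 0},
            "pgd": {"type": {"kind": "pointer",
                             "subtype": {"kind": "base", "name": "long unsigned int"}},
                    "offset": 8},
        },
    },
}

UNNAMED_FIELD = re.compile(r"^unnamed_field_\d+$")


def flatten_unnamed_fields(types):
    """Return a copy of `types` in which every `unnamed_field_N` member whose
    type is an anonymous *struct* has that struct's members lifted into the
    parent, with their offsets rebased by the member's own offset.

    Nested anonymous structs are flattened too (the loop repeats until no
    unnamed struct member remains). Unnamed unions are deliberately left in
    place: their members overlap, so lifting them would hide the aliasing."""
    result = copy.deepcopy(types)
    for name, definition in result.items():
        if definition.get("kind") != "struct":
            continue
        changed = True
        while changed:
            changed = False
            for fname, field in list(definition["fields"].items()):
                ftype = field["type"]
                if not UNNAMED_FIELD.match(fname) or ftype.get("kind") != "struct":
                    continue
                inner = types.get(ftype["name"])
                if inner is None or inner.get("kind") != "struct":
                    continue            # unknown type or a union: keep as is
                base = field["offset"]
                del definition["fields"][fname]
                for iname, ifield in inner["fields"].items():
                    if iname in definition["fields"]:
                        raise ValueError(f"{name}.{iname} clashes while flattening {fname}")
                    lifted = copy.deepcopy(ifield)
                    lifted["offset"] += base
                    definition["fields"][iname] = lifted
                changed = True
    return result


def member_offset(types, struct_name, member):
    """Offset of `member` inside `struct_name` after flattening, so callers
    need not know which anonymous sub-structure it lives in."""
    flat = flatten_unnamed_fields(types)
    return flat[struct_name]["fields"][member]["offset"]
```

Because the input is deep-copied, the original ISF dictionary is unchanged and can still be handed to the symbol table loader as-is.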

netscan

netscan is not supported in volatility3.

Poolscanning on windows 10 takes an age

This appears to be because for windows 10, the virtual space has to be scanned rather than the physical space (it'd be good to get the reason for that documented here for reference) and that in windows 10 the virtual space can be littered with mapped pages that all point to the same physical page (which could be pointless to rescan time and time again). At the moment, the multiprocessing scan mechanism generates all possible page addresses to be checked and then starts the scanning.

Possible solutions include:

  • Disk caching (to save on reads) - this is a memory/space trade-off and could be useful for normal scanning
  • Creating a windows 10 layer that ignores the most commonly mapped page
  • Changing the multiprocessing mechanism so that it can be doing the disk IO whilst it's doing the iteration.
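
The second bullet (many virtual pages backed by the same physical page) can be addressed without a special layer by deduplicating on the physical side before scanning. The following is an added sketch, not volatility3's scanner: it groups a layer's (virtual, physical, length) mapping by physical page, reads and scans each distinct page once, reports a hit at every virtual address that maps it, and coalesces adjacent physical ranges so that disk IO is issued in larger reads. The mapping and the physical reader are constructed for the example.

```python
PAGE_SIZE = 0x1000

# Constructed mapping as a virtual layer might report it:
# (virtual_offset, physical_offset, length). Three virtual pages share
# physical page 0x3000, the Windows 10 situation described in the issue.
SAMPLE_MAPPING = [
    (0x7FF00000, 0x3000, PAGE_SIZE),
    (0x7FF01000, 0x3000, PAGE_SIZE),
    (0x7FF02000, 0x4000, PAGE_SIZE),
    (0x7FF03000, 0x3000, PAGE_SIZE),
    (0x7FF04000, 0x5000, PAGE_SIZE),
    (0x7FF05000, 0x6000, PAGE_SIZE),
]

READ_LOG = []   # physical offsets handed to the reader, to show reads are not repeated


def sample_physical_reader(phys, length):
    """Stand-in for a physical layer read: page 0x3000 carries a 'Proc' tag at
    offset 0x10, every other page is zero-filled (constructed data)."""
    READ_LOG.append(phys)
    page = bytearray(length)
    if phys == 0x3000:
        page[0x10:0x14] = b"Proc"
    return bytes(page)


def unique_physical_chunks(mapping):
    """Yield (physical_offset, length, [virtual_offsets]) with one entry per
    distinct physical range, so each page is read and scanned once."""
    by_phys = {}
    for virt, phys, length in mapping:
        by_phys.setdefault((phys, length), []).append(virt)
    for (phys, length), virts in sorted(by_phys.items()):
        yield phys, length, sorted(virts)


def coalesce(chunks):
    """Merge physically adjacent chunks into (start, total_length, parts) so a
    reader can fetch them with fewer, larger IO calls."""
    merged = []
    for phys, length, virts in chunks:
        if merged and merged[-1][0] + merged[-1][1] == phys:
            start, total, parts = merged[-1]
            merged[-1] = (start, total + length, parts + [(phys, virts)])
        else:
            merged.append((phys, length, [(phys, virts)]))
    return merged


def scan_once(mapping, read_physical, needle):
    """Scan each distinct physical page once and return every virtual address
    at which `needle` is visible. Matches are page-granular: a needle that
    straddles two pages is not found, the same limitation a per-page scanner has."""
    hits = []
    for phys, length, virts in unique_physical_chunks(mapping):
        data = read_physical(phys, length)
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx < 0:
                break
            hits.extend(virt + idx for virt in virts)
            start = idx + 1
    return sorted(hits)
```

With the sample mapping, six virtual pages collapse to four physical reads, and the single tag on page 0x3000 is reported at all three virtual addresses that map it.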

Windows.handle plugin bug

Hello,

First, thanks a lot for such a great framework. I was testing several plugins against the latest Windows 10 image, but it crashed and threw an error.

BUG
Traceback (most recent call last):
  File "vol.py", line 10, in <module>
    volatility.cli.main()
  File "C:\Users\admin\Desktop\volatility3-master\volatility\cli\__init__.py", line 523, in main
    CommandLine().run()
  File "C:\Users\admin\Desktop\volatility3-master\volatility\cli\__init__.py", line 281, in run
    renderers[args.renderer]().render(constructed.run())
  File "C:\Users\admin\Desktop\volatility3-master\volatility\cli\text_renderer.py", line 161, in render
    grid.populate(visitor, outfd)
  File "C:\Users\admin\Desktop\volatility3-master\volatility\framework\renderers\__init__.py", line 202, in populate
    accumulator = function(treenode, accumulator)
  File "C:\Users\admin\Desktop\volatility3-master\volatility\cli\text_renderer.py", line 156, in visitor
    accumulator.write("{}".format("\t".join(line)))
  File "C:\Users\admin\AppData\Local\Programs\Python\Python37\lib\encodings\cp1252.py", line 19, in encode
    return codecs.charmap_encode(input,self.errors,encoding_table)[0]
UnicodeEncodeError: 'charmap' codec can't encode character '\u03e5' in position 68: character maps to <undefined>

Regarding the windows.handle result I already submitted the file on slack
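
The traceback above is the classic Windows console problem: stdout is opened with the console code page (cp1252 here) and strict error handling, so the first handle name containing a character outside that code page aborts the whole run. The snippet below is an added example, not the volatility3 renderer: it reproduces the failure on a constructed row containing U+03E5 and shows the defensive alternative, wrapping the output sink with `errors="backslashreplace"` so the row is still written (with the character escaped) instead of raising mid-output.

```python
import io

# Constructed row: a handle whose name contains U+03E5, the character that the
# issue's traceback shows cp1252 cannot encode.
SAMPLE_ROW = ["4", "0x8", "Key", "\\REGISTRY\\MACHINE\\\u03e5"]


def strict_encoding_fails(text, encoding="cp1252"):
    """True if `text` cannot be written to a stream using `encoding` with the
    default strict error handler (the condition that crashed the plugin)."""
    try:
        text.encode(encoding)
        return False
    except UnicodeEncodeError:
        return True


def safe_text_stream(binary, encoding):
    """Wrap a binary sink the way a renderer should wrap stdout: characters the
    terminal code page cannot encode become \\uXXXX escapes rather than errors."""
    return io.TextIOWrapper(binary, encoding=encoding, errors="backslashreplace", newline="\n")


def render_rows(rows, stream):
    """Tab-join each row, as the text renderer does, and return the row count."""
    for row in rows:
        stream.write("\t".join(row) + "\n")
    return len(rows)


def render_to_bytes(rows, encoding):
    """Render rows into bytes as they would reach a console using `encoding`."""
    buf = io.BytesIO()
    stream = safe_text_stream(buf, encoding)
    render_rows(rows, stream)
    stream.flush()
    data = buf.getvalue()
    stream.detach()          # keep the BytesIO open; only the wrapper is discarded
    return data
```

On Python 3.7 and later the same effect for a real terminal is `sys.stdout.reconfigure(errors="backslashreplace")` at start-up; setting `PYTHONIOENCODING=utf-8` in the environment is the operator-side workaround. Either way the artefact name survives in the output, which matters for forensics, since an unusual character in a handle or key name can itself be a finding.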

PDBparsing of ARGLIST sizes breaks

Just a note to keep track, attempting the following:

PYTHONPATH="." python volatility/framework/symbols/windows/pdbconv.py -g E5900145FDB14BE5B18137FC2C81C7632 -p ntkrpamp.pdb -o test.json

fails with:

Traceback (most recent call last):
  File "volatility/framework/symbols/windows/pdbconv.py", line 991, in <module>
    json.dump(convertor.get_json(), f, indent = 2, sort_keys = True)
  File "volatility/framework/symbols/windows/pdbconv.py", line 540, in get_json
    self.read_necessary_streams()
  File "volatility/framework/symbols/windows/pdbconv.py", line 330, in read_necessary_streams
    self.read_tpi_stream()
  File "volatility/framework/symbols/windows/pdbconv.py", line 380, in read_tpi_stream
    self.process_types(type_references)
  File "volatility/framework/symbols/windows/pdbconv.py", line 700, in process_types
    self.user_types = self.replace_forward_references(self.user_types, type_references)
  File "volatility/framework/symbols/windows/pdbconv.py", line 814, in replace_forward_references
    types[k] = self.replace_forward_references(v, type_references)
  File "volatility/framework/symbols/windows/pdbconv.py", line 814, in replace_forward_references
    types[k] = self.replace_forward_references(v, type_references)
  File "volatility/framework/symbols/windows/pdbconv.py", line 814, in replace_forward_references
    types[k] = self.replace_forward_references(v, type_references)
  [Previous line repeated 2 more times]
  File "volatility/framework/symbols/windows/pdbconv.py", line 838, in replace_forward_references
    return types.size // self.get_size_from_index(element_type)
  File "volatility/framework/symbols/windows/pdbconv.py", line 650, in get_size_from_index
    raise ValueError("Unable to determine size of leaf_type {}".format(leaf_type.lookup()))
ValueError: Unable to determine size of leaf_type LF_ARGLIST

The name of the type being processed was \x04 which may therefore be an earlier parsing error, but more investigation is required.

Volatility 3 for Framework Designers (JSON Renderer as API)

In the Volatility 2 wiki there was a nice example of how to design a framework around Volatility that collects and processes plugin outputs based on the JSON renderer as API (LINK).

I want to do the same with volatility3. To achieve this I tried to go through the volatility3 CLI classes and gather all the relevant parts to build a working Volatility environment. Unfortunately, the amount of reverse engineering needed to achieve this goal is huge.

Is it planned to release a similar example as the one in the previous volatility version for the current version?

Missing Plugins -> threads, timers

In Volatility version 2 there were three plugins: threads, timers and devicetree. I didn't find these plugins in the new version. Do you have plans to bring them back, or are these plugins by community developers?

Demangle VC++ names from PDB

The Windows kernel PDBs contain a lot of constants that are currently saved in the json in their mangled format, such as:

"??_C@_1BM@FMDCFHKI@?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@NNGAKEGL@": {
      "address": 7877184
    },

In the Rekall version of the JSON we can see the unmangled version of such strings:

  "str:MemoryManager": 7877184, 

Implementing something similar to Rekall's Demangler would improve the usefulness of the Volatility ISF JSONs.
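
A decoder for exactly the symbol quoted above, as an added example rather than code from Volatility or Rekall. MSVC mangles a string literal as `??_C@_<0|1><byte-length><checksum>@<encoded bytes>@`, where `1` marks a wide string, the byte length uses the MSVC number encoding (`0`..`9` mean 1..10, otherwise hex digits written as `A`..`P` and closed by `@`), and each byte of the literal is emitted either as itself, as `?$XY` (two `A`..`P` nibbles), as `?0`..`?9` for a fixed punctuation table, or as `?A`..`?Z` / `?a`..`?z` for bytes 0xC1..0xDA / 0xE1..0xFA. Wide strings are emitted high byte first, which is why `?$AAM` is the `M` of `MemoryManager`. The second mangled name in the sample is constructed by hand to exercise the narrow-string path and a `?5` (space) escape; the decoder ignores anything after the `@` that closes the encoded bytes, so the trailing `NNGAKEGL@` on the page's symbol is left alone.

```python
# Constructed symbol table: the mangled name quoted in the issue, a hand-built
# narrow-string name ("hello world"), and an ordinary function symbol.
SAMPLE_SYMBOLS = {
    "??_C@_1BM@FMDCFHKI@?$AAM?$AAe?$AAm?$AAo?$AAr?$AAy?$AAM?$AAa?$AAn?$AAa?$AAg?$AAe?$AAr@NNGAKEGL@":
        {"address": 7877184},
    "??_C@_0M@AAAAAAAA@hello?5world?$AA@": {"address": 4096},   # constructed
    "KeBugCheckEx": {"address": 8192},                          # not a string literal
}

# Punctuation table behind the '?0'..'?9' escapes.
_SHORT_ESCAPES = ",/\\:. \n\t'-"


def _read_number(s, pos):
    """Decode an MSVC <number>: a single digit d means d+1; otherwise hex
    digits written as 'A'..'P', terminated by '@'. Returns (value, next_pos)."""
    if s[pos].isdigit():
        return int(s[pos]) + 1, pos + 1
    end = s.index("@", pos)
    value = 0
    for ch in s[pos:end]:
        value = value * 16 + (ord(ch) - ord("A"))
    return value, end + 1


def _decode_bytes(s, pos):
    """Turn the <encoded bytes> field into raw bytes, stopping at the unescaped
    '@' that terminates it ('@' inside a literal is always escaped as ?$EA)."""
    out = bytearray()
    while pos < len(s) and s[pos] != "@":
        ch = s[pos]
        if ch != "?":                       # alnum, '_' and '$' appear as themselves
            out.append(ord(ch))
            pos += 1
        elif s[pos + 1] == "$":             # ?$XY : two hex nibbles A..P
            hi, lo = ord(s[pos + 2]) - 65, ord(s[pos + 3]) - 65
            out.append(hi * 16 + lo)
            pos += 4
        elif s[pos + 1].isdigit():          # ?0..?9 : punctuation table
            out.append(ord(_SHORT_ESCAPES[int(s[pos + 1])]))
            pos += 2
        elif s[pos + 1].isupper():          # ?A..?Z : 0xC1..0xDA
            out.append(0xC1 + ord(s[pos + 1]) - 65)
            pos += 2
        else:                               # ?a..?z : 0xE1..0xFA
            out.append(0xE1 + ord(s[pos + 1]) - 97)
            pos += 2
    return bytes(out), pos


def demangle_string_literal(name):
    """Return the text of a '??_C@_' string-literal symbol, or None when `name`
    is not one. Wide literals are mangled byte by byte in big-endian order, so
    they decode as UTF-16BE; narrow ones are taken as Latin-1 to stay lossless."""
    if not name.startswith("??_C@_"):
        return None
    wide = name[6] == "1"
    _byte_length, pos = _read_number(name, 7)   # declared size, not needed to decode
    pos = name.index("@", pos) + 1              # skip the checksum field
    raw, _ = _decode_bytes(name, pos)
    text = raw.decode("utf-16-be" if wide else "latin-1", errors="replace")
    return text.rstrip("\x00")


def unmangled_constants(symbols):
    """Rekall-style view of a symbol table: {'str:<text>': address} for every
    string-literal symbol, leaving other symbols out."""
    out = {}
    for name, info in symbols.items():
        text = demangle_string_literal(name)
        if text is not None:
            out["str:" + text] = info["address"]
    return out
```

Only the first 32 characters of a literal are present in the mangled name, so for longer strings the decoded text is a prefix; a full demangler would also want the `??_7` vtable and `??_R` RTTI forms, which this example does not cover.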

ValueError: year is out of range (pslist.PsList)

Seen on win10-x86-1607-14393.lime with ntkrpamp/9619274AA03341AFACF0F40A6DFACA90-1

	5604	576	TrustedInstall	0x8c8f7c40	8	-	0	False	2016-09-11 10:18:09.000000 	N/A
	5644	664	TiWorker.exe	0x90d43040	8	-	0	False	2016-09-11 10:18:09.000000 	N/A
	4160	4252	surge-collect.	0x8bea2c40	7	-	1	False	2016-09-11 10:18:43.000000 	N/ATraceback (most recent call last):
  File "vol.py", line 6, in <module>
    volatility.cli.main()
  File "/Users/analyst/GitHub/volatility3/volatility/cli/__init__.py", line 297, in main
    CommandLine().run()
  File "/Users/analyst/GitHub/volatility3/volatility/cli/__init__.py", line 208, in run
    text.QuickTextRenderer().render(constructed.run())
  File "/Users/analyst/GitHub/volatility3/volatility/framework/renderers/text.py", line 118, in render
    grid.populate(visitor, outfd)
  File "/Users/analyst/GitHub/volatility3/volatility/framework/renderers/__init__.py", line 185, in populate
    for (level, item) in self._generator:
  File "/Users/analyst/GitHub/volatility3/volatility/plugins/windows/pslist.py", line 52, in _generator
    proc.get_create_time(),
  File "/Users/analyst/GitHub/volatility3/volatility/framework/symbols/windows/extensions/__init__.py", line 462, in get_create_time
    return utility.wintime_to_datetime(self.CreateTime)
  File "/Users/analyst/GitHub/volatility3/volatility/framework/objects/utility.py", line 50, in wintime_to_datetime
    return datetime.datetime.utcfromtimestamp(unix_time)
ValueError: year -19306 is out of range
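An added example (not volatility3's own `wintime_to_datetime`) of the FILETIME conversion that failed above, written so that a CreateTime outside the representable range yields None instead of aborting the whole process listing; the 2016-09-11 tick value used in its test is constructed.

```python
import datetime

EPOCH_1601 = datetime.datetime(1601, 1, 1)       # FILETIME epoch, naive UTC
# Largest FILETIME that datetime can still represent (9999-12-31 23:59:59.999999)
MAX_WINTIME = ((datetime.datetime.max - EPOCH_1601)
               // datetime.timedelta(microseconds=1) * 10)

def wintime_to_datetime(wintime: int):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a naive UTC
    datetime, or return None when the value cannot be a real timestamp.

    Zero is treated as "never set"; negative values and anything past
    datetime.max are what smeared or mis-parsed fields look like (the
    traceback above ended in year -19306) and must not crash the plugin."""
    if wintime <= 0 or wintime > MAX_WINTIME:
        return None
    # timedelta arithmetic instead of utcfromtimestamp(): that call raises on
    # large values, is deprecated in recent Python, and on some platforms
    # rejects pre-1970 timestamps outright.
    return EPOCH_1601 + datetime.timedelta(microseconds=wintime // 10)

def datetime_to_wintime(moment: datetime.datetime) -> int:
    """Inverse conversion, handy for fixtures and time-window filters."""
    return (moment - EPOCH_1601) // datetime.timedelta(microseconds=1) * 10
```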

Automagic exception: Missing _ETHREAD kernel symbol for Win10x64_17134 memory image

volatility version = Volatility 3 Framework 1.0.0-beta.1
OS used to run Volatility = Linux kali 5.3.0-kali1-amd64 #1 SMP Debian 5.3.7-kali2 (2019-11-04) x86_64 GNU/Linux
Python version = Python 3.7.5
OS of target memory sample = Win10x64_17134
Command line = python3 vol.py -f /mnt/Labs/GBAKER-10L/data.lime windows.pslist.PsList

Error message =
Volatility 3 Framework 1.0.0-beta.1
WARNING volatility.framework.plugins: Automagic exception occured: ValueError: Symbol type not in nt_symbols1 SymbolTable: _ETHREAD

Unsatisfied requirement plugins.PsList.nt_symbols: Windows kernel symbols

A symbol table requirement was not fulfilled. Please verify that:
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner

NOTE: I was able to successfully run the above command line on a different Windows 7 memory image. So, the https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip file was installed correctly.

Write config without having to supply a plugin

I would like to be able to write out a config file without having to specify a plugin. To me, that seems the most intuitive. I don't think a user will know why it doesn't work if they just specify this:

$ python3 vol.py --write-config --single-location file:///path/to/memory/data.lime

Should use _KLDR_DATA_TABLE_ENTRY for kernel modules for Windows 10+

I validated this using volatility 2:

In [1]: k = obj.Object("_KLDR_DATA_TABLE_ENTRY", offset=0xFFFFA0878DC37010, vm=addrspace())

In [2]: dt(k)
[CType _KLDR_DATA_TABLE_ENTRY] @ 0xFFFFA0878DC37010
0x0   : InLoadOrderLinks               18446639102792265744
0x10  : ExceptionTable                 18446735287116500992
0x18  : ExceptionTableSize             325764
0x20  : GpValue                        0
0x28  : NonPagedDebugInfo              0
0x30  : DllBase                        18446735287113007104
0x38  : EntryPoint                     18446735287116959760
0x40  : SizeOfImage                    8519680
0x48  : FullDllName                    \SystemRoot\system32\ntoskrnl.exe
0x58  : BaseDllName                    ntoskrnl.exe
0x68  : Flags                          142622720
0x6c  : LoadCount                      90
0x6e  : u1                             18446639102792265854
0x70  : SectionPointer                 0
0x78  : CheckSum                       7842901
0x7c  : CoverageSectionSize            0
0x80  : CoverageSection                0
0x88  : LoadedImports                  1
0x90  : Spare                          0
0x98  : SizeOfImageNotRounded          8519680
0x9c  : TimeDateStamp                  2016-07-16 02:16:17 UTC+0000

You can see that this looks better than:

In [6]: m = obj.Object("_LDR_DATA_TABLE_ENTRY", offset=0xFFFFA0878DC37010, vm=addrspace())

In [7]: dt(m)
[_LDR_DATA_TABLE_ENTRY _LDR_DATA_TABLE_ENTRY] @ 0xFFFFA0878DC37010
0x0   : InLoadOrderLinks               18446639102792265744
0x10  : InMemoryOrderLinks             18446639102792265760
0x20  : InInitializationOrderLinks     18446639102792265776
0x30  : DllBase                        18446735287113007104
0x38  : EntryPoint                     18446735287116959760
0x40  : SizeOfImage                    8519680
0x48  : FullDllName                    \SystemRoot\system32\ntoskrnl.exe
0x58  : BaseDllName                    ntoskrnl.exe
[snip]
0xf8  : OriginalBase                   2080
0x100 : LoadTime                       1970-01-01 00:00:00 UTC+0000  # <--- ???
[snip]

backup method of determining windows 10

We can check for the nt!ObHeaderCookie symbol. Analysis results follow and they were pretty conclusive.

Has the symbol

10.0.17074.1000
10.0.15058.0
10.0.17661.1001
10.0.17134.319
10.0.10240.17113
10.0.17711.1000
10.0.17738.1000
10.0.10586.589
10.0.16299.125
10.0.10586.420
10.0.14300.1045
10.0.16291.0
10.0.10240.17918
10.0.14393.206
10.0.15063.786
10.0.10240.17914
10.0.14393.2007
10.0.14393.447
10.0.16299.431
10.0.10240.17609
10.0.10240.17354
10.0.10586.916
10.0.15063.1266
10.0.10240.17443
10.0.14393.953
10.0.14393.1480
10.0.15063.1387
10.0.17120.1
10.0.17763.1
10.0.15063.296
10.0.16278.1000
10.0.15063.1154
10.0.15063.1155
10.0.17035.1000
10.0.17123.1
10.0.10586.212
10.0.14393.1794
10.0.14393.2363
10.0.17040.1000
10.0.14300.1052
10.0.16299.192
10.0.17101.1000
10.0.16299.19
10.0.14393.351
10.0.14393.479
10.0.16299.248
10.0.17713.1000
10.0.15063.502
10.0.15063.1182
10.0.10586.962
10.0.10240.17184
10.0.17134.165
10.0.17134.167
10.0.17746.1000
10.0.10586.1295
10.0.17134.254
10.0.17133.1
10.0.10240.16430
10.0.10240.16431
10.0.10586.842
10.0.17758.1
10.0.16299.64
10.0.10240.17022
10.0.14393.576
10.0.16296.0
10.0.15063.1088
10.0.17093.1000
10.0.17692.1000
10.0.17134.345
10.0.10586.3
10.0.16299.551
10.0.17134.376
10.0.16299.98
10.0.10240.17831
10.0.16299.251
10.0.14986.1000
10.0.17704.1000
10.0.15063.332
10.0.14393.1066
10.0.14393.0
10.0.17127.1
10.0.17025.1000
10.0.10240.17533
10.0.17730.1000
10.0.15063.1029
10.0.17112.1
10.0.10240.16545
10.0.17735.1000
10.0.14393.1715
10.0.10586.1106
10.0.18262.1000
10.0.14393.1944
10.0.16299.309
10.0.17682.1000
10.0.17063.1000
10.0.16299.637
10.0.17744.1001
10.0.14393.1770
10.0.10240.16841
10.0.16299.0
10.0.17134.48
10.0.17755.1
10.0.16299.547
10.0.15063.483
10.0.16299.665
10.0.16299.666
10.0.10240.18005
10.0.15048.0
10.0.10586.672
10.0.18267.1001
10.0.17763.55
10.0.10586.1356
10.0.14300.1030
10.0.10240.16644
10.0.16299.785
10.0.10586.1540
10.0.14393.103
10.0.17128.1
10.0.15063.413
10.0.10586.1478
10.0.15063.729
10.0.16288.1
10.0.14393.2608
10.0.17017.1000
10.0.17107.1000
10.0.18252.1000
10.0.15063.726
10.0.10240.16393
10.0.17723.1000
10.0.17733.1000
10.0.14393.2311
10.0.14393.2312
10.0.18277.1000
10.0.16299.492
10.0.17134.191
10.0.14393.187
10.0.10586.306
10.0.16299.491
10.0.10240.17394
10.0.16299.15
10.0.10240.17797
10.0.16299.726
10.0.14393.321
10.0.16299.371
10.0.17134.407
10.0.17134.111
10.0.17134.112
10.0.15063.250
10.0.14393.2068
10.0.10586.1417
10.0.10586.17
10.0.10240.17488
10.0.10586.545
10.0.14393.729
10.0.17083.1000
10.0.10240.17643
10.0.15063.966
10.0.10586.1007
10.0.10240.17319
10.0.14393.726
10.0.10240.17738
10.0.17672.1000
10.0.14393.1358
10.0.15063.1206
10.0.15063.1209
10.0.15063.1324
10.0.17760.1
10.0.14393.2248
10.0.10586.1176
10.0.17754.1
10.0.10240.17946
10.0.17134.320
10.0.14393.1198
10.0.14300.1016
10.0.15063.540
10.0.10240.17861
10.0.14300.1010
10.0.17134.285
10.0.10240.17889
10.0.17134.286
10.0.14393.1593
10.0.15063.1292
10.0.10586.494
10.0.16251.0
10.0.15063.850
10.0.17677.1000
10.0.15063.11
10.0.15063.13
10.0.15063.14
10.0.10240.17146
10.0.10240.17071
10.0.14393.2368
10.0.14393.2430
10.0.15063.1446
10.0.16299.214
10.0.10240.17976
10.0.17666.1000
10.0.10240.17974
10.0.17133.73
10.0.17134.1
10.0.18272.1000
10.0.14300.1061
10.0.10240.17320
10.0.17134.137
10.0.14300.1066
10.0.10240.16590
10.0.10240.16463
10.0.16299.611
10.0.10586.839
10.0.15063.674
10.0.15063.909
10.0.14393.2485
10.0.14393.2125
10.0.10240.17709
10.0.17110.1000
10.0.15063.1112
10.0.14393.2551
10.0.14393.2189
10.0.17741.1000
10.0.15063.1356
10.0.17134.228
10.0.10586.1045
10.0.17751.1
10.0.17686.1003
10.0.17134.83
10.0.17134.81
10.0.15063.138
10.0.17115.1
10.0.15063.0
10.0.10586.103
10.0.17728.1000
10.0.10586.162
10.0.14393.693
10.0.10240.16724
10.0.15063.1418
10.0.18282.1000
10.0.10586.633
10.0.10240.17202
10.0.15002.1001
10.0.18290.1000
10.0.10240.17770
10.0.15063.608
10.0.15063.1235
10.0.10240.18036
10.0.10586.63
10.0.15063.447

Does not have the symbol

6.3.9600.17668
6.0.6001.18377
6.3.9600.18896
6.1.7601.24059
6.3.9600.18340
6.3.9600.17328
6.0.6002.24339
6.3.9600.18685
6.1.7601.23002
5.2.3790.5107
6.1.7601.22436
6.0.6000.16386
6.2.9200.21703
6.2.9200.17637
6.2.9200.22008
6.1.7600.16988
6.0.6002.18832
6.0.6000.16754
5.2.3790.3309
6.0.6002.24521
6.0.6002.24520
6.3.9600.18194
6.2.9200.22432
6.1.7601.23250
6.1.7601.23313
6.0.6002.22183
6.0.6002.24202
5.2.3790.5190
6.2.9200.16551
5.2.3790.4637
6.0.6002.23588
6.1.7600.16917
6.1.7601.23796
6.1.7601.23418
6.2.9200.17557
6.1.7600.21207
5.1.2600.6284
6.1.7601.23677
6.3.9600.19153
6.0.6002.24381
6.0.6002.18082
5.1.2600.6368
5.1.2600.5512
6.0.6002.24065
6.0.6002.24412
6.2.9200.16384
6.3.9600.18589
6.1.7601.17514
6.3.9600.18895
6.2.9200.16864
6.1.7601.24291
6.0.6002.18075
6.1.7601.22921
6.3.9600.16384
6.0.6002.19279
6.0.6002.19573
5.1.2600.6055
6.0.6002.18881
6.1.7601.18741
6.1.7601.24094
6.1.7601.24093
6.0.6002.22831
6.2.9200.17528
6.1.7600.21094
6.0.6002.24463
6.0.6002.23761
6.0.6002.23762
6.0.6001.22389
6.1.7600.20826
6.3.9600.17630
6.2.9200.21428
6.2.9200.16604
6.3.9600.18790
6.3.9600.18264
6.1.7601.24009
6.1.7601.22943
6.0.6002.18484
6.0.6001.22478
6.1.7601.24000
6.1.7601.22948
6.1.7601.22379
6.3.9600.18090
6.1.7601.18409
6.0.6002.24367
6.0.6002.18686
6.2.9200.20652
5.2.3790.5157
6.0.6002.19697
6.0.6002.23905
6.3.9600.17031
6.1.7601.24260
6.1.7601.21847
6.2.9200.16548
6.2.9200.22108
6.0.6001.18427
5.1.2600.2622
6.2.9200.21736
6.0.6002.19454
6.0.6002.19453
6.0.6002.19598
5.2.3790.2894
5.1.2600.7053
6.2.9200.20555
6.2.9200.22547
5.2.3790.3959
6.0.6001.18063
6.2.9200.22462
6.0.6001.18145
6.0.6002.24108
6.1.7601.23223
5.1.2600.3654
5.1.2600.6419
6.1.7601.18700
6.0.6002.19594
6.0.6002.23636
6.3.9600.16452
6.1.7600.16539
6.1.7601.23126
6.3.9600.19101
6.0.6000.20697
6.2.9200.22490
6.0.6002.22283
6.2.9200.20605
6.2.9200.21368
6.2.9200.17231
6.0.6002.24421
6.2.9200.21815
6.2.9200.22280
6.0.6002.18533
6.3.9600.16422
5.2.3790.4998
6.1.7601.23455
6.3.9600.18758
6.1.7600.20738
6.2.9200.22086
6.1.7601.17803
6.3.9600.18289
5.2.3790.4354
6.1.7601.18933
6.3.9600.18969
6.2.9200.20733
6.2.9200.22005
6.1.7601.21987
6.3.9600.19038
6.2.9200.22001
6.3.9600.19035
6.1.7600.16385
6.0.6002.19790
6.2.9200.21674
5.2.3790.5059
5.1.2600.7017
5.1.2600.5913
5.1.2600.5857
6.1.7600.16695
6.0.6001.18538
5.1.2600.5938
6.1.7600.20994
5.1.2600.3610
6.2.9200.22254
5.1.2600.5755
6.3.9600.18146
6.2.9200.16420
5.1.2600.6335
6.1.7601.24214
6.0.6002.19700
6.0.6002.18765
6.0.6001.22167
6.1.7600.16841
6.1.7601.17944
6.0.6002.24078
6.1.7601.18939
6.0.6002.24170
6.1.7601.19018
6.1.7601.23807
6.0.6002.18160
5.1.2600.6206
6.2.9200.21914
6.0.6000.20670
6.0.6002.18005
6.0.6002.23076
6.0.6002.22662
5.1.2600.6748
6.0.6002.24282
6.2.9200.22601
6.0.6002.22920
6.2.9200.20772
6.3.9600.18007
6.3.9600.17415
6.0.6002.23824
6.0.6002.22420
6.0.6002.19514
6.3.9600.17238
6.1.7601.17835
6.0.6000.21175
6.0.6002.24346
6.2.9200.17581
6.1.7601.18205
5.2.3790.652
6.3.9600.17736
6.0.6001.22269
6.0.6002.22811
6.0.6001.22489
6.1.7601.23349
6.0.6002.23910
6.3.9600.17041
6.1.7601.18147
6.0.6002.19741
6.3.9600.18066
6.1.7601.17713
6.2.9200.21645
6.3.9600.19067
6.0.6000.16575
6.0.6001.22636
6.2.9200.20682
6.2.9200.20685
6.2.9200.22365
6.1.7601.23334
6.2.9200.21896
6.2.9200.22202
6.1.7601.23338
6.0.6002.19636
6.2.9200.22164
6.0.6001.18488
6.2.9200.16578
6.2.9200.16579
6.1.7601.18738
6.0.6002.18327
6.0.6002.24180
6.0.6002.19327
5.1.2600.3427
6.1.7601.23153
6.2.9200.22522
5.2.3790.5580
5.2.3790.5583
6.2.9200.17225
6.1.7601.19160
6.0.6002.24007
6.1.7601.19045
5.1.2600.1605
5.2.3790.4980
6.0.6002.23103
6.0.6002.22505
6.2.9200.16659
6.0.6000.20921
6.3.9600.18725
6.3.9600.17085
6.1.7601.18247
6.1.7601.22917
6.2.9200.20708
6.1.7600.16617
6.0.6002.24312
6.3.9600.18202
6.0.6002.22341
6.1.7601.23572
6.0.6002.23950
6.3.9600.19000
6.0.6002.23813
6.1.7601.22411
6.0.6000.16973
6.2.9200.20521
6.0.6000.21023
6.1.7601.21955
6.2.9200.16628
6.1.7600.20655
6.0.6000.21226
6.0.6002.18267
6.1.7601.19110
5.1.2600.7005
6.1.7601.22318
6.1.7601.24117
6.0.6002.24262
6.0.6001.22577
6.1.7600.20591
6.1.7600.16481
6.1.7601.23072
6.1.7601.23889
6.2.9200.22162
6.1.7601.17727
6.0.6002.23883
6.0.6002.22732
6.1.7601.24168
6.3.9600.18438
6.1.7600.21417
6.3.9600.16404
6.0.6001.22707
6.2.9200.17438
6.0.6001.18000
6.1.7601.18923
5.1.2600.3670
6.2.9200.21317
6.2.9200.22331
6.0.6000.20629
5.2.3790.4789
5.2.3790.0
6.0.6002.19858
6.0.6001.22777
5.2.3790.4666
6.2.9200.21339
6.0.6002.18209
6.3.9600.18931
6.1.7600.21179
5.2.3790.4478
6.1.7600.21077
6.2.9200.17313
6.1.7601.19135
6.2.9200.21548
6.2.9200.20984
6.1.7601.19131
6.3.9600.17936
6.0.6002.24444
6.3.9600.17933
6.1.7601.18798
6.1.7601.23864
6.2.9200.21830
6.2.9200.16581
6.1.7601.22280
6.0.6000.16830
6.0.6002.19503
6.2.9200.17617
5.1.2600.3520
6.3.9600.18946
6.1.7601.24024
6.1.7601.22908
5.1.2600.3093
6.3.9600.18379
6.3.9600.18378
6.1.7601.22210
6.2.9200.22376
6.3.9600.18696
6.1.7601.23403
6.0.6002.18595
6.1.7600.17273
6.1.7601.22137
5.1.2600.0
6.3.9600.18505
6.1.7601.21863
6.0.6000.16584
6.1.7601.17640
5.1.2600.5973
6.1.7601.23539
5.1.2600.5657
6.3.9600.18185
5.1.2600.6387
6.1.7601.23714
6.2.9200.22402
6.1.7600.21315
5.1.2600.160
6.3.9600.18258
6.1.7601.24236
6.1.7601.18044
6.1.7601.23915
6.2.9200.22170
6.1.7601.24231
6.0.6002.23025
6.0.6000.17021
6.0.6000.16514
6.1.7600.16905
5.2.3790.4922
6.0.6001.18295
6.3.9600.19125
6.1.7601.23142
6.3.9600.19128
6.2.9200.21347
6.0.6002.24154
5.1.2600.1634
6.2.9200.17214
6.1.7600.17017
6.0.6002.24089
6.2.9200.17218
6.1.7601.23391
6.1.7601.23392
5.1.2600.6223
6.2.9200.21971
6.0.6002.22191
6.3.9600.18730
6.0.6000.21101
6.1.7601.22923
6.0.6001.18226
6.1.7601.24060
6.1.7601.24290
6.1.7601.21755
5.2.3790.4035
6.2.9200.20655
6.2.9200.21369
6.3.9600.18233
6.3.9600.17476
6.0.6002.24491
5.1.2600.1568
5.2.3790.5138
6.2.9200.21756
6.0.6000.16901
6.3.9600.18423
6.1.7600.21490
6.0.6002.18805
6.1.7601.18229
6.1.7600.21980
6.1.7601.24150
6.0.6000.20707
6.0.6002.23935
6.1.7601.22103
6.0.6002.23936
6.0.6002.19680
6.1.7600.17207
6.2.9200.16496
6.0.6002.19764
6.0.6000.16551
6.1.7600.17795
6.1.7601.23569
6.2.9200.17251
6.1.7601.23564
6.2.9200.22570
6.1.7601.18113
5.1.2600.3704
5.2.3790.3191
6.1.7600.17118
6.0.6002.18607
6.1.7601.22616
6.3.9600.19179
6.1.7601.18717
6.2.9200.22227
6.1.7601.18715
6.1.7601.18711
6.2.9200.16451
6.0.6002.23154
5.2.3790.1830
6.0.6002.19346
5.1.2600.6165
6.1.7601.18869
5.2.3790.4566
6.2.9200.17213
6.3.9600.18821
6.0.6002.24400
6.1.7601.23136
6.0.6001.18304
6.0.6002.24024
6.0.6002.24020
6.0.6002.19834
6.0.6002.23654

Standardize debug log messages for smear and ensure used in existing code places

To fulfil this issue requires two tasks:

  • Create a standardized debug log message format for issues where smear is encountered. Ideally this message would include the address (offset) and attempted operation that encountered the smear

  • Go through the currently written plugins and extensions to use this template and ensure all needed places have the debug messages emitted

Progress stuff should go to stderr

Any chance we can get the progress messages sent to stderr rather than stdout? If I redirect the output to a file, the progress indicator also goes to the file, which is not helpful (and clutters the output file). To reproduce (on linux in this case):

$ ./vol.py -f image windows.pslist.PsList > pslist.txt

pdbparse-to-json.py: KeyError: EnumIntegerString.new(8, 'T_HRESULT')

Running pdbparse-to-json.py results in the following error on a Windows 10 kernel PDB:

PDB GUID: 80bdf49bd89d905be3a73d7f4226a90f1
Kernel filename: ntkrnlmp.pdb
root@t1:/shared/volatility3# python3 development/pdbparse-to-json.py -f /shared/windows10/ntkrnlmp.pdb -o /tmp/test.json
INFO     __main__    : Parsing PDB...
INFO     __main__    : Reading usertypes...
INFO     __main__    : Reading enums...
INFO     __main__    : Reading symbols...
Traceback (most recent call last):
  File "development/pdbparse-to-json.py", line 353, in <module>
    json.dump(convertor.read_pdb(), f, indent = 2, sort_keys = True)
  File "development/pdbparse-to-json.py", line 138, in read_pdb
    "base_types": self.read_basetypes()
  File "development/pdbparse-to-json.py", line 311, in read_basetypes
    "kind": self.ctype_python_types.get(self.ctype[index], "int"),
KeyError: EnumIntegerString.new(8, 'T_HRESULT')

printkey recurse option broken

Something is broken in the way that we are recursing registry keys. I'm not sure if it's the recursion itself, or just the way the registry key path is appended just yet. For example:

2017-12-14 04:44:28	Key	ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT	Select		False
	2017-12-14 04:44:28	Key	ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT	Setup		False
	2017-12-14 04:44:28	Key	ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT	Software		False
	2017-12-14 04:44:28	Key	ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT\ControlSet001\Control\Arbiters\ROOT	WPA		False

I remember hitting something similar to this with vol2. In that case it was because we were blindly following pointers, and sometimes they are corrupt and might be circular.

SvcScan doesn't accurately distinguish between operating systems

volatility version = Volatility 3 Framework 1.0.0-beta.1
OS used to run Volatility = Linux kali 5.3.0-kali1-amd64 #1 SMP Debian 5.3.7-kali2 (2019-11-04) x86_64 GNU/Linux
Python version = Python 3.7.5
OS of target memory sample = Win10x64_17134
Command line = python3 vol.py -f /mnt/Labs/GBAKER-10L/data.lime windows.svcscan.SvcScan

Did not receive any output, yet there are services that were running when the memory image was acquired.
Output received:

Volatility 3 Framework 1.0.0-beta.1
Progress: 0.00 Scanning primary2 using PdbSignatureScanner
Offset Order Pid Start State Type Name Display Binary

pslist Page Fault

python3 vol.py -f memory.dmp windows.pslist throws the following error after showing a few processes ... any clue? Thanks

0	0		0xad0ceefb9080	0	-	N/A	False	N/A	N/ATraceback (most recent call last):
  File "vol.py", line 10, in <module>
    volatility.cli.main()
  File "/volatility3/volatility/cli/__init__.py", line 442, in main
    CommandLine().run()
  File "/volatility3/volatility/cli/__init__.py", line 269, in run
    renderers[args.renderer]().render(constructed.run())
  File "/volatility3/volatility/cli/text_renderer.py", line 159, in render
    grid.populate(visitor, outfd)
  File "/volatility3/volatility/framework/renderers/__init__.py", line 196, in populate
    for (level, item) in self._generator:
  File "/volatility3/volatility/framework/plugins/windows/pslist.py", line 137, in _generator
    yield (0, (proc.UniqueProcessId, proc.InheritedFromUniqueProcessId,
  File "/volatility3/volatility/framework/objects/__init__.py", line 681, in __getattr__
    native_layer_name = self.vol.native_layer_name))
  File "/volatility3/volatility/framework/objects/templates.py", line 72, in __call__
    return self.vol.object_class(context = context, object_info = object_info, **arguments)
  File "/volatility3/volatility/framework/objects/__init__.py", line 113, in __new__
    value = cls._unmarshall(context, data_format, object_info)
  File "/volatility3/volatility/framework/objects/__init__.py", line 284, in _unmarshall
    data = context.layers.read(object_info.layer_name, object_info.offset, length)
  File "/volatility3/volatility/framework/interfaces/layers.py", line 492, in read
    return self[layer].read(offset, length, pad)
  File "/volatility3/volatility/framework/layers/linear.py", line 37, in read
    for (offset, mapped_offset, mapped_length, layer) in self.mapping(offset, length, ignore_errors = pad):
  File "/volatility3/volatility/framework/layers/intel.py", line 195, in mapping
    chunk_offset, page_size, layer_name = self._translate(offset)
  File "/volatility3/volatility/framework/layers/intel.py", line 317, in _translate
    return self._translate_swap(self, offset, self._bits_per_register // 2)
  File "/volatility3/volatility/framework/layers/intel.py", line 275, in _translate_swap
    return super()._translate(offset)
  File "/volatility3/volatility/framework/layers/intel.py", line 100, in _translate
    entry, position = self._translate_entry(offset)
  File "/volatility3/volatility/framework/layers/intel.py", line 143, in _translate_entry
    "Page Fault at entry " + hex(entry) + " in table " + name)
volatility.framework.exceptions.PagedInvalidAddressException: Page Fault at entry 0xb9b76063 in table page table
