Running Vol3 PSTREE Module
Describe the bug
A clear and concise description of what the bug is.
Context
Volatility Version: 3.0
Operating System: Win10 19043.1237
Python Version: Python 3.8.10
Suspected Operating System:
Command:
sudo python3 vol.py -vvv -f ~/Desktop/cases/Windows10.raw windows.pstree.PsTree > ~/Desktop/cases/pstree_true3.txt
To Reproduce
Steps to reproduce the behavior:
- Use command '...'
- See error
Expected behavior
A clear and concise description of what you expected to happen.
Screenshots
INFO volatility3.cli: Volatility plugins path: ['/Volatility3/volatility3/volatility3/plugins', '/Volatility3/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/Volatility3/volatility3/volatility3/symbols', '/Volatility3/volatility3/volatility3/framework/symbols']
INFO volatility3.framework.automagic: Detected a windows category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree
INFO volatility3.framework.automagic: Running automagic: LayerStacker
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel
DEBUG volatility3.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1ad000
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name.memory_layer
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: WintelHelper
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf80267800000
DEBUG volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb/47114209A62F3B9930F6B8998DFD4A99-1
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
INFO volatility3.framework.automagic: Running automagic: KernelModule
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PO_PROCESS_ENERGY_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EPROCESS_QUOTA_BLOCK
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PAGEFAULT_HISTORY
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_ACCESS_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_CPU_RATE_CONTROL
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NET_RATE_CONTROL
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NOTIFICATION_INFORMATION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PSP_STORAGE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ACTIVATION_CONTEXT_DATA
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ASSEMBLY_STORAGE_MAP
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EXP_LICENSE_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DBGKP_ERROR_PORT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_CI_NGEN_PATHS
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_WNF_SUBSCRIPTION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_EVENT_CALLBACK_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_TIMER
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_SOFT_RESTART_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_STACK_CACHE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_PERFECT_HASH_FUNCTION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_HAL_PMC_COUNTERS
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DEVICE_NODE_IOMMU_EXTENSION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_SCSI_REQUEST_BLOCK
DEBUG volatility3.cli: Traceback (most recent call last):
File "/Volatility3/volatility3/volatility3/cli/__init__.py", line 333, in run
renderers[args.renderer]().render(constructed.run())
File "/Volatility3/volatility3/volatility3/cli/text_renderer.py", line 178, in render
grid.populate(visitor, outfd)
File "/Volatility3/volatility3/volatility3/framework/renderers/__init__.py", line 211, in populate
for (level, item) in self._generator:
File "/Volatility3/volatility3/volatility3/framework/plugins/windows/pstree.py", line 71, in _generator
self._processes[proc.UniqueProcessId] = proc, offset
File "/Volatility3/volatility3/volatility3/framework/objects/__init__.py", line 760, in __getattr__
member = template(context = self._context, object_info = object_info)
File "/Volatility3/volatility3/volatility3/framework/objects/templates.py", line 72, in __call__
return self.vol.object_class(context = context, object_info = object_info, **arguments)
File "/Volatility3/volatility3/volatility3/framework/objects/__init__.py", line 121, in __new__
value = cls._unmarshall(context, data_format, object_info)
File "/Volatility3/volatility3/volatility3/framework/objects/__init__.py", line 310, in _unmarshall
data = context.layers.read(object_info.layer_name, object_info.offset, length)
File "/Volatility3/volatility3/volatility3/framework/interfaces/layers.py", line 553, in read
return self[layer].read(offset, length, pad)
File "/Volatility3/volatility3/volatility3/framework/layers/linear.py", line 37, in read
for (offset, _, mapped_offset, mapped_length, layer) in self.mapping(offset, length, ignore_errors = pad):
File "/Volatility3/volatility3/volatility3/framework/layers/intel.py", line 200, in mapping
for offset, size, mapped_offset, mapped_size, map_layer in self._mapping(offset, length, ignore_errors):
File "/Volatility3/volatility3/volatility3/framework/layers/intel.py", line 244, in _mapping
chunk_offset, page_size, layer_name = self._translate(offset)
File "/Volatility3/volatility3/volatility3/framework/layers/intel.py", line 370, in _translate
return self._translate_swap(self, offset, self._bits_per_register // 2)
File "/Volatility3/volatility3/volatility3/framework/layers/intel.py", line 323, in _translate_swap
return super()._translate(offset)
File "/Volatility3/volatility3/volatility3/framework/layers/intel.py", line 105, in _translate
entry, position = self._translate_entry(offset)
File "/Volatility3/volatility3/volatility3/framework/layers/intel.py", line 151, in _translate_entry
raise exceptions.PagedInvalidAddressException(self.name, offset, position + 1, entry,
volatility3.framework.exceptions.PagedInvalidAddressException: Page Fault at entry 0x83cb063 in table page table
Volatility was unable to read a requested page: Page error 0xfffffffffff8 in layer layer_name (Page Fault at entry 0x83cb063 in table page table)
* Memory smear during acquisition (try re-acquiring if possible)
* An intentionally invalid page lookup (operating system protection)
* A bug in the plugin/volatility3 (re-run with -vvv and file a bug)
No further results will be produced
Additional information
Add any other information about the problem here.
Hi @chris200712, I'm afraid you haven't really described the issue. At the moment it just looks as though the memory image you've tried to run the plugin on isn't consistent, which may be due to memory smear. Could you please include the output from running windows.pslist on the same file please, just to make sure it's not a duplicate of #525?
@iMHLv2 I've noticed we've had about 5 bugs mentioning a failure on 0xfffffff8 in the page table (#525, #568, #365 and a mention in #440). Do you think this is something we're missing in the intel paging table for some reason, or a weird thing Windows is doing? Any thoughts on the matter (even if it's just "looks like normal memory smear") would be appreciated... 5:)
Hopefully this is more info:
I am unable to get the pstree plugin to work. All the other plugins seem to work, just not this one. I have seen this error on multiple memory images. One collected yesterday afternoon and one just prior to this post (it was a memory image of my own machine). The machine yesterday was Win10 2004. Specifically:
From volatility windows.info.Info:
PE MajorOperatingSystemVersion 10
Major/Minor 15.19041
Volatility version: Volatility 3 Framework 2.0.0
Had the same issues with version 1.0.1 also (I ran the Win10 machine using the older volatility version first last night)
My machine imaged today:
OS Name: Microsoft Windows 11 Enterprise
OS Version: 10.0.22000 N/A Build 22000
The Win11 machine from volatility windows.info.Info:
PE MajorOperatingSystemVersion 10
Major/Minor 15.22000
Python 3.8.10
Volatility Command line: vol.py -vvv -l ~/volatility_pstree_error.log -f /mnt/c/Working/8323985-memory.mem windows.pstree.PsTree
22-02-03 18:03:40 volatility3.cli INFO Logging started
22-02-03 18:03:40 volatility3.cli INFO Volatility plugins path: ['/home/rstrom/volatility3/volatility3/plugins', '/home/rstrom/volatility3/volatility3/framework/plugins']
22-02-03 18:03:40 volatility3.cli INFO Volatility symbols path: ['/home/rstrom/volatility3/volatility3/symbols', '/home/rstrom/volatility3/volatility3/framework/symbols']
22-02-03 18:03:40 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/plugins, /home/rstrom/volatility3/volatility3/framework/plugins
22-02-03 18:03:40 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/automagic
22-02-03 18:03:58 volatility3.cli INFO Logging started
22-02-03 18:03:58 volatility3.cli INFO Volatility plugins path: ['/home/rstrom/volatility3/volatility3/plugins', '/home/rstrom/volatility3/volatility3/framework/plugins']
22-02-03 18:03:58 volatility3.cli INFO Volatility symbols path: ['/home/rstrom/volatility3/volatility3/symbols', '/home/rstrom/volatility3/volatility3/framework/symbols']
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/plugins, /home/rstrom/volatility3/volatility3/framework/plugins
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/automagic
22-02-03 18:03:58 volatility3.cli Level 7 Cache directory used: /home/rstrom/.cache/volatility3
22-02-03 18:03:58 volatility3.framework.automagic INFO Detected a windows category plugin
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.automagic INFO Running automagic: ConstructionMagic
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree.kernel
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree.kernel.layer_name
22-02-03 18:03:58 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
22-02-03 18:03:58 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree.kernel
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.configuration.requirements Level 9 Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree.kernel.symbol_table_name
22-02-03 18:03:58 volatility3.framework.configuration.requirements Level 9 Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
22-02-03 18:03:58 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree.kernel
22-02-03 18:03:58 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel
22-02-03 18:03:58 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.automagic.construct_layers Level 6 Construction Exception occurred: Unexpected config value found: None
22-02-03 18:03:58 volatility3.framework.automagic INFO Running automagic: SymbolBannerCache
22-02-03 18:03:58 volatility3.framework.automagic INFO Running automagic: LayerStacker
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel
22-02-03 18:03:58 volatility3.framework.layers.resources Level 7 Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, LeechCoreHandler
22-02-03 18:03:58 volatility3.framework.automagic.stacker Level 8 Attempting to stack using Elf64Stacker
22-02-03 18:03:58 volatility3.framework.layers.elf Level 6 Exception: Bad magic 0x0 at file offset 0x0
22-02-03 18:03:58 volatility3.framework.automagic.stacker Level 8 Attempting to stack using AVMLStacker
22-02-03 18:03:58 volatility3.framework.automagic.stacker Level 8 Attempting to stack using LimeStacker
22-02-03 18:03:58 volatility3.framework.automagic.stacker Level 8 Attempting to stack using QemuStacker
22-02-03 18:03:58 volatility3.framework.automagic.stacker Level 8 Attempting to stack using WindowsCrashDumpStacker
22-02-03 18:03:58 volatility3.framework.automagic.stacker Level 8 Attempting to stack using VmwareStacker
22-02-03 18:03:58 volatility3.framework.automagic.stacker Level 8 Attempting to stack using WindowsIntelStacker
22-02-03 18:03:58 volatility3.framework.automagic.windows DEBUG Detecting Self-referential pointer for recent windows
22-02-03 18:03:58 volatility3.framework.automagic.windows DEBUG DtbSelfRef64bit test succeeded at 0x1ae000
22-02-03 18:03:58 volatility3.framework.automagic.windows DEBUG DTB was found at: 0x1ae000
22-02-03 18:03:58 volatility3.framework.automagic.stacker Level 8 Stacked IntelLayer using WindowsIntelStacker
22-02-03 18:03:58 volatility3.framework.automagic.stacker Level 8 Attempting to stack using Elf64Stacker
22-02-03 18:03:58 volatility3.framework.layers.elf Level 6 Exception: Offset 0x0 does not exist within the base layer
22-02-03 18:03:58 volatility3.framework.automagic.stacker Level 8 Attempting to stack using AVMLStacker
22-02-03 18:03:58 volatility3.framework.automagic.stacker Level 8 Attempting to stack using LimeStacker
22-02-03 18:03:58 volatility3.framework.automagic.stacker Level 8 Attempting to stack using QemuStacker
22-02-03 18:03:58 volatility3.framework.automagic.stacker Level 8 Attempting to stack using WindowsCrashDumpStacker
22-02-03 18:03:58 volatility3.framework.automagic.stacker Level 8 Attempting to stack using VmwareStacker
22-02-03 18:03:58 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree.kernel
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel.layer_name.memory_layer
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.interfaces.configuration Level 9 TypeError - kernel_virtual_offset requirements only accept int type: None
22-02-03 18:03:58 volatility3.framework.interfaces.configuration Level 9 TypeError - kernel_virtual_offset requirements only accept int type: None
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.interfaces.configuration Level 9 TypeError - kernel_banner requirements only accept str type: None
22-02-03 18:03:58 volatility3.framework.interfaces.configuration Level 9 TypeError - kernel_banner requirements only accept str type: None
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.configuration.requirements Level 9 Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree.kernel.symbol_table_name
22-02-03 18:03:58 volatility3.framework.configuration.requirements Level 9 Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
22-02-03 18:03:58 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree.kernel
22-02-03 18:03:58 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel
22-02-03 18:03:58 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-03 18:03:58 volatility3.framework.automagic.stacker DEBUG Stacked layers: ['IntelLayer', 'FileLayer']
22-02-03 18:03:58 volatility3.framework.automagic INFO Running automagic: WinSwapLayers
22-02-03 18:03:58 volatility3.framework.automagic INFO Running automagic: KernelPDBScanner
22-02-03 18:03:58 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel
22-02-03 18:03:58 volatility3.framework.configuration.requirements Level 9 Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
22-02-03 18:03:58 volatility3.framework.configuration.requirements Level 9 Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
22-02-03 18:03:58 volatility3.framework.automagic.pdbscan DEBUG Kernel base determination - searching layer module list structure
22-02-03 18:05:44 volatility3.framework.automagic.pdbscan DEBUG Kernel base determination - searching layer module list structure
22-02-03 18:05:44 volatility3.framework.automagic.pdbscan DEBUG Setting kernel_virtual_offset to 0xf8006b000000
22-02-03 18:05:44 volatility3.framework.symbols.intermed Level 6 Searching for symbols in /home/rstrom/volatility3/volatility3/symbols, /home/rstrom/volatility3/volatility3/framework/symbols
22-02-03 18:05:44 volatility3.framework.symbols.windows.pdbutil DEBUG Using symbol library: ntkrnlmp.pdb/54D7D2CB60778ADE7A575354D318B1EC-1
22-02-03 18:05:45 volatility3.framework.automagic INFO Running automagic: SymbolFinder
22-02-03 18:05:45 volatility3.framework.automagic INFO Running automagic: KernelModule
22-02-03 18:05:45 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_PO_PROCESS_ENERGY_CONTEXT
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_EPROCESS_QUOTA_BLOCK
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_PAGEFAULT_HISTORY
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_JOB_ACCESS_STATE
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_JOB_CPU_RATE_CONTROL
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_JOB_NET_RATE_CONTROL
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_JOB_NOTIFICATION_INFORMATION
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_PSP_STORAGE
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_ACTIVATION_CONTEXT_DATA
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_CHPEV2_PROCESS_INFO
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_ASSEMBLY_STORAGE_MAP
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_EXP_LICENSE_STATE
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_NLS_STATE
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_DBGKP_ERROR_PORT
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_CI_NGEN_PATHS
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_EX_WNF_SUBSCRIPTION
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_ETW_EVENT_CALLBACK_CONTEXT
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_ETW_SOFT_RESTART_CONTEXT
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_ETW_STACK_CACHE
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_ETW_PERFECT_HASH_FUNCTION
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_EX_TIMER
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_HAL_PMC_COUNTERS
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_IORING_OBJECT
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_DEVICE_NODE_IOMMU_EXTENSION
22-02-03 18:05:45 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_SCSI_REQUEST_BLOCK
22-02-03 18:05:46 volatility3.cli DEBUG Traceback (most recent call last):
File "/home/rstrom/volatility3/volatility3/cli/__init__.py", line 333, in run
renderers[args.renderer]().render(constructed.run())
File "/home/rstrom/volatility3/volatility3/cli/text_renderer.py", line 178, in render
grid.populate(visitor, outfd)
File "/home/rstrom/volatility3/volatility3/framework/renderers/__init__.py", line 212, in populate
for (level, item) in self._generator:
File "/home/rstrom/volatility3/volatility3/framework/plugins/windows/pstree.py", line 71, in _generator
self._processes[proc.UniqueProcessId] = proc, offset
File "/home/rstrom/volatility3/volatility3/framework/objects/__init__.py", line 761, in __getattr__
member = template(context = self._context, object_info = object_info)
File "/home/rstrom/volatility3/volatility3/framework/objects/templates.py", line 72, in __call__
return self.vol.object_class(context = context, object_info = object_info, **arguments)
File "/home/rstrom/volatility3/volatility3/framework/objects/__init__.py", line 122, in __new__
value = cls._unmarshall(context, data_format, object_info)
File "/home/rstrom/volatility3/volatility3/framework/objects/__init__.py", line 311, in _unmarshall
data = context.layers.read(object_info.layer_name, object_info.offset, length)
File "/home/rstrom/volatility3/volatility3/framework/interfaces/layers.py", line 553, in read
return self[layer].read(offset, length, pad)
File "/home/rstrom/volatility3/volatility3/framework/layers/linear.py", line 37, in read
for (offset, _, mapped_offset, mapped_length, layer) in self.mapping(offset, length, ignore_errors = pad):
File "/home/rstrom/volatility3/volatility3/framework/layers/intel.py", line 203, in mapping
for offset, size, mapped_offset, mapped_size, map_layer in self._mapping(offset, length, ignore_errors):
File "/home/rstrom/volatility3/volatility3/framework/layers/intel.py", line 247, in _mapping
chunk_offset, page_size, layer_name = self._translate(offset)
File "/home/rstrom/volatility3/volatility3/framework/layers/intel.py", line 373, in _translate
return self._translate_swap(self, offset, self._bits_per_register // 2)
File "/home/rstrom/volatility3/volatility3/framework/layers/intel.py", line 326, in _translate_swap
return super()._translate(offset)
File "/home/rstrom/volatility3/volatility3/framework/layers/intel.py", line 105, in _translate
entry, position = self._translate_entry(offset)
File "/home/rstrom/volatility3/volatility3/framework/layers/intel.py", line 154, in _translate_entry
raise exceptions.PagedInvalidAddressException(self.name, offset, position + 1, entry,
volatility3.framework.exceptions.PagedInvalidAddressException: Page Fault at entry 0x58350063 in table page table
Totally willing to try with new builds
I did some more testing and have a little bit more information.
I created snapshots of a Windows Server 2012 R2 Domain Controller and a Windows 10 Enterprise; OS Version: 10.0.19044 N/A Build 19044 and was able to successfully run the same command to get the PsTree.
I did another image of my physical Windows 11 machine using Dumpit.exe this time (last time I used winpmem (winpmem_mini_x64_rc2.exe)).
The PsTree failed running on the image made with Dumpit too.
The Windows 10 and Windows 11 systems that are failing are both Enterprise and they are using Credential Guard. Not sure if that makes any difference.
The PsTree is very useful! I would really, really like to see it work in all situations if at all possible. Again, please note that only PsTree is failing, all other modules are working.
Thanks!
@robertstrom
can you please checkout this branch:
https://github.com/volatilityfoundation/volatility3/tree/issue_574_pstree_smear
with:
git pull
git checkout issue_574_pstree_smear
then run pstree and make sure you get processes output.
@atcuno - I have run the git commands and then run the volatility command to create the PsTree, and I am still having issues with most memory images.

Volatility command used was:
volatility3/vol.py -vvv -r csv -l /mnt/c/Working/XXX-YYYY-memory.raw.windows.pstree.PsTree.log -f /mnt/c/Working/XXX-YYYY-memory.raw windows.pstree.PsTree
22-02-04 13:20:03 volatility3.cli INFO Logging started
22-02-04 13:20:03 volatility3.cli INFO Volatility plugins path: ['/home/rstrom/volatility3/volatility3/plugins', '/home/rstrom/volatility3/volatility3/framework/plugins']
22-02-04 13:20:03 volatility3.cli INFO Volatility symbols path: ['/home/rstrom/volatility3/volatility3/symbols', '/home/rstrom/volatility3/volatility3/framework/symbols']
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/plugins, /home/rstrom/volatility3/volatility3/framework/plugins
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/automagic
22-02-04 13:20:03 volatility3.cli Level 7 Cache directory used: /home/rstrom/.cache/volatility3
22-02-04 13:20:03 volatility3.framework.automagic INFO Detected a windows category plugin
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.automagic INFO Running automagic: ConstructionMagic
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree.kernel
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree.kernel.layer_name
22-02-04 13:20:03 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
22-02-04 13:20:03 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree.kernel
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.configuration.requirements Level 9 Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree.kernel.symbol_table_name
22-02-04 13:20:03 volatility3.framework.configuration.requirements Level 9 Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
22-02-04 13:20:03 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree.kernel
22-02-04 13:20:03 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel
22-02-04 13:20:03 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.automagic.construct_layers Level 6 Construction Exception occurred: Unexpected config value found: None
22-02-04 13:20:03 volatility3.framework.automagic INFO Running automagic: SymbolBannerCache
22-02-04 13:20:03 volatility3.framework.automagic INFO Running automagic: LayerStacker
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel
22-02-04 13:20:03 volatility3.framework.layers.resources Level 7 Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, LeechCoreHandler
22-02-04 13:20:03 volatility3.framework.automagic.stacker Level 8 Attempting to stack using Elf64Stacker
22-02-04 13:20:03 volatility3.framework.layers.elf Level 6 Exception: Bad magic 0x0 at file offset 0x0
22-02-04 13:20:03 volatility3.framework.automagic.stacker Level 8 Attempting to stack using AVMLStacker
22-02-04 13:20:03 volatility3.framework.automagic.stacker Level 8 Attempting to stack using LimeStacker
22-02-04 13:20:03 volatility3.framework.automagic.stacker Level 8 Attempting to stack using QemuStacker
22-02-04 13:20:03 volatility3.framework.automagic.stacker Level 8 Attempting to stack using WindowsCrashDumpStacker
22-02-04 13:20:03 volatility3.framework.automagic.stacker Level 8 Attempting to stack using VmwareStacker
22-02-04 13:20:03 volatility3.framework.automagic.stacker Level 8 Attempting to stack using WindowsIntelStacker
22-02-04 13:20:03 volatility3.framework.automagic.windows DEBUG Detecting Self-referential pointer for recent windows
22-02-04 13:20:03 volatility3.framework.automagic.windows DEBUG DtbSelfRef64bit test succeeded at 0x1ae000
22-02-04 13:20:03 volatility3.framework.automagic.windows DEBUG DTB was found at: 0x1ae000
22-02-04 13:20:03 volatility3.framework.automagic.stacker Level 8 Stacked IntelLayer using WindowsIntelStacker
22-02-04 13:20:03 volatility3.framework.automagic.stacker Level 8 Attempting to stack using Elf64Stacker
22-02-04 13:20:03 volatility3.framework.layers.elf Level 6 Exception: Offset 0x0 does not exist within the base layer
22-02-04 13:20:03 volatility3.framework.automagic.stacker Level 8 Attempting to stack using AVMLStacker
22-02-04 13:20:03 volatility3.framework.automagic.stacker Level 8 Attempting to stack using LimeStacker
22-02-04 13:20:03 volatility3.framework.automagic.stacker Level 8 Attempting to stack using QemuStacker
22-02-04 13:20:03 volatility3.framework.automagic.stacker Level 8 Attempting to stack using WindowsCrashDumpStacker
22-02-04 13:20:03 volatility3.framework.automagic.stacker Level 8 Attempting to stack using VmwareStacker
22-02-04 13:20:03 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree.kernel
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel.layer_name.memory_layer
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.interfaces.configuration Level 9 TypeError - kernel_virtual_offset requirements only accept int type: None
22-02-04 13:20:03 volatility3.framework.interfaces.configuration Level 9 TypeError - kernel_virtual_offset requirements only accept int type: None
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.interfaces.configuration Level 9 TypeError - kernel_banner requirements only accept str type: None
22-02-04 13:20:03 volatility3.framework.interfaces.configuration Level 9 TypeError - kernel_banner requirements only accept str type: None
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.configuration.requirements Level 9 Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree.kernel.symbol_table_name
22-02-04 13:20:03 volatility3.framework.configuration.requirements Level 9 Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
22-02-04 13:20:03 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree.kernel
22-02-04 13:20:03 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel
22-02-04 13:20:03 volatility3.framework.automagic.construct_layers Level 9 Failed on requirement: plugins.PsTree
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework Level 6 Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
22-02-04 13:20:03 volatility3.framework.automagic.stacker DEBUG Stacked layers: ['IntelLayer', 'FileLayer']
22-02-04 13:20:03 volatility3.framework.automagic INFO Running automagic: WinSwapLayers
22-02-04 13:20:03 volatility3.framework.automagic INFO Running automagic: KernelPDBScanner
22-02-04 13:20:03 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel
22-02-04 13:20:03 volatility3.framework.configuration.requirements Level 9 Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
22-02-04 13:20:03 volatility3.framework.configuration.requirements Level 9 Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
22-02-04 13:20:03 volatility3.framework.automagic.pdbscan DEBUG Kernel base determination - searching layer module list structure
22-02-04 13:21:30 volatility3.framework.automagic.pdbscan DEBUG Kernel base determination - searching layer module list structure
22-02-04 13:21:30 volatility3.framework.automagic.pdbscan DEBUG Setting kernel_virtual_offset to 0xf8006b000000
22-02-04 13:21:30 volatility3.framework.symbols.intermed Level 6 Searching for symbols in /home/rstrom/volatility3/volatility3/symbols, /home/rstrom/volatility3/volatility3/framework/symbols
22-02-04 13:21:30 volatility3.framework.symbols.windows.pdbutil DEBUG Using symbol library: ntkrnlmp.pdb/54D7D2CB60778ADE7A575354D318B1EC-1
22-02-04 13:21:31 volatility3.framework.automagic INFO Running automagic: SymbolFinder
22-02-04 13:21:31 volatility3.framework.automagic INFO Running automagic: KernelModule
22-02-04 13:21:31 volatility3.framework.configuration.requirements Level 9 IndexError - No configuration provided: plugins.PsTree.kernel
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_PO_PROCESS_ENERGY_CONTEXT
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_EPROCESS_QUOTA_BLOCK
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_PAGEFAULT_HISTORY
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_JOB_ACCESS_STATE
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_JOB_CPU_RATE_CONTROL
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_JOB_NET_RATE_CONTROL
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_JOB_NOTIFICATION_INFORMATION
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_PSP_STORAGE
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_ACTIVATION_CONTEXT_DATA
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_CHPEV2_PROCESS_INFO
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_ASSEMBLY_STORAGE_MAP
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_EXP_LICENSE_STATE
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_NLS_STATE
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_DBGKP_ERROR_PORT
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_CI_NGEN_PATHS
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_EX_WNF_SUBSCRIPTION
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_ETW_EVENT_CALLBACK_CONTEXT
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_ETW_SOFT_RESTART_CONTEXT
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_ETW_STACK_CACHE
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_ETW_PERFECT_HASH_FUNCTION
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_EX_TIMER
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_HAL_PMC_COUNTERS
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_IORING_OBJECT
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_DEVICE_NODE_IOMMU_EXTENSION
22-02-04 13:21:31 volatility3.framework.symbols DEBUG Unresolved reference: symbol_table_name1!_SCSI_REQUEST_BLOCK
Hello,
Just touching base to see if there is anything else needed from me to help determine what the issue is / help get it fixed.
Thanks, Robert
Thank you guys. No, there is not.
@chris200712 - That was a question for the folks on the volatility team ;-)
Got it
@robertstrom can you please run pslist with the verbose flags set and send the output?
@atcuno - here are two runs, one successful and one not. These are the log files produced with the -l argument. Let me know if you need some other output.
Basic command line used was:
/home/rstrom/volatility3/vol.py -vvvvvv -l /home/rstrom/U-3586225_volatility_pstree_2022-02-23.log -f /mnt/data/memoryimages/U-3586225_20220204073104.raw windows.pstree.PsTree
U-3586225_volatility_pstree_2022-02-23.log U-8323985_pstree_2022-02-23.log
Strange thing is that the one that is working now did not work in the past. Please note that I have been asked to update volatility twice in other troubleshooting. Once by you and once by @ikelos (this one being the latest pertaining to an issue with the timeliner plugin).
HTH,
Robert
UPDATE / FYI - Just downloaded and ran Volatility 3 Framework 2.0.3 on a Windows 10 image and I am still seeing errors with PSTREE. I believe that everything else is OK (still waiting for full results and to look over all files). The resulting PSTree CSV file is empty except for the header. Here are the results running volatility with -vvvvv.
The PSScan results are there and look fine. It sees all the PIDs and PPIDs so I don't understand why PSTree doesn't work. All the data seems to be there. One thing of note, the PSScan file shows that all processes are at TreeDepth 0. That doesn't seem correct.
Let me know what else you need and I'll be happy to do any testing. For me, PSTree is one of the most useful plugins / views.
Thanks,
Robert
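Added example, not part of the original post and not Volatility's own code: one way to rebuild a parent/child tree offline from PsScan CSV output when PsTree returns only a header, as reported above. The column names, the constructed sample rows and the create-time check for reused parent PIDs are assumptions of this sketch.

```python
import csv
import io
from datetime import datetime

# Constructed sample shaped like `vol.py -r csv windows.psscan.PsScan` output.
# Column names are assumed; every row carries TreeDepth 0, as in the report.
SAMPLE_PSSCAN_CSV = """\
TreeDepth,PID,PPID,ImageFileName,CreateTime
0,4,0,System,2022-02-04 07:00:01
0,412,4,smss.exe,2022-02-04 07:00:02
0,620,604,wininit.exe,2022-02-04 07:00:05
0,760,620,services.exe,2022-02-04 07:00:06
0,1204,760,svchost.exe,2022-02-04 07:00:09
0,1204,760,svchost.exe,2022-02-04 07:00:09
0,3300,1204,notepad.exe,2022-02-04 06:59:00
0,,760,,
"""


def parse_time(text):
    """Parse an ISO-style timestamp; return None when it is missing or damaged."""
    try:
        return datetime.fromisoformat(text.strip())
    except ValueError:
        return None


def load_processes(csv_text):
    """Return ({pid: record}, skipped_rows); unreadable rows are counted, not fatal."""
    procs, skipped = {}, 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            pid, ppid = int(row["PID"]), int(row["PPID"])
        except (KeyError, TypeError, ValueError):
            skipped += 1  # smeared or truncated row: keep going
            continue
        # A pool scan can report the same process twice; keep the first hit.
        procs.setdefault(pid, {
            "pid": pid,
            "ppid": ppid,
            "name": row.get("ImageFileName") or "?",
            "created": parse_time(row.get("CreateTime") or ""),
        })
    return procs, skipped


def is_real_parent(child, parent):
    """A parent must exist, differ from the child, and not be younger than it."""
    if parent is None or parent["pid"] == child["pid"]:
        return False
    if child["created"] and parent["created"] and parent["created"] > child["created"]:
        return False  # the PPID value now belongs to a later, unrelated process
    return True


def build_tree(procs):
    """Return [(depth, pid, name)] in depth-first order; orphans become roots."""
    children, roots = {}, []
    for proc in procs.values():
        parent = procs.get(proc["ppid"])
        if is_real_parent(proc, parent):
            children.setdefault(parent["pid"], []).append(proc["pid"])
        else:
            roots.append(proc["pid"])

    ordered, seen = [], set()

    def walk(pid, depth):
        if pid in seen:  # stops PID/PPID loops in inconsistent data
            return
        seen.add(pid)
        ordered.append((depth, pid, procs[pid]["name"]))
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for pid in sorted(roots):
        walk(pid, 0)
    for pid in sorted(procs):  # anything still unvisited sits in a loop
        walk(pid, 0)
    return ordered


def render(tree):
    """Indent each process by its depth, one line per process."""
    return ["{}{} {}".format("  " * depth, pid, name) for depth, pid, name in tree]


if __name__ == "__main__":
    processes, skipped_rows = load_processes(SAMPLE_PSSCAN_CSV)
    print("\n".join(render(build_tree(processes))))
    print("rows skipped:", skipped_rows)
```

Processes whose parent is absent from the scan are listed at depth 0 rather than dropped, so a single unreadable entry does not empty the whole tree.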
rstrom@linux-mint-vm:~/volatility-output$ /home/rstrom/volatility3/vol.py -vvvvvv -f /mnt/data/memoryimages/1PIANE1EB_memory.raw windows.pstree.PsTree
Volatility 3 Framework 2.0.3
INFO volatility3.cli: Volatility plugins path: ['/home/rstrom/volatility3/volatility3/plugins', '/home/rstrom/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/home/rstrom/volatility3/volatility3/symbols', '/home/rstrom/volatility3/volatility3/framework/symbols']
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/plugins, /home/rstrom/volatility3/volatility3/framework/plugins
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/automagic
Level 7 volatility3.cli: Cache directory used: /home/rstrom/.cache/volatility3
INFO volatility3.framework.automagic: Detected a windows category plugin
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 6 volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
INFO volatility3.framework.automagic: Running automagic: SymbolBannerCache
INFO volatility3.framework.automagic: Running automagic: LayerStacker
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel
Level 7 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, LeechCoreHandler
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility3.framework.layers.elf: Exception: Bad magic 0x0 at file offset 0x0
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1ad000
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1ad000
Level 8 volatility3.framework.automagic.stacker: Stacked IntelLayer using WindowsIntelStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name.memory_layer
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/rstrom/volatility3/volatility3/framework/layers
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf80119000000
Level 6 volatility3.framework.symbols.intermed: Searching for symbols in /home/rstrom/volatility3/volatility3/symbols, /home/rstrom/volatility3/volatility3/framework/symbols
DEBUG volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb/118018959D8D7CA5AAB45B75AED5A976-1
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PO_PROCESS_ENERGY_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EPROCESS_QUOTA_BLOCK
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PAGEFAULT_HISTORY
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_ACCESS_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_CPU_RATE_CONTROL
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NET_RATE_CONTROL
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NOTIFICATION_INFORMATION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PSP_STORAGE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ACTIVATION_CONTEXT_DATA
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ASSEMBLY_STORAGE_MAP
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EXP_LICENSE_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DBGKP_ERROR_PORT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_CI_NGEN_PATHS
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_WNF_SUBSCRIPTION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_EVENT_CALLBACK_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_SOFT_RESTART_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_STACK_CACHE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_PERFECT_HASH_FUNCTION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_TIMER
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_HAL_PMC_COUNTERS
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DEVICE_NODE_IOMMU_EXTENSION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_SCSI_REQUEST_BLOCK
DEBUG volatility3.cli: Traceback (most recent call last):
  File "/home/rstrom/volatility3/volatility3/cli/__init__.py", line 343, in run
    renderers[args.renderer]().render(constructed.run())
  File "/home/rstrom/volatility3/volatility3/cli/text_renderer.py", line 177, in render
    grid.populate(visitor, outfd)
  File "/home/rstrom/volatility3/volatility3/framework/renderers/__init__.py", line 212, in populate
    for (level, item) in self._generator:
  File "/home/rstrom/volatility3/volatility3/framework/plugins/windows/pstree.py", line 71, in _generator
    self._processes[proc.UniqueProcessId] = proc, offset
  File "/home/rstrom/volatility3/volatility3/framework/objects/__init__.py", line 764, in __getattr__
    member = template(context = self._context, object_info = object_info)
  File "/home/rstrom/volatility3/volatility3/framework/objects/templates.py", line 72, in __call__
    return self.vol.object_class(context = context, object_info = object_info, **arguments)
  File "/home/rstrom/volatility3/volatility3/framework/objects/__init__.py", line 122, in __new__
    value = cls._unmarshall(context, data_format, object_info)
  File "/home/rstrom/volatility3/volatility3/framework/objects/__init__.py", line 314, in _unmarshall
    data = context.layers.read(object_info.layer_name, object_info.offset, length)
  File "/home/rstrom/volatility3/volatility3/framework/interfaces/layers.py", line 553, in read
    return self[layer].read(offset, length, pad)
  File "/home/rstrom/volatility3/volatility3/framework/layers/linear.py", line 37, in read
    for (offset, _, mapped_offset, mapped_length, layer) in self.mapping(offset, length, ignore_errors = pad):
  File "/home/rstrom/volatility3/volatility3/framework/layers/intel.py", line 203, in mapping
    for offset, size, mapped_offset, mapped_size, map_layer in self._mapping(offset, length, ignore_errors):
  File "/home/rstrom/volatility3/volatility3/framework/layers/intel.py", line 247, in _mapping
    chunk_offset, page_size, layer_name = self._translate(offset)
  File "/home/rstrom/volatility3/volatility3/framework/layers/intel.py", line 373, in _translate
    return self._translate_swap(self, offset, self._bits_per_register // 2)
  File "/home/rstrom/volatility3/volatility3/framework/layers/intel.py", line 326, in _translate_swap
    return super()._translate(offset)
  File "/home/rstrom/volatility3/volatility3/framework/layers/intel.py", line 105, in _translate
    entry, position = self._translate_entry(offset)
  File "/home/rstrom/volatility3/volatility3/framework/layers/intel.py", line 154, in _translate_entry
    raise exceptions.PagedInvalidAddressException(self.name, offset, position + 1, entry,
volatility3.framework.exceptions.PagedInvalidAddressException: Page Fault at entry 0x70156063 in table page table
Volatility was unable to read a requested page:
Page error 0xfffffffffff8 in layer layer_name (Page Fault at entry 0x70156063 in table page table)
* Memory smear during acquisition (try re-acquiring if possible)
* An intentionally invalid page lookup (operating system protection)
* A bug in the plugin/volatility3 (re-run with -vvv and file a bug)
No further results will be produced
This issue is stale because it has been open for 200 days with no activity.
This issue was closed because it has been inactive for 60 days since being marked as stale.