
Windows Server VMEM - Unable to parse

Open lcfut opened this issue 3 years ago • 6 comments

Describe the bug
vCenter suspended the VM. Downloaded the VMEM file (12gb) and attempted to use Volatility version 2 and 3. Unable to parse any data with either version.

Context
Volatility Version: 3
Operating System: SANS SIFT VM
Python Version: 3.8.5
Suspected Operating System: Windows Server
Command:
$ ./vol.py -f /mnt/hgfs/Documents/servername-e52bf066.vmem windows.info
OR
$ ./vol.py -f /mnt/hgfs/Documents/servername-e52bf066.vmem windows.pslist

To Reproduce
Steps to reproduce the behavior:

  1. Downloaded tar.gz file for volatility3
  2. Downloaded "windows.zip" symbols file and placed in volatility3/symbols/ folder
  3. Ran commands listed above

Error messages here: (same error for both commands)

Volatility 3 Framework 1.0.0
Progress:  100.00    PDB scanning finished
Unsatisfied requirement plugins.Info.nt_symbols: Windows kernel symbols

A symbol table requirement was not fulfilled. Please verify that:
  You have the correct symbol file for the requirement
  The symbol file is under the correct directory or zip file
  The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.nt_symbols']

Command showing symbols file exists:

$ ll volatility3/symbols/
total 820068
drwxrwxr-x 3 sansforensics sansforensics      4096 Jul 13 23:33 ./
drwxrwxr-x 8 sansforensics sansforensics      4096 Jul 13 23:20 ../
-rw-rw-r-- 1 sansforensics sansforensics       415 Feb  1  2021 __init__.py
drwxrwxr-x 2 sansforensics sansforensics      4096 Jul 13 23:20 __pycache__/
-rwxrw-rw- 1 sansforensics sansforensics 839727133 Jul 13 23:33 windows.zip*

lcfut (Jul 13 '22 23:07)

Thanks, please can you provide the output of running the command with -vvv after vol.py? This gives more information which will help us debug what the issue may be. For vmware files, in particular an additional file (vmsn or vmss) can be needed as well as the vmem file. The -vvv output should help us figure it out though...

ikelos (Jul 14 '22 00:07)

See the requested output below:

$ ./vol.py -vvv -f /mnt/hgfs/Documents/servername-e52bf066.vmem windows.info
Volatility 3 Framework 1.0.0
INFO     root: Volatility plugins path: ['/cases/volatility3-1.0.0/volatility3/plugins', '/cases/volatility3-1.0.0/volatility3/framework/plugins']
INFO     root: Volatility symbols path: ['/cases/volatility3-1.0.0/volatility3/symbols', '/cases/volatility3-1.0.0/volatility3/framework/symbols']
INFO     volatility3.framework.automagic: Detected a windows category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.primary
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.nt_symbols
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
DEBUG    volatility3.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
DEBUG    volatility3.framework.automagic.windows: DTB was found at: 0x1ad000
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary.memory_layer
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.nt_symbols
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: WintelHelper
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - testing fixed base address
DEBUG    volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf800022ba000
INFO     volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols

Unsatisfied requirement plugins.Info.nt_symbols: Windows kernel symbols

A symbol table requirement was not fulfilled. Please verify that:
  You have the correct symbol file for the requirement
  The symbol file is under the correct directory or zip file
  The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.nt_symbols']

lcfut (Jul 14 '22 00:07)

Hmmmm, ok. So this is a fairly old version of volatility 3, so it doesn't include some of the debug output about the vmware layers, and it also won't have the latest heuristics for finding windows images. It's found an intel layer and the DTB value (DTB was found at: 0x1ad000) looks right for windows. It can't then identify the version of windows unfortunately.

I'd highly recommend getting a copy of the latest version of volatility (git checkout https://github.com/volatilityfoundation/volatility3) and then seeing if that can handle the image any better. If it still fails, providing the output with -vvv from that might help offer more possible solutions...

ikelos (Jul 14 '22 00:07)

I used the "git clone" command and re-ran the line. I copied over the 'windows.zip' file into the 'symbols' folder. Here is the new output:

$ python3 vol.py -vvv -f /mnt/hgfs/Documents/servername-e52bf066.vmem windows.info
Volatility 3 Framework 2.3.0
INFO     volatility3.cli: Volatility plugins path: ['/cases/volatility3-develop/volatility3/plugins', '/cases/volatility3-develop/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/cases/volatility3-develop/volatility3/symbols', '/cases/volatility3-develop/volatility3/framework/symbols']
INFO     volatility3.framework.automagic: Detected a windows category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
INFO     volatility3.framework.automagic: Running automagic: SymbolBannerCache
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: Max pointer for hit with test DtbSelfRef64bit not met: 0x33ffffa00 > 0x2ffffffff
DEBUG    volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
INFO     volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name

Unsatisfied requirement plugins.Info.kernel.layer_name:
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:

A translation layer requirement was not fulfilled. Please verify that:
  A file was provided to create this layer (by -f, --single-location or by config)
  The file exists and is readable
  The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled. Please verify that:
  The associated translation layer requirement was fulfilled
  You have the correct symbol file for the requirement
  The symbol file is under the correct directory or zip file
  The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name']

lcfut (Jul 14 '22 00:07)

You mentioned in an earlier comment the need for the VMSS file. I have that file, but I don't see a way to include it in the command.

lcfut (Jul 15 '22 12:07)

This was solved.

Once I placed the VMSS file in the same directory as the VMEM file, then the commands started working. I did not need to make any adjustments to the command itself, I just needed the second file present in the same folder.

I would recommend updating the documentation to include this as an example situation when analyzing memory files from virtual machines. I did not see a reference when I looked in the "read the docs" page.

Thank you again for all your hard work and contributions to the community!

lcfut (Jul 19 '22 13:07)
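The resolution above turns on a detail that is easy to miss in a 12 GB download: the .vmem is only the guest's RAM, and volatility3 finds the .vmss (suspend) or .vmsn (snapshot) file by looking next to the .vmem rather than through a command-line flag. The following pre-flight script is an added example for this thread, not code from the volatility3 project. It assumes the pairing rule "same directory, same base name, .vmss or .vmsn suffix", and the four header magic values it checks are an assumption about the first four bytes of VMware snapshot files, not something stated in the thread. It builds its own tiny sample files so it runs offline.

```python
"""
Pre-flight check for VMware .vmem images before handing them to volatility3.

Added example; not part of the volatility3 project.  Encodes the lesson of
the thread: a .vmem written by ESXi/vCenter on suspend or snapshot is guest
RAM only, and volatility3 expects the matching .vmss or .vmsn beside it under
the same base name.  Without it the stacker stops at ['FileLayer'] and every
Windows plugin reports an unsatisfied kernel/symbol requirement.

Assumptions (not taken from the thread): the pairing rule (same directory,
same stem, .vmss/.vmsn suffix) and the header magics in VMWARE_MAGICS.
"""
import shlex
import struct
import tempfile
from pathlib import Path
from typing import Optional

# Assumed VMware snapshot/suspend header magics (little-endian uint32 at offset 0).
VMWARE_MAGICS = {0xBED2BED0, 0xBAD1BAD1, 0xBED2BED2, 0xBED3BED3}
METADATA_SUFFIXES = (".vmss", ".vmsn")


def sibling_metadata(vmem: Path) -> Optional[Path]:
    """Return the .vmss/.vmsn that sits beside `vmem` with the same stem, if any."""
    for suffix in METADATA_SUFFIXES:
        candidate = vmem.with_suffix(suffix)
        if candidate.is_file():
            return candidate
    return None


def has_vmware_magic(path: Path) -> bool:
    """True if the first four bytes are one of the assumed VMware header magics."""
    with path.open("rb") as fh:
        head = fh.read(4)
    if len(head) < 4:
        return False
    (magic,) = struct.unpack("<I", head)
    return magic in VMWARE_MAGICS


def preflight(vmem) -> dict:
    """Classify a .vmem as ok / missing-metadata / bad-metadata-header / missing-vmem."""
    vmem = Path(vmem)
    report = {"vmem": str(vmem), "metadata": None, "status": "missing-vmem"}
    if not vmem.is_file() or vmem.stat().st_size == 0:
        return report
    meta = sibling_metadata(vmem)
    if meta is None:
        report["status"] = "missing-metadata"
        return report
    report["metadata"] = str(meta)
    report["status"] = "ok" if has_vmware_magic(meta) else "bad-metadata-header"
    return report


def vol_command(vmem, plugin: str = "windows.info") -> str:
    """The vol.py invocation; the .vmss/.vmsn is picked up by proximity, not by a flag."""
    return f"python3 vol.py -vvv -f {shlex.quote(str(vmem))} {plugin}"


def demo() -> dict:
    """Constructed sample: fake .vmem files with a good, a bad and no .vmss sibling."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        paired = root / "servername-e52bf066.vmem"
        paired.write_bytes(b"\x00" * 4096)  # constructed stand-in for guest RAM
        (root / "servername-e52bf066.vmss").write_bytes(
            struct.pack("<I", 0xBED2BED0) + b"\x00" * 60)  # constructed header
        lonely = root / "other-00000000.vmem"
        lonely.write_bytes(b"\x00" * 4096)  # no .vmss/.vmsn next to it
        junk = root / "truncated-11111111.vmem"
        junk.write_bytes(b"\x00" * 4096)
        (root / "truncated-11111111.vmsn").write_bytes(b"NOPE")  # wrong magic
        return {
            "paired": preflight(paired)["status"],
            "lonely": preflight(lonely)["status"],
            "junk": preflight(junk)["status"],
        }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
    print(vol_command("/mnt/hgfs/Documents/servername-e52bf066.vmem"))
```

Run it with no arguments to see the three outcomes on the constructed files; point `preflight()` at a real download to get the verdict before spending time on symbol tables, since a "missing-metadata" result explains the `Stacked layers: ['FileLayer']` line seen above without any symbols being at fault.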

This issue is stale because it has been open for 200 days with no activity.

github-actions[bot] (Aug 20 '23 01:08)