gleeda (Jamie Levy)
This is the config file:
```
$ cat config.json
{
  "primary.class": "volatility.framework.layers.intel.WindowsIntel32e",
  "primary.kernel_virtual_offset": 18446735301106831360,
  "primary.memory_layer.class": "volatility.framework.layers.physical.FileLayer",
  "primary.memory_layer.location": "file:///path/to/memory.raw",
  "primary.page_map_offset": 1757186,
  "nt_symbols.class": "volatility.framework.symbols.windows.WindowsKernelIntermedSymbols",
  "nt_symbols.isf_url":"file:///Users/gleeda/Work/DEV/volatility3/new_symbols.json"
}
```
And these values work with...
Yes that's it (1e415dbbdea9d46314247970052306d9). Did you use the same config file?
Here's a copy of the ntoskrnl.exe, pdb, and `new_symbols.json` from that memory sample. [items.zip](https://github.com/volatilityfoundation/volatility3/files/5783326/items.zip)
I just confirmed that this works with that config file I copied into a comment earlier, and the `new_symbols.json` file:
```
$ git checkout 0c43beb42d3f1d7e3c7ac6ccb97c8f95c438042f
$ python3 vol.py -c config.json...
```
I had the same issue and was about to issue a pull request. It might be good to make it more universal by first checking if you have the `tostring`...
You should see one of the following when doing `python vol.py --info`:
```
MacYosemite_10_10_3_14D131x64 - A Profile for Mac Yosemite_10.10.3_14D131 x64
MacYosemite_10_10_3_14D136x64 - A Profile for Mac Yosemite_10.10.3_14D136 x64
```
...
(also make sure you are running the same `vol.py` where you put the profile, just in case you are not running it from within the same folder)
@cybercuffs did you try running it from the `volatility-2.4` folder?
So there's an issue with your config file. First the LOCATION variable is for the memory sample, not plugins. Second, the path has to have a `file://` prefix. Therefore you...
Is this still an issue?