
Volatility fails to extract SSDT on Windows XP guest

Open · Wenzel opened this issue 5 years ago • 1 comment

OSWatcher log file is in this Gist

Important part:

2020-04-04 19:07:17,038 DEBUG:volatility.framework.automagic.pdbscan:Using symbol library: ntkrpamp.pdb/C40DD53A8D3D4AE3A24CE6BE866649C9-1
2020-04-04 19:07:17,068 INFO:volatility.schemas:Dependency for validation unavailable: jsonschema
2020-04-04 19:07:17,068 DEBUG:volatility.schemas:All validations will report success, even with malformed input
2020-04-04 19:07:17,069 Level 9:volatility.framework.configuration.requirements:TypeError - SymbolTableRequirement only accepts string labels: None
2020-04-04 19:07:17,069 WARNING:volatility.framework.plugins:Automagic exception occurred: ValueError: Symbol type not in nt_symbols1 SymbolTable: _ETHREAD
WARNING  volatility.framework.plugins: Automagic exception occurred: ValueError: Symbol type not in nt_symbols1 SymbolTable: _ETHREAD
2020-04-04 19:07:17,069 Level 9:volatility.framework.plugins:Traceback (most recent call last):
  File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/automagic/__init__.py", line 129, in run
    automagic(context, config_path, requirement, progress_callback)
  File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/automagic/pdbscan.py", line 481, in __call__
    self.recurse_symbol_fulfiller(context, valid_kernels, progress_callback)
  File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/automagic/pdbscan.py", line 224, in recurse_symbol_fulfiller
    requirement.construct(context, config_path)
  File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/configuration/requirements.py", line 363, in construct
    obj = self._construct_class(context, config_path, args)
  File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/interfaces/configuration.py", line 565, in _construct_class
    obj = cls(**requirement_dict)
  File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/symbols/windows/__init__.py", line 17, in __init__
    self.set_type_class('_ETHREAD', extensions.ETHREAD)
  File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/symbols/intermed.py", line 55, in _delegate_function
    return getattr(self._delegate, name)(*args, **kwargs)
  File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/symbols/intermed.py", line 339, in set_type_class
    raise ValueError("Symbol type not in {} SymbolTable: {}".format(self.name, name))
ValueError: Symbol type not in nt_symbols1 SymbolTable: _ETHREAD

Windows XP Dump is available on Google Drive

Wenzel, Apr 04 '20 17:04
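Added example, not part of the issue and not oswatcher or volatility3 code. The log above shows that automagic chose the ISF table ntkrpamp.pdb/C40DD53A8D3D4AE3A24CE6BE866649C9-1, that jsonschema was unavailable so the table was not validated, and that construction then failed because `_ETHREAD` is not in the table. The script below does the pre-flight check that the missing validation would otherwise give you: it parses the "Using symbol library" line, opens the selected ISF JSON (plain or `.xz`) from a symbols directory laid out as `<symbols_dir>/windows/<pdb>/<GUID>-<age>.json[.xz]` (an assumption about the layout), and lists which kernel types volatility3 expects are absent. `REQUIRED_KERNEL_TYPES` is a representative subset of the types volatility3 binds extension classes to, chosen for this example; the sample ISF written to a temporary directory is constructed here and deliberately lacks `_ETHREAD` to reproduce the reported condition.

```python
"""Pre-flight check of a volatility3 ISF symbol table (added example)."""
import json
import lzma
import re
import tempfile
from pathlib import Path

# Assumption: representative subset of the types volatility3's Windows kernel
# symbol class calls set_type_class() on; _ETHREAD is the one that failed above.
REQUIRED_KERNEL_TYPES = (
    "_ETHREAD", "_EPROCESS", "_LIST_ENTRY", "_UNICODE_STRING",
    "_EX_FAST_REF", "_OBJECT_HEADER", "_POOL_HEADER",
)

# Matches the pdbscan DEBUG line: "Using symbol library: <pdb>/<32-hex GUID>-<age>"
_LIB_RE = re.compile(
    r"Using symbol library: (?P<pdb>[^/\s]+)/(?P<guid>[0-9A-Fa-f]{32}-\d+)"
)


def parse_symbol_library(log_line: str):
    """Return (pdb_name, guid_age) from a pdbscan log line, or None if absent."""
    m = _LIB_RE.search(log_line)
    if m is None:
        return None
    return m.group("pdb"), m.group("guid")


def find_symbol_file(symbols_dir: Path, pdb_name: str, guid_age: str) -> Path:
    """Locate <symbols_dir>/windows/<pdb>/<GUID>-<age>.json.xz (or .json)."""
    folder = symbols_dir / "windows" / pdb_name
    candidates = [folder / f"{guid_age}.json.xz", folder / f"{guid_age}.json"]
    for candidate in candidates:
        if candidate.is_file():
            return candidate
    raise FileNotFoundError(f"no ISF table at {candidates[0]} or {candidates[1]}")


def load_isf(path: Path) -> dict:
    """Load an ISF JSON table, decompressing transparently when it is .xz."""
    if path.suffix == ".xz":
        with lzma.open(path, "rt", encoding="utf-8") as fh:
            return json.load(fh)
    return json.loads(path.read_text(encoding="utf-8"))


def missing_kernel_types(isf: dict, required=REQUIRED_KERNEL_TYPES) -> list:
    """Required struct names that are absent from the table's user_types."""
    user_types = isf.get("user_types", {})
    return [name for name in required if name not in user_types]


def check_symbol_library(symbols_dir: Path, log_line: str) -> list:
    """Parse the log line, open the table automagic picked, report missing types."""
    parsed = parse_symbol_library(log_line)
    if parsed is None:
        raise ValueError("log line carries no 'Using symbol library' entry")
    pdb_name, guid_age = parsed
    isf = load_isf(find_symbol_file(symbols_dir, pdb_name, guid_age))
    return missing_kernel_types(isf)


# The pdbscan line quoted in the issue log.
LOG_LINE = ("2020-04-04 19:07:17,038 DEBUG:volatility.framework.automagic.pdbscan:"
            "Using symbol library: ntkrpamp.pdb/C40DD53A8D3D4AE3A24CE6BE866649C9-1")

# Constructed ISF table: minimal, and like the failing XP table it lacks _ETHREAD.
CONSTRUCTED_ISF = {
    "metadata": {"format": "6.2.0", "producer": {"name": "constructed-example"}},
    "base_types": {"unsigned long": {"kind": "int", "size": 4,
                                     "signed": False, "endian": "little"}},
    "user_types": {name: {"kind": "struct", "size": 8, "fields": {}}
                   for name in REQUIRED_KERNEL_TYPES if name != "_ETHREAD"},
    "enums": {},
    "symbols": {},
}


def demo() -> list:
    """Write the constructed table where automagic would look, then check it."""
    with tempfile.TemporaryDirectory() as tmp:
        symbols_dir = Path(tmp)
        pdb_name, guid_age = parse_symbol_library(LOG_LINE)
        target = symbols_dir / "windows" / pdb_name / f"{guid_age}.json.xz"
        target.parent.mkdir(parents=True)
        with lzma.open(target, "wt", encoding="utf-8") as fh:
            json.dump(CONSTRUCTED_ISF, fh)
        return check_symbol_library(symbols_dir, LOG_LINE)


if __name__ == "__main__":
    print("missing kernel types:", demo())
```

Point it at the real symbols directory (`check_symbol_library(Path("volatility3/symbols"), line)`) with the line from the OSWatcher log; an empty list means the table at least carries the structures volatility3 binds at construction time, a non-empty list explains the `Symbol type not in ... SymbolTable` error before a full run is attempted.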

Issue is opened on volatility3 repo: https://github.com/volatilityfoundation/volatility3/issues/242

Wenzel, Jun 30 '20 19:06