volatility3 icon indicating copy to clipboard operation
volatility3 copied to clipboard
verified publisher icon volatilityfoundation

Can't process a Windows 10 64bit Crash Dump

Open sluke-nuix opened this issue 1 year ago • 10 comments

Describe the bug I am trying to analyze a memory DMP file generated from Microsoft's 'NotMyFault' tool, but it consistently fails with:

Unsatisfied requirement plugins.Info.kernel.layer_name:
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name']

Context Volatility Version: Volatility 3 Framework 2.7.0 Operating System: Windows 10 x64 Python Version: Python 3.12.0 Suspected Operating System: Windows 10 x64 (same computer) Command: vol.py windows.info and vol.py windows.pslist

To Reproduce Steps to reproduce the behavior:

warning This will actually cause a bluescreen / crash. Don't do it until you are ready!! Generate a Windows Crash Dump with the Sysinternals NotMyFault tool (https://learn.microsoft.com/en-us/sysinternals/downloads/notmyfault). Then follow the below commands:

  1. Use command %py_cmd% vol.py -vvvvvvv -f C:\projects\aaaa\bbbbb\MEMORY.DMP windows.info
  2. See described above.

Expected behavior For windows.info, I would expect a formatted output describing the memory dump file. For windows.pslist I would expect there to be a process list table.

Example output

The is the file type:

> file C:/projects/aaaa/bbbbb/MEMORY.DMP
C:/projects/aaaa/bbbbb/MEMORY.DMP: MS Windows 64bit crash dump, version 15.22000, 20 processors, kernel dump, 4992030524978970960 pages

I know from other questions here that minidumps aren't supported. The website says crashdumps are: The FAQ 

I also already have the symbols for Windows:

> tree .\volatility3\symbols
Folder PATH listing for volume OS
Volume serial number is 18BA-94DA
C:\DevRepo\bbbbb\CODE\VOLATILITY3\VOLATILITY3\SYMBOLS
├───windows
│   ├───ntkrnlmp.pdb
│   └───windows
│       ├───ntkrnlmp.pdb
│       ├───ntkrnlpa.pdb
│       ├───ntkrpamp.pdb
│       └───ntoskrnl.pdb
└───__pycache__

When I run the command I get this output:

> %py_cmd% vol.py -vvvvvvv -f C:\projects\aaaa\bbbbb\MEMORY.DMP windows.info
Volatility 3 Framework 2.7.0
INFO     volatility3.cli: Volatility plugins path: ['C:\\DevRepo\\bbbbb\\code\\volatility3\\volatility3\\plugins', 'C:\\DevRepo\\bbbbb\\code\\volatility3\\volatility3\\framework\\plugins']
INFO     volatility3.cli: Volatility symbols path: ['C:\\DevRepo\\bbbbb\\code\\volatility3\\volatility3\\symbols', 'C:\\DevRepo\\bbbbb\\code\\volatility3\\volatility3\\framework\\symbols']
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\plugins, C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\plugins
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\automagic
Level 7  volatility3.cli: Cache directory used: C:\Users\sluke01\AppData\Roaming\volatility3
INFO     volatility3.framework.automagic: Detected a windows category plugin
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in C:\DevRepo\bbbbb\code\volatility3\volatility3\symbols, C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\symbols
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 7  volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, S3FileSystemHandler, GSFileSystemHandler, LeechCoreHandler
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0x45474150 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Bad magic 0x45474150 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in C:\DevRepo\bbbbb\code\volatility3\volatility3\symbols, C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\symbols
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in C:\DevRepo\bbbbb\code\volatility3\volatility3\symbols, C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\symbols
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
Level 6  volatility3.framework.layers.crash: unsupported dump format 0x6
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 5059842478
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
INFO     volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name

Unsatisfied requirement plugins.Info.kernel.layer_name:
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name']

Additional information If I run the same command using a .raw file generated from winpmem I get appropriate outputs for both windows.info and windows.pslist.

sluke-nuix avatar Mar 11 '24 21:03 sluke-nuix

A few extra comments:

  • The DMP file is initially un-readable by normal users, but before running these tests I ensured it was read/writable by the user running the test
  • The tests were also run with the command line launched with admin permissions with no difference

sluke-nuix avatar Mar 11 '24 21:03 sluke-nuix

Hi, volatility 3 doesn't read pdb files directly, they need converting into JSON, but volatility should have found a windows signature and generated it automatically if you were providing a raw memory file. Instead, you appear to have provided a MS Windows 64bit crash dump which apparently our crashdump reader can't handle. We do support the crashdump format, but only specific dump types (ie, not partial dumps, only complete memory dumps).

Apparently we currently suppress Format exceptions, rather than reporting on them (which isn't right), but my guess would be that your crashdump file isn't the right format...

ikelos avatar Mar 11 '24 21:03 ikelos

I've just pushed a new commit (9edf33b7) that should improve debugging output with -vvvvvvv to tell you why the crashdump format isn't supported.

ikelos avatar Mar 11 '24 21:03 ikelos

volatility 3 doesn't read pdb files directly, they need converting into JSON

Sorry, I guess the tree command isn't clear here. It actually lists only the directories, under the .pdb directories are all the .json files that were generated: it was a long list of json files so I didn't want to spam the text with something that listed them (which is why I used tree instead of dir /s.

I will try the new version to see if it is clearer. Thanks.

sluke-nuix avatar Mar 11 '24 21:03 sluke-nuix

New (partial) log output:

First, during processing I get lots of lines like this: Level 8 volatility3.framework.automagic.symbol_cache: Identified file:///C:/DevRepo/bbbbb/code/volatility3/volatility3/symbols/windows/windows/ntkrnlpa.pdb/E086B943FAE142BEBD7E5F280ADF1458-5.json.xz as b'ntkrnlpa.pdb|E086B943FAE142BEBD7E5F280ADF1458|5'

With occasional lines like this: Level 6 volatility3.framework.automagic.symbol_cache: No identifier found for file:///C:/DevRepo/bbbbb/code/volatility3/volatility3/framework/symbols/windows/netscan/netscan-win10-15063-x86.json

Below is the interesting part:

INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0x45474150 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Bad magic 0x45474150 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 7  volatility3.framework.automagic.stacker: Exception during stacking: catching classes that do not inherit from BaseException is not allowed
Level 6  volatility3.framework.automagic.stacker: Traceback (most recent call last):

  File "C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers\crash.py", line 265, in stack
    layer.check_header(context.layers[layer_name])

  File "C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers\crash.py", line 232, in check_header
    raise WindowsCrashDumpFormatException(

volatility3.framework.layers.crash.WindowsCrashDumpFormatException: Invalid dump 0x34365544 at file offset 0x0


During handling of the above exception, another exception occurred:


Traceback (most recent call last):

  File "C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\automagic\stacker.py", line 216, in stack_layer
    new_layer = stacker.stack(context, initial_layer, progress_callback)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  File "C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers\crash.py", line 271, in stack
    except (WindowsCrashDump32Layer, WindowsCrashDump64Layer) as excp:

TypeError: catching classes that do not inherit from BaseException is not allowed

Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 5059842478
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
INFO     volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name

Unsatisfied requirement plugins.Info.kernel.layer_name:
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name']

I guess the important parts are the Bad magic 0x45474150 at file offset 0x0 and Invalid dump 0x34365544 at file offset 0x0. But also interesting is the part that follows: TypeError: catching classes that do not inherit from BaseException is not allowed.

Still, that isn't pertinent to this. I guess the "Invalid dump" supports your statement that this is a non-supported dump file, and I will have to use a different means to generate it. Thanks.

sluke-nuix avatar Mar 11 '24 21:03 sluke-nuix

Sorry, some of that was a slight mistake on my part, you should probably give it another go, the error above was likely from attempting to stack the 32-bit crash dump layer (which expects the start bytes to be DUMP). It should've gotten past that but my mistake made it throw an error. The actual header is DU64, which we are supposed to support, so that's probably not where the problem lies...

ikelos avatar Mar 12 '24 00:03 ikelos

Commit 8dbc64f4 should function better (and hopefully will tell you why it's not happy) (the "bad magic" messages are from the Elf and XenCore stackers, so can be safely ignored.

ikelos avatar Mar 12 '24 00:03 ikelos

here is the latest results (cutting to after the JSON file parsing):

INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: C:\projects\aaaa\bbbbb\python\vendor\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0x45474150 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Bad magic 0x45474150 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 6  volatility3.framework.layers.crash: Exception reading crashdump: Invalid dump 0x34365544 at file offset 0x0
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in C:\projects\aaaa\bbbbb\symbols, C:\projects\aaaa\bbbbb\python\vendor\volatility3\symbols, C:\projects\aaaa\bbbbb\python\vendor\volatility3\framework\symbols
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in C:\projects\aaaa\bbbbb\symbols, C:\projects\aaaa\bbbbb\python\vendor\volatility3\symbols, C:\projects\aaaa\bbbbb\python\vendor\volatility3\framework\symbols
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
Level 6  volatility3.framework.layers.crash: unsupported dump format 0x6
Level 6  volatility3.framework.layers.crash: Exception reading crashdump: unsupported dump format 0x6
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 5059842478
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
INFO     volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name

Unsatisfied requirement plugins.Info.kernel.layer_name:
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name']

Where we see

Level 6  volatility3.framework.layers.crash: unsupported dump format 0x6
Level 6  volatility3.framework.layers.crash: Exception reading crashdump: unsupported dump format 0x6

sluke-nuix avatar Mar 12 '24 21:03 sluke-nuix

Yep, this is just a partial crashdump, as indicated by unsupported dump format 0x6. Volatility doesn't support partial crashdumps because we can't know what has and hasn't been included. There is a pull request #656 that might be able to get you further because it accepts dump type 0x06 but as I say, a partial memory dump will likely lead to a lot of open bugs that we simply can't help with...

ikelos avatar Mar 13 '24 20:03 ikelos