A symbol table requirement was not fulfilled
I am trying to analyse a Windows 10 Enterprise 22H2 (19045-5371) and I am getting the following error messages:

Volatility 3 Framework 2.8.0
Progress: 100.00 PDB scanning finished
Unsatisfied requirement plugins.Lsadump.kernel.symbol_table_name:
A symbol table requirement was not fulfilled. Please verify that:
    The associated translation layer requirement was fulfilled
    You have the correct symbol file for the requirement
    The symbol file is under the correct directory or zip file
    The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.Lsadump.kernel.symbol_table_name']
Hello,
We need much more information to diagnose the issue.
- How was memory acquired?
- Re-run volatility 3 with -vvvvvvv before the plugin name and paste the full command line input/output
- Are you on the latest develop commit?
C:\Users\Andrew Blyth\OneDrive - Andrew Blyth\Desktop>git clone https://github.com/volatilityfoundation/volatility3.git
Cloning into 'volatility3'...
remote: Enumerating objects: 42556, done.
remote: Counting objects: 100% (346/346), done.
remote: Compressing objects: 100% (170/170), done.
Receiving objects: 100% (42556/42556), 8.38 MiB | 4.76 MiB/s, done.d 42210 (from 3)
Resolving deltas: 100% (32744/32744), done.
C:\Users\Andrew Blyth\OneDrive - Andrew Blyth\Desktop>cd volatility3
C:\Users\Andrew Blyth\OneDrive - Andrew Blyth\Desktop\volatility3>ls
API_CHANGES.md doc pyproject.toml vol.py volshell.py CITATION.cff LICENSE.txt README.md vol.spec volshell.spec development MANIFEST.in test volatility3
C:\Users\Andrew Blyth\OneDrive - Andrew Blyth\Desktop\volatility3>python vol.py -vvvv -f ..\raw.raw windows.verinfo.VerInfo
Volatility 3 Framework 2.20.1
INFO volatility3.cli: Volatility plugins path: ['C:\Users\Andrew Blyth\OneDrive - Andrew Blyth\Desktop\volatility3\volatility3\plugins', 'C:\Users\Andrew Blyth\OneDrive - Andrew Blyth\Desktop\volatility3\volatility3\framework\plugins']
INFO volatility3.cli: Volatility symbols path: ['C:\Users\Andrew Blyth\OneDrive - Andrew Blyth\Desktop\volatility3\volatility3\symbols', 'C:\Users\Andrew Blyth\OneDrive - Andrew Blyth\Desktop\volatility3\volatility3\framework\symbols']
INFO volatility3.framework.automagic: Detected a windows category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1ad000
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1ad000
DETAIL 2 volatility3.framework.automagic.stacker: Stacked IntelLayer using WindowsIntelStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name.memory_layer
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo
DEBUG volatility3.framework.automagic.stacker: physical_layer maximum_address: 36230397951
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - testing fixed base address
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf8000de00000
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf807ca18d000
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - optimized scan virtual layer
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - slow scan virtual layer
INFO volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
Unsatisfied requirement plugins.VerInfo.kernel.symbol_table_name:
A symbol table requirement was not fulfilled. Please verify that:
    The associated translation layer requirement was fulfilled
    You have the correct symbol file for the requirement
    The symbol file is under the correct directory or zip file
    The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.VerInfo.kernel.symbol_table_name']
C:\Users\Andrew Blyth\OneDrive - Andrew Blyth\Desktop\volatility3>
A little more context from Slack:
OS in the sample is Windows 10 Enterprise 22H2 (19045-5371)
Originally wasn't using the latest develop commit, but has tried that now and is getting the same error.
The machine should have 32GB of RAM, which matches the size in the logs.
The collection was done with winpmem.
Is trying another image to see if that works. I've also suggested trying surge or dumpit for the collection, to rule out a winpmem issue.
I used dumpit to contract a memory dump and when I ran it on volatility I got the same error message.
It successfully found the intel layer:
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
But is having trouble finding Windows in that virtual layer. It's difficult to diagnose it much further unfortunately. 5:S
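
A small triage helper for this kind of -vvvv output, added here as an example and not part of the thread or of Volatility itself: it reports how far automagic got (layer stacking, DTB, pdbscan) before the symbol table requirement failed. The names `triage` and `diagnose` and the wording of the diagnoses are assumptions of this example; the sample log is constructed from lines quoted above.

```python
import re

# Constructed sample, built from log lines quoted in this thread.
SAMPLE_LOG = """\
INFO volatility3.framework.automagic: Running automagic: LayerStacker
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1ad000
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf8000de00000
INFO volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
Unsatisfied requirement plugins.VerInfo.kernel.symbol_table_name:
"""

# Zero-width split point before each log-level prefix, so a paste that was
# flattened onto one line parses the same way as a line-per-record log.
RECORD = re.compile(r"(?=\b(?:INFO|DEBUG|DETAIL \d) +volatility3\.)")
HEX = r"(0x[0-9a-fA-F]+)"

def triage(log_text):
    """Collect the automagic milestones seen in a Volatility 3 verbose log."""
    r = {"stages": [], "dtb": None, "layers": [], "page_faults": [],
         "pdbscan_failed": False, "unsatisfied": []}
    for rec in RECORD.split(log_text):
        if m := re.search(r"Running automagic: (\w+)", rec):
            r["stages"].append(m.group(1))
        if m := re.search(r"DTB was found at: " + HEX, rec):
            r["dtb"] = int(m.group(1), 16)
        if m := re.search(r"Stacked layers: \[(.*?)\]", rec):
            r["layers"] = re.findall(r"'(\w+)'", m.group(1))
        if m := re.search(r"kernel_virtual_offset caused a page fault: " + HEX, rec):
            r["page_faults"].append(int(m.group(1), 16))
        if "No suitable kernels found during pdbscan" in rec:
            r["pdbscan_failed"] = True
    r["unsatisfied"] = sorted(set(
        re.findall(r"Unsatisfied requirement ([\w.]+):", log_text)))
    return r

def diagnose(r):
    """Map the milestones to the first stage that did not succeed."""
    if "IntelLayer" not in r["layers"]:
        return "no Intel translation layer: check image format and acquisition"
    if r["pdbscan_failed"]:
        return "translation layer built, but pdbscan found no kernel in it"
    if r["unsatisfied"]:
        return "pdbscan reported no failure: check the symbol file and symbols path"
    return "no automagic failure found in log"

if __name__ == "__main__":
    print(diagnose(triage(SAMPLE_LOG)))
```
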