Volatility was not able to analyse memory dumps created from Windows 11 machine

Open pranithchalla opened this issue 7 months ago • 7 comments

Describe the bug
I have created a memory dump of my system running Windows 11 using MagnetRamCapture/DumpIt and tried to fetch pslist from the dump using Volatility3, but unfortunately it was failing with the error: Unable to validate the plugin requirements: ['plugins.PsList.kernel.symbol_table_name']

Context
Volatility Version: 2.26.2
Operating System: Windows 11 23H2
Python Version: 3.10.8
Suspected Operating System: Windows 11 23H2
Command: windows.pslist

To Reproduce

  • Capture a memory dump of a Windows 11 machine using Magnet RAM Capture or DumpIt.
  • Run Volatility with any of the plugins, e.g. windows.pslist, against the dump.
  • The error is as follows:

PS C:\source\volatility3> python vol.py -v --clear-cache -f mydump.raw windows.pslist
Volatility 3 Framework 2.26.2
INFO volatility3.cli: Volatility plugins path: ['C:\source\volatility3\volatility3\plugins', 'C:\source\volatility3\volatility3\framework\plugins']
INFO volatility3.cli: Volatility symbols path: ['C:\source\volatility3\volatility3\symbols', 'C:\source\volatility3\volatility3\framework\symbols']
INFO volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.linux.vmayarascan, volatility3.plugins.windows.cachedump, volatility3.plugins.windows.direct_system_calls, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.indirect_system_calls, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.mftscan, volatility3.plugins.windows.registry.cachedump, volatility3.plugins.windows.registry.hashdump, volatility3.plugins.windows.registry.lsadump, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
INFO volatility3.framework.automagic: Detected a windows category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO volatility3.framework.automagic: Running automagic: LayerStacker
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
INFO volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule

Unsatisfied requirement plugins.PsList.kernel.symbol_table_name:

A symbol table requirement was not fulfilled. Please verify that:
  • The associated translation layer requirement was fulfilled
  • You have the correct symbol file for the requirement
  • The symbol file is under the correct directory or zip file
  • The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsList.kernel.symbol_table_name']

Expected behavior
I would expect Volatility to analyze the dump and give me the results for the given plugin.

Additional information
This works fine if I use a dump generated from a Windows 10 machine.

pranithchalla, May 10 '25 12:05

Could you share a full log with -vvvvv please. E.g. lots of verbose flags not just one.

Is it by any chance using the new compressed format they offer? https://github.com/volatilityfoundation/volatility3/issues/1325

eve-mem, May 10 '25 13:05

PS C:\source\volatility3> python .\vol.py -vvvvv -f C:\Work\PCI_Phase_2\WP\emv_sale_host.raw windows.pslist
Volatility 3 Framework 2.26.2
INFO volatility3.cli: Volatility plugins path: ['C:\source\volatility3\volatility3\plugins', 'C:\source\volatility3\volatility3\framework\plugins']
INFO volatility3.cli: Volatility symbols path: ['C:\source\volatility3\volatility3\symbols', 'C:\source\volatility3\volatility3\framework\symbols']
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.registry.lsadump based on file: C:\source\volatility3\volatility3\framework\plugins\windows\registry\lsadump.py
INFO volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.linux.vmayarascan, volatility3.plugins.windows.cachedump, volatility3.plugins.windows.direct_system_calls, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.indirect_system_calls, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.mftscan, volatility3.plugins.windows.registry.cachedump, volatility3.plugins.windows.registry.hashdump, volatility3.plugins.windows.registry.lsadump, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
DETAIL 3 volatility3.cli: Cache directory used: C:\Users\vc185093\AppData\Roaming\volatility3
INFO volatility3.framework.automagic: Detected a windows category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
DETAIL 3 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler
DETAIL 2 volatility3.framework.automagic.symbol_cache: Identified file:///C:/source/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/F7A650706A45CBE2B2673DE5EE5111D1-1.json.xz as b'ntkrnlmp.pdb|F7A650706A45CBE2B2673DE5EE5111D1|1'
INFO volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1ae000
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1ae000
DETAIL 2 volatility3.framework.automagic.stacker: Stacked IntelLayer using WindowsIntelStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
DEBUG volatility3.framework.automagic.stacker: physical_layer maximum_address: 35961962495
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - testing fixed base address
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf80124800000
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - optimized scan virtual layer
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - slow scan virtual layer
INFO volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

Unsatisfied requirement plugins.PsList.kernel.symbol_table_name:

A symbol table requirement was not fulfilled. Please verify that:
  • The associated translation layer requirement was fulfilled
  • You have the correct symbol file for the requirement
  • The symbol file is under the correct directory or zip file
  • The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsList.kernel.symbol_table_name']

pranithchalla, May 10 '25 14:05
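A verbose volatility3 log is long and repetitive, and the lines that decide this kind of failure are only a handful: did a stacker build a translation layer, was a DTB found, did KernelPDBScanner locate a kernel, and which local symbol files the cache recognised. The script below is an added example, not volatility3 code and not from anyone in this thread; it parses a -vvvvv log into exactly those facts and names the first automagic stage that produced no result. The embedded SAMPLE_LOG is a constructed excerpt modelled on the log above (same record shape, GUID and paths as posted); the message patterns it matches are taken from that log, and the stage names in failed_stage are this example's own labels.

```python
import ast
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt in the "LEVEL logger: message" shape volatility3 prints with
# -vvvvv, modelled on the log pasted in this thread, plus the closing error lines.
SAMPLE_LOG = """\
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
DETAIL 2 volatility3.framework.automagic.symbol_cache: Identified file:///C:/source/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/F7A650706A45CBE2B2673DE5EE5111D1-1.json.xz as b'ntkrnlmp.pdb|F7A650706A45CBE2B2673DE5EE5111D1|1'
INFO volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1ae000
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1ae000
DETAIL 2 volatility3.framework.automagic.stacker: Stacked IntelLayer using WindowsIntelStacker
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf80124800000
INFO volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan

Unsatisfied requirement plugins.PsList.kernel.symbol_table_name:

Unable to validate the plugin requirements: ['plugins.PsList.kernel.symbol_table_name']
"""

# One log record per line: level, logger name, message.
RECORD_RE = re.compile(r"^(INFO|DEBUG|WARNING|ERROR|DETAIL \d+)\s+(?P<logger>\S+):\s+(?P<msg>.*)$")
STACKED_RE = re.compile(r"^Stacked (\S+) using (\S+)$")
DTB_RE = re.compile(r"^DTB was found at: (0x[0-9a-fA-F]+)$")
LAYERS_RE = re.compile(r"^Stacked layers: (\[.*\])$")
SYMBOL_RE = re.compile(r"^Identified (\S+) as b'([^']+)'$")
PAGEFAULT_RE = re.compile(r"caused a page fault: (0x[0-9a-fA-F]+)$")
UNSAT_RE = re.compile(r"^Unsatisfied requirement (\S+):$")
PDBSCAN_FAIL = "No suitable kernels found during pdbscan"


@dataclass
class Triage:
    stacker: Optional[str] = None          # stacker that built the virtual layer
    dtb: Optional[int] = None              # directory table base from the self-ref scan
    layers: List[str] = field(default_factory=list)
    page_faults: List[int] = field(default_factory=list)   # kernel-base candidates that faulted
    pdbscan_failed: bool = False           # explicit "No suitable kernels" verdict seen
    symbol_files: Dict[str, str] = field(default_factory=dict)  # "pdb|GUID|age" -> URL
    unsatisfied: List[str] = field(default_factory=list)

    def failed_stage(self) -> str:
        """Name the first automagic stage the log shows as not producing a result."""
        if self.stacker is None:
            return "layer stacking"        # no translation layer: dump format not understood
        if self.pdbscan_failed:
            return "kernel PDB scan"       # layer is fine, but no kernel PDB signature located
        if self.unsatisfied:
            return "symbol table lookup"   # kernel found, but no ISF file for its GUID/age
        return "none"


def triage(log_text: str) -> Triage:
    """Reduce a -vvvvv log to the facts that explain a symbol_table_name failure."""
    t = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = UNSAT_RE.match(line)
        if m:                              # not a log record: the final requirement report
            t.unsatisfied.append(m.group(1))
            continue
        rec = RECORD_RE.match(line)
        if rec is None:
            continue                       # prompt, banner, blank or truncated line
        msg = rec.group("msg")
        if (m := STACKED_RE.match(msg)):
            t.stacker = m.group(2)
        elif (m := DTB_RE.match(msg)):
            t.dtb = int(m.group(1), 16)
        elif (m := LAYERS_RE.match(msg)):
            t.layers = list(ast.literal_eval(m.group(1)))
        elif (m := SYMBOL_RE.match(msg)):
            t.symbol_files[m.group(2)] = m.group(1)
        elif (m := PAGEFAULT_RE.search(msg)):
            t.page_faults.append(int(m.group(1), 16))
        elif msg == PDBSCAN_FAIL:
            t.pdbscan_failed = True
    return t


def summary(t: Triage) -> List[str]:
    """Human-readable lines for the analyst; the Triage object holds the raw facts."""
    return [
        f"stacker: {t.stacker or 'none'}",
        f"DTB: {hex(t.dtb) if t.dtb is not None else 'not found'}",
        f"layers: {', '.join(t.layers) or 'none'}",
        f"pdbscan: {'no kernel found' if t.pdbscan_failed else 'no failure reported'}",
        f"page faults during kernel base search: {', '.join(hex(p) for p in t.page_faults) or 'none'}",
        f"local symbol files recognised: {len(t.symbol_files)}",
        f"unsatisfied requirements: {', '.join(t.unsatisfied) or 'none'}",
        f"failed stage: {t.failed_stage()}",
    ]


if __name__ == "__main__":
    print("\n".join(summary(triage(SAMPLE_LOG))))
```

Run against the log posted above, the summary comes out as: stacker WindowsIntelStacker, DTB 0x1ae000, layers IntelLayer and FileLayer, pdbscan no kernel found, failed stage "kernel PDB scan". That is the useful reading of this thread's log: the dump format is readable and the page tables were found, so the "translation layer requirement" bullet in the error is satisfied; what never happens is the kernel PDB scan producing a GUID/age, so there is nothing for the symbol lookup to match the one locally cached ntkrnlmp.pdb file against.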

Thanks for this, it looks like vol is finding most of the bits it needs but is still failing. I'm not clear why at the moment, hopefully someone else will spot it. Is it possible you could share the sample?

eve-mem, May 10 '25 14:05

> Thanks for this, it looks like vol is finding most of the bits it needs but is still failing. I'm not clear why at the moment, hopefully someone else will spot it. Is it possible you could share the sample?

Unfortunately I cannot share the dump file; we discarded them yesterday since they are not useful. You can probably reproduce it easily by just capturing a memory dump of any Win 11 machine via Magnet RAM Capture and analysing it via Volatility.

pranithchalla, May 11 '25 04:05

Thanks, good to know. Having deleted it might make any bug fixes difficult to test. Let's see if the core devs can spot the problem.

eve-mem, May 11 '25 06:05

I am also facing the same issue. Volatility is not processing Windows 11 23H2. By when can we expect a patch or an update on this issue?

QXJ6YW4, Sep 03 '25 07:09

@QXJ6YW4 are you able to make an issue with the logs required for debugging? That'll allow someone to properly diagnose the issue with your sample.

eve-mem, Sep 03 '25 08:09