
airgapped machine does not work with download zip file symbols

Open fpusersuggest opened this issue 4 years ago • 2 comments

Describe the bug: I have a volatility3 zip file downloaded onto an airgapped machine, but volatility doesn't find the symbols zip file.

Context
Volatility Version: 1.0.1
Operating System: linux ubuntu
Python Version: 3.8.5
Suspected Operating System: windows10
Command: ./vol.py -f myimage windows.pslist.PsList

To Reproduce: Steps to reproduce the behavior: I downloaded the volatility3 zip file and the windows.zip file from the infected machine and copied all of it to the airgapped machine. I copied the symbols file into the volatility3/symbols directory. I have also tried creating a new directory, copying the zip file into it and using -s mytestdirectory, but it does not work.

If I use the -v flag I see the following message in the debug log: python3 ./pdbconv.py -p ntkrnlmp.pdb -g F923DA2D238E7C7CE180B962B19A37811 I tried to run it but it doesn't work because python needs volatility3 installed in a system-wide way.

fpusersuggest avatar May 20 '21 03:05 fpusersuggest

Hello, I tried also in the following way:

myuser@mypc8:~/tmp/volatility3$ PYTHONPATH="." python3 volatility3/framework/symbols/windows/pdbconv.py -p ntkrnlmp.pdb -g F923DA2D238E7C7CE180B962B19A37811
Traceback (most recent call last):wnloading http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/F923DA2D238E7C7CE180B962B19A37811/ntkrnlmp.pdb
  File "volatility3/framework/symbols/windows/pdbconv.py", line 1025, in <module>
    convertor = PdbReader(ctx, location, database_name = args.pattern, progress_callback = pg_cb)
  File "volatility3/framework/symbols/windows/pdbconv.py", line 267, in __init__
    self._layer_name, self._context = self.load_pdb_layer(context, location)
  File "volatility3/framework/symbols/windows/pdbconv.py", line 317, in load_pdb_layer
    msf_layer.read_streams()
  File "/home/myuser/tmp/volatility3/volatility3/framework/layers/msf.py", line 67, in read_streams
    [x for x in root_pages])
  File "/home/myuser/tmp/volatility3/volatility3/framework/layers/msf.py", line 67, in <listcomp>
    [x for x in root_pages])
  File "/usr/lib/python3.8/_collections_abc.py", line 874, in __iter__
    v = self[i]
  File "/home/myuser/tmp/volatility3/volatility3/framework/objects/__init__.py", line 617, in __getitem__
    result += [self.vol.subtype(context = self._context, object_info = object_info)]
  File "/home/myuser/tmp/volatility3/volatility3/framework/objects/templates.py", line 72, in __call__
    return self.vol.object_class(context = context, object_info = object_info, **arguments)
  File "/home/myuser/tmp/volatility3/volatility3/framework/objects/__init__.py", line 121, in __new__
    value = cls._unmarshall(context, data_format, object_info)
  File "/home/myuser/tmp/volatility3/volatility3/framework/objects/__init__.py", line 143, in _unmarshall
    data = context.layers.read(object_info.layer_name, object_info.offset, data_format.length)
  File "/home/myuser/tmp/volatility3/volatility3/framework/interfaces/layers.py", line 551, in read
    return self[layer].read(offset, length, pad)
  File "/home/myuser/tmp/volatility3/volatility3/framework/layers/linear.py", line 47, in read
    output += [self._context.layers.read(layer, mapped_offset, mapped_length, pad)]
  File "/home/myuser/tmp/volatility3/volatility3/framework/interfaces/layers.py", line 551, in read
    return self[layer].read(offset, length, pad)
  File "/home/myuser/tmp/volatility3/volatility3/framework/layers/linear.py", line 47, in read
    output += [self._context.layers.read(layer, mapped_offset, mapped_length, pad)]
  File "/home/myuser/tmp/volatility3/volatility3/framework/interfaces/layers.py", line 551, in read
    return self[layer].read(offset, length, pad)
  File "/home/myuser/tmp/volatility3/volatility3/framework/layers/physical.py", line 143, in read
    raise exceptions.InvalidAddressException(self.name, invalid_address,
volatility3.framework.exceptions.InvalidAddressException: Offset outside of the buffer boundaries

fpusersuggest avatar May 20 '21 18:05 fpusersuggest

Hi there, it sounds as though the windows.zip file doesn't contain the JSON file you need? Please note that for windows JSON files, the filename and directory that it lives in within the symbols directory is important. In this instance, it will look for a file in volatility/symbols/windows/ntkrnlmp.pdb/F923DA2D238E7C7CE180B962B19A3781-1.json (or .json.xz). Within the zipfile, the JSON must also be in a directory called ntkrnlmp.pdb with the correct filename. You can see which symbols volatility is able to load using the isfinfo plugin.

ikelos avatar May 23 '21 15:05 ikelos
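The layout rule in the reply above (windows/<pdbname>/<GUID>-<AGE>.json or .json.xz, with the JSON inside a directory named after the PDB) is easy to get wrong when a symbol pack is re-zipped by hand for an airgapped box. The script below is an added example, not part of volatility3 or of this thread: it inspects a symbol zip offline and reports whether the file the framework will look for is present, or is present under the wrong path (the common "zipped it flat" mistake). It assumes the official pack layout with a top-level windows/ directory inside the zip, splits the combined value given to pdbconv -g into a 32-hex-digit GUID plus trailing age, and builds its sample zips in memory, so it needs no network and no Volatility install.

```python
"""Offline sanity check for a volatility3 Windows symbol pack.

Added example (not volatility3's own code). Assumes the pack layout
windows/<pdbname>/<GUID>-<AGE>.json[.xz] that the official windows.zip uses.
"""
import io
import re
import sys
import zipfile
from pathlib import PurePosixPath
from typing import Dict, List, Tuple

# The value passed to `pdbconv.py -g` is the 32-hex-digit GUID immediately
# followed by the decimal age; volatility3 separates them with "-" on disk.
GUID_AGE_RE = re.compile(r"^([0-9A-Fa-f]{32})(\d+)$")


def split_guid_age(guid_age: str) -> Tuple[str, str]:
    """Split 'GUIDAGE' into ('GUID', 'AGE'); GUID is normalised to upper case."""
    m = GUID_AGE_RE.match(guid_age)
    if not m:
        raise ValueError("expected 32 hex digits followed by an age: %r" % guid_age)
    return m.group(1).upper(), m.group(2)


def expected_symbol_paths(pdb_name: str, guid_age: str) -> List[str]:
    """Relative paths (inside the symbols dir or the zip) that will be tried."""
    guid, age = split_guid_age(guid_age)
    base = "windows/%s/%s-%s" % (pdb_name, guid, age)
    return [base + ".json", base + ".json.xz"]


def check_symbol_zip(zip_bytes: bytes, pdb_name: str, guid_age: str) -> Dict[str, List[str]]:
    """Report exact hits, misplaced copies, and every windows/ entry in the zip."""
    wanted = expected_symbol_paths(pdb_name, guid_age)
    wanted_names = {PurePosixPath(p).name for p in wanted}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [n for n in zf.namelist() if not n.endswith("/")]
    found = [m for m in members if m in wanted]
    # Right filename, wrong directory: the JSON was not placed under <pdbname>/.
    misplaced = [m for m in members
                 if PurePosixPath(m).name in wanted_names and m not in wanted]
    available = sorted(m for m in members if m.startswith("windows/"))
    return {"found": found, "misplaced": misplaced, "available": available}


def build_sample_zip(layout: Dict[str, bytes]) -> bytes:
    """Construct an in-memory zip from {member_path: content} (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in layout.items():
            zf.writestr(name, data)
    return buf.getvalue()


def describe(report: Dict[str, List[str]]) -> str:
    """Human-readable verdict for a check_symbol_zip() report."""
    if report["found"]:
        return "OK: " + ", ".join(report["found"])
    if report["misplaced"]:
        return ("MISPLACED (must live under windows/<pdbname>/): "
                + ", ".join(report["misplaced"]))
    return "MISSING: no matching JSON in the zip"


if __name__ == "__main__":
    # Usage: check_symbols.py windows.zip ntkrnlmp.pdb F923DA2D238E7C7CE180B962B19A37811
    if len(sys.argv) != 4:
        sys.exit("usage: %s <symbols.zip> <pdbname> <GUIDAGE>" % sys.argv[0])
    with open(sys.argv[1], "rb") as fh:
        rep = check_symbol_zip(fh.read(), sys.argv[2], sys.argv[3])
    print(describe(rep))
    for entry in rep["available"]:
        print("  ", entry)
```

Run it against the copied windows.zip with the PDB name and GUID/age from the debug log before transferring the pack; a MISPLACED verdict means the JSON exists but needs to be re-zipped under the ntkrnlmp.pdb directory, and the "available" listing gives a rough offline equivalent of what isfinfo would show.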

This issue is stale because it has been open for 200 days with no activity.

github-actions[bot] avatar Oct 26 '23 01:10 github-actions[bot]

This issue was closed because it has been inactive for 60 days since being marked as stale.

github-actions[bot] avatar Dec 25 '23 01:12 github-actions[bot]