volatility3 icon indicating copy to clipboard operation
volatility3 copied to clipboard
verified publisher icon volatilityfoundation

EOFError: Compressed file ended before the end-of-stream marker was reached

Open lic-8 opened this issue 3 years ago • 1 comments

I have run the folliwing plugins on a simple image: info, pslist, cmdline, hashdump, netstat, netscan, psscan, sessions, malfind. Only pslist worked. The others all gave this error. My memory image file is totally good because it has worked hundreds of times before.

Logs for netstat (the others are the same):

22-08-03 09:20:21 volatility3.cli INFO     Logging started
22-08-03 09:20:21 volatility3.cli INFO     Volatility plugins path: ['C:\\Users\\user\\Downloads\\volatility3-stable\\volatility3\\plugins', 'C:\\Users\\user\\Downloads\\volatility3-stable\\volatility3\\framework\\plugins']
22-08-03 09:20:21 volatility3.cli INFO     Volatility symbols path: ['C:\\Users\\user\\Downloads\\volatility3-stable\\volatility3\\symbols', 'C:\\Users\\user\\Downloads\\volatility3-stable\\volatility3\\framework\\symbols']
22-08-03 09:20:21 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\plugins, C:\Users\user\Downloads\volatility3-stable\volatility3\framework\plugins
22-08-03 09:20:22 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\automagic
22-08-03 09:20:22 volatility3.cli Level 7  Cache directory used: C:\Users\user\.cache\volatility3
22-08-03 09:20:22 volatility3.framework.automagic INFO     Detected a windows category plugin
22-08-03 09:20:22 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:22 volatility3.framework.automagic INFO     Running automagic: ConstructionMagic
22-08-03 09:20:22 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:22 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetScan.kernel
22-08-03 09:20:22 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:22 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetScan.kernel
22-08-03 09:20:22 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:22 volatility3.framework.automagic.construct_layers Level 9  Failed on requirement: plugins.NetScan.kernel
22-08-03 09:20:22 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:22 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetScan.kernel.layer_name
22-08-03 09:20:22 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:22 volatility3.framework.automagic.construct_layers Level 9  Failed on requirement: plugins.NetScan.kernel.layer_name
22-08-03 09:20:22 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetScan.kernel.layer_name
22-08-03 09:20:22 volatility3.framework.automagic.construct_layers Level 9  Failed on requirement: plugins.NetScan.kernel
22-08-03 09:20:22 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:22 volatility3.framework.configuration.requirements Level 9  Symbol table requirement not yet fulfilled: plugins.NetScan.kernel.symbol_table_name
22-08-03 09:20:22 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:22 volatility3.framework.automagic.construct_layers Level 9  Failed on requirement: plugins.NetScan.kernel.symbol_table_name
22-08-03 09:20:22 volatility3.framework.configuration.requirements Level 9  Symbol table requirement not yet fulfilled: plugins.NetScan.kernel.symbol_table_name
22-08-03 09:20:22 volatility3.framework.automagic.construct_layers Level 9  Failed on requirement: plugins.NetScan.kernel
22-08-03 09:20:22 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetScan.kernel
22-08-03 09:20:22 volatility3.framework.automagic.construct_layers Level 9  Failed on requirement: plugins.NetScan
22-08-03 09:20:22 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:22 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:22 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:22 volatility3.framework.automagic INFO     Running automagic: LayerStacker
22-08-03 09:20:22 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:22 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetScan.kernel
22-08-03 09:20:22 volatility3.framework.layers.resources Level 7  Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, LeechCoreHandler
22-08-03 09:20:23 volatility3.framework.automagic.stacker Level 8  Attempting to stack using AVMLStacker
22-08-03 09:20:23 volatility3.framework.automagic.stacker Level 8  Attempting to stack using Elf64Stacker
22-08-03 09:20:23 volatility3.framework.layers.elf Level 6  Exception: Bad magic 0x0 at file offset 0x0
22-08-03 09:20:23 volatility3.framework.automagic.stacker Level 8  Attempting to stack using LimeStacker
22-08-03 09:20:23 volatility3.framework.automagic.stacker Level 8  Attempting to stack using QemuStacker
22-08-03 09:20:23 volatility3.framework.automagic.stacker Level 8  Attempting to stack using WindowsCrashDumpStacker
22-08-03 09:20:23 volatility3.framework.automagic.stacker Level 8  Attempting to stack using VmwareStacker
22-08-03 09:20:23 volatility3.framework.automagic.stacker Level 8  Attempting to stack using WindowsIntelStacker
22-08-03 09:20:23 volatility3.framework.automagic.windows DEBUG    Detecting Self-referential pointer for recent windows
22-08-03 09:20:23 volatility3.framework.automagic.windows DEBUG    DtbSelfRef64bit test succeeded at 0x187000
22-08-03 09:20:23 volatility3.framework.automagic.windows DEBUG    DTB was found at: 0x187000
22-08-03 09:20:23 volatility3.framework.automagic.stacker Level 8  Stacked IntelLayer using WindowsIntelStacker
22-08-03 09:20:23 volatility3.framework.automagic.stacker Level 8  Attempting to stack using AVMLStacker
22-08-03 09:20:23 volatility3.framework.automagic.stacker Level 8  Attempting to stack using Elf64Stacker
22-08-03 09:20:23 volatility3.framework.layers.elf Level 6  Exception: Offset 0x0 does not exist within the base layer
22-08-03 09:20:23 volatility3.framework.automagic.stacker Level 8  Attempting to stack using LimeStacker
22-08-03 09:20:23 volatility3.framework.automagic.stacker Level 8  Attempting to stack using QemuStacker
22-08-03 09:20:23 volatility3.framework.automagic.stacker Level 8  Attempting to stack using WindowsCrashDumpStacker
22-08-03 09:20:23 volatility3.framework.automagic.stacker Level 8  Attempting to stack using VmwareStacker
22-08-03 09:20:23 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetScan.kernel.layer_name
22-08-03 09:20:23 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:23 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetScan.kernel
22-08-03 09:20:23 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:23 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetScan.kernel
22-08-03 09:20:23 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:23 volatility3.framework.automagic.construct_layers Level 9  Failed on requirement: plugins.NetScan.kernel
22-08-03 09:20:23 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:23 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetScan.kernel.layer_name
22-08-03 09:20:23 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:23 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:23 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetScan.kernel.layer_name.memory_layer
22-08-03 09:20:23 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:23 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:23 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:23 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:23 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:23 volatility3.framework.interfaces.configuration Level 9  TypeError - kernel_virtual_offset requirements only accept int type: None
22-08-03 09:20:23 volatility3.framework.interfaces.configuration Level 9  TypeError - kernel_virtual_offset requirements only accept int type: None
22-08-03 09:20:23 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:23 volatility3.framework.interfaces.configuration Level 9  TypeError - kernel_banner requirements only accept str type: None
22-08-03 09:20:23 volatility3.framework.interfaces.configuration Level 9  TypeError - kernel_banner requirements only accept str type: None
22-08-03 09:20:23 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:23 volatility3.framework.configuration.requirements Level 9  Symbol table requirement not yet fulfilled: plugins.NetScan.kernel.symbol_table_name
22-08-03 09:20:23 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:23 volatility3.framework.automagic.construct_layers Level 9  Failed on requirement: plugins.NetScan.kernel.symbol_table_name
22-08-03 09:20:23 volatility3.framework.configuration.requirements Level 9  Symbol table requirement not yet fulfilled: plugins.NetScan.kernel.symbol_table_name
22-08-03 09:20:23 volatility3.framework.automagic.construct_layers Level 9  Failed on requirement: plugins.NetScan.kernel
22-08-03 09:20:23 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetScan.kernel
22-08-03 09:20:23 volatility3.framework.automagic.construct_layers Level 9  Failed on requirement: plugins.NetScan
22-08-03 09:20:23 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:23 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:23 volatility3.framework Level 6  Importing from the following paths: C:\Users\user\Downloads\volatility3-stable\volatility3\framework\layers
22-08-03 09:20:23 volatility3.framework.automagic.stacker DEBUG    Stacked layers: ['IntelLayer', 'FileLayer']
22-08-03 09:20:23 volatility3.framework.automagic INFO     Running automagic: WinSwapLayers
22-08-03 09:20:23 volatility3.framework.automagic INFO     Running automagic: KernelPDBScanner
22-08-03 09:20:23 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetScan.kernel
22-08-03 09:20:23 volatility3.framework.configuration.requirements Level 9  Symbol table requirement not yet fulfilled: plugins.NetScan.kernel.symbol_table_name
22-08-03 09:20:23 volatility3.framework.configuration.requirements Level 9  Symbol table requirement not yet fulfilled: plugins.NetScan.kernel.symbol_table_name
22-08-03 09:20:23 volatility3.framework.automagic.pdbscan DEBUG    Kernel base determination - searching layer module list structure
22-08-03 09:20:23 volatility3.framework.automagic.pdbscan DEBUG    Setting kernel_virtual_offset to 0xf80002655000
22-08-03 09:20:23 volatility3.framework.symbols.intermed Level 6  Searching for symbols in C:\Users\user\Downloads\volatility3-stable\volatility3\symbols, C:\Users\user\Downloads\volatility3-stable\volatility3\framework\symbols
22-08-03 09:20:23 volatility3.framework.symbols.windows.pdbutil DEBUG    Using symbol library: ntkrnlmp.pdb\3844DBB920174967BE7AA4A2C20430FA-2
22-08-03 09:20:23 volatility3.framework.automagic INFO     Running automagic: KernelModule
22-08-03 09:20:23 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetScan.kernel
22-08-03 09:20:23 volatility3.framework.configuration.requirements Level 9  Symbol table requirement not yet fulfilled: plugins.NetScan.kernel.symbol_table_name
22-08-03 09:20:23 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetScan.kernel
22-08-03 09:20:23 volatility3.framework.plugins WARNING  Automagic exception occurred: EOFError: Compressed file ended before the end-of-stream marker was reached
22-08-03 09:20:23 volatility3.framework.plugins Level 9  Traceback (most recent call last):
  File "C:\Users\user\Downloads\volatility3-stable\volatility3\framework\automagic\__init__.py", line 133, in run
    automagic(context, config_path, requirement, progress_callback)
  File "C:\Users\user\Downloads\volatility3-stable\volatility3\framework\automagic\pdbscan.py", line 335, in __call__
    self.recurse_symbol_fulfiller(context, valid_kernel, progress_callback)
  File "C:\Users\user\Downloads\volatility3-stable\volatility3\framework\automagic\pdbscan.py", line 110, in recurse_symbol_fulfiller
    progress_callback = progress_callback)
  File "C:\Users\user\Downloads\volatility3-stable\volatility3\framework\symbols\windows\pdbutil.py", line 106, in load_windows_symbol_table
    requirement.construct(context, parent_config_path)
  File "C:\Users\user\Downloads\volatility3-stable\volatility3\framework\configuration\requirements.py", line 376, in construct
    obj = self._construct_class(context, config_path, args)
  File "C:\Users\user\Downloads\volatility3-stable\volatility3\framework\interfaces\configuration.py", line 600, in _construct_class
    obj = cls(**requirement_dict)
  File "C:\Users\user\Downloads\volatility3-stable\volatility3\framework\symbols\windows\__init__.py", line 13, in __init__
    super().__init__(*args, **kwargs)
  File "C:\Users\user\Downloads\volatility3-stable\volatility3\framework\symbols\intermed.py", line 107, in __init__
    json_object = json.load(reader(fp))  # type: ignore
  File "C:\Users\user\AppData\Local\Programs\Python\Python37\lib\json\__init__.py", line 293, in load
    return loads(fp.read(),
  File "C:\Users\user\AppData\Local\Programs\Python\Python37\lib\codecs.py", line 496, in read
    newdata = self.stream.read()
  File "C:\Users\user\AppData\Local\Programs\Python\Python37\lib\lzma.py", line 200, in read
    return self._buffer.read(size)
  File "C:\Users\user\AppData\Local\Programs\Python\Python37\lib\_compression.py", line 99, in read
    raise EOFError("Compressed file ended before the "
EOFError: Compressed file ended before the end-of-stream marker was reached

lic-8 avatar Aug 03 '22 08:08 lic-8

Hi there, please could you check for a symbol file called ntkrnlmp.pdb\3844DBB920174967BE7AA4A2C20430FA-2.json.xz and verify that it is a valid .xz file? Please also try running with the --clear-cache option in case your cache has become corrupted in some way. It would also be useful to have included the first line of the output, so we know which version of volatility was in use at the time.

Once you've tried those let us know and we can look into it further if that's still an issue.

ikelos avatar Aug 03 '22 10:08 ikelos

This issue is stale because it has been open for 200 days with no activity.

github-actions[bot] avatar Aug 19 '23 01:08 github-actions[bot]

This issue was closed because it has been inactive for 60 days since being marked as stale.

github-actions[bot] avatar Oct 18 '23 01:10 github-actions[bot]