Vmware vmss file not handled automatically
Hi, I am using Kali Linux on WSL2. I want to use volatility3 to view the dump file from the VM. No plugin works, as it throws two errors at the very bottom of the provided code. I already installed all the symbol tables, but still nothing works.
I've been fighting with this for the third day already... Can someone help, please?
┌──(tosssky㉿TossSky)-[/mnt/c/Low/volatility3]
└─$ python3 vol.py -vvvvvvv -f Target1-1dd8701f.vmss windows.info
Volatility 3 Framework 2.4.2
INFO volatility3.cli: Volatility plugins path: ['/mnt/c/Low/volatility3/volatility3/plugins', '/mnt/c/Low/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/mnt/c/Low/volatility3/volatility3/symbols', '/mnt/c/Low/volatility3/volatility3/framework/symbols']
Level 6 volatility3.framework: Importing from the following paths: /mnt/c/Low/volatility3/volatility3/plugins, /mnt/c/Low/volatility3/volatility3/framework/plugins
Level 6 volatility3.framework: Importing from the following paths: /mnt/c/Low/volatility3/volatility3/framework/automagic
Level 7 volatility3.cli: Cache directory used: /home/tosssky/.cache/volatility3
INFO volatility3.framework.automagic: Detected a windows category plugin
Level 6 volatility3.framework: Importing from the following paths: /mnt/c/Low/volatility3/volatility3/framework/layers
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6 volatility3.framework: Importing from the following paths: /mnt/c/Low/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6 volatility3.framework: Importing from the following paths: /mnt/c/Low/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6 volatility3.framework: Importing from the following paths: /mnt/c/Low/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 6 volatility3.framework: Importing from the following paths: /mnt/c/Low/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 6 volatility3.framework: Importing from the following paths: /mnt/c/Low/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 6 volatility3.framework: Importing from the following paths: /mnt/c/Low/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6 volatility3.framework: Importing from the following paths: /mnt/c/Low/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
Level 6 volatility3.framework.symbols.intermed: Searching for symbols in /mnt/c/Low/volatility3/volatility3/symbols, /mnt/c/Low/volatility3/volatility3/framework/symbols
INFO volatility3.framework.automagic: Running automagic: LayerStacker
Level 6 volatility3.framework: Importing from the following paths: /mnt/c/Low/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 7 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, LeechCoreHandler
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility3.framework.layers.elf: Exception: Bad magic 0xbed2bed2 at file offset 0x0
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6 volatility3.framework.layers.xen: Exception: Bad magic 0xbed2bed2 at file offset 0x0
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
INFO volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Unsatisfied requirement plugins.Info.kernel.layer_name:
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:
A translation layer requirement was not fulfilled. Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The file is a valid memory image and was acquired cleanly
A symbol table requirement was not fulfilled. Please verify that:
The associated translation layer requirement was fulfilled
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name']
Hi there, the first error is kind of what causes the second. The image file you're providing isn't identified as any kind of an image. If the image were valid, and it were of a Windows system, you would expect volatility's layer stacker to have found at least an Intel layer. As you can see from this line (DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']), Volatility has only found the raw file.
If this is a windows vmware image, it may be worth pointing volatility at the vmem file which contains the actual memory. I don't recall whether volatility will find the extra information from a vmss or not, that may be issue #815. If the information in there is necessary, then I'd subscribe to that issue. It is on our radar, but it's a matter of finding time to implement it...
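The "Bad magic 0xbed2bed2 at file offset 0x0" lines in the log are the ELF and Xen stackers reporting the file's first four bytes. The following triage script is an added example, not part of the original thread or of Volatility's code: it checks those bytes against magic values commonly associated with VMware saved-state files and lists the group names in the header. The magic list, the 12-byte header and the 80-byte group record layout are assumptions not stated on the page, and `inspect_state_file` and `build_sample` are hypothetical names.

```python
import struct

# Magic values commonly associated with VMware saved-state files (.vmss/.vmsn).
# Assumption: this list and the layouts below are not stated on the page.
VMWARE_MAGICS = {0xBED2BED0, 0xBAD1BAD1, 0xBED2BED2, 0xBED3BED3}
HEADER = struct.Struct("<III")   # magic, unknown, group count
GROUP = struct.Struct("<64sQQ")  # NUL-padded name, tag offset, unknown


def inspect_state_file(data: bytes, max_groups: int = 256) -> dict:
    """Classify a file by its first bytes and list VMware group names."""
    if len(data) < HEADER.size:
        return {"format": "too short", "magic": None, "groups": []}
    magic, _unknown, count = HEADER.unpack_from(data, 0)
    if magic not in VMWARE_MAGICS:
        return {"format": "unknown", "magic": hex(magic), "groups": []}
    groups = []
    # The count comes from an untrusted file, so bound the loop.
    for i in range(min(count, max_groups)):
        offset = HEADER.size + i * GROUP.size
        if offset + GROUP.size > len(data):
            break  # truncated group table
        raw_name, tag_offset, _ = GROUP.unpack_from(data, offset)
        name = raw_name.split(b"\x00", 1)[0].decode("ascii", "replace")
        groups.append((name, tag_offset))
    return {
        "format": "vmware-state",
        "magic": hex(magic),
        "groups": groups,
        # Heuristic: a group named "memory" suggests RAM is embedded in the file.
        "has_memory_group": any(n.lower() == "memory" for n, _ in groups),
    }


def build_sample() -> bytes:
    """Constructed sample: the magic from the log plus two made-up groups."""
    blob = HEADER.pack(0xBED2BED2, 0, 2)
    blob += GROUP.pack(b"cpu", 0x200, 0)
    blob += GROUP.pack(b"memory", 0x400, 0)
    return blob


if __name__ == "__main__":
    print(inspect_state_file(build_sample()))
    # For a real file, pass its first few KiB, for example:
    # with open("Target1-1dd8701f.vmss", "rb") as f:
    #     print(inspect_state_file(f.read(65536)))
```

A result of `vmware-state` without a `memory` group would suggest that the guest RAM lives in a separate `.vmem` file.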
Understood, thanks. I have only two files, .vmsd and .vmss, related to one dump (and I don't have a .vmem file). So is it better to use volatility ver 2.0, or can it be done somehow through volatility ver 3.0? Can you advise, please? If needed, I can send you these files.
In .vmsd file:
.encoding = "UTF-8"
snapshot.lastUID = "1"
snapshot.current = "1"
snapshot0.uid = "1"
snapshot0.filename = "Target1-Snapshot1.vmsn"
snapshot0.displayName = "pre-hack"
snapshot0.type = "1"
snapshot0.createTimeHigh = "336294"
snapshot0.createTimeLow = "-1123646450"
snapshot0.numDisks = "1"
snapshot0.disk0.fileName = "Target1.vmdk"
snapshot0.disk0.node = "scsi0:0"
snapshot.numSnapshots = "1"
Hiya, at the moment only volatility 2 can handle it, but if you're able to generate example memory images in the VMSS format, then we'll have something to test against and it'll help us add support for the format to volatility 3 more quickly. :) It is something we'd like to support, we just don't have many samples at the moment to run tests against.
This issue is stale because it has been open for 200 days with no activity.
Still working on this, it's just lower down the priority list...