
Can't process a Windows 10 64bit Crash Dump #1112

Open
sluke-nuix opened this issue Mar 11, 2024 · 9 comments

Comments


sluke-nuix commented Mar 11, 2024

Describe the bug
I am trying to analyze a memory DMP file generated from Microsoft's 'NotMyFault' tool, but it consistently fails with:

Unsatisfied requirement plugins.Info.kernel.layer_name:
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name']

Context
Volatility Version: Volatility 3 Framework 2.7.0
Operating System: Windows 10 x64
Python Version: Python 3.12.0
Suspected Operating System: Windows 10 x64 (same computer)
Command: vol.py windows.info and vol.py windows.pslist

To Reproduce
Steps to reproduce the behavior:

Warning: this will actually cause a bluescreen / crash. Don't do it until you are ready!!
Generate a Windows crash dump with the Sysinternals NotMyFault tool (https://learn.microsoft.com/en-us/sysinternals/downloads/notmyfault). Then follow the commands below:

  1. Use command %py_cmd% vol.py -vvvvvvv -f C:\projects\aaaa\bbbbb\MEMORY.DMP windows.info
  2. See described above.

Expected behavior
For windows.info, I would expect a formatted output describing the memory dump file. For windows.pslist I would expect there to be a process list table.

Example output

This is the file type:

> file C:/projects/aaaa/bbbbb/MEMORY.DMP
C:/projects/aaaa/bbbbb/MEMORY.DMP: MS Windows 64bit crash dump, version 15.22000, 20 processors, kernel dump, 4992030524978970960 pages

I know from other questions here that minidumps aren't supported. The website (the FAQ) says crash dumps are.

I also already have the symbols for Windows:

> tree .\volatility3\symbols
Folder PATH listing for volume OS
Volume serial number is 18BA-94DA
C:\DevRepo\bbbbb\CODE\VOLATILITY3\VOLATILITY3\SYMBOLS
├───windows
│   ├───ntkrnlmp.pdb
│   └───windows
│       ├───ntkrnlmp.pdb
│       ├───ntkrnlpa.pdb
│       ├───ntkrpamp.pdb
│       └───ntoskrnl.pdb
└───__pycache__

When I run the command I get this output:

> %py_cmd% vol.py -vvvvvvv -f C:\projects\aaaa\bbbbb\MEMORY.DMP windows.info
Volatility 3 Framework 2.7.0
INFO     volatility3.cli: Volatility plugins path: ['C:\\DevRepo\\bbbbb\\code\\volatility3\\volatility3\\plugins', 'C:\\DevRepo\\bbbbb\\code\\volatility3\\volatility3\\framework\\plugins']
INFO     volatility3.cli: Volatility symbols path: ['C:\\DevRepo\\bbbbb\\code\\volatility3\\volatility3\\symbols', 'C:\\DevRepo\\bbbbb\\code\\volatility3\\volatility3\\framework\\symbols']
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\plugins, C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\plugins
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\automagic
Level 7  volatility3.cli: Cache directory used: C:\Users\sluke01\AppData\Roaming\volatility3
INFO     volatility3.framework.automagic: Detected a windows category plugin
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in C:\DevRepo\bbbbb\code\volatility3\volatility3\symbols, C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\symbols
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 7  volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, S3FileSystemHandler, GSFileSystemHandler, LeechCoreHandler
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0x45474150 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Bad magic 0x45474150 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in C:\DevRepo\bbbbb\code\volatility3\volatility3\symbols, C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\symbols
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in C:\DevRepo\bbbbb\code\volatility3\volatility3\symbols, C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\symbols
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
Level 6  volatility3.framework.layers.crash: unsupported dump format 0x6
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 5059842478
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
INFO     volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name

Unsatisfied requirement plugins.Info.kernel.layer_name:
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name']

Additional information
If I run the same command using a .raw file generated from winpmem I get appropriate outputs for both windows.info and windows.pslist.

@sluke-nuix (Author)

A few extra comments:

  • The DMP file is initially un-readable by normal users, but before running these tests I ensured it was read/writable by the user running the test
  • The tests were also run with the command line launched with admin permissions with no difference


ikelos commented Mar 11, 2024

Hi, volatility 3 doesn't read pdb files directly, they need converting into JSON, but volatility should have found a windows signature and generated it automatically if you were providing a raw memory file. Instead, you appear to have provided a MS Windows 64bit crash dump which apparently our crashdump reader can't handle. We do support the crashdump format, but only specific dump types (i.e., not partial dumps, only complete memory dumps).

Apparently we currently suppress Format exceptions, rather than reporting on them (which isn't right), but my guess would be that your crashdump file isn't the right format...


ikelos commented Mar 11, 2024

I've just pushed a new commit (9edf33b7) that should improve debugging output with -vvvvvvv to tell you why the crashdump format isn't supported.

@sluke-nuix (Author)

volatility 3 doesn't read pdb files directly, they need converting into JSON

Sorry, I guess the tree command isn't clear here. It actually lists only the directories; under the .pdb directories are all the .json files that were generated. It was a long list of json files, so I didn't want to spam the text with something that listed them (which is why I used tree instead of dir /s).

I will try the new version to see if it is clearer. Thanks.

@sluke-nuix (Author)

New (partial) log output:

First, during processing I get lots of lines like this:
Level 8 volatility3.framework.automagic.symbol_cache: Identified file:///C:/DevRepo/bbbbb/code/volatility3/volatility3/symbols/windows/windows/ntkrnlpa.pdb/E086B943FAE142BEBD7E5F280ADF1458-5.json.xz as b'ntkrnlpa.pdb|E086B943FAE142BEBD7E5F280ADF1458|5'

With occasional lines like this:
Level 6 volatility3.framework.automagic.symbol_cache: No identifier found for file:///C:/DevRepo/bbbbb/code/volatility3/volatility3/framework/symbols/windows/netscan/netscan-win10-15063-x86.json

Below is the interesting part:

INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0x45474150 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Bad magic 0x45474150 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 7  volatility3.framework.automagic.stacker: Exception during stacking: catching classes that do not inherit from BaseException is not allowed
Level 6  volatility3.framework.automagic.stacker: Traceback (most recent call last):

  File "C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers\crash.py", line 265, in stack
    layer.check_header(context.layers[layer_name])

  File "C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers\crash.py", line 232, in check_header
    raise WindowsCrashDumpFormatException(

volatility3.framework.layers.crash.WindowsCrashDumpFormatException: Invalid dump 0x34365544 at file offset 0x0


During handling of the above exception, another exception occurred:


Traceback (most recent call last):

  File "C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\automagic\stacker.py", line 216, in stack_layer
    new_layer = stacker.stack(context, initial_layer, progress_callback)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  File "C:\DevRepo\bbbbb\code\volatility3\volatility3\framework\layers\crash.py", line 271, in stack
    except (WindowsCrashDump32Layer, WindowsCrashDump64Layer) as excp:

TypeError: catching classes that do not inherit from BaseException is not allowed

Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 5059842478
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
INFO     volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name

Unsatisfied requirement plugins.Info.kernel.layer_name:
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name']

I guess the important parts are the Bad magic 0x45474150 at file offset 0x0 and Invalid dump 0x34365544 at file offset 0x0. But also interesting is the part that follows: TypeError: catching classes that do not inherit from BaseException is not allowed.

Still, that isn't pertinent to this. I guess the "Invalid dump" supports your statement that this is a non-supported dump file, and I will have to use a different means to generate it. Thanks.


ikelos commented Mar 12, 2024

Sorry, some of that was a slight mistake on my part, you should probably give it another go, the error above was likely from attempting to stack the 32-bit crash dump layer (which expects the start bytes to be DUMP). It should've gotten past that but my mistake made it throw an error. The actual header is DU64, which we are supposed to support, so that's probably not where the problem lies...

@ikelos ikelos reopened this Mar 12, 2024

ikelos commented Mar 12, 2024

Commit 8dbc64f4 should function better (and hopefully will tell you why it's not happy). The "bad magic" messages are from the Elf and XenCore stackers, so they can be safely ignored.

@sluke-nuix (Author)

Here are the latest results (cut to after the JSON file parsing):

INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: C:\projects\aaaa\bbbbb\python\vendor\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0x45474150 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Bad magic 0x45474150 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 6  volatility3.framework.layers.crash: Exception reading crashdump: Invalid dump 0x34365544 at file offset 0x0
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in C:\projects\aaaa\bbbbb\symbols, C:\projects\aaaa\bbbbb\python\vendor\volatility3\symbols, C:\projects\aaaa\bbbbb\python\vendor\volatility3\framework\symbols
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in C:\projects\aaaa\bbbbb\symbols, C:\projects\aaaa\bbbbb\python\vendor\volatility3\symbols, C:\projects\aaaa\bbbbb\python\vendor\volatility3\framework\symbols
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
Level 6  volatility3.framework.layers.crash: unsupported dump format 0x6
Level 6  volatility3.framework.layers.crash: Exception reading crashdump: unsupported dump format 0x6
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 5059842478
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
INFO     volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name

Unsatisfied requirement plugins.Info.kernel.layer_name:
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name']

Where we see

Level 6  volatility3.framework.layers.crash: unsupported dump format 0x6
Level 6  volatility3.framework.layers.crash: Exception reading crashdump: unsupported dump format 0x6


ikelos commented Mar 13, 2024

Yep, this is just a partial crashdump, as indicated by unsupported dump format 0x6. Volatility doesn't support partial crashdumps because we can't know what has and hasn't been included. There is a pull request #656 that might be able to get you further because it accepts dump type 0x06 but as I say, a partial memory dump will likely lead to a lot of open bugs that we simply can't help with...
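The thread's diagnosis rests on two header fields that can be checked without Volatility at all: the magic at offset 0 (the Elf and Xen stackers report it as 0x45474150, which is just the bytes "PAGE" read little-endian, and the crash layer reports 0x34365544, the bytes "DU64") and the DumpType field, which is 0x6 for this file. The script below is an added example, not code from this issue or from the Volatility project, that reads those fields from a crash dump header so an analyst can tell a complete dump from a partial one before trying to analyse it. The header offsets (DumpType at 0xF88 in the 32-bit DUMP_HEADER and 0xF98 in the 64-bit DUMP_HEADER64, MachineImageType and NumberProcessors at 0x20/0x24 and 0x30/0x34) and the DumpType names follow the public Windows layout as I know it and are assumptions here; treating only types 0x1 and 0x5 as complete memory dumps is likewise my assumption, the thread only establishes that 0x6 is partial. The sample header is constructed, modelled on the version and processor count the `file` command printed above.

```python
import struct
import sys

# Assumed header layouts (public Windows DUMP_HEADER / DUMP_HEADER64 structures,
# not taken from this issue). Offsets are byte offsets into the file.
HEADER_LAYOUT = {
    b"DUMP": {"bits": 32, "size": 0x1000, "machine": 0x20, "processors": 0x24, "dump_type": 0xF88},
    b"DU64": {"bits": 64, "size": 0x2000, "machine": 0x30, "processors": 0x34, "dump_type": 0xF98},
}

# DumpType values as documented in the Windows SDK (assumption). 0x6 is the value
# Volatility 3 rejected in this thread as a partial dump.
DUMP_TYPE_NAMES = {
    0x1: "full",
    0x2: "summary (kernel)",
    0x3: "header only",
    0x4: "triage",
    0x5: "bitmap full",
    0x6: "bitmap kernel (active memory dump)",
    0x7: "automatic",
}
# Assumption: only these two describe every physical page, i.e. a complete dump.
COMPLETE_DUMP_TYPES = {0x1, 0x5}


def le_magic_to_ascii(value: int) -> str:
    """Render a little-endian 32-bit magic as the bytes on disk: 0x45474150 -> 'PAGE'."""
    return struct.pack("<I", value).decode("ascii", errors="replace")


def parse_crash_dump_header(data: bytes) -> dict:
    """Parse the fixed crash dump header and report dump type and completeness."""
    if data[:4] != b"PAGE":
        raise ValueError(f"not a Windows crash dump: first bytes are {data[:4]!r}")
    layout = HEADER_LAYOUT.get(data[4:8])
    if layout is None:
        raise ValueError(f"unknown ValidDump tag {data[4:8]!r}")
    if len(data) < layout["size"]:
        raise ValueError(f"truncated header: need {layout['size']:#x} bytes, got {len(data):#x}")

    def u32(offset: int) -> int:
        return struct.unpack_from("<I", data, offset)[0]

    dump_type = u32(layout["dump_type"])
    return {
        "bits": layout["bits"],
        "major_version": u32(0x8),
        "minor_version": u32(0xC),
        "machine_image_type": u32(layout["machine"]),
        "processors": u32(layout["processors"]),
        "dump_type": dump_type,
        "dump_type_name": DUMP_TYPE_NAMES.get(dump_type, "unknown"),
        "is_complete": dump_type in COMPLETE_DUMP_TYPES,
    }


def describe(header: dict) -> str:
    """One-line verdict suitable for a triage log."""
    verdict = "complete memory dump" if header["is_complete"] else "partial dump, not every page is present"
    return (f"{header['bits']}-bit crash dump, version {header['major_version']}.{header['minor_version']}, "
            f"{header['processors']} processors, DumpType {header['dump_type']:#x} "
            f"({header['dump_type_name']}): {verdict}")


def build_sample_header(dump_type: int) -> bytes:
    """Constructed 64-bit header: version 15.22000 and 20 processors as in the issue's `file` output."""
    buf = bytearray(0x2000)
    buf[0:4] = b"PAGE"
    buf[4:8] = b"DU64"
    struct.pack_into("<II", buf, 0x8, 15, 22000)       # MajorVersion, MinorVersion
    struct.pack_into("<II", buf, 0x30, 0x8664, 20)     # IMAGE_FILE_MACHINE_AMD64, NumberProcessors
    struct.pack_into("<I", buf, 0xF98, dump_type)      # DumpType
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python crashdump_header.py MEMORY.DMP   (falls back to the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read(0x2000)
    else:
        raw = build_sample_header(0x6)
    print("magic 0x45474150 is", le_magic_to_ascii(0x45474150), "; 0x34365544 is", le_magic_to_ascii(0x34365544))
    print(describe(parse_crash_dump_header(raw)))
```

Run against the constructed sample it reports DumpType 0x6 as a partial dump, which is the same conclusion Volatility reached after several rounds of debugging output; run against a real MEMORY.DMP it only needs the first 0x2000 bytes, so it is cheap to put in front of an analysis pipeline as a pre-flight check.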
