Symbols are not picked up #1132
Comments
|
Could you add the log from vol with -vvvvv added before the plugin name. It really helps when working out issues. It would also be useful to see the output of the isfinfo plugin |
|
Volatility 3 Framework 2.7.0 DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: /home/analyst1/volatility3/volatility3/framework/plugins/windows/lsadump.py DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: /home/analyst1/volatility3/volatility3/framework/plugins/windows/cachedump.py DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: /home/analyst1/volatility3/volatility3/framework/plugins/windows/hashdump.py Unsatisfied requirement plugins.Info.kernel.layer_name: A translation layer requirement was not fulfilled. Please verify that: A symbol table requirement was not fulfilled. Please verify that: Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name'] |
|
After the crypto issue resolved. Volatility 3 Framework 2.7.0 Unsatisfied requirement plugins.Info.kernel.layer_name: A translation layer requirement was not fulfilled. Please verify that: A symbol table requirement was not fulfilled. Please verify that: Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name'] |
|
Output of isfinfo plugin after removing the duplicate symbol file: Volatility 3 Framework 2.7.0 URI Valid Number of base_types Number of types Number of symbols Number of enums Identifying information file:///home/analyst1/Tools/vol3/volatility3/symbols/2A832A6884144D88C39DB4B4DB66D71C-1.json.xz Unknown 16 1820 44399 361 b'ntkrnlmp.pdb|2A832A6884144D88C39DB4B4DB66D71C|1' |
|
Great thanks. Looks like the symbols you made are in the right place and are being picked up, but it's not quite working. How exactly did you acquire the memory? |
|
using dumpit tool. Tried with 2 option, dump with system privilege and dump with admin privilege. |
|
Hello, thank you for the information. Ah t the moment I'm not clear why it isn't working. Perhaps someone else will spot the issue. Is this memory sample one you can share? |
|
I have taken multiple memory dump using mulitple tools. still the same. Sharing memory dump might not help. |
Describe the bug
I am trying to perform memory analysis for below NTOSKRNL version windows 11 machine. I downloaded the symbols from Microsoft and converted. But when I try to perform analysis, this symbol file is not picked up and ends with error only. Please help
NTOSKRNL version: 10.0.22631.3155
GUID: 2A832A6884144D88C39DB4B4DB66D71C
Download URL: http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/2A832A6884144D88C39DB4B4DB66D71C1/ntkrnlmp.pdb
Command executed: pdbconv.py -f AA01AAFDC219D45494EC3D2B7B8A08C6E875546DA5BB9D0873716C1A097DC56B00.blob -o 2A832A6884144D88C39DB4B4DB66D71C-1.json.xz
Context
Volatility Version: 3
Operating System: 10.0.22631.3155
Python Version: 3
Suspected Operating System: 10.0.22631.3155
Example output
Volatility 3 Framework 2.5.2
Progress: 100.00 PDB scanning finished
Unsatisfied requirement plugins.Info.kernel.layer_name:
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:
A translation layer requirement was not fulfilled. Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The file is a valid memory image and was acquired cleanly
A symbol table requirement was not fulfilled. Please verify that:
The associated translation layer requirement was fulfilled
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name']
The text was updated successfully, but these errors were encountered: