Votality Symbol Table Problems #1139
Comments
|
Hi there - it looks like your machine is unable to make HTTP requests to microsoft: Is you machine connected to the internet, are you behind any kind of proxy? What happens if you try to download http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/F6650B47E7E9D54F1FD4BC090DDACDD21/ntkrnlmp.pdb yourself manually? It might have been a temporary problem at your end, it might be worthwhile running vol with the |
|
My machine is connected to the internet |
|
What happens when you simply take the url and open it in your web browser (e.g. firefox) - does this download a file? |
|
Hello @suamsuamsuam - any luck? |
|
I think I found the fix here. I disabled Virtualization in my BIOS and re-generated the memory dump and bam, this error went away and I was able to have full functionality of Volatility. Let me know if that helps. |
@tury325re This is the same comment you left on #1223. Could you please clarify exactly which issue it was intended for please? |
|
@ikelos I had the same issue of: "Unsatisfied requirement plugins.Info.kernel.symbol_table_name: I read elsewhere that virtualization can sometimes interfere with memory dump collection, therefore I turned it off in BIOS and regenerated the memory dump and it finally worked when i plugged it into volatility. |
|
Ok, I see. Unfortunately that error message can have a number of reasons because it's very difficult to determine the exact cause. Volatility has a number of heuristics designed to identify page mappings, if those are out then it won't be able to find a matching kernel table, if the image was acquired with smear or other issues (such as virtualization settings are likely to cause) volatility won't be able to find the symbol table. If the operating system is linux, and the banner doesn't exactly match one of the symbol tables the user has provided, then the symbol table won't match... Given the message turned up several times as potential solutions to different bug reports I just wanted to check that it hadn't been repeat posted by mistake, and that it was a genuine attempt at a solution. Thanks for trying to help out, however it's just one of many possible potential fixes for that particular error message. |
Context
Volatility Version: 2.7.0
Operating System: windows 10
Python Version: 3.12
Suspected Operating System: windows 10
Command: python vol.py -vvv -f 3.raw windows.info
Volatility 3 Framework 2.7.0
INFO volatility3.cli: Volatility plugins path: ['C:\Users\DELL\PycharmProjects\Graduate\vol\volatility3\plugins', 'C:\Users\DELL\PycharmProjects\Graduate\vol\volatility3\framework\plugins']
INFO volatility3.cli: Volatility symbols path: ['C:\Users\DELL\PycharmProjects\Graduate\vol\volatility3\symbols', 'C:\Users\DELL\PycharmProjects\Graduate\vol\volatility3\framework\symbols']
INFO volatility3.framework.automagic: Detected a windows category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1ad000
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1ad000
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name.memory_layer
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
DEBUG volatility3.framework.automagic.stacker: physical_layer maximum_address: 5368709119
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf80266600000
INFO volatility3.framework.symbols.windows.pdbconv: Download PDB file...
DEBUG volatility3.framework.symbols.windows.pdbconv: Attempting to retrieve http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/F6650B47E7E9D54F1FD4BC090DDACDD21/ntkrnlmp.pdb
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
WARNING volatility3.framework.plugins: Automagic exception occurred: http.client.RemoteDisconnected: Remote end closed connection without response
DETAIL 1 volatility3.framework.plugins: Traceback (most recent call last):
File "C:\Users\DELL\PycharmProjects\Graduate\vol\volatility3\framework\automagic_init_.py", line 138, in run
automagic(context, config_path, requirement, progress_callback)
File "C:\Users\DELL\PycharmProjects\Graduate\vol\volatility3\framework\automagic\pdbscan.py", line 448, in call
self.recurse_symbol_fulfiller(
File "C:\Users\DELL\PycharmProjects\Graduate\vol\volatility3\framework\automagic\pdbscan.py", line 123, in recurse_symbol_fulfiller
PDBUtility.load_windows_symbol_table(
File "C:\Users\DELL\PycharmProjects\Graduate\vol\volatility3\framework\symbols\windows\pdbutil.py", line 114, in load_windows_symbol_table
cls.download_pdb_isf(
File "C:\Users\DELL\PycharmProjects\Graduate\vol\volatility3\framework\symbols\windows\pdbutil.py", line 261, in download_pdb_isf
filename = pdbconv.PdbRetreiver().retreive_pdb(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\DELL\PycharmProjects\Graduate\vol\volatility3\framework\symbols\windows\pdbconv.py", line 960, in retreive_pdb
with resources.ResourceAccessor(progress_callback).open(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\DELL\PycharmProjects\Graduate\vol\volatility3\framework\layers\resources.py", line 139, in open
fp = urllib.request.urlopen(url, context=self._context)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\DELL\AppData\Local\Programs\Python\Python312\Lib\urllib\request.py", line 215, in urlopen
return opener.open(url, data, timeout)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\DELL\AppData\Local\Programs\Python\Python312\Lib\urllib\request.py", line 515, in open
response = self._open(req, data)
^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\DELL\AppData\Local\Programs\Python\Python312\Lib\urllib\request.py", line 532, in _open
result = self._call_chain(self.handle_open, protocol, protocol +
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\DELL\AppData\Local\Programs\Python\Python312\Lib\urllib\request.py", line 492, in _call_chain
result = func(*args)
^^^^^^^^^^^
File "C:\Users\DELL\AppData\Local\Programs\Python\Python312\Lib\urllib\request.py", line 1373, in http_open
return self.do_open(http.client.HTTPConnection, req)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Users\DELL\AppData\Local\Programs\Python\Python312\Lib\urllib\request.py", line 1348, in do_open
r = h.getresponse()
^^^^^^^^^^^^^^^
File "C:\Users\DELL\AppData\Local\Programs\Python\Python312\Lib\http\client.py", line 1423, in getresponse
response.begin()
File "C:\Users\DELL\AppData\Local\Programs\Python\Python312\Lib\http\client.py", line 331, in begin
version, status, reason = self._read_status()
^^^^^^^^^^^^^^^^^^^
File "C:\Users\DELL\AppData\Local\Programs\Python\Python312\Lib\http\client.py", line 300, in _read_status
raise RemoteDisconnected("Remote end closed connection without"
http.client.RemoteDisconnected: Remote end closed connection without response
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:
A symbol table requirement was not fulfilled. Please verify that:
The associated translation layer requirement was fulfilled
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.Info.kernel.symbol_table_name']
It suddenly stop working few days ago
The text was updated successfully, but these errors were encountered: