Question - Does Volatility Support DumpIt compressed zdmp? #1325
Labels
Comments
|
Hello 👋 A few things that might help. Are you able to share a sample? If you run the linux command file on it, what does it say? Are you able to share the first few bytes of the file? Maybe 32 bytes? Zdmp makes me think it might just be a compressed raw file. Thanks! (Edit: uncompressed raw files are definitely supported!) |
|
Hi there! I can share a sample as needed. Would a dump from a VM with <1GB of RAM suffice? Easier on the network transfer, and less concern about security implications. $ file memdump-2024-10-29-11-52-06.zdmp
memdump-2024-10-29-11-52-06.zdmp: dataI believe this is what you were looking for? $ xxd -c32 memdump-2024-10-29-11-52-06.zdmp | head -n1
00000000: 5a44 4d50 0001 0000 0070 3ff0 0300 0000 0000 2000 0100 0200 0000 0000 0000 0000 ZDMP.....p?....... .............I don't see any documentation for those magic bytes, so maybe a proprietary format? I placed a call to Magnet support, but don't anticipate I will get a return call as a non-paying customer. Please let me know if there is anything else I can provide! |
|
Looks like there is a conversion tool (written in rust) to convert it to a raw format. Looks like we theoretically could support it. Just need to interpret the code... |
|
@createchange thanks for that info! It does look like a custom format. As @ikelos says it could probably be supported but that'll take a while for someone to do. If you can share a sample or two that'll help. I know there is lots of work going on to bring vol3 up to parity with vol2 so i personally think it'll be quite a while before someone has time to look at this one in depth. |
|
Good find on that repository! I cloned and built the tool, but unfortunately volatility3 failed to execute on the decompressed output. # WSL
└─$ file output.dmp
output.dmp: MS Windows 64bit crash dump, full dump, 4129781 pages
# Powershell
❯ python3 vol.py -f C:\SecurityTools\DumpIt\dumps\output.dmp windows.info
Volatility 3 Framework 2.4.1
WARNING volatility3.framework.plugins: Automagic exception occurred: FileNotFoundError: [Errno 2] No such file or directory: 'C:\\Users\\jweaver\\AppData\\Local\\Packages\\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\\LocalCache\\Roaming\\volatility3\\data_a50d5da012754717f911e13040203999f1d1b82ee87180475a48f8edc001c4caee1aa634ec6d10b793d2aed84e6b68cf8715db6093b7ea084393c1a15e7cb489.cache'
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:
A symbol table requirement was not fulfilled. Please verify that:
The associated translation layer requirement was fulfilled
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.Info.kernel.symbol_table_name']Here is a relatively small |
|
Try clearing your cache and trying that again. It looks like it tried to use symbols that weren't there. Vol should automatically download and convert the bits it needs. --clear-cache is the option you'd need. |
|
Hello, I've downloaded that sample and used z2dmp-rust to decompress it. Here is the log for the decompression: Looking in volshell at these we can start to get a sense of the file format with the ZBLK blocks. (the source code will help the most of course...) (primary) >>> db(0x0)
0x0 5a 44 4d 50 00 01 00 00 00 40 8f 56 00 00 00 00 ZDMP.....@.V....
0x10 00 00 20 00 01 00 02 00 00 00 00 00 00 00 00 00 ................
0x20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
(primary) >>> db(0x1000)
0x1000 5a 42 4c 4b e1 a5 07 00 4b f3 0d 51 62 b2 00 50 ZBLK....K..Qb..P
0x1010 41 47 45 44 55 36 34 00 0f 00 00 00 65 4a 00 00 AGEDU64.....eJ..
0x1020 18 02 40 7d 00 48 03 10 80 fb ff 00 ff 70 07 44 ..@}.H.......p.D
0x1030 66 07 f8 ff 10 ff 30 41 43 02 1c 64 86 00 84 00 f.....0AC..d....
0x1040 04 00 78 4d 41 54 54 01 ec 10 4d 4f 4f 4e 01 5a ..xMATT...MOON.Z
0x1050 53 4f 4c 1e 53 01 0e 0d 1e 01 46 19 06 80 50 f4 SOL.S.....F...P.
0x1060 c0 78 8b a9 ff ff 06 00 3c 01 27 48 f2 68 05 01 .x......<.'H.h..
0x1070 46 00 01 02 05 00 8c 00 9f 04 07 05 10 92 ea 03 F...............
(primary) >>> db(0x7b5ed)
0x7b5ed 5a 42 4c 4b 45 77 0b 00 2d 4f ef e0 57 b5 00 ab ZBLKEw..-O..W...
0x7b5fd d7 e8 31 c6 29 05 39 00 ce 00 00 00 04 02 cd 00 ..1.).9.........
0x7b60d 36 20 00 38 01 10 1b 04 38 0d 30 28 00 00 5c 00 6..8....8.0(..\.
0x7b61d 53 00 79 00 73 00 00 74 00 65 00 6d 00 52 00 8a S.y.s..t.e.m.R..
0x7b62d 6f 00 02 74 0c 2a 33 00 32 00 22 80 64 00 72 00 o..t.*3.2.".d.r.
0x7b63d 69 00 76 00 4e 22 72 00 5e 5c 00 75 00 0a 62 00 i.v.N"r.^\.u..b.
0x7b64d 82 63 00 02 67 00 70 00 2e 00 1a 43 01 8e 03 61 .c..g.p....C...a
0x7b65d 5c 00 13 c0 01 09 08 45 00 04 04 00 03 a9 a3 46 \......E.......F
(primary) >>> db(0x132d3e)
0x132d3e 5a 42 4c 4b 20 f9 0b 00 3f 9f 94 d8 4e b7 10 14 ZBLK....?...N...
0x132d4e 00 16 00 01 00 b8 64 87 80 5a ff 7f 00 00 c0 52 ......d..Z.....R
0x132d5e 03 38 54 42 67 03 38 38 04 1c 20 04 1c 02 51 02 .8TBg.88......Q.
0x132d6e b4 00 00 20 04 9c 60 00 1e b8 00 6b ec 4b c2 b5 ......`....k.K..
0x132d7e 6f 4b b2 00 c1 5d a5 cf 92 d0 d9 01 01 00 26 04 oK...]........&.
0x132d8e 5d 88 8a eb 1c c9 00 11 9f e8 08 00 2b 10 48 ce ]...........+.H.
0x132d9e 60 05 6e 00 34 1a 04 10 50 03 77 00 24 29 02 32 `.n.4...P.w.$).2
0x132dae 10 d0 03 0f b0 04 07 3e 00 9a 40 02 3f d0 04 af .......>..@.?...
(primary) >>> db(0x231f3f65)
0x231f3f65 5a 42 4c 4b 4c 25 06 00 fb b5 1d 36 84 b0 02 00 ZBLKL%.....6....
0x231f3f75 43 0c 04 01 41 00 00 10 2a 01 c2 c4 10 2c c5 40 C...A...*....,.@
0x231f3f85 f6 00 10 00 ff b0 00 ed 01 dc 02 ef 00 1f 01 1f ................
0x231f3f95 01 1f 01 1f 01 ff 1f 01 1f 01 1f 01 1f 01 1f 01 ................
0x231f3fa5 1f 01 1f 01 1f 01 ff 1f 01 1f 01 1f 01 1f 01 1f ................
0x231f3fb5 01 1f 01 1f 01 1f 01 ff 1f 01 1f 01 1f 01 1f 01 ................
0x231f3fc5 1f 01 1f 01 1f 01 1f 01 ff 1f 01 1f 01 1f 01 1f ................
0x231f3fd5 01 1f 01 1f 01 1f 01 1f 01 ff 1f 01 1f 01 1f 01 ................I do get an issue when trying to process that decompressed sample though - can't seem to find the bits it needs. This feels like a separate issue to me though. $ python vol.py -vvvvvvvvv -f DESKTOP-7RVSOQ6-20241031-043804.dmp windows.pslist
Volatility 3 Framework 2.11.0
INFO volatility3.cli: Volatility plugins path: ['/home/eve/Documents/volatility3/volatility3/plugins', '/home/eve/Documents/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/home/eve/Documents/volatility3/volatility3/symbols', '/home/eve/Documents/volatility3/volatility3/framework/symbols']
DETAIL 4 volatility3.framework: Importing from the following paths: /home/eve/Documents/volatility3/volatility3/plugins, /home/eve/Documents/volatility3/volatility3/framework/plugins
DEBUG volatility3.plugins.yarascan: Using yara-python module
DETAIL 4 volatility3.framework: Importing from the following paths: /home/eve/Documents/volatility3/volatility3/framework/automagic
DETAIL 3 volatility3.cli: Cache directory used: /home/eve/.cache/volatility3
INFO volatility3.framework.automagic: Detected a windows category plugin
DETAIL 4 volatility3.framework: Importing from the following paths: /home/eve/Documents/volatility3/volatility3/framework/layers
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 4 volatility3.framework: Importing from the following paths: /home/eve/Documents/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/eve/Documents/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/eve/Documents/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: /home/eve/Documents/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/eve/Documents/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: /home/eve/Documents/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/eve/Documents/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
DETAIL 4 volatility3.framework: Importing from the following paths: /home/eve/Documents/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/eve/Documents/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
DETAIL 4 volatility3.framework: Importing from the following paths: /home/eve/Documents/volatility3/volatility3/framework/layers
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
DETAIL 4 volatility3.framework.symbols.intermed: Searching for symbols in /home/eve/Documents/volatility3/volatility3/symbols, /home/eve/Documents/volatility3/volatility3/framework/symbols
INFO volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 4 volatility3.framework: Importing from the following paths: /home/eve/Documents/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 3 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, S3FileSystemHandler, GSFileSystemHandler, LeechCoreHandler
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 4 volatility3.framework.layers.elf: Exception: Bad magic 0x45474150 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 4 volatility3.framework.layers.xen: Exception: Bad magic 0x45474150 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Invalid dump 0x34365544 at file offset 0x0
DETAIL 4 volatility3.framework.symbols.intermed: Searching for symbols in /home/eve/Documents/volatility3/volatility3/symbols, /home/eve/Documents/volatility3/volatility3/framework/symbols
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
DETAIL 4 volatility3.framework.symbols.intermed: Searching for symbols in /home/eve/Documents/volatility3/volatility3/symbols, /home/eve/Documents/volatility3/volatility3/framework/symbols
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
DETAIL 4 volatility3.framework.layers.crash: Segment 0: Position 0x1000 Offset 0x2000 Length 0x9f000
DETAIL 4 volatility3.framework.layers.crash: Segment 1: Position 0x100000 Offset 0xa1000 Length 0x3ea92000
DETAIL 4 volatility3.framework.layers.crash: Segment 2: Position 0x3eb93000 Offset 0x3eb33000 Length 0x2e7000
DETAIL 4 volatility3.framework.layers.crash: Segment 3: Position 0x3ee99000 Offset 0x3ee1a000 Length 0x59000
DETAIL 4 volatility3.framework.layers.crash: Segment 4: Position 0x3ef1b000 Offset 0x3ee73000 Length 0x1080000
DETAIL 4 volatility3.framework.layers.crash: Segment 5: Position 0x3ffff000 Offset 0x3fef3000 Length 0x16a01000
DETAIL 2 volatility3.framework.automagic.stacker: Stacked WindowsCrashDump64Layer using WindowsCrashDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 4 volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 4 volatility3.framework.layers.xen: Exception: Offset 0x0 does not exist within the base layer
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: WindowsCrashDump64Layer
DETAIL 1 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG volatility3.framework.automagic.stacker: physical_layer maximum_address: 1453326335
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['WindowsCrashDump64Layer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
INFO volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Unsatisfied requirement plugins.PsList.kernel.layer_name:
Unsatisfied requirement plugins.PsList.kernel.symbol_table_name:
A translation layer requirement was not fulfilled. Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The file is a valid memory image and was acquired cleanly
A symbol table requirement was not fulfilled. Please verify that:
The associated translation layer requirement was fulfilled
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.PsList.kernel.layer_name', 'plugins.PsList.kernel.symbol_table_name'] |
|
Well, it did stack it as a crashdump file, but I dunno whether then the rest of the image had an issue, or whether the crashdump format they wrote it in, or our crashdump reader has an issue. Still... feels like progress? 5:) |
|
Yeah that's exactly right. One step in the right direction. Using layer writer to give us a raw i have the same problem. So either an issue with the magnet forensics conversion tool, or just a problem with the image itself. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi folks, sorry for the non-bug/feature request issue.
I am implementing some basic flows to permit us to acquire memory dumps for incident response, and landed on DumpIt (mostly via discovery of the KAPE integration). After experimentation, I noticed that you could output a compressed dump, which is a "zdmp" filetype. Seek as I as, I haven't found much documentation on this filetype around the internet, with the one piece I found referencing (the now defunct) Comae enterprise tooling for reading these files.
Is this a proprietary file type? Is it able to read used by volatility? If not, is the uncompressed DumpIt output able to be consumed? I received the following output, which clued me in that it may not be compatible:
Not looking for alternatives - I see an excerpt in the docs about possible tools - just looking to see if I should jump from DumpIt due to incompatibility, so that I don't end up with dumps that require me to sign-on with a vendor to make use of them. I'd, of course, rather not back myself into a corner.
Thanks for whatever guidance can be provided.
The text was updated successfully, but these errors were encountered: