Cannot dump a file with linux.pagecache.InodePages command #1360

Open
Axselll opened this issue Nov 20, 2024 · 2 comments

Axselll commented Nov 20, 2024

Hello, I just tried vol3 recently and stumbled upon weird behavior (at least for me).

Describe the bug
I was trying to dump an ELF file using linux.pagecache.InodePages, which led to an error: it says it is unable to read a requested page.

Context
Volatility Version: Vol3/2.11.0
Operating System: Linux Mint (5.15.0-125-generic)
Python Version: Python 3.10.12
Suspected Operating System: Linux Mint (5.15.0-125-generic)
Command: sudo python3 vol.py -vvv -f /home/quiet/LiME/result/res.mem linux.pagecache.InodePages --find /home/quiet/Documents/Go-dev/ransomware/rware --dump rware

To Reproduce
Steps to reproduce the behavior:

  1. Long story short, I already know a process named rware (it's a simple ransomware payload that I want to retrieve from the memory dump file), but when I run the command above I get the result shown in point no. 2.

  2. Volatility was unable to read a requested page:
    Page error 0xc5a7140de03a in layer layer_name (Page Fault at entry 0x0 in table page directory pointer)

    • Memory smear during acquisition (try re-acquiring if possible)
    • An intentionally invalid page lookup (operating system protection)
    • A bug in the plugin/volatility3 (re-run with -vvv and file a bug)

Expected behavior
As my intention above shows, I was trying to dump a file with the linux.pagecache.InodePages command.

Example output
INFO volatility3.cli: Volatility plugins path: ['/home/quiet/volatility3/volatility3/plugins', '/home/quiet/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/home/quiet/volatility3/volatility3/symbols', '/home/quiet/volatility3/volatility3/framework/symbols']
INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 19, in
import yara_x
ModuleNotFoundError: No module named 'yara_x'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 25, in
import yara
ModuleNotFoundError: No module named 'yara'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: /home/quiet/volatility3/volatility3/framework/plugins/yarascan.py
INFO volatility3.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/netstat.py", line 15, in
from volatility3.plugins.windows import netscan, modules, info, verinfo
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/netscan.py", line 17, in
from volatility3.plugins.windows import info, poolscanner, verinfo
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/verinfo.py", line 21, in
import pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.netstat based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/netstat.py
INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 19, in
import yara_x
ModuleNotFoundError: No module named 'yara_x'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/svclist.py", line 12, in
from volatility3.plugins.windows import svcscan, pslist
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/svcscan.py", line 23, in
from volatility3.plugins.windows import poolscanner, pslist, vadyarascan
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/vadyarascan.py", line 11, in
from volatility3.plugins import yarascan
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 25, in
import yara
ModuleNotFoundError: No module named 'yara'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.svclist based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/svclist.py
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/pe_symbols.py", line 11, in
import pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.pe_symbols based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/pe_symbols.py
INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 19, in
import yara_x
ModuleNotFoundError: No module named 'yara_x'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/vadyarascan.py", line 11, in
from volatility3.plugins import yarascan
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 25, in
import yara
ModuleNotFoundError: No module named 'yara'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/vadyarascan.py
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/debugregisters.py", line 19, in
import volatility3.plugins.windows.pe_symbols as pe_symbols
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/pe_symbols.py", line 11, in
import pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.debugregisters based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/debugregisters.py
INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 19, in
import yara_x
ModuleNotFoundError: No module named 'yara_x'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/svcdiff.py", line 18, in
from volatility3.plugins.windows import svclist, svcscan
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/svclist.py", line 12, in
from volatility3.plugins.windows import svcscan, pslist
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/svcscan.py", line 23, in
from volatility3.plugins.windows import poolscanner, pslist, vadyarascan
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/vadyarascan.py", line 11, in
from volatility3.plugins import yarascan
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 25, in
import yara
ModuleNotFoundError: No module named 'yara'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.svcdiff based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/svcdiff.py
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/iat.py", line 4, in
import logging, io, pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.iat based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/iat.py
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/unhooked_system_calls.py", line 16, in
from volatility3.plugins.windows import pslist, pe_symbols
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/pe_symbols.py", line 11, in
import pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.unhooked_system_calls based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/unhooked_system_calls.py
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/hashdump.py", line 10, in
from Crypto.Cipher import AES, ARC4, DES
ModuleNotFoundError: No module named 'Crypto'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/hashdump.py
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/lsadump.py", line 8, in
from Crypto.Cipher import ARC4, DES, AES
ModuleNotFoundError: No module named 'Crypto'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/lsadump.py
INFO volatility3.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/consoles.py", line 21, in
from volatility3.plugins.windows import pslist, info, verinfo
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/verinfo.py", line 21, in
import pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.consoles based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/consoles.py
INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 19, in
import yara_x
ModuleNotFoundError: No module named 'yara_x'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/svcscan.py", line 23, in
from volatility3.plugins.windows import poolscanner, pslist, vadyarascan
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/vadyarascan.py", line 11, in
from volatility3.plugins import yarascan
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 25, in
import yara
ModuleNotFoundError: No module named 'yara'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/svcscan.py
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/cachedump.py", line 8, in
from Crypto.Cipher import ARC4, AES
ModuleNotFoundError: No module named 'Crypto'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/cachedump.py
INFO volatility3.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/cmdscan.py", line 17, in
from volatility3.plugins.windows import pslist, consoles
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/consoles.py", line 21, in
from volatility3.plugins.windows import pslist, info, verinfo
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/verinfo.py", line 21, in
import pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.cmdscan based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/cmdscan.py
INFO volatility3.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/verinfo.py", line 21, in
import pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.verinfo based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/verinfo.py
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/skeleton_key_check.py", line 18, in
import pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.skeleton_key_check based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/skeleton_key_check.py
INFO volatility3.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/netscan.py", line 17, in
from volatility3.plugins.windows import info, poolscanner, verinfo
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/verinfo.py", line 21, in
import pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.netscan based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/netscan.py
INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 19, in
import yara_x
ModuleNotFoundError: No module named 'yara_x'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/windows/mftscan.py", line 13, in
from volatility3.plugins import timeliner, yarascan
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 25, in
import yara
ModuleNotFoundError: No module named 'yara'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.mftscan based on file: /home/quiet/volatility3/volatility3/framework/plugins/windows/mftscan.py
INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 19, in
import yara_x
ModuleNotFoundError: No module named 'yara_x'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/home/quiet/volatility3/volatility3/framework/__init__.py", line 185, in import_file
importlib.import_module(module)
File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "", line 1050, in _gcd_import
File "", line 1027, in _find_and_load
File "", line 1006, in _find_and_load_unlocked
File "", line 688, in _load_unlocked
File "", line 883, in exec_module
File "", line 241, in _call_with_frames_removed
File "/home/quiet/volatility3/volatility3/framework/plugins/linux/vmayarascan.py", line 10, in
from volatility3.plugins import yarascan
File "/home/quiet/volatility3/volatility3/framework/plugins/yarascan.py", line 25, in
import yara
ModuleNotFoundError: No module named 'yara'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.linux.vmayarascan based on file: /home/quiet/volatility3/volatility3/framework/plugins/linux/vmayarascan.py
INFO volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.linux.vmayarascan, volatility3.plugins.windows.cachedump, volatility3.plugins.windows.cmdscan, volatility3.plugins.windows.consoles, volatility3.plugins.windows.debugregisters, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.iat, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.mftscan, volatility3.plugins.windows.netscan, volatility3.plugins.windows.netstat, volatility3.plugins.windows.pe_symbols, volatility3.plugins.windows.skeleton_key_check, volatility3.plugins.windows.svcdiff, volatility3.plugins.windows.svclist, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.unhooked_system_calls, volatility3.plugins.windows.vadyarascan, volatility3.plugins.windows.verinfo, volatility3.plugins.yarascan
INFO volatility3.framework.automagic: Detected a linux category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - inode requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - inode requirements only accept int type: None
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.linux: Identified banner: b'Linux version 5.15.0-125-generic (buildd@lcy02-amd64-040) (gcc (Ubuntu 11.4.0-1ubuntu122.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #135-Ubuntu SMP Fri Sep 27 13:53:58 UTC 2024 (Ubuntu 5.15.0-125.135-generic 5.15.167)\n\x00'
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!netns_ipvs
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_pkg_stats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_rcv_lists_stats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_dev_rcv_lists
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_route
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sctp_mib
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_stats_rsn
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_stats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!garp_port
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!macsec_ops
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mctp_dev
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_dev
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mrp_port
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!tipc_bearer
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!udp_tunnel_nic
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!phylink
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_conn
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cached_keys
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cqm_config
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_internal_bss
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sfp
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!libipw_device
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_hashinfo
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!dsa_8021q_context
DEBUG volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical 99000000 virtual 32400000
DEBUG volatility3.framework.automagic.linux: DTB was found at: 0x9be10000
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name.memory_layer
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name.memory_layer.base_layer
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - inode requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - inode requirements only accept int type: None
DEBUG volatility3.framework.automagic.stacker: physical_layer maximum_address: 12787937695
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'LimeLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 5.15.0-125-generic (buildd@lcy02-amd64-040) (gcc (Ubuntu 11.4.0-1ubuntu122.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #135-Ubuntu SMP Fri Sep 27 13:53:58 UTC 2024 (Ubuntu 5.15.0-125.135-generic 5.15.167)\n\x00'
DEBUG volatility3.framework.automagic.symbol_finder: Using symbol library: file:///home/quiet/volatility3/volatility3/symbols/generic/linux/Ubuntu_5.15.0-125-generic_5.15.0-125.135_amd64.json.xz
INFO volatility3.framework.automagic: Running automagic: KernelModule

PageVAddr PagePAddr MappingAddr Index DumpSafe Flags
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!netns_ipvs
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_pkg_stats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_rcv_lists_stats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_dev_rcv_lists
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_route
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sctp_mib
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_stats_rsn
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_stats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!garp_port
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!macsec_ops
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mctp_dev
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_dev
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mrp_port
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!tipc_bearer
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!udp_tunnel_nic
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!phylink
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_conn
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cached_keys
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cqm_config
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_internal_bss
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!libipw_device
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_hashinfo
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dsa_8021q_context

DEBUG volatility3.cli: Traceback (most recent call last):
  File "/home/quiet/volatility3/volatility3/cli/__init__.py", line 502, in run
    renderer.render(grid)
  File "/home/quiet/volatility3/volatility3/cli/text_renderer.py", line 230, in render
    grid.populate(visitor, outfd)
  File "/home/quiet/volatility3/volatility3/framework/renderers/__init__.py", line 245, in populate
    for level, item in self._generator:
  File "/home/quiet/volatility3/volatility3/framework/plugins/linux/pagecache.py", line 350, in format_fields_with_headers
    for level, fields in generator:
  File "/home/quiet/volatility3/volatility3/framework/plugins/linux/pagecache.py", line 481, in _generator
    for inode_in in inodes_iter:
  File "/home/quiet/volatility3/volatility3/framework/plugins/linux/pagecache.py", line 272, in get_inodes
    for file_path, file_dentry in cls._walk_dentry(
  File "/home/quiet/volatility3/volatility3/framework/plugins/linux/pagecache.py", line 208, in _walk_dentry
    yield from cls._walk_dentry(seen_dentries, dentry, parent_dir=file_path)
  File "/home/quiet/volatility3/volatility3/framework/plugins/linux/pagecache.py", line 189, in _walk_dentry
    inode_ptr = dentry.d_inode
  File "/home/quiet/volatility3/volatility3/framework/objects/__init__.py", line 961, in __getattr__
    member = template(context=self._context, object_info=object_info)
  File "/home/quiet/volatility3/volatility3/framework/objects/templates.py", line 96, in __call__
    return self.vol.object_class(
  File "/home/quiet/volatility3/volatility3/framework/objects/__init__.py", line 168, in __new__
    value = cls._unmarshall(context, data_format, object_info)
  File "/home/quiet/volatility3/volatility3/framework/objects/__init__.py", line 408, in _unmarshall
    data = context.layers.read(object_info.layer_name, object_info.offset, length)
  File "/home/quiet/volatility3/volatility3/framework/interfaces/layers.py", line 638, in read
    return self[layer].read(offset, length, pad)
  File "/home/quiet/volatility3/volatility3/framework/layers/linear.py", line 45, in read
    for offset, _, mapped_offset, mapped_length, layer in self.mapping(
  File "/home/quiet/volatility3/volatility3/framework/layers/intel.py", line 295, in mapping
    for offset, size, mapped_offset, mapped_size, map_layer in self._mapping(
  File "/home/quiet/volatility3/volatility3/framework/layers/intel.py", line 351, in _mapping
    chunk_offset, page_size, layer_name = self._translate(offset)
  File "/home/quiet/volatility3/volatility3/framework/layers/intel.py", line 155, in _translate
    entry, position = self._translate_entry(offset)
  File "/home/quiet/volatility3/volatility3/framework/layers/intel.py", line 198, in _translate_entry
    raise exceptions.PagedInvalidAddressException(
volatility3.framework.exceptions.PagedInvalidAddressException: Page Fault at entry 0x0 in table page directory pointer

Volatility was unable to read a requested page:
Page error 0xc5a7140de03a in layer layer_name (Page Fault at entry 0x0 in table page directory pointer)
-Memory smear during acquisition (try re-acquiring if possible)
-An intentionally invalid page lookup (operating system protection)
-A bug in the plugin/volatility3 (re-run with -vvv and file a bug)

No further results will be produced

Additional information
I am using the symbol table that I got on GitHub: this

I hope it's not about the symbol table :)
I'm new to vol3, so I apologize in advance if this is not a bug but an error on my end. Thanks in advance

@ikelos
Member

ikelos commented Nov 22, 2024

Hiya, it doesn't look like you did anything inherently wrong; it just looks like volatility found a value that it thought was a memory address, which it tried to access but couldn't. As volatility points out, the most common reason for that happening would be memory smear (caused during imaging, where different parts of memory are updated while the image is still being recorded, like trying to take a good photo of a hyperactive dog on an old/slow camera). I'm not too sure what to suggest, but try out simpler plugins (like pslist). If they work fine, then the symbol table is unlikely to be the problem...
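
The failure the comment above describes, as an added example that is not volatility3 code and not from either participant: a minimal x86-64 four-level page-table walk over constructed tables. Only the DTB (0x9be10000) and the unreadable pointer (0xc5a7140de03a) are taken from the log; every table entry, the "good" kernel address and the frame numbers are made up. The model masks lookups to 48 bits and performs no canonical check before walking, which is an assumption about layer behaviour made so that the sample reproduces the report's message. It also exposes a detail worth checking on any such value: bits 63..48 of 0xc5a7140de03a are zero while bit 47 is set, so it is not a canonical pointer at all, which is exactly what a torn or smeared `d_inode` field looks like.

```python
"""Added example (not volatility3 code): a minimal x86-64 4-level page-table
walk over constructed tables, showing why a garbage pointer such as the
0xc5a7140de03a in the report fails with
'Page Fault at entry 0x0 in table page directory pointer'.
Only the DTB (0x9be10000) and the faulting pointer come from the log;
every table entry below is made up for the demonstration."""

PAGE_OFFSET_MASK = 0xFFF
FRAME_MASK = 0x000F_FFFF_FFFF_F000   # physical frame bits of a 64-bit entry
PRESENT = 0x1                        # bit 0 of every entry
# Table names as the report's error message spells them, outermost first.
LEVELS = ("page map layer 4", "page directory pointer", "page directory", "page table")


class PagedInvalidAddressException(Exception):
    """Raised when an entry on the walk is not present (same wording as the report)."""

    def __init__(self, vaddr: int, entry: int, level: str):
        super().__init__(f"Page Fault at entry {entry:#x} in table {level}")
        self.vaddr, self.entry, self.level = vaddr, entry, level


def is_canonical(vaddr: int) -> bool:
    """A 64-bit pointer is canonical when bits 63..47 are all 0 or all 1."""
    return (vaddr >> 47) in (0, 0x1FFFF)


def table_indices(vaddr: int) -> list[int]:
    """Split the low 48 bits into four 9-bit indices, PML4 index first."""
    low48 = vaddr & ((1 << 48) - 1)
    return [(low48 >> shift) & 0x1FF for shift in (39, 30, 21, 12)]


def translate(vaddr: int, dtb: int, tables: dict[int, dict[int, int]]) -> int:
    """Walk the four levels starting at the DTB (CR3 value).

    `tables` maps a table's physical address to its non-zero entries
    (index -> entry); a missing entry reads as 0, like a zeroed slot in a
    memory image.  Assumption of this model: lookups are masked to 48 bits
    and no canonical check is done, so the garbage value walks one level in
    before hitting an empty slot.
    """
    table = dtb
    for level, idx in zip(LEVELS, table_indices(vaddr)):
        entry = tables.get(table, {}).get(idx, 0)
        if not entry & PRESENT:
            raise PagedInvalidAddressException(vaddr, entry, level)
        table = entry & FRAME_MASK
    return table | (vaddr & PAGE_OFFSET_MASK)


def explain(vaddr: int, dtb: int, tables: dict[int, dict[int, int]]) -> tuple[str, object]:
    """Return ('mapped', paddr) or ('fault', message) for one lookup."""
    try:
        return ("mapped", translate(vaddr, dtb, tables))
    except PagedInvalidAddressException as exc:
        return ("fault", str(exc))


# --- constructed sample tables (hypothetical values) ---------------------
DTB = 0x9BE10000                      # "DTB was found at" in the report
GOOD_VADDR = 0xFFFF_8000_0010_1234    # a canonical kernel-half address (made up)
BAD_VADDR = 0xC5A7140DE03A            # the pointer the report could not read
PDPT, PD, PT, FRAME = 0x9BE11000, 0x9BE12000, 0x9BE13000, 0x1_2345_6000

g4, g3, g2, g1 = table_indices(GOOD_VADDR)
b4 = table_indices(BAD_VADDR)[0]
TABLES = {
    DTB:  {g4: PDPT | PRESENT,        # PML4 slot for the good address
           b4: PDPT | PRESENT},       # PML4 slot the bad value lands in is present...
    PDPT: {g3: PD | PRESENT},         # ...but its PDPT slot (index 156) is empty
    PD:   {g2: PT | PRESENT},
    PT:   {g1: FRAME | PRESENT},
}

if __name__ == "__main__":
    for v in (GOOD_VADDR, BAD_VADDR):
        print(f"{v:#018x} canonical={is_canonical(v)} indices={table_indices(v)}",
              explain(v, DTB, TABLES))
```

Running it prints the good address mapping to a physical offset and the bad one faulting with the report's exact message; the `is_canonical` result for the bad value is the quick triage check to apply before suspecting the symbol table.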

@Axselll
Author

Axselll commented Nov 22, 2024

@ikelos Hey man, yes, I've tried pslist and it was fine; I can see stuff generated with it. In fact pslist was the first thing I tested, but recently I tried the pstree command and it was returning some error messages (probably I will open an issue if I can't find any workaround). And yes, you are right, I was forcing the memory dump while running a ransomware, so probably it was one of the unknown possibilities that can lead to this issue.

Also, after reading the error messages I see a message telling me the symbol table is unsatisfied or not yet fulfilled or something like that, so it looks like it was my symbol table. Probably I'll try to generate a symbol table based on my machine. Do you have any tricks or tips to generate the symbol table? I was having a hard time understanding how to generate the symbol table by following the documentation.

Thanks
