
Crash on Windows 11 while using malfind #1519

Open
halalfriend opened this issue Jan 4, 2025 · 8 comments
Comments

@halalfriend

halalfriend commented Jan 4, 2025

Describe the bug
I am trying to analyze a .mem memory dump file on the latest Windows 11, and I noticed windows.malfind is not working.

Context
Volatility Version: Volatility 3 Framework 2.8.0
Operating System: Windows 11 Pro
Python Version: 3.13.1
Suspected Operating System: Windows 11 Pro (same system)
Command: vol -f memdump.mem windows.malfind

To Reproduce
Steps to reproduce the behavior:

  1. Dump system memory using FTK Imager
  2. Install volatility
  3. Try to run windows.malfind on the dumped .mem file
  4. See error

Expected behavior
To at least not crash

Example output

INFO     volatility3.cli: Volatility plugins path: ['C:\\Users\\Patrick\\AppData\\Local\\Programs\\Python\\Python313\\Lib\\site-packages\\volatility3\\plugins', 'C:\\Users\\Patrick\\AppData\\Local\\Programs\\Python\\Python313\\Lib\\site-packages\\volatility3\\framework\\plugins']
INFO     volatility3.cli: Volatility symbols path: ['C:\\Users\\Patrick\\AppData\\Local\\Programs\\Python\\Python313\\Lib\\site-packages\\volatility3\\symbols', 'C:\\Users\\Patrick\\AppData\\Local\\Programs\\Python\\Python313\\Lib\\site-packages\\volatility3\\framework\\symbols']
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\importlib\__init__.py", line 88, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1387, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 1026, in exec_module
  File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\yarascan.py", line 17, in <module>
    import yara
ModuleNotFoundError: No module named 'yara'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\yarascan.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\importlib\__init__.py", line 88, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1387, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 1026, in exec_module
  File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\linux\vmayarascan.py", line 10, in <module>
    from volatility3.plugins import yarascan
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\yarascan.py", line 17, in <module>
    import yara
ModuleNotFoundError: No module named 'yara'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.linux.vmayarascan based on file: C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\linux\vmayarascan.py
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\importlib\__init__.py", line 88, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1387, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 1026, in exec_module
  File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\cachedump.py", line 8, in <module>
    from Crypto.Cipher import ARC4, AES
ModuleNotFoundError: No module named 'Crypto'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\cachedump.py
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\importlib\__init__.py", line 88, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1387, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 1026, in exec_module
  File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\hashdump.py", line 10, in <module>
    from Crypto.Cipher import AES, ARC4, DES
ModuleNotFoundError: No module named 'Crypto'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\hashdump.py
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\importlib\__init__.py", line 88, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1387, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 1026, in exec_module
  File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\lsadump.py", line 8, in <module>
    from Crypto.Cipher import ARC4, DES, AES
ModuleNotFoundError: No module named 'Crypto'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\lsadump.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\importlib\__init__.py", line 88, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1387, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 1026, in exec_module
  File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\mftscan.py", line 13, in <module>
    from volatility3.plugins import timeliner, yarascan
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\yarascan.py", line 17, in <module>
    import yara
ModuleNotFoundError: No module named 'yara'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.mftscan based on file: C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\mftscan.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\importlib\__init__.py", line 88, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1387, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 1026, in exec_module
  File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\svcdiff.py", line 18, in <module>
    from volatility3.plugins.windows import svclist, svcscan
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\svclist.py", line 12, in <module>
    from volatility3.plugins.windows import svcscan, pslist
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\svcscan.py", line 23, in <module>
    from volatility3.plugins.windows import poolscanner, pslist, vadyarascan
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\vadyarascan.py", line 11, in <module>
    from volatility3.plugins import yarascan
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\yarascan.py", line 17, in <module>
    import yara
ModuleNotFoundError: No module named 'yara'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.svcdiff based on file: C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\svcdiff.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\importlib\__init__.py", line 88, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1387, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 1026, in exec_module
  File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\svclist.py", line 12, in <module>
    from volatility3.plugins.windows import svcscan, pslist
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\svcscan.py", line 23, in <module>
    from volatility3.plugins.windows import poolscanner, pslist, vadyarascan
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\vadyarascan.py", line 11, in <module>
    from volatility3.plugins import yarascan
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\yarascan.py", line 17, in <module>
    import yara
ModuleNotFoundError: No module named 'yara'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.svclist based on file: C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\svclist.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\importlib\__init__.py", line 88, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1387, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 1026, in exec_module
  File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\svcscan.py", line 23, in <module>
    from volatility3.plugins.windows import poolscanner, pslist, vadyarascan
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\vadyarascan.py", line 11, in <module>
    from volatility3.plugins import yarascan
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\yarascan.py", line 17, in <module>
    import yara
ModuleNotFoundError: No module named 'yara'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\svcscan.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\importlib\__init__.py", line 88, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1387, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 1026, in exec_module
  File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\vadyarascan.py", line 11, in <module>
    from volatility3.plugins import yarascan
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\yarascan.py", line 17, in <module>
    import yara
ModuleNotFoundError: No module named 'yara'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\vadyarascan.py
INFO     volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.linux.vmayarascan, volatility3.plugins.windows.cachedump, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.mftscan, volatility3.plugins.windows.svcdiff, volatility3.plugins.windows.svclist, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
INFO     volatility3.framework.automagic: Detected a windows category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Malfind.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Malfind.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Malfind.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Malfind.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Malfind.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Malfind.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Malfind.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Malfind.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Malfind.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Malfind.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Malfind.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Malfind.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Malfind.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Malfind.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Malfind.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Malfind
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Malfind.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Malfind.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1ae000
DEBUG    volatility3.framework.automagic.windows: DTB was found at: 0x1ae000
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Malfind.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Malfind.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Malfind.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Malfind.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Malfind.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Malfind.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Malfind.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Malfind.kernel.layer_name.memory_layer
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Malfind.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Malfind.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Malfind.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Malfind.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Malfind.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Malfind
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 70858571775
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Malfind.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Malfind.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Malfind.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf800cd800000
DEBUG    volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb\45B0BEEFE03C289F032E4EC96C787174-1
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule

PID     Process Start VPN       End VPN Tag     Protection      CommitCharge    PrivateMemory   File output     Notes   Hexdump Disasm
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PO_PROCESS_ENERGY_CONTEXT
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EPROCESS_QUOTA_BLOCK
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PSP_SESSION_SPACE
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PS_SYSCALL_PROVIDER
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PAGEFAULT_HISTORY
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_ACCESS_STATE
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_CPU_RATE_CONTROL
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NET_RATE_CONTROL
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NOTIFICATION_INFORMATION
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PSP_STORAGE
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_IOP_FILE_OBJECT_EXTENSION
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ACTIVATION_CONTEXT_DATA
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_CHPEV2_PROCESS_INFO
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ASSEMBLY_STORAGE_MAP
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EXP_LICENSE_STATE
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_NLS_STATE
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DBGKP_ERROR_PORT
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_CI_NGEN_PATHS
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_WNF_SUBSCRIPTION
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_EVENT_CALLBACK_CONTEXT
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_SOFT_RESTART_CONTEXT
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_STACK_CACHE
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DRIVER_PROXY_EXTENSION
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_PERFECT_HASH_FUNCTION
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_TIMER
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_HAL_PMC_COUNTERS
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DEVICE_NODE_IOMMU_EXTENSION
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_SCSI_REQUEST_BLOCK
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_MI_SLAB_ALLOCATOR_ENTRY
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Scripts\vol3.exe\__main__.py", line 7, in <module>
    sys.exit(main())
             ~~~~^^
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\cli\__init__.py", line 888, in main
    CommandLine().run()
    ~~~~~~~~~~~~~~~~~^^
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\cli\__init__.py", line 480, in run
    renderer.render(grid)
    ~~~~~~~~~~~~~~~^^^^^^
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\cli\text_renderer.py", line 203, in render
    grid.populate(visitor, outfd)
    ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\renderers\__init__.py", line 245, in populate
    for level, item in self._generator:
                       ^^^^^^^^^^^^^^^
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\plugins\windows\malfind.py", line 210, in _generator
    vad.get_commit_charge(),
    ~~~~~~~~~~~~~~~~~~~~~^^
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\symbols\windows\extensions\__init__.py", line 269, in get_commit_charge
    return self.u.VadFlags.CommitCharge
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\Patrick\AppData\Local\Programs\Python\Python313\Lib\site-packages\volatility3\framework\objects\__init__.py", line 971, in __getattr__
    raise AttributeError(
        f"{agg_name} has no attribute: {self.vol.type_name}.{attr}"
    )
AttributeError: StructType has no attribute: symbol_table_name1!_MMVAD_FLAGS.CommitCharge


Additional information
I noticed that a lot of volatility3 Windows 11 functionalities are not working correctly, like pslist not working in stable, only in dev.

@eve-mem
Contributor

eve-mem commented Jan 4, 2025

Thanks for reporting your issue! It really helps.

I'm no expert on windows but it seems like it might be related to this change that's in progress.

Could you try the changes listed on this pull request and see if that works for you?

#1407

@eve-mem
Contributor

eve-mem commented Jan 14, 2025

Any luck?

@BeanBagKing

Not the original reporter, but I found this while searching for the same problem. I manually rolled in the fix from here: 4e2227e

Then did a pip install -e .[dev] just in case. Verified the change was still in place, and re-ran malfind.

$ sed -n 269,278p ~/volatility3/volatility3/framework/symbols/windows/extensions/__init__.py
            return self.u.VadFlags.CommitCharge

        elif self.has_member("Core"):
            ## return self.Core.u1.VadFlags1.CommitCharge
            if self.Core.has_member("CommitCharge"):
                return self.Core.CommitCharge
            else:
                return self.Core.u1.VadFlags1.CommitCharge

        raise AttributeError("Unable to find the commit charge member")

Results from before the change and after the change should be attached. Literally no change on a diff, so I'm not sure if I actually added the patch correctly.

windows.malfind_after.txt
windows.malfind_before.txt

@BeanBagKing

Added some debug code, here's the results of print(dir(self.u.VadFlags))

['DeleteInProgress', 'EntireField', 'Lock', 'LockContended', 'NoChange', 'PageSize', 'PreferredNode', 'PrivateMemory', 'Protection', 'VadType', 'VolTemplateProxy', '__abstractmethods__', '__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattr__', '__getattribute__', '__getstate__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', '_abc_impl', '_check_members', '_concrete_members', '_context', '_vol', 'cast', 'get_symbol_table_name', 'has_member', 'has_valid_member', 'has_valid_members', 'member', 'vol', 'write']

No CommitCharge there. self.u1 doesn't exist, neither does self.Core. However, I noticed there was a CommitCharge directly under self. print(dir(self))

['CommitCharge', 'CommitChargeHigh', 'EndingVpn', 'EndingVpnHigh', 'ExtraCreateInfo', 'NextVad', 'Protection', 'PushLock', 'ReferenceCount', 'SpareNT64VadUChar', 'StartingVpn', 'StartingVpnHigh', 'VadNode', 'VolTemplateProxy', '__abstractmethods__', '__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattr__', '__getattribute__', '__getstate__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', '_abc_impl', '_check_members', '_concrete_members', '_context', '_vol', 'cast', 'get_commit_charge', 'get_end', 'get_file_name', 'get_left_child', 'get_parent', 'get_private_memory', 'get_protection', 'get_right_child', 'get_size', 'get_start', 'get_symbol_table_name', 'get_tag', 'has_member', 'has_valid_member', 'has_valid_members', 'member', 'traverse', 'u', 'u5', 'vol', 'walk_tree', 'write']

I have absolutely no idea if this is the "right" CommitCharge, but adding it after an if statement does start returning results and doesn't crash before the end.

$ sed -n 265,274p ~/volatility3/volatility3/framework/symbols/windows/extensions/__init__.py
        if self.has_member("u1") and self.u1.has_member("VadFlags1"):
            return self.u1.VadFlags1.CommitCharge

        elif self.has_member("u") and self.u.has_member("VadFlags"):
            if self.u.VadFlags.has_member("CommitCharge"):
                return self.u.VadFlags.CommitCharge
            else:
                return self.CommitCharge

        elif self.has_member("Core"):
$ vol -f dumpit_24H2.dmp windows.info
Volatility 3 Framework 2.19.0
Progress:  100.00               PDB scanning finished
Variable        Value

Kernel Base     0xf803d4c00000
DTB     0x1ae000
Symbols file:///home/rodger/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/8B0464B49E520F4328DFFFE68FF5B450-1.json.xz
Is64Bit True
IsPAE   False
layer_name      0 WindowsIntel32e
memory_layer    1 WindowsCrashDump64Layer
base_layer      2 FileLayer
KdVersionBlock  0xf803d5a0a7b0
Major/Minor     15.26100
MachineType     34404
KeNumberProcessors      2
SystemTime      2025-01-27 18:23:23+00:00
NtSystemRoot    C:\WINDOWS
NtProductType   NtProductWinNt
NtMajorVersion  10
NtMinorVersion  0
PE MajorOperatingSystemVersion  10
PE MinorOperatingSystemVersion  0
PE Machine      34404

@ikelos ikelos assigned iMHLv2 and unassigned iMHLv2 Jan 27, 2025
@ikelos
Member

ikelos commented Jan 27, 2025

Ok, so this is now crashing on line 269, which is part of the following:

    def get_commit_charge(self):
        """Get the VAD's commit charge (number of committed pages)"""
        if self.has_member("u1") and self.u1.has_member("VadFlags1"):
            return self.u1.VadFlags1.CommitCharge
        elif self.has_member("u") and self.u.has_member("VadFlags"):
            return self.u.VadFlags.CommitCharge

        elif self.has_member("Core"):
            if self.Core.has_member("CommitCharge"):
                return self.Core.CommitCharge
            else:
                return self.Core.u1.VadFlags1.CommitCharge

        raise AttributeError("Unable to find the commit charge member")

Looks like the Core test was in the wrong place in the code. @eve-mem, do you have a memory image where you can recreate this, or at least test what happens if the elif self.has_member('Core') is moved higher up the if statement? I don't really know what's going on here, but it feels like there should be one flow and we should be able to go from attempting most recent to least recent...
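
To make the member-resolution problem discussed in this thread reproducible without a memory image, here is an added example (not volatility3's own code) that models the lookup chain in get_commit_charge with a stand-in for volatility3's StructType. The 15.26100 layout is built from the dir() listings BeanBagKing posted (VadFlags has no CommitCharge; the VAD carries CommitCharge directly); the other two layouts are assumptions used to show why the order of the branches matters. The "fixed" function combines ikelos's suggestion (test Core before u.VadFlags) with BeanBagKing's fallback to the direct CommitCharge member; it is an illustration of the reasoning, not the patch in #1407.

```python
"""Model of the VAD commit-charge lookup discussed in volatility3 issue #1519.

Added example, not volatility3's code. FakeStruct imitates the part of
volatility3's StructType that matters here: has_member() and attribute
access that raises AttributeError for members the symbol table lacks.
"""


class FakeStruct:
    """Stand-in for a volatility3 StructType built from a symbol table."""

    def __init__(self, type_name, **members):
        self._type_name = type_name
        self._members = members

    def has_member(self, name):
        return name in self._members

    def __getattr__(self, attr):
        # Only reached when normal attribute lookup fails, i.e. for members.
        members = self.__dict__.get("_members", {})
        if attr in members:
            return members[attr]
        # The real message also carries the symbol table name as a prefix.
        type_name = self.__dict__.get("_type_name", "?")
        raise AttributeError(f"StructType has no attribute: {type_name}.{attr}")


def get_commit_charge_original(vad):
    """Branch order as in the traceback: u.VadFlags is tried before Core and
    VadFlags.CommitCharge is assumed to exist once VadFlags does."""
    if vad.has_member("u1") and vad.u1.has_member("VadFlags1"):
        return vad.u1.VadFlags1.CommitCharge
    elif vad.has_member("u") and vad.u.has_member("VadFlags"):
        return vad.u.VadFlags.CommitCharge
    elif vad.has_member("Core"):
        if vad.Core.has_member("CommitCharge"):
            return vad.Core.CommitCharge
        return vad.Core.u1.VadFlags1.CommitCharge
    raise AttributeError("Unable to find the commit charge member")


def get_commit_charge_fixed(vad):
    """Core is tested first (ikelos's suggestion, an assumption here) and a
    direct CommitCharge member is accepted when VadFlags lacks one
    (BeanBagKing's fallback)."""
    if vad.has_member("Core"):
        core = vad.Core
        if core.has_member("CommitCharge"):
            return core.CommitCharge
        if core.has_member("u1") and core.u1.has_member("VadFlags1"):
            return core.u1.VadFlags1.CommitCharge
    if vad.has_member("u1") and vad.u1.has_member("VadFlags1"):
        return vad.u1.VadFlags1.CommitCharge
    if vad.has_member("u") and vad.u.has_member("VadFlags"):
        flags = vad.u.VadFlags
        if flags.has_member("CommitCharge"):
            return flags.CommitCharge
        if vad.has_member("CommitCharge"):
            return vad.CommitCharge
    raise AttributeError("Unable to find the commit charge member")


# Constructed layouts. vad_26100 follows the dir() output posted in this
# issue; the other two are assumed shapes used only to exercise the branches.
def vad_26100(commit_charge):
    flags = FakeStruct("_MMVAD_FLAGS", PrivateMemory=1, Protection=6, VadType=0)
    return FakeStruct("_MMVAD_SHORT", u=FakeStruct("u", VadFlags=flags),
                      u5=FakeStruct("u5"), CommitCharge=commit_charge)


def vad_vadflags(commit_charge):
    flags = FakeStruct("_MMVAD_FLAGS", CommitCharge=commit_charge, PrivateMemory=1)
    return FakeStruct("_MMVAD_SHORT", u=FakeStruct("u", VadFlags=flags))


def vad_core(commit_charge):
    # Core present, and a VadFlags without CommitCharge sitting next to it:
    # the original order reaches u.VadFlags before it ever looks at Core.
    flags1 = FakeStruct("_MMVAD_FLAGS1", CommitCharge=commit_charge)
    core = FakeStruct("_MMVAD_SHORT", u1=FakeStruct("u1", VadFlags1=flags1))
    flags = FakeStruct("_MMVAD_FLAGS", PrivateMemory=1)
    return FakeStruct("_MMVAD", Core=core, u=FakeStruct("u", VadFlags=flags))


def check(lookup, vad):
    """Run a lookup and report ('ok', value) or ('error', message)."""
    try:
        return ("ok", lookup(vad))
    except AttributeError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    for name, vad in (("26100", vad_26100(269)), ("vadflags", vad_vadflags(5)),
                      ("core", vad_core(7))):
        print(name, "original:", check(get_commit_charge_original, vad))
        print(name, "fixed:   ", check(get_commit_charge_fixed, vad))
```

Run stand-alone, the script shows the original order failing with the same AttributeError text as the traceback for the 26100 layout (and for the assumed Core layout), while the reordered lookup returns the commit charge for all three shapes.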

@eve-mem
Contributor

eve-mem commented Jan 31, 2025

I've spent all morning installing various different versions of Windows I can get my hands on, but I've not yet been able to recreate it so I can debug properly.

These are the versions I've managed to get samples for, but they all work correctly unfortunately.

  • 15.20348
  • 15.17763
  • 15.14393
  • 15.22621
  • 15.2600

@BeanBagKing is there any chance you could share a broken sample? Even an iso I can use to build my own VM would work.

@eve-mem
Contributor

eve-mem commented Jan 31, 2025

Huzzah - I managed to make a VM with 15.26100 and can reproduce the issue.

@eve-mem
Contributor

eve-mem commented Jan 31, 2025

Hello

Testing on this sample:

(volatility3) eve@xps:~/Documents/volatility3$ python3 vol.py -f DESKTOP-F458H29-20250131-142642.dmp windows.info
Volatility 3 Framework 2.12.0
Progress:  100.00               PDB scanning finished                                
Variable        Value

Kernel Base     0xf80476c00000
DTB     0x1ae000
Symbols file:///home/eve/Documents/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/8B0464B49E520F4328DFFFE68FF5B450-1.json.xz
Is64Bit True
IsPAE   False
layer_name      0 WindowsIntel32e
memory_layer    1 WindowsCrashDump64Layer
base_layer      2 FileLayer
KdVersionBlock  0xf80477a0a7b0
Major/Minor     15.26100
MachineType     34404
KeNumberProcessors      2
SystemTime      2025-01-31 14:26:45+00:00
NtSystemRoot    C:\WINDOWS
NtProductType   NtProductWinNt
NtMajorVersion  10
NtMinorVersion  0
PE MajorOperatingSystemVersion  10
PE MinorOperatingSystemVersion  0
PE Machine      34404
PE TimeDateStamp        Fri Dec 30 03:15:07 1988

I was able to recreate the issue.

(volatility3) eve@xps:~/Documents/volatility3$ python3 vol.py -f DESKTOP-F458H29-20250131-142642.dmp windows.malfind
Volatility 3 Framework 2.12.0
Progress:  100.00               PDB scanning finished                                
PID     Process Start VPN       End VPN Tag     Protection      CommitCharge    PrivateMemory   File output     Notes   Hexdump Disasm
Traceback (most recent call last):
  File "/home/eve/Documents/volatility3/vol.py", line 11, in <module>
    volatility3.cli.main()
  File "/home/eve/Documents/volatility3/volatility3/cli/__init__.py", line 917, in main
    CommandLine().run()
  File "/home/eve/Documents/volatility3/volatility3/cli/__init__.py", line 505, in run
    renderer.render(grid)
  File "/home/eve/Documents/volatility3/volatility3/cli/text_renderer.py", line 232, in render
    grid.populate(visitor, outfd)
  File "/home/eve/Documents/volatility3/volatility3/framework/renderers/__init__.py", line 245, in populate
    for level, item in self._generator:
  File "/home/eve/Documents/volatility3/volatility3/framework/plugins/windows/malfind.py", line 235, in _generator
    vad.get_commit_charge(),
    ^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/eve/Documents/volatility3/volatility3/framework/symbols/windows/extensions/__init__.py", line 269, in get_commit_charge
    return self.u.VadFlags.CommitCharge
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/eve/Documents/volatility3/volatility3/framework/objects/__init__.py", line 969, in __getattr__
    raise AttributeError(
AttributeError: StructType has no attribute: symbol_table_name1!_MMVAD_FLAGS.CommitCharge

Then, by making similar changes to @BeanBagKing's, I was able to get results.

(volatility3) eve@xps:~/Documents/volatility3$ python3 vol.py -f DESKTOP-F458H29-20250131-142642.dmp windows.malfind
Volatility 3 Framework 2.12.0
Progress:  100.00               PDB scanning finished                                
PID     Process Start VPN       End VPN Tag     Protection      CommitCharge    PrivateMemory   File output     Notes   Hexdump Disasm

2960    MsMpEng.exe     0x21a75550000   0x21a7565cfff   VadS    PAGE_EXECUTE_READWRITE  269     1       Disabled        N/A
56 57 53 55 41 54 41 55 41 56 41 57 48 83 ec 28 VWSUATAUAVAWH..(
4c 8d 3c 24 48 8b e9 48 8d b1 98 38 00 00 ff e2 L.<$H..H...8....
49 8d 67 28 41 5f 41 5e 41 5d 41 5c 5d 5b 5f 5e I.g(A_A^A]A\][_^
c3 00 00 40 00 80 00 00 00 48 89 e9 48 b8 60 33 [email protected].`3
0x21a75550000:  push    rsi
0x21a75550001:  push    rdi
0x21a75550002:  push    rbx
0x21a75550003:  push    rbp
0x21a75550004:  push    r12
0x21a75550006:  push    r13
0x21a75550008:  push    r14
0x21a7555000a:  push    r15
0x21a7555000c:  sub     rsp, 0x28
0x21a75550010:  lea     r15, [rsp]
0x21a75550014:  mov     rbp, rcx
0x21a75550017:  lea     rsi, [rcx + 0x3898]
0x21a7555001e:  jmp     rdx
0x21a75550020:  lea     rsp, [r15 + 0x28]
0x21a75550024:  pop     r15
0x21a75550026:  pop     r14
0x21a75550028:  pop     r13
0x21a7555002a:  pop     r12
0x21a7555002c:  pop     rbp
0x21a7555002d:  pop     rbx
0x21a7555002e:  pop     rdi
0x21a7555002f:  pop     rsi
0x21a75550030:  ret
0x21a75550031:  add     byte ptr [rax], al
0x21a75550033:  add     byte ptr [rax + 0x48000000], al
0x21a7555003a:  mov     ecx, ebp
<SNIP>

I'd love a view from @atcuno to see if these changes are the right way to do things. I've updated the PR #1407 with these changes e9d1831

Hope this helps!
