
Volatility fails to extract SSDT on Windows XP guest #82

Open
Wenzel opened this issue Apr 4, 2020 · 1 comment
Labels: bug, Upstream (Upstream bug in a library), Volatility (Volatility framework reload issue)

Comments

Wenzel (Owner) commented Apr 4, 2020

OSWatcher log file is in this Gist

Important part:

2020-04-04 19:07:17,038 DEBUG:volatility.framework.automagic.pdbscan:Using symbol library: ntkrpamp.pdb/C40DD53A8D3D4AE3A24CE6BE866649C9-1
2020-04-04 19:07:17,068 INFO:volatility.schemas:Dependency for validation unavailable: jsonschema
2020-04-04 19:07:17,068 DEBUG:volatility.schemas:All validations will report success, even with malformed input
2020-04-04 19:07:17,069 Level 9:volatility.framework.configuration.requirements:TypeError - SymbolTableRequirement only accepts string labels: None
2020-04-04 19:07:17,069 WARNING:volatility.framework.plugins:Automagic exception occurred: ValueError: Symbol type not in nt_symbols1 SymbolTable: _ETHREAD
WARNING  volatility.framework.plugins: Automagic exception occurred: ValueError: Symbol type not in nt_symbols1 SymbolTable: _ETHREAD
2020-04-04 19:07:17,069 Level 9:volatility.framework.plugins:Traceback (most recent call last):
  File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/automagic/__init__.py", line 129, in run
    automagic(context, config_path, requirement, progress_callback)
  File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/automagic/pdbscan.py", line 481, in __call__
    self.recurse_symbol_fulfiller(context, valid_kernels, progress_callback)
  File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/automagic/pdbscan.py", line 224, in recurse_symbol_fulfiller
    requirement.construct(context, config_path)
  File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/configuration/requirements.py", line 363, in construct
    obj = self._construct_class(context, config_path, args)
  File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/interfaces/configuration.py", line 565, in _construct_class
    obj = cls(**requirement_dict)
  File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/symbols/windows/__init__.py", line 17, in __init__
    self.set_type_class('_ETHREAD', extensions.ETHREAD)
  File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/symbols/intermed.py", line 55, in _delegate_function
    return getattr(self._delegate, name)(*args, **kwargs)
  File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/symbols/intermed.py", line 339, in set_type_class
    raise ValueError("Symbol type not in {} SymbolTable: {}".format(self.name, name))
ValueError: Symbol type not in nt_symbols1 SymbolTable: _ETHREAD

Windows XP Dump is available on Google Drive

Wenzel added the Upstream, Volatility and bug labels on Apr 12, 2020

Wenzel (Owner, Author) commented Jun 30, 2020

Issue is opened on volatility3 repo: volatilityfoundation/volatility3#242
