Automagic exception: Missing _ETHREAD kernel symbol for Win10x64_17134 memory image #135
Comments
|
Hiya, Thanks for the report! From the looks of it, the symbol table is the heart of the problem. It would help us to figure out what went wrong in this specific case if you could paste the output from running it with That will tell us which symbol table we're looking for. It's definitely a known issue that certain kernel symbol files that Microsoft publishes aren't complete (for example, I have a system with the above signature, that we do have symbols for in the symbol pack, but if you try to download them manually, the pdb no longer contains all the necessary data, and it comes up with the same warning you've encountered). Once we know which symbol table it's trying to use we can examine the one in the pack, or even if it exists in the pack and figure out if we can create symbols for it or not... 5:) |
|
I have a Win10x64_18362 image and I'm getting the same issue. I tried downloading the symbols and extracting them manually, but I get the same error. This is a test VM so happy to perform any debugging steps on the live host. Let me know if you'd rather I create a separate issue for this |
|
Errr, leave it in this thread for the moment please. So |
Turns out that #133 exposed a mistake in how we were using the end_bit field (and it should have been picked up in review, my bad). Essentially we were masking based on the length of the end_bit after *already* shifting by the start_bit. We should mask then shift, not the other way around. May well fix issue #135 (pdb generation will have been affected by this).
|
So it turns out this was due to a recent pull request that I didn't properly review (I checked the code, which was right, but completely missed that we did things in the wrong order already and it just so happened it worked out fine because of the mistake which #133 correctly fixed). Unfortunately, this means that some generated symbol tables will now be invalid and will need to be re-generated. Please clear out your Any windows JSON symbol files generated in the last couple of days will need to be removed and will be rebuilt from the internet. Please could you test this? @mattwhatkins I know this will fix your issue, @johnlabuyfoy1024 I suspect this will fix yours but I never found out which PDB you were testing it against... I leave this open for a week or so unless I get told otherwise, in case someone's still experiencing it even with the fix from commit |
|
This works for me, windows.info and pstree coming back OK now :) (Malfind is erroring, so I'll see if I can work that out, otherwise submit a separate bug report) Thanks! |
|
My issue is now resolved after downloading & installing the latest windows.zip from https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime 4 0 System 0xd10263712440 196 - N/A False 2019-08-14 18:27:46.000000 N/A Thank you ikelos! |
volatility version = Volatility 3 Framework 1.0.0-beta.1
OS used to run Volatility = Linux kali 5.3.0-kali1-amd64 #1 SMP Debian 5.3.7-kali2 (2019-11-04) x86_64 GNU/Linux
Python version = Python 3.7.5
OS of target memory sample = Win10x64_17134
Command line = python3 vol.py -f /mnt/Labs/GBAKER-10L/data.lime windows.pslist.PsList
Error message =
Volatility 3 Framework 1.0.0-beta.1
WARNING volatility.framework.plugins: Automagic exception occured: ValueError: Symbol type not in nt_symbols1 SymbolTable: _ETHREAD
Unsatisfied requirement plugins.PsList.nt_symbols: Windows kernel symbols
A symbol table requirement was not fulfilled. Please verify that:
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
NOTE: I was able to successfully run the above command line on a different Windows 7 memory image. So, the https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip file was installed correctly.
The text was updated successfully, but these errors were encountered: