Redline Memory Image Support #98

Closed
TheHmadQureshi opened this issue Oct 20, 2019 · 6 comments

Comments

@TheHmadQureshi

Hello,

I created a memory image using Redline (Memoryze) and it created a .dat file for memory acquisition. I was wondering if there's any way to analyze that memory dump using Volatility?

Appreciate your help.

Thanks

@ikelos
Member

ikelos commented Oct 20, 2019

I believe redline's .dat files are just raw memory images, and should therefore work with volatility 3. Have you tried it, and if so what results did you have?

@TheHmadQureshi
Author

Thanks for replying @ikelos. I got this output:


I made sure that the symbols are in the right directory and in order. I am not sure why it's not working.

@ikelos
Member

ikelos commented Oct 20, 2019

Hmmm, so first off, from the output, it looks like the raw memory image is fine (and that the dat files that Redline/Memoryze produces are just raw memory images), and it did find an intel layer (because you didn't get an issue about primary not being fulfilled, just the nt_symbols).

You can run the command again using vol.py -vvv rather than vol.py and see if it identifies a windows kernel to use, and then verify whether it found such a symbol table or not. It's possible the memory image was smeared or doesn't have enough information to be able to load the necessary windows information in it. Let me know what the output of vol.py -vvv shows and we can go from there... 5:)

@TheHmadQureshi
Author

TheHmadQureshi commented Oct 21, 2019

I did. Here's what I got:

Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Info.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Info
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Info.nt_symbols
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Info
INFO     volatility.framework.automagic: Running automagic: LayerStacker
DEBUG    volatility.framework: Importing module: volatility.framework.layers.crash
DEBUG    volatility.framework: Importing module: volatility.framework.layers.intel
DEBUG    volatility.framework: Importing module: volatility.framework.layers.lime
DEBUG    volatility.framework: Importing module: volatility.framework.layers.linear
DEBUG    volatility.framework: Importing module: volatility.framework.layers.msf
DEBUG    volatility.framework: Importing module: volatility.framework.layers.physical
DEBUG    volatility.framework: Importing module: volatility.framework.layers.registry
DEBUG    volatility.framework: Importing module: volatility.framework.layers.resources
DEBUG    volatility.framework: Importing module: volatility.framework.layers.segmented
DEBUG    volatility.framework: Importing module: volatility.framework.layers.vmware
DEBUG    volatility.framework: Importing module: volatility.framework.layers.scanners.multiregexp
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
DEBUG    volatility.framework.automagic.windows: DTB was found at: 0x640000
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary.memory_layer
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Info.nt_symbols
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Info
DEBUG    volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO     volatility.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility.framework.automagic: Running automagic: WintelHelper
INFO     volatility.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None
DEBUG    volatility.framework.automagic.pdbscan: Kernel base determination - using KDBG structure for kernel offset
DEBUG    volatility.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility.framework.automagic.pdbscan: Kernel base determination - testing fixed base address
DEBUG    volatility.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0x82800000
INFO     volatility.framework.automagic.pdbscan: No suitable kernels found during pdbscan
Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None

Unsatisfied requirement plugins.Info.nt_symbols: Windows kernel symbols

A symbol table requirement was not fulfilled.  Please verify that:
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.nt_symbols']

I think this is where the issue is residing:

Level 9  volatility.framework.configuration.requirements: TypeError - SymbolTableRequirement only accepts string labels: None

How do I change the type and what input shall I provide for my memory image .dat file?

Appreciate your help.

@ikelos
Member

ikelos commented Oct 21, 2019

Hiya, thanks for running that! As it turns out, the TypeError is fine and expected; the issue is when the pdbscan automagic tries to determine the kernel base value. At the moment, it tries three different methods, and the third one finds a potential kernel base, but then fails to read that page of memory.

This is actually the same type of trace as seen by @araaj in issue #96. As I said there, my best guess is that the acquisition wasn't successful. If you could produce a memory image that you're happy to make public, then we could try to diagnose the issue further? More than that, I'm not sure how best to help.

Again, it looks as though the .dat file is a normal memory image and can be read ok by volatility when it's intact. I'd need to check a failing file to find out if the layout of the file is different, or there's an issue in vol3 that causes the problem...
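The diagnosis @ikelos walks through above (intel layer stacked, a DTB found, pdbscan's three kernel-base methods, then a page fault on the candidate base) can be pulled out of a `vol.py -vvv` trace mechanically. The script below is an added example, not Volatility's own code and not something posted in this issue; the trace excerpt it parses is constructed from the output quoted earlier, and the verdict strings are this example's own wording.

```python
import re

# Constructed excerpt of the -vvv trace quoted in the issue (one Level 9 line kept to show it is ignored).
SAMPLE_TRACE = """\
DEBUG    volatility.framework.automagic.windows: DTB was found at: 0x640000
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Info.nt_symbols
DEBUG    volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO     volatility.framework.automagic: Running automagic: KernelPDBScanner
DEBUG    volatility.framework.automagic.pdbscan: Kernel base determination - using KDBG structure for kernel offset
DEBUG    volatility.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility.framework.automagic.pdbscan: Kernel base determination - testing fixed base address
DEBUG    volatility.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0x82800000
INFO     volatility.framework.automagic.pdbscan: No suitable kernels found during pdbscan
Unsatisfied requirement plugins.Info.nt_symbols: Windows kernel symbols
"""

def triage(trace: str) -> dict:
    """Collect the facts the diagnosis needs; Level 9 TypeError/IndexError lines are expected noise and skipped."""
    facts = {"dtb": None, "layers": [], "kernel_base_methods": [],
             "page_faults": [], "kernels_found": True, "unsatisfied": []}
    for line in trace.splitlines():
        if m := re.search(r"DTB was found at: (0x[0-9a-fA-F]+)", line):
            facts["dtb"] = int(m.group(1), 16)          # paging structure located in the raw image
        elif m := re.search(r"Stacked layers: \[(.*)\]", line):
            facts["layers"] = re.findall(r"'([^']+)'", m.group(1))
        elif m := re.search(r"Kernel base determination - (.+)$", line):
            facts["kernel_base_methods"].append(m.group(1))   # the three pdbscan methods
        elif m := re.search(r"caused a page fault: (0x[0-9a-fA-F]+)", line):
            facts["page_faults"].append(int(m.group(1), 16))  # candidate base that could not be read
        elif "No suitable kernels found" in line:
            facts["kernels_found"] = False
        elif m := re.match(r"Unsatisfied requirement (\S+):", line):
            facts["unsatisfied"].append(m.group(1))
    return facts

def diagnose(facts: dict) -> str:
    """Map the facts onto the situations discussed in the thread (verdict wording is this example's own)."""
    if any(r.endswith(".primary") for r in facts["unsatisfied"]) or "IntelLayer" not in facts["layers"]:
        return "no address space built: the file is probably not a raw image"
    if facts["page_faults"] and not facts["kernels_found"]:
        return "intel layer and DTB found but the candidate kernel base is unreadable: suspect an incomplete (smeared) acquisition"
    if not facts["kernels_found"]:
        return "no kernel identified: check the symbol directory and banner"
    return "automagic succeeded"

if __name__ == "__main__":
    print(diagnose(triage(SAMPLE_TRACE)))
```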

@ikelos
Member

ikelos commented Nov 4, 2019

So, just to note, I believe the Redline .dat format is supported by Volatility and there have been no further comments in two weeks, so I'm going to mark this as closed. Feel free to reopen it if you feel the issue is still present... 5:)

@ikelos ikelos closed this as completed Nov 4, 2019