-
-
Save Wenzel/20fa59a05187627987b2866bd4107c25 to your computer and use it in GitHub Desktop.
Volatility fails to extract SSDT table for Windows XP
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 2020-04-04 19:07:05,283 INFO:root:Connect to Neo4j DB | |
| 2020-04-04 19:07:05,371 INFO:root:Deleting previous OS winxp | |
| 2020-04-04 19:07:05,380 DEBUG:see.environment.Environment:Allocating environment. | |
| 2020-04-04 19:07:05,401 DEBUG:see.hooks.HookManager:Loading hooks.system.OperatingSystemHook hook. | |
| 2020-04-04 19:07:05,401 DEBUG:see.hooks.HookManager:Loading hooks.memory.MemoryDumpHook hook. | |
| 2020-04-04 19:07:05,420 DEBUG:volatility.framework.interfaces.layers:Imported python-magic, autodetecting compressed files based on content | |
| 2020-04-04 19:07:05,429 DEBUG:volatility.cli.text_renderer:Disassembly library capstone not found | |
| 2020-04-04 19:07:05,430 DEBUG:see.hooks.HookManager:Loading hooks.syscall.SyscallTableHook hook. | |
| 2020-04-04 19:07:05,430 DEBUG:see.environment.Environment:Environment successfully allocated. | |
| 2020-04-04 19:07:05,430 INFO:root:Capturing winxp | |
| 2020-04-04 19:07:05,431 INFO:root:Starting the domain | |
| 2020-04-04 19:07:05,501 DEBUG:root:Waiting 10 seconds for desktop to be ready | |
| 2020-04-04 19:07:15,510 INFO:hooks.memory.MemoryDumpHook:Dumping d8e19f1c-dbad-48bd-b647-d4b54a3f3ce3 physical memory to /tmp/tmpl7frbct0/tmpbdzic15s | |
| 2020-04-04 19:07:16,898 Level 6:volatility.framework:Importing from the following paths: /home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/plugins, /home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/plugins | |
| 2020-04-04 19:07:16,899 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.statistics | |
| 2020-04-04 19:07:16,905 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.registry.certificates | |
| 2020-04-04 19:07:16,939 DEBUG:volatility.framework:Importing module: volatility.plugins.layerwriter | |
| 2020-04-04 19:07:16,940 DEBUG:volatility.framework:Importing module: volatility.plugins.timeliner | |
| 2020-04-04 19:07:16,940 DEBUG:volatility.framework:Importing module: volatility.plugins.frameworkinfo | |
| 2020-04-04 19:07:16,940 DEBUG:volatility.framework:Importing module: volatility.plugins.yarascan | |
| 2020-04-04 19:07:16,941 INFO:volatility.plugins.yarascan:Python Yara module not found, plugin (and dependent plugins) not available | |
| 2020-04-04 19:07:16,941 DEBUG:volatility.framework:No module named 'yara' | |
| 2020-04-04 19:07:16,941 DEBUG:volatility.framework:Failed to import module yarascan based on file: yarascan | |
| 2020-04-04 19:07:16,941 DEBUG:volatility.framework:Importing module: volatility.plugins.configwriter | |
| 2020-04-04 19:07:16,942 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.dlldump | |
| 2020-04-04 19:07:16,943 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.handles | |
| 2020-04-04 19:07:16,944 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.strings | |
| 2020-04-04 19:07:16,944 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.pstree | |
| 2020-04-04 19:07:16,945 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.callbacks | |
| 2020-04-04 19:07:16,948 INFO:volatility.plugins.yarascan:Python Yara module not found, plugin (and dependent plugins) not available | |
| 2020-04-04 19:07:16,948 DEBUG:volatility.framework:No module named 'yara' | |
| 2020-04-04 19:07:16,949 DEBUG:volatility.framework:Failed to import module windows.callbacks based on file: windows/callbacks | |
| 2020-04-04 19:07:16,949 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.pslist | |
| 2020-04-04 19:07:16,949 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.driverscan | |
| 2020-04-04 19:07:16,949 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.mutantscan | |
| 2020-04-04 19:07:16,949 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.psscan | |
| 2020-04-04 19:07:16,949 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.procdump | |
| 2020-04-04 19:07:16,950 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.verinfo | |
| 2020-04-04 19:07:16,953 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.modscan | |
| 2020-04-04 19:07:16,953 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.info | |
| 2020-04-04 19:07:16,953 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.filescan | |
| 2020-04-04 19:07:16,954 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.svcscan | |
| 2020-04-04 19:07:16,954 INFO:volatility.plugins.yarascan:Python Yara module not found, plugin (and dependent plugins) not available | |
| 2020-04-04 19:07:16,954 DEBUG:volatility.framework:No module named 'yara' | |
| 2020-04-04 19:07:16,954 DEBUG:volatility.framework:Failed to import module windows.svcscan based on file: windows/svcscan | |
| 2020-04-04 19:07:16,954 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.dlllist | |
| 2020-04-04 19:07:16,955 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.ssdt | |
| 2020-04-04 19:07:16,955 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.vaddump | |
| 2020-04-04 19:07:16,955 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.vadyarascan | |
| 2020-04-04 19:07:16,955 INFO:volatility.plugins.yarascan:Python Yara module not found, plugin (and dependent plugins) not available | |
| 2020-04-04 19:07:16,955 DEBUG:volatility.framework:No module named 'yara' | |
| 2020-04-04 19:07:16,955 DEBUG:volatility.framework:Failed to import module windows.vadyarascan based on file: windows/vadyarascan | |
| 2020-04-04 19:07:16,955 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.poolscanner | |
| 2020-04-04 19:07:16,956 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.driverirp | |
| 2020-04-04 19:07:16,956 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.moddump | |
| 2020-04-04 19:07:16,956 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.cmdline | |
| 2020-04-04 19:07:16,956 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.malfind | |
| 2020-04-04 19:07:16,956 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.modules | |
| 2020-04-04 19:07:16,956 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.virtmap | |
| 2020-04-04 19:07:16,957 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.vadinfo | |
| 2020-04-04 19:07:16,957 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.symlinkscan | |
| 2020-04-04 19:07:16,957 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.registry.hivescan | |
| 2020-04-04 19:07:16,957 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.registry.printkey | |
| 2020-04-04 19:07:16,957 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.registry.userassist | |
| 2020-04-04 19:07:16,958 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.registry.hivedump | |
| 2020-04-04 19:07:16,958 DEBUG:volatility.framework:Importing module: volatility.plugins.windows.registry.hivelist | |
| 2020-04-04 19:07:16,958 DEBUG:volatility.framework:Importing module: volatility.plugins.mac.check_trap_table | |
| 2020-04-04 19:07:16,960 DEBUG:volatility.framework:Importing module: volatility.plugins.mac.pstree | |
| 2020-04-04 19:07:16,960 DEBUG:volatility.framework:Importing module: volatility.plugins.mac.pslist | |
| 2020-04-04 19:07:16,961 DEBUG:volatility.framework:Importing module: volatility.plugins.mac.lsof | |
| 2020-04-04 19:07:16,961 DEBUG:volatility.framework:Importing module: volatility.plugins.mac.lsmod | |
| 2020-04-04 19:07:16,961 DEBUG:volatility.framework:Importing module: volatility.plugins.mac.tasks | |
| 2020-04-04 19:07:16,961 DEBUG:volatility.framework:Importing module: volatility.plugins.mac.bash | |
| 2020-04-04 19:07:16,962 DEBUG:volatility.framework:Importing module: volatility.plugins.mac.ifconfig | |
| 2020-04-04 19:07:16,963 DEBUG:volatility.framework:Importing module: volatility.plugins.mac.trustedbsd | |
| 2020-04-04 19:07:16,963 DEBUG:volatility.framework:Importing module: volatility.plugins.mac.netstat | |
| 2020-04-04 19:07:16,963 DEBUG:volatility.framework:Importing module: volatility.plugins.mac.check_sysctl | |
| 2020-04-04 19:07:16,963 DEBUG:volatility.framework:Importing module: volatility.plugins.mac.check_syscall | |
| 2020-04-04 19:07:16,963 DEBUG:volatility.framework:Importing module: volatility.plugins.mac.timers | |
| 2020-04-04 19:07:16,964 DEBUG:volatility.framework:Importing module: volatility.plugins.mac.proc_maps | |
| 2020-04-04 19:07:16,964 DEBUG:volatility.framework:Importing module: volatility.plugins.mac.psaux | |
| 2020-04-04 19:07:16,964 DEBUG:volatility.framework:Importing module: volatility.plugins.mac.malfind | |
| 2020-04-04 19:07:16,964 DEBUG:volatility.framework:Importing module: volatility.plugins.linux.pstree | |
| 2020-04-04 19:07:16,965 DEBUG:volatility.framework:Importing module: volatility.plugins.linux.pslist | |
| 2020-04-04 19:07:16,965 DEBUG:volatility.framework:Importing module: volatility.plugins.linux.lsof | |
| 2020-04-04 19:07:16,965 DEBUG:volatility.framework:Importing module: volatility.plugins.linux.lsmod | |
| 2020-04-04 19:07:16,965 DEBUG:volatility.framework:Importing module: volatility.plugins.linux.bash | |
| 2020-04-04 19:07:16,966 DEBUG:volatility.framework:Importing module: volatility.plugins.linux.proc | |
| 2020-04-04 19:07:16,966 DEBUG:volatility.framework:Importing module: volatility.plugins.linux.check_afinfo | |
| 2020-04-04 19:07:16,966 DEBUG:volatility.framework:Importing module: volatility.plugins.linux.check_syscall | |
| 2020-04-04 19:07:16,966 DEBUG:volatility.framework:Importing module: volatility.plugins.linux.malfind | |
| 2020-04-04 19:07:16,967 DEBUG:volatility.framework:Importing module: volatility.plugins.linux.elfs | |
| 2020-04-04 19:07:16,967 DEBUG:hooks.memory.MemoryDumpHook:Plugin failed to load: volatility.plugins.yarascan | |
| 2020-04-04 19:07:16,967 DEBUG:hooks.memory.MemoryDumpHook:Plugin failed to load: volatility.plugins.windows.callbacks | |
| 2020-04-04 19:07:16,967 DEBUG:hooks.memory.MemoryDumpHook:Plugin failed to load: volatility.plugins.windows.svcscan | |
| 2020-04-04 19:07:16,967 DEBUG:hooks.memory.MemoryDumpHook:Plugin failed to load: volatility.plugins.windows.vadyarascan | |
| 2020-04-04 19:07:16,967 Level 6:volatility.framework:Importing from the following paths: /home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/automagic | |
| 2020-04-04 19:07:16,967 DEBUG:volatility.framework:Importing module: volatility.framework.automagic.pdbscan | |
| 2020-04-04 19:07:16,968 DEBUG:volatility.framework:Importing module: volatility.framework.automagic.symbol_cache | |
| 2020-04-04 19:07:16,968 DEBUG:volatility.framework:Importing module: volatility.framework.automagic.construct_layers | |
| 2020-04-04 19:07:16,969 DEBUG:volatility.framework:Importing module: volatility.framework.automagic.windows | |
| 2020-04-04 19:07:16,969 DEBUG:volatility.framework:Importing module: volatility.framework.automagic.mac | |
| 2020-04-04 19:07:16,969 DEBUG:volatility.framework:Importing module: volatility.framework.automagic.stacker | |
| 2020-04-04 19:07:16,970 DEBUG:volatility.framework:Importing module: volatility.framework.automagic.symbol_finder | |
| 2020-04-04 19:07:16,970 DEBUG:volatility.framework:Importing module: volatility.framework.automagic.linux | |
| 2020-04-04 19:07:16,970 INFO:hooks.syscall.SyscallTableHook:Extracting the NT syscall table | |
| 2020-04-04 19:07:16,970 INFO:volatility.framework.automagic:Detected a windows category plugin | |
| 2020-04-04 19:07:16,970 INFO:volatility.framework.automagic:Running automagic: ConstructionMagic | |
| 2020-04-04 19:07:16,970 Level 9:volatility.framework.configuration.requirements:IndexError - No configuration provided: plugins.SSDT.primary | |
| 2020-04-04 19:07:16,970 Level 9:volatility.framework.configuration.requirements:TypeError - SymbolTableRequirement only accepts string labels: None | |
| 2020-04-04 19:07:16,970 Level 9:volatility.framework.configuration.requirements:IndexError - No configuration provided: plugins.SSDT.primary | |
| 2020-04-04 19:07:16,970 Level 9:volatility.framework.automagic.construct_layers:Failed on requirement: plugins.SSDT.primary | |
| 2020-04-04 19:07:16,970 Level 9:volatility.framework.configuration.requirements:IndexError - No configuration provided: plugins.SSDT.primary | |
| 2020-04-04 19:07:16,971 Level 9:volatility.framework.automagic.construct_layers:Failed on requirement: plugins.SSDT | |
| 2020-04-04 19:07:16,971 Level 9:volatility.framework.configuration.requirements:TypeError - SymbolTableRequirement only accepts string labels: None | |
| 2020-04-04 19:07:16,971 Level 9:volatility.framework.automagic.construct_layers:Failed on requirement: plugins.SSDT.nt_symbols | |
| 2020-04-04 19:07:16,971 Level 9:volatility.framework.configuration.requirements:TypeError - SymbolTableRequirement only accepts string labels: None | |
| 2020-04-04 19:07:16,971 Level 9:volatility.framework.automagic.construct_layers:Failed on requirement: plugins.SSDT | |
| 2020-04-04 19:07:16,971 INFO:volatility.framework.automagic:Running automagic: WinSwapLayers | |
| 2020-04-04 19:07:16,971 INFO:volatility.framework.automagic:Running automagic: LayerStacker | |
| 2020-04-04 19:07:16,971 Level 6:volatility.framework:Importing from the following paths: /home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/layers | |
| 2020-04-04 19:07:16,971 DEBUG:volatility.framework:Importing module: volatility.framework.layers.registry | |
| 2020-04-04 19:07:16,971 DEBUG:volatility.framework:Importing module: volatility.framework.layers.segmented | |
| 2020-04-04 19:07:16,972 DEBUG:volatility.framework:Importing module: volatility.framework.layers.msf | |
| 2020-04-04 19:07:16,972 DEBUG:volatility.framework:Importing module: volatility.framework.layers.vmware | |
| 2020-04-04 19:07:16,972 DEBUG:volatility.framework:Importing module: volatility.framework.layers.physical | |
| 2020-04-04 19:07:16,972 DEBUG:volatility.framework:Importing module: volatility.framework.layers.crash | |
| 2020-04-04 19:07:16,972 DEBUG:volatility.framework:Importing module: volatility.framework.layers.resources | |
| 2020-04-04 19:07:16,972 DEBUG:volatility.framework:Importing module: volatility.framework.layers.lime | |
| 2020-04-04 19:07:16,973 DEBUG:volatility.framework:Importing module: volatility.framework.layers.linear | |
| 2020-04-04 19:07:16,973 DEBUG:volatility.framework:Importing module: volatility.framework.layers.elf | |
| 2020-04-04 19:07:16,973 DEBUG:volatility.framework:Importing module: volatility.framework.layers.intel | |
| 2020-04-04 19:07:16,973 DEBUG:volatility.framework:Importing module: volatility.framework.layers.scanners.multiregexp | |
| 2020-04-04 19:07:16,973 Level 9:volatility.framework.configuration.requirements:IndexError - No configuration provided: plugins.SSDT.primary | |
| 2020-04-04 19:07:16,973 Level 9:volatility.framework.configuration.requirements:TypeError - SymbolTableRequirement only accepts string labels: None | |
| 2020-04-04 19:07:16,974 Level 7:volatility.framework.layers.resources:Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler | |
| 2020-04-04 19:07:16,993 Level 8:volatility.framework.automagic.stacker:Attempting to stack using LimeStacker | |
| 2020-04-04 19:07:16,993 Level 8:volatility.framework.automagic.stacker:Attempting to stack using Elf64Stacker | |
| 2020-04-04 19:07:16,993 Level 6:volatility.framework.symbols.intermed:Searching for symbols in /home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/symbols, /home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/symbols | |
| 2020-04-04 19:07:16,995 INFO:volatility.schemas:Dependency for validation unavailable: jsonschema | |
| 2020-04-04 19:07:16,995 DEBUG:volatility.schemas:All validations will report success, even with malformed input | |
| 2020-04-04 19:07:16,999 Level 8:volatility.framework.automagic.stacker:Stacked Elf64Layer using Elf64Stacker | |
| 2020-04-04 19:07:16,999 Level 8:volatility.framework.automagic.stacker:Attempting to stack using LimeStacker | |
| 2020-04-04 19:07:16,999 Level 8:volatility.framework.automagic.stacker:Attempting to stack using WindowsCrashDump32Stacker | |
| 2020-04-04 19:07:16,999 Level 8:volatility.framework.automagic.stacker:Attempting to stack using VmwareStacker | |
| 2020-04-04 19:07:16,999 Level 8:volatility.framework.automagic.stacker:Attempting to stack using WintelStacker | |
| 2020-04-04 19:07:17,014 DEBUG:volatility.framework.automagic.windows:DTB was found at: 0x2ec000 | |
| 2020-04-04 19:07:17,014 Level 8:volatility.framework.automagic.stacker:Stacked IntelLayer using WintelStacker | |
| 2020-04-04 19:07:17,014 Level 8:volatility.framework.automagic.stacker:Attempting to stack using LimeStacker | |
| 2020-04-04 19:07:17,014 Level 8:volatility.framework.automagic.stacker:Attempting to stack using WindowsCrashDump32Stacker | |
| 2020-04-04 19:07:17,014 Level 8:volatility.framework.automagic.stacker:Attempting to stack using VmwareStacker | |
| 2020-04-04 19:07:17,014 Level 8:volatility.framework.automagic.stacker:Attempting to stack using MacintelStacker | |
| 2020-04-04 19:07:17,014 Level 8:volatility.framework.automagic.stacker:Attempting to stack using LintelStacker | |
| 2020-04-04 19:07:17,014 Level 9:volatility.framework.configuration.requirements:IndexError - No configuration provided: plugins.SSDT.primary | |
| 2020-04-04 19:07:17,015 Level 9:volatility.framework.configuration.requirements:IndexError - No configuration provided: plugins.SSDT.primary | |
| 2020-04-04 19:07:17,015 Level 9:volatility.framework.configuration.requirements:TypeError - SymbolTableRequirement only accepts string labels: None | |
| 2020-04-04 19:07:17,015 Level 9:volatility.framework.configuration.requirements:IndexError - No configuration provided: plugins.SSDT.primary | |
| 2020-04-04 19:07:17,015 Level 9:volatility.framework.configuration.requirements:IndexError - No configuration provided: plugins.SSDT.primary.memory_layer | |
| 2020-04-04 19:07:17,015 Level 9:volatility.framework.configuration.requirements:IndexError - No configuration provided: plugins.SSDT.primary.memory_layer.base_layer | |
| 2020-04-04 19:07:17,016 Level 6:volatility.framework.symbols.intermed:Searching for symbols in /home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/symbols, /home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/symbols | |
| 2020-04-04 19:07:17,019 INFO:volatility.schemas:Dependency for validation unavailable: jsonschema | |
| 2020-04-04 19:07:17,019 DEBUG:volatility.schemas:All validations will report success, even with malformed input | |
| 2020-04-04 19:07:17,022 Level 9:volatility.framework.interfaces.configuration:TypeError - kernel_virtual_offset requirements only accept int type: None | |
| 2020-04-04 19:07:17,022 Level 9:volatility.framework.interfaces.configuration:TypeError - kernel_virtual_offset requirements only accept int type: None | |
| 2020-04-04 19:07:17,022 Level 9:volatility.framework.interfaces.configuration:TypeError - kernel_banner requirements only accept str type: None | |
| 2020-04-04 19:07:17,022 Level 9:volatility.framework.interfaces.configuration:TypeError - kernel_banner requirements only accept str type: None | |
| 2020-04-04 19:07:17,022 Level 9:volatility.framework.configuration.requirements:TypeError - SymbolTableRequirement only accepts string labels: None | |
| 2020-04-04 19:07:17,022 Level 9:volatility.framework.automagic.construct_layers:Failed on requirement: plugins.SSDT.nt_symbols | |
| 2020-04-04 19:07:17,022 Level 9:volatility.framework.configuration.requirements:TypeError - SymbolTableRequirement only accepts string labels: None | |
| 2020-04-04 19:07:17,022 Level 9:volatility.framework.automagic.construct_layers:Failed on requirement: plugins.SSDT | |
| 2020-04-04 19:07:17,022 DEBUG:volatility.framework.automagic.stacker:Stacked layers: ['IntelLayer', 'Elf64Layer', 'FileLayer'] | |
| 2020-04-04 19:07:17,022 INFO:volatility.framework.automagic:Running automagic: WintelHelper | |
| 2020-04-04 19:07:17,023 INFO:volatility.framework.automagic:Running automagic: KernelPDBScanner | |
| 2020-04-04 19:07:17,023 Level 9:volatility.framework.configuration.requirements:TypeError - SymbolTableRequirement only accepts string labels: None | |
| 2020-04-04 19:07:17,023 Level 9:volatility.framework.configuration.requirements:TypeError - SymbolTableRequirement only accepts string labels: None | |
| 2020-04-04 19:07:17,023 Level 9:volatility.framework.configuration.requirements:TypeError - SymbolTableRequirement only accepts string labels: None | |
| 2020-04-04 19:07:17,023 DEBUG:volatility.framework.automagic.pdbscan:Kernel base determination - using KDBG structure for kernel offset | |
| 2020-04-04 19:07:17,037 Level 6:volatility.framework.symbols.intermed:Searching for symbols in /home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/symbols, /home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/symbols | |
| 2020-04-04 19:07:17,038 DEBUG:volatility.framework.automagic.pdbscan:Using symbol library: ntkrpamp.pdb/C40DD53A8D3D4AE3A24CE6BE866649C9-1 | |
| 2020-04-04 19:07:17,068 INFO:volatility.schemas:Dependency for validation unavailable: jsonschema | |
| 2020-04-04 19:07:17,068 DEBUG:volatility.schemas:All validations will report success, even with malformed input | |
| 2020-04-04 19:07:17,069 Level 9:volatility.framework.configuration.requirements:TypeError - SymbolTableRequirement only accepts string labels: None | |
| 2020-04-04 19:07:17,069 WARNING:volatility.framework.plugins:Automagic exception occurred: ValueError: Symbol type not in nt_symbols1 SymbolTable: _ETHREAD | |
| WARNING volatility.framework.plugins: Automagic exception occurred: ValueError: Symbol type not in nt_symbols1 SymbolTable: _ETHREAD | |
| 2020-04-04 19:07:17,069 Level 9:volatility.framework.plugins:Traceback (most recent call last): | |
| File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/automagic/__init__.py", line 129, in run | |
| automagic(context, config_path, requirement, progress_callback) | |
| File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/automagic/pdbscan.py", line 481, in __call__ | |
| self.recurse_symbol_fulfiller(context, valid_kernels, progress_callback) | |
| File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/automagic/pdbscan.py", line 224, in recurse_symbol_fulfiller | |
| requirement.construct(context, config_path) | |
| File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/configuration/requirements.py", line 363, in construct | |
| obj = self._construct_class(context, config_path, args) | |
| File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/interfaces/configuration.py", line 565, in _construct_class | |
| obj = cls(**requirement_dict) | |
| File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/symbols/windows/__init__.py", line 17, in __init__ | |
| self.set_type_class('_ETHREAD', extensions.ETHREAD) | |
| File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/symbols/intermed.py", line 55, in _delegate_function | |
| return getattr(self._delegate, name)(*args, **kwargs) | |
| File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/symbols/intermed.py", line 339, in set_type_class | |
| raise ValueError("Symbol type not in {} SymbolTable: {}".format(self.name, name)) | |
| ValueError: Symbol type not in nt_symbols1 SymbolTable: _ETHREAD | |
| 2020-04-04 19:07:17,069 ERROR:hooks.syscall.SyscallTableHook: | |
| Traceback (most recent call last): | |
| File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/see/observer.py", line 142, in synchronous | |
| function(event) | |
| File "/home/wenzel/Projets/oswatcher/hooks/syscall.py", line 28, in extract_syscall_table | |
| constructed = plugins.construct_plugin(ctx, automagics, plugin, BASE_CONFIG_PATH, None, None) | |
| File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/plugins/__init__.py", line 49, in construct_plugin | |
| raise exceptions.UnsatisfiedException(unsatisfied) | |
| volatility.framework.exceptions.UnsatisfiedException | |
| ERROR hooks.syscall.SyscallTableHook: | |
| Traceback (most recent call last): | |
| File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/see/observer.py", line 142, in synchronous | |
| function(event) | |
| File "/home/wenzel/Projets/oswatcher/hooks/syscall.py", line 28, in extract_syscall_table | |
| constructed = plugins.construct_plugin(ctx, automagics, plugin, BASE_CONFIG_PATH, None, None) | |
| File "/home/wenzel/Projets/oswatcher/venv/lib/python3.7/site-packages/volatility/framework/plugins/__init__.py", line 49, in construct_plugin | |
| raise exceptions.UnsatisfiedException(unsatisfied) | |
| volatility.framework.exceptions.UnsatisfiedException | |
| 2020-04-04 19:07:17,069 INFO:hooks.memory.MemoryDumpHook:Keeping memory dump at /home/wenzel/Projets/oswatcher/winxp-d8e19f1c-dbad-48bd-b647-d4b54a3f3ce3.dump | |
| 2020-04-04 19:07:18,487 INFO:root:Shutting down the domain | |
| 2020-04-04 19:07:18,691 INFO:root:Inserting OS node winxp | |
| 2020-04-04 19:07:19,807 DEBUG:see.environment.Environment:Deallocating environment. | |
| 2020-04-04 19:07:19,816 DEBUG:see.environment.Environment:Environment successfully deallocated. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment