28 Feb
Volatility: AutoMagic Symbol Table error
I am trying to analyze the .vmem file from HoneyNet challenge 3: Banking Troubles (HoneyNet) using volatility3. But I can't seem to get past this error:
PS C:\Users\<user>\Desktop\HoneyNet\volatility3> python vol.py -f C:\Users\<user>\Desktop\HoneyNet\Bob.vmem -vv windows.pslist.PsList
Volatility 3 Framework 2.0.0
INFO volatility3.cli: Volatility plugins path: ['C:\\Users\\<user>\\Desktop\\HoneyNet\\volatility3\\volatility3\\plugins', 'C:\\Users\\<user>\\Desktop\\HoneyNet\\volatility3\\volatility3\\framework\\plugins']
INFO volatility3.cli: Volatility symbols path: ['C:\\Users\\<user>\\Desktop\\HoneyNet\\volatility3\\volatility3\\symbols', 'C:\\Users\\<user>\\Desktop\\HoneyNet\\volatility3\\volatility3\\framework\\symbols']
INFO volatility3.framework.automagic: Detected a windows category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
INFO volatility3.framework.automagic: Running automagic: LayerStacker
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
DEBUG volatility3.framework.automagic.windows: DtbSelfRefPae test succeeded at 0x319000
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x319000
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0x804d7000
DEBUG volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlpa.pdb\BD8F451F3E754ED8A34B50560CEB08E3-1
INFO volatility3.framework.automagic: Running automagic: KernelModule
WARNING volatility3.framework.plugins: Automagic exception occurred: ValueError: Symbol type not in symbol_table_name1 SymbolTable: _ETHREAD
Unsatisfied requirement plugins.PsList.kernel: Windows kernel
Unable to validate the plugin requirements: ['plugins.PsList.kernel']
I have already downloaded and updated the Windows symbol table, from here.
The .vmem file is downloaded from github.
Can anyone give me any sort of clue on how to proceed or anything new I could try?
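One thing worth checking before anything else is whether the ISF symbol file that the scanner picked (ntkrnlpa.pdb\BD8F451F3E754ED8A34B50560CEB08E3-1 in the log above) is really the one sitting in the symbols directory and whether it defines the structure the error names (_ETHREAD). The following is an added diagnostic script, not code from the original post or from the Volatility project. It assumes the Volatility 3 layout symbols/windows/<pdbname>/<GUID>-<age>.json.xz and that an ISF file records its source PDB under metadata["windows"]["pdb"] with "GUID", "age" and "database" keys; SAMPLE_ISF is a constructed, deliberately incomplete document used to show the output.

```python
"""Check that a Volatility 3 ISF symbol file matches the PDB the kernel
scanner reported and actually defines the kernel types a plugin needs.

Added example, not part of the original post and not Volatility code.
Assumed: symbol files live at <symbols_dir>/windows/<pdbname>/<GUID>-<age>.json.xz
and the ISF metadata carries metadata["windows"]["pdb"]["GUID"/"age"/"database"].
"""
import gzip
import json
import lzma
import sys
from pathlib import Path


def expected_symbol_path(symbols_dir, pdb_name, guid, age):
    """Path at which Volatility 3 would look for this PDB's ISF (assumed layout)."""
    return Path(symbols_dir) / "windows" / pdb_name / f"{guid.upper()}-{age}.json.xz"


def load_isf(path):
    """Load an ISF JSON document, handling plain, .xz and .gz files."""
    path = Path(path)
    opener = {".xz": lzma.open, ".gz": gzip.open}.get(path.suffix, open)
    with opener(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)


def check_isf(isf, guid, age, required_types):
    """Return a dict describing what is wrong with the ISF document, empty if nothing.

    'pdb_mismatch':  the file was generated from a different PDB (GUID/age differ)
    'missing_types': required structures that are absent from user_types
    """
    problems = {}
    pdb = isf.get("metadata", {}).get("windows", {}).get("pdb", {})
    if pdb.get("GUID", "").upper() != guid.upper() or int(pdb.get("age", -1)) != age:
        problems["pdb_mismatch"] = pdb
    user_types = isf.get("user_types", {})
    missing = [name for name in required_types if name not in user_types]
    if missing:
        problems["missing_types"] = missing
    return problems


# Constructed sample: a matching PDB identity but _ETHREAD is not defined,
# which is exactly the shape of file that would produce the error in the post.
GUID = "BD8F451F3E754ED8A34B50560CEB08E3"
SAMPLE_ISF = {
    "metadata": {
        "format": "6.2.0",
        "windows": {"pdb": {"GUID": GUID, "age": 1, "database": "ntkrnlpa.pdb"}},
    },
    "user_types": {
        "_EPROCESS": {"kind": "struct", "size": 608, "fields": {}},
        "_KPROCESS": {"kind": "struct", "size": 108, "fields": {}},
    },
}

# Structures PsList walks in Volatility 3; the failing one is _ETHREAD.
REQUIRED = ["_EPROCESS", "_ETHREAD"]


def main(argv):
    if len(argv) == 4:
        # Usage: check_isf.py <symbols_dir> <pdb_name> <GUID>-<age>
        symbols_dir, pdb_name, guid_age = argv[1:4]
        guid, age = guid_age.split("-")
        path = expected_symbol_path(symbols_dir, pdb_name, guid, int(age))
        if not path.exists():
            print(f"no symbol file at {path}")
            return 1
        problems = check_isf(load_isf(path), guid, int(age), REQUIRED)
    else:
        problems = check_isf(SAMPLE_ISF, GUID, 1, REQUIRED)
    print(problems or "symbol file matches and defines all required types")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_isf.py <symbols_dir> ntkrnlpa.pdb BD8F451F3E754ED8A34B50560CEB08E3-1` against the symbols directory printed in the log; run with no arguments it reports `{'missing_types': ['_ETHREAD']}` for the constructed sample. A missing file means the scanner is falling back to some other file, and a missing type means the file was generated from a PDB that does not carry that structure, so the next step differs in each case.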