Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A symbol table requirement was not fulfilled #1614

Open
snowcapcyber opened this issue Feb 12, 2025 · 4 comments
Open

A symbol table requirement was not fulfilled #1614

snowcapcyber opened this issue Feb 12, 2025 · 4 comments
Labels
needs-more-info

Comments

@snowcapcyber
Copy link

I am trying to analyse a Windows 10 Enterprise 22H2 (19045-5371) and I am getting the following error messages:
Volatility 3 Framework 2.8.0
Progress: 100.00 PDB scanning finished
Unsatisfied requirement plugins.Lsadump.kernel.symbol_table_name:
A symbol table requirement was not fulfilled. Please verify that:
The associated translation layer requirement was fulfilled
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.Lsadump.kernel.symbol_table_name']
@atcuno
Copy link
Contributor

atcuno commented Feb 12, 2025

Helllo,

We need much more information to diagnose the issue.

  1. How was memory acquired?

  2. Re-run volatility 3 with -vvvvvvv before the plugin name and paste the full command line input/output

  3. Are you on the latest develop commit?

@snowcapcyber
Copy link
Author

C:\Users\Andrew Blyth\OneDrive - Andrew Blyth\Desktop>git clone https://github.com/volatilityfoundation/volatility3.git
Cloning into 'volatility3'...
remote: Enumerating objects: 42556, done.
remote: Counting objects: 100% (346/346), done.
remote: Compressing objects: 100% (170/170), done.
Receiving objects: 100% (42556/42556), 8.38 MiB | 4.76 MiB/s, done.d 42210 (from 3)

Resolving deltas: 100% (32744/32744), done.

C:\Users\Andrew Blyth\OneDrive - Andrew Blyth\Desktop>cd volatility3

C:\Users\Andrew Blyth\OneDrive - Andrew Blyth\Desktop\volatility3>ls
API_CHANGES.md doc pyproject.toml vol.py volshell.py
CITATION.cff LICENSE.txt README.md vol.spec volshell.spec
development MANIFEST.in test volatility3

C:\Users\Andrew Blyth\OneDrive - Andrew Blyth\Desktop\volatility3>python vol.py -vvvv -f ..\raw.raw windows.verinfo.VerInfo
Volatility 3 Framework 2.20.1
INFO volatility3.cli: Volatility plugins path: ['C:\Users\Andrew Blyth\OneDrive - Andrew Blyth\Desktop\volatility3\volatility3\plugins', 'C:\Users\Andrew Blyth\OneDrive - Andrew Blyth\Desktop\volatility3\volatility3\framework\plugins']
INFO volatility3.cli: Volatility symbols path: ['C:\Users\Andrew Blyth\OneDrive - Andrew Blyth\Desktop\volatility3\volatility3\symbols', 'C:\Users\Andrew Blyth\OneDrive - Andrew Blyth\Desktop\volatility3\volatility3\framework\symbols']
INFO volatility3.framework.automagic: Detected a windows category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1ad000
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1ad000
DETAIL 2 volatility3.framework.automagic.stacker: Stacked IntelLayer using WindowsIntelStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.VerInfo.kernel.layer_name.memory_layer
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.VerInfo
DEBUG volatility3.framework.automagic.stacker: physical_layer maximum_address: 36230397951
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - testing fixed base address
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf8000de00000
DEBUG volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf807ca18d000
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - optimized scan virtual layer
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - slow scan virtual layer
INFO volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.VerInfo.kernel.symbol_table_name

Unsatisfied requirement plugins.VerInfo.kernel.symbol_table_name:

A symbol table requirement was not fulfilled. Please verify that:
The associated translation layer requirement was fulfilled
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.VerInfo.kernel.symbol_table_name']

C:\Users\Andrew Blyth\OneDrive - Andrew Blyth\Desktop\volatility3>

@eve-mem
Copy link
Contributor

eve-mem commented Feb 13, 2025

A little more context from slack

OS in the sample is Windows 10 Enterprise 22H2 (19045-5371)

Originally wasn't using the latest develop commit, but has tried that now and is getting the same error.

The machine should have 32GB of raw, which matches the size in the logs.

The collection was done with winpmem.

Is trying another image to see if that works. I've also suggested trying surge or dumpit for the collection. To rule out a winpmem issue.

@snowcapcyber
Copy link
Author

I used dumpit to contract a memory dump and when I ran it on volatility I got the same error message.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs-more-info
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@atcuno @snowcapcyber @eve-mem