I am trying to analyze the .vmem file from Challenge 3: Banking Troubles (HoneyNet) using volatility3, but I can't seem to get past this error:
PS C:\Users\<user>\Desktop\HoneyNet\volatility3> python vol.py -f C:\Users\<user>\Desktop\HoneyNet\Bob.vmem -vv windows.pslist.PsList
Volatility 3 Framework 2.0.0
INFO volatility3.cli: Volatility plugins path: ['C:\\Users\\<user>\\Desktop\\HoneyNet\\volatility3\\volatility3\\plugins', 'C:\\Users\\<user>\\Desktop\\HoneyNet\\volatility3\\volatility3\\framework\\plugins']
INFO volatility3.cli: Volatility symbols path: ['C:\\Users\\<user>\\Desktop\\HoneyNet\\volatility3\\volatility3\\symbols', 'C:\\Users\\<user>\\Desktop\\HoneyNet\\volatility3\\volatility3\\framework\\symbols']
INFO volatility3.framework.automagic: Detected a windows category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
INFO volatility3.framework.automagic: Running automagic: LayerStacker
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
DEBUG volatility3.framework.automagic.windows: DtbSelfRefPae test succeeded at 0x319000
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x319000
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0x804d7000
DEBUG volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlpa.pdb\BD8F451F3E754ED8A34B50560CEB08E3-1
INFO volatility3.framework.automagic: Running automagic: KernelModule
WARNING volatility3.framework.plugins: Automagic exception occurred: ValueError: Symbol type not in symbol_table_name1 SymbolTable: _ETHREAD
Unsatisfied requirement plugins.PsList.kernel: Windows kernel
Unable to validate the plugin requirements: ['plugins.PsList.kernel']
I have already downloaded and updated the Windows symbol tables from here.
The .vmem file was downloaded from GitHub.
Can anyone give me any clues on how to proceed, or anything new I could try?
Posted on 2023-02-28 19:01:43
For some reason, replacing the Volatility symbols again solved my problem.
Download the symbol file from the link above, extract it, then copy and paste the resulting windows folder over the existing one.
Hope this helps anyone who ends up stuck on this problem for whatever reason.
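Since the fix above is simply to copy the symbol pack again, it helps to confirm first that the symbol file Volatility resolved (ntkrnlpa.pdb\BD8F451F3E754ED8A34B50560CEB08E3-1 in the log) really lacks _ETHREAD, which points at a bad or truncated copy rather than a wrong symbol pack. The following diagnostic is an added example, not code from the question, the answer or the Volatility project; it assumes the ISF layout (kernel structures under a "user_types" key) and the symbols/windows/<pdb>/<GUID-AGE>.json.xz naming, and uses a constructed minimal ISF for the offline demonstration.

```python
import json
import lzma
import tempfile
from pathlib import Path
from typing import List, Optional

# Volatility 3 reads Intermediate Symbol Format (ISF) JSON; kernel structures such
# as _ETHREAD live under its "user_types" key. The library name in the debug log,
# "ntkrnlpa.pdb\GUID-AGE", maps to <symbols>/windows/ntkrnlpa.pdb/GUID-AGE.json.xz.
REQUIRED_TYPES = ("_ETHREAD", "_EPROCESS")
LOG_LIBRARY = "ntkrnlpa.pdb\\BD8F451F3E754ED8A34B50560CEB08E3-1"  # from the log above

def find_isf(symbols_dir: Path, library: str) -> Optional[Path]:
    """Locate the ISF file for a 'pdb\\GUID-AGE' name under symbols/windows."""
    pdb, guid_age = library.replace("\\", "/").split("/")
    for ext in (".json.xz", ".json"):  # the symbol packs normally ship .json.xz
        candidate = symbols_dir / "windows" / pdb / (guid_age + ext)
        if candidate.is_file():
            return candidate
    return None

def load_isf(path: Path) -> dict:
    """Parse an ISF file, decompressing .xz transparently."""
    opener = lzma.open if path.suffix == ".xz" else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)

def missing_types(symbols_dir: Path, library: str) -> List[str]:
    """Required structures absent from the resolved ISF (all of them if no file)."""
    path = find_isf(symbols_dir, library)
    if path is None:
        return list(REQUIRED_TYPES)
    user_types = load_isf(path).get("user_types", {})
    return [t for t in REQUIRED_TYPES if t not in user_types]

def write_sample_isf(symbols_dir: Path, library: str, types: List[str]) -> Path:
    """Write a constructed, minimal ISF (not a real kernel symbol file) for testing."""
    pdb, guid_age = library.replace("\\", "/").split("/")
    path = symbols_dir / "windows" / pdb / (guid_age + ".json.xz")
    path.parent.mkdir(parents=True, exist_ok=True)
    isf = {"user_types": {t: {"kind": "struct", "size": 0, "fields": {}} for t in types}}
    with lzma.open(path, "wt", encoding="utf-8") as fh:
        json.dump(isf, fh)
    return path

def check_constructed(types: List[str]) -> List[str]:
    """Stage a throwaway symbols tree with a constructed ISF holding `types`, then check it."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_isf(Path(tmp), LOG_LIBRARY, types)
        return missing_types(Path(tmp), LOG_LIBRARY)
```

Against a real install, call missing_types(Path("volatility3/symbols"), LOG_LIBRARY); a non-empty list means the copied file is the wrong or damaged one, which is what re-copying the windows folder fixes.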
https://security.stackexchange.com/questions/268774