ufrisk/MemProcFS

Unable to initialize MemProcFS

Closed this issue · 4 comments

F:\MemProcFS>MemProcFS.exe -f memory1.raw -loglevel symbol:4
[SYMBOL] Unable to download required debug symbols ntkrnlmp.pdb - manual download possible.
[SYMBOL] Download from:
[SYMBOL] https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/9F65CD18C2F36F88B2D0CE8A7BFE2BB71/ntkrnlmp.pdb
[SYMBOL] Download to:
[SYMBOL] F:\MemProcFS\Symbols\ntkrnlmp.pdb\9F65CD18C2F36F88B2D0CE8A7BFE2BB71\ntkrnlmp.pdb
[SYMBOL] Functionality may be limited. Extended debug information disabled.
[SYMBOL] Partial offline fallback symbols in use.
[SYMBOL] For additional information use startup option: -loglevel symbol:4
[SYMBOL] Reason: Unable to download kernel symbols to cache from Symbol Server.

[SYMBOL] Initialized symbol subsystem (Microsoft).
[CORE] Initialization Failed. Unable to walk EPROCESS. #5
[CORE] Unable to auto-identify operating system.
Specify PageDirectoryBase (DTB/CR3) in -dtb option if value if known.
If arm64 dump, specify architecture: -arch arm64

[CORE] Failed to initialize.

And the Microsoft link only provides: 9F39DC82312E7953F327419E2F9742D944FED8EC0A923FC7F66846C6D6CE5D9C00.blob

I tried to replace symbols/ntkrnlmp.pdb/9F65CD18C2F36F88B2D0CE8A7BFE2BB71/ntkrnlmp.pdb with volatility3\symbols\windows\ntkrnlmp.pdb

F:\MemProcFS>MemProcFS.exe -f memory1.raw -loglevel symbol:4
[SYMBOL] Functionality may be limited. Extended debug information disabled.
[SYMBOL] Partial offline fallback symbols in use.
[SYMBOL] For additional information use startup option: -loglevel symbol:4
[SYMBOL] Reason: Unable to download kernel symbols to cache from Symbol Server.

[SYMBOL] Initialized symbol subsystem (Microsoft).
[CORE] Initialization Failed. Unable to walk EPROCESS. #5
[CORE] Unable to auto-identify operating system.
Specify PageDirectoryBase (DTB/CR3) in -dtb option if value if known.
If arm64 dump, specify architecture: -arch arm64

[CORE] Failed to initialize.

So what should I do?

I assume you're running on an offline system.

Rename your microsoft downloaded 9F39DC82312E7953F327419E2F9742D944FED8EC0A923FC7F66846C6D6CE5D9C00.blob file to ntkrnlmp.pdb and put it in the requested directory.

Do not use any volatility stuff. Use the microsoft provided file.
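
As an added example (my code, not part of MemProcFS and not the maintainer's instructions), the two manual steps above done mechanically on an offline analysis host: parse the "Download from:" / "Download to:" lines MemProcFS prints, check that the file you fetched is a real PDB (every PDB 7.0 starts with the MSF signature, whereas a Volatility symbol table is JSON), and copy it into the cache under the name and GUID folder MemProcFS expects, regardless of the .blob name the browser gave it. The log lines and the file names are taken from this issue; the sample files written in demo() are constructed stand-ins, and the cache_root parameter exists only so the flow can be exercised in a scratch directory.

```python
"""Added example: place a manually downloaded ntkrnlmp.pdb into the MemProcFS
symbol cache. Not MemProcFS project code."""
import re
import shutil
import sys
import tempfile
from pathlib import Path, PureWindowsPath

# Every PDB 7.0 file opens with this 32-byte MSF signature; a Volatility
# JSON symbol table or a truncated download will not.
MSF7_MAGIC = b"Microsoft C/C++ MSF 7.00\r\n\x1aDS\x00\x00\x00"

# Symbol-server layout: <name>/<32-hex GUID><decimal age>/<name>
_SYMBOL_URL_RE = re.compile(
    r"https?://\S+?/(?P<name>[^/]+)/(?P<id>[0-9A-Fa-f]{32}\d+)/(?P=name)$"
)

# The lines MemProcFS printed in this issue (copied from the log above).
SAMPLE_LOG = r"""
[SYMBOL] Unable to download required debug symbols ntkrnlmp.pdb - manual download possible.
[SYMBOL] Download from:
[SYMBOL] https://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/9F65CD18C2F36F88B2D0CE8A7BFE2BB71/ntkrnlmp.pdb
[SYMBOL] Download to:
[SYMBOL] F:\MemProcFS\Symbols\ntkrnlmp.pdb\9F65CD18C2F36F88B2D0CE8A7BFE2BB71\ntkrnlmp.pdb
"""


def parse_symbol_request(log_text):
    """Return url, Windows target path, pdb name and GUID+age from [SYMBOL] output."""
    lines = [ln.replace("[SYMBOL]", "", 1).strip() for ln in log_text.splitlines()]
    url = target = None
    for i, line in enumerate(lines[:-1]):
        if line == "Download from:":
            url = lines[i + 1]
        elif line == "Download to:":
            target = lines[i + 1]
    if not (url and target):
        raise ValueError("no symbol download request found in log")
    m = _SYMBOL_URL_RE.match(url)
    if m is None:
        raise ValueError("unexpected symbol server URL: " + url)
    return {"url": url, "target": target,
            "name": m.group("name"), "guid_age": m.group("id").upper()}


def is_pdb(path):
    """True if the file carries the MSF 7.0 header a real PDB has."""
    with open(path, "rb") as f:
        return f.read(len(MSF7_MAGIC)) == MSF7_MAGIC


def install_symbol(downloaded, target, cache_root=None):
    """Copy the downloaded file to the requested cache path as <name>.pdb.

    `target` is the Windows path MemProcFS printed. If `cache_root` is given,
    the last three components (ntkrnlmp.pdb\\<GUID+age>\\ntkrnlmp.pdb) are
    placed under it instead; on the analysis box itself leave it None.
    """
    downloaded = Path(downloaded)
    if not is_pdb(downloaded):
        raise ValueError(f"{downloaded.name} is not a PDB: MSF 7.0 header missing")
    parts = PureWindowsPath(target).parts
    dest = Path(cache_root, *parts[-3:]) if cache_root else Path(target)
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(downloaded, dest)
    return dest


def demo():
    """Run the whole flow in a scratch directory with constructed files."""
    req = parse_symbol_request(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed stand-ins: a file with a valid MSF header (what the
        # symbol server serves, saved under its .blob name) and a JSON file
        # (what a Volatility symbol directory holds).
        blob = tmp / "9F39DC82312E7953F327419E2F9742D944FED8EC0A923FC7F66846C6D6CE5D9C00.blob"
        blob.write_bytes(MSF7_MAGIC + b"\x00" * 64)
        fake = tmp / "ntkrnlmp.pdb"
        fake.write_bytes(b'{"symbols": {}}')
        dest = install_symbol(blob, req["target"], cache_root=tmp / "Symbols")
        try:
            install_symbol(fake, req["target"], cache_root=tmp / "Symbols")
            rejected = False
        except ValueError:
            rejected = True
        return {"guid_age": req["guid_age"],
                "dest_rel": dest.relative_to(tmp / "Symbols").as_posix(),
                "installed_ok": is_pdb(dest),
                "json_rejected": rejected}


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py memprocfs.log downloaded.blob
        req = parse_symbol_request(Path(sys.argv[1]).read_text())
        print("installed", install_symbol(sys.argv[2], req["target"]))
    else:
        print(demo())
```

On the real host, save the MemProcFS output to a file and run the script with that file and the downloaded .blob; it writes ntkrnlmp.pdb to the exact "Download to:" path. The header check is the cheap way to catch the mistake in this thread (a non-PDB file dropped into the cache) before MemProcFS silently falls back to partial offline symbols.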

Still have some problems

If you don't have the latest download of MemProcFS, try it. I usually update the info.db file with new offsets after each Patch Tuesday.

If that doesn't work there may be an issue with MemProcFS, but in order to pinpoint it I'm afraid I'd really require the memory dump. I completely understand if it's not possible to share it. But if it is, you may zip it and upload it somewhere and send me the link and I'll take a look.

I'm closing this issue. Since I haven't heard back I assume it's resolved. If not please feel free to contact me with the memory dump that has this error despite this issue being closed.