Abyss-W4tcher

Results 111 comments of Abyss-W4tcher

Volatility can't match the memory dump file (MacOS Monterey 12.6 build 21G115) to the symbol table created

This structure was removed from the kernel, as well as many related `vm_map` ones. The old/new versions are here : - https://github.com/apple-open-source/macos/blob/12.0.1/xnu/osfmk/vm/vm_map.h#L140 - https://github.com/apple-open-source/macos/blob/14.3/xnu/osfmk/vm/vm_map.h#L239 Here is an article brieflly talking...

Volatility can't match the memory dump file (MacOS Monterey 12.6 build 21G115) to the symbol table created

Hi, I will propose a patch in a PR soon, it's only in my fork right now. I inform any dev here, to avoid potentially duplicating the same work 😃

Custom Linux kernel : Unable to validate the plugin requirements when a custom profile has been created and detected.

> Hi, thanks for your fast response! > > The dump is made using the qemu monitor command `pmemsave 0 0x20000000 dump.raw`. > > `pslist, bash, pstree and sockstat` provides...

Custom Linux kernel : Unable to validate the plugin requirements when a custom profile has been created and detected.

Could you try running with `-vvvvvvvvvvv`, to see if we get more informations ?

Custom Linux kernel : Unable to validate the plugin requirements when a custom profile has been created and detected.

Relevant part seems to be : ``` Level 7 volatility3.framework.automagic.stacker: Exception during stacking: Symbol type not in LintelStacker1 SymbolTable: inet_sock ``` The symbol type might be missing. Can you please...

Custom Linux kernel : Unable to validate the plugin requirements when a custom profile has been created and detected.

Ok, this did not solve the issue. The raised error comes from here https://github.com/volatilityfoundation/volatility3/blob/795477e24b666eea7d5f40e5f4dc92f3656f558f/volatility3/framework/symbols/linux/__init__.py#L48 I think. The problem might come from the vmlinux not containing the correct things, although `inet_sock`...

Custom Linux kernel : Unable to validate the plugin requirements when a custom profile has been created and detected.

Hi @aiglematth, you can try patching the Volatility installation [here](https://github.com/volatilityfoundation/volatility3/blob/develop/volatility3/framework/symbols/linux/__init__.py#L48) with : ```sh self.optional_set_type_class("inet_sock", extensions.inet_sock) ``` See https://github.com/volatilityfoundation/volatility3/blob/develop/volatility3/framework/symbols/linux/__init__.py#L51 for reference.

Custom Linux kernel : Unable to validate the plugin requirements when a custom profile has been created and detected.

You now have : ``` DEBUG volatility3.framework.automagic.linux: No suitable linux banner could be matched ``` Is the correct symbol file still present inside Volatility3 Linux symbols directory ? You can...

Custom Linux kernel : Unable to validate the plugin requirements when a custom profile has been created and detected.

Those different timestamps indicate you are analyzing a sample from an older kernel. Each time a kernel is compiled, even if the source is the same, small differences might occur...

Custom Linux kernel : Unable to validate the plugin requirements when a custom profile has been created and detected.

This shouldn't crash, as `optional_set_type_class` is supposed to catch this error and ignore it. You have the following patch, if I'm not mistaken ? ```patch diff --git a/volatility3/framework/symbols/linux/__init__.py b/volatility3/framework/symbols/linux/__init__.py index...