
analysis virtualbox memory dump problem

Open b1gcat opened this issue 7 months ago • 5 comments

Hi sir, I dumped VirtualBox Linux memory to do some analysis, but I encountered some problems:

Step 1. In VirtualBox debug mode, I saved memory to linux.raw:

.pgmphystofile                             Save the physical memory to file.

Step 2. Tried vol3:

vol -f linux.raw -vvv linux.psaux.PsAux

Volatility 3 Framework 2.5.0
INFO     volatility3.cli: Volatility plugins path: ['/usr/local/Cellar/volatility/2.5.0/libexec/lib/python3.11/site-packages/volatility3/plugins', '/usr/local/Cellar/volatility/2.5.0/libexec/lib/python3.11/site-packages/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/usr/local/Cellar/volatility/2.5.0/libexec/lib/python3.11/site-packages/volatility3/symbols', '/usr/local/Cellar/volatility/2.5.0/libexec/lib/python3.11/site-packages/volatility3/framework/symbols']
INFO     volatility3.framework.automagic: Detected a linux category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
INFO     volatility3.framework.automagic.linux: No Linux banners found - if this is a linux plugin, please check your symbol files location
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name

Unsatisfied requirement plugins.PsAux.kernel.layer_name:
Unsatisfied requirement plugins.PsAux.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
	A file was provided to create this layer (by -f, --single-location or by config)
	The file exists and is readable
	The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
	The associated translation layer requirement was fulfilled
	You have the correct symbol file for the requirement
	The symbol file is under the correct directory or zip file
	The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsAux.kernel.layer_name', 'plugins.PsAux.kernel.symbol_table_name']

As it says, I am missing something (symbols or ...), so where can I generate the symbols?

Thanks. For your information.

b1gcat avatar Nov 06 '23 10:11 b1gcat

Hi @b1gcat

You can make your own ISF using dwarf2json; it's explained here: https://volatility3.readthedocs.io/en/latest/symbol-tables.html

However, if it's a common version of Linux (Ubuntu etc.) you might find that @Abyss-W4tcher has already generated one that'll work, here: https://github.com/Abyss-W4tcher/volatility3-symbols

Good luck! For community support you might also like the Slack channel: https://www.volatilityfoundation.org/slack

eve-mem avatar Nov 06 '23 15:11 eve-mem

@eve-mem thanks.

I tried dwarf2json on the kernel:

dwarf2json linux --elf linux.elf
Failed linux processing: could not open linux.elf: bad magic number '[83 255 0 240]' in record at byte 0x0

Maybe it's not a debug kernel? Also there is no System.map. By the way, I have no rights to recompile anything.

I got the banner information to look for symbols in https://github.com/Abyss-W4tcher/volatility3-symbols/blob/master/Debian/amd64/6.3.0/0/Debian_6.3.0-0-amd64_6.3.1-1~exp1_amd64.json.xz

Volatility 3 Framework 2.5.0
Progress:  100.00		PDB scanning finished
Offset	Banner

0x32000c0	Linux version 4.9.144 (root@debian) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Wed 
0x38bb1ac	Linux version 4.9.144 (root@debian) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Wed
0x3e5246c8	Linux version 4.9.144 (root@debian) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Wed

I got:

vol -f ~/Desktop/linux.elf -vvv -s ~/Downloads/sym/ linux.psaux.PsAux
Volatility 3 Framework 2.5.0
INFO     volatility3.cli: Volatility plugins path: ['/usr/local/Cellar/volatility/2.5.0/libexec/lib/python3.11/site-packages/volatility3/plugins', '/usr/local/Cellar/volatility/2.5.0/libexec/lib/python3.11/site-packages/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/Users/b1gcat/Downloads/sym', '/usr/local/Cellar/volatility/2.5.0/libexec/lib/python3.11/site-packages/volatility3/symbols', '/usr/local/Cellar/volatility/2.5.0/libexec/lib/python3.11/site-packages/volatility3/framework/symbols']
INFO     volatility3.framework.automagic: Detected a linux category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
**_DEBUG    volatility3.framework.automagic.linux: No suitable linux banner could be matched_**
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name

Unsatisfied requirement plugins.PsAux.kernel.layer_name:
Unsatisfied requirement plugins.PsAux.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
	A file was provided to create this layer (by -f, --single-location or by config)
	The file exists and is readable
	The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
	The associated translation layer requirement was fulfilled
	You have the correct symbol file for the requirement
	The symbol file is under the correct directory or zip file
	The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsAux.kernel.layer_name', 'plugins.PsAux.kernel.symbol_table_name']

Is there any suggestion to generate the symbols?

b1gcat avatar Nov 07 '23 02:11 b1gcat
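A check worth running before `dwarf2json linux --elf`, as an added example (not code from the thread, from dwarf2json or from Volatility): parse the ELF header and section table and report whether the file is an ELF at all and whether it carries `.debug_info`, which is the DWARF data dwarf2json reads. The `bad magic number '[83 255 0 240]'` error above means the file is not an ELF; those four bytes are the little-endian real-mode far pointer F000:FF53, which is what the first interrupt-vector-table entry at physical address 0 of an x86 memory image looks like, so the file passed there looks like the memory dump itself rather than a vmlinux. The section names tested, the `debug_kernel_report` verdicts and the `build_minimal_elf` fixture are this example's own; dwarf2json reports none of them in this form.

```python
"""Pre-check a file before handing it to dwarf2json (added example, not dwarf2json code).

Only 64-bit little-endian ELF is handled (x86_64 / aarch64 vmlinux), and the
"is a debug kernel" verdict is this example's assumption: a vmlinux built with
CONFIG_DEBUG_INFO carries a .debug_info section, which is what dwarf2json needs.
"""
import struct

ELF_MAGIC = b"\x7fELF"
EHDR_FMT = "<HHIQQQIHHHHHH"   # Elf64_Ehdr after the 16-byte e_ident
SHDR_FMT = "<IIQQQQIIQQ"      # Elf64_Shdr (64 bytes)


def elf_section_names(data: bytes) -> list:
    """Return the section names of an ELF64 LE image, or raise ValueError."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        # Same wording dwarf2json uses, with the offending bytes shown in decimal.
        raise ValueError(f"bad magic number {list(data[:4])}: not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (_, _, _, _, _, e_shoff, _, _, _, _,
     e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(EHDR_FMT, data, 16)
    if e_shoff == 0 or e_shnum == 0:
        raise ValueError("ELF has no section headers")

    def shdr(i):
        return struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)

    # Section names live in the .shstrtab section pointed to by e_shstrndx.
    _, _, _, _, strtab_off, strtab_size, *_ = shdr(e_shstrndx)
    strtab = data[strtab_off:strtab_off + strtab_size]
    names = []
    for i in range(e_shnum):
        sh_name = shdr(i)[0]
        names.append(strtab[sh_name:strtab.index(b"\x00", sh_name)].decode())
    return names


def debug_kernel_report(data: bytes) -> dict:
    """Summarise whether dwarf2json is likely to get DWARF out of this file."""
    try:
        names = elf_section_names(data)
    except (ValueError, struct.error) as exc:
        return {"is_elf": False, "has_dwarf": False, "has_symtab": False,
                "reason": str(exc)}
    has_dwarf = ".debug_info" in names
    return {"is_elf": True, "has_dwarf": has_dwarf,
            "has_symtab": ".symtab" in names,
            "reason": "" if has_dwarf else
            "no .debug_info section: not a CONFIG_DEBUG_INFO kernel, nothing for dwarf2json to read"}


def build_minimal_elf(section_names) -> bytes:
    """Construct a tiny ELF64 with empty sections of the given names (fixture only)."""
    names = [""] + list(section_names) + [".shstrtab"]   # NULL section first
    strtab, name_offsets = b"\x00", []
    for n in names:
        name_offsets.append(0 if n == "" else len(strtab))
        if n:
            strtab += n.encode() + b"\x00"
    strtab_off = 64
    shoff = (strtab_off + len(strtab) + 7) & ~7
    ehdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack(EHDR_FMT, 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64,
                        len(names), len(names) - 1)
    body = (ehdr + strtab).ljust(shoff, b"\x00")
    for i, n in enumerate(names):
        off, size = (strtab_off, len(strtab)) if n == ".shstrtab" else (0, 0)
        sh_type = 3 if n == ".shstrtab" else (0 if n == "" else 1)
        body += struct.pack(SHDR_FMT, name_offsets[i], sh_type, 0, 0, off, size, 0, 0, 1, 0)
    return body


# Constructed sample: the four bytes the dwarf2json error in the thread
# printed, padded out, i.e. what the start of a raw x86 memory image looks like.
DUMP_HEAD = bytes([83, 255, 0, 240]) + b"\x00" * 124

if __name__ == "__main__":
    for label, blob in [("dump", DUMP_HEAD),
                        ("debug vmlinux", build_minimal_elf([".text", ".debug_info", ".symtab"])),
                        ("stripped vmlinux", build_minimal_elf([".text", ".symtab"]))]:
        print(label, debug_kernel_report(blob))
```

On a real file, read it and pass the bytes to `debug_kernel_report`; a verdict of `is_elf: False` on something you believed was a kernel means you are holding a bzImage or a memory image, not the uncompressed vmlinux dwarf2json wants.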


Hello, I allow myself to answer your question. The symbol you have chosen from the repository isn't the right one, I think you chose based on the 6.3.0 Debian version of the Linux banner. Instead, you should always check for the Linux version X.Y.Z part + the specific kernel version at the end of the Linux banner.

You can find the banner easily here, with a CTRL+F : https://github.com/Abyss-W4tcher/volatility3-symbols/blob/master/banners/banners_plain.json .

Finally, I suggest that there is a small problem with the banner provided by the Volatility3 banners plugin, as version 4.9.144 doesn't exist in this format; it should instead look like:

Linux version 4.9.0-8-amd64 ([email protected]) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.144-1 (2018-12-30). If you are curious, more info here on the kernel numbering scheme : https://unix.stackexchange.com/questions/509247/debian-linux-kernel-versioning.

If you have access to the VM, try running uname -a and provide us with the output :)

Abyss-W4tcher avatar Nov 07 '23 09:11 Abyss-W4tcher
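As an added example (not code from the thread, from Volatility 3 or from the volatility3-symbols repository) of the check described above: pull every `Linux version ...` string out of the raw image and compare it byte for byte with the `linux_banner` constant inside candidate ISF files, telling "wrong release" apart from "same release, wrong distro build". It assumes the dwarf2json ISF layout, where the banner sits base64-encoded in `symbols.linux_banner.constant_data`, and that a banner in memory runs from `Linux version ` to the next newline or NUL. The sample image and the ISF stubs are constructed; every build string other than `4.9.144-1 (2018-12-30)` is invented. `match_isf_dir` runs the same check over a directory of `.json`/`.json.xz` files such as a checkout of the symbols repository.

```python
"""Match Linux banners in a raw image against Volatility 3 ISF files (added example)."""
import base64
import json
import lzma
import os
import re

# A kernel banner in memory: "Linux version " up to the next NUL or newline.
BANNER_RE = re.compile(rb"Linux version [^\x00\n]+")


def scan_banners(image: bytes) -> list:
    """Return [(offset, banner)] for every banner string in a raw image.

    A plain regex over the file, close to what banners.Banners does minus the
    page-table awareness; enough to learn the exact string the dump carries.
    """
    return [(m.start(), m.group(0).rstrip()) for m in BANNER_RE.finditer(image)]


def isf_banner(isf: dict) -> bytes:
    """Decode the banner an ISF was built for (assumed dwarf2json layout)."""
    data = isf.get("symbols", {}).get("linux_banner", {}).get("constant_data")
    if not data:
        return b""
    # The constant is stored with its trailing newline/NUL; normalise those away.
    return base64.b64decode(data).rstrip(b"\x00\n ")


def load_isf(path: str) -> dict:
    """Read a .json or .json.xz ISF (both forms appear in volatility3-symbols)."""
    opener = lzma.open if path.endswith(".xz") else open
    with opener(path, "rb") as fh:
        return json.load(fh)


def kernel_release(banner: bytes) -> str:
    """'Linux version 4.9.0-8-amd64 (...) ...' -> '4.9.0-8-amd64'."""
    return banner.split(b" ", 3)[2].decode(errors="replace")


def explain(dump_banner: bytes, isf_banner_bytes: bytes) -> str:
    """Say why Volatility would or would not accept this ISF for the dump."""
    if dump_banner == isf_banner_bytes:
        return "exact match"
    if kernel_release(dump_banner) != kernel_release(isf_banner_bytes):
        return "different kernel release"
    return ("same release, different build string (distro revision / build "
            "date): Volatility needs the ISF for this exact build")


def match_isfs(image: bytes, isfs: dict) -> dict:
    """isfs: {label: isf_dict}. Returns {label: verdict} against the dump."""
    found = {b for _, b in scan_banners(image)}
    verdicts = {}
    for label, isf in isfs.items():
        b = isf_banner(isf)
        if b in found:
            verdicts[label] = "exact match"
        else:
            reasons = sorted({explain(d, b) for d in found})
            verdicts[label] = "; ".join(reasons) if reasons else "no banner in dump"
    return verdicts


def match_isf_dir(image_path: str, isf_dir: str) -> dict:
    """Same check over every ISF file under a directory tree."""
    with open(image_path, "rb") as fh:
        image = fh.read()
    isfs = {os.path.join(r, f): load_isf(os.path.join(r, f))
            for r, _, fs in os.walk(isf_dir) for f in fs
            if f.endswith((".json", ".json.xz"))}
    return match_isfs(image, isfs)


def _fake_isf(banner: bytes) -> dict:
    """Constructed ISF stub carrying only the linux_banner constant."""
    return {"symbols": {"linux_banner": {
        "constant_data": base64.b64encode(banner + b"\n\x00").decode()}}}


# Constructed sample: a Debian 4.9.144-1 banner in an otherwise empty image,
# and three candidate ISFs; the -2 and 6.3 build strings are invented.
DUMP_BANNER = (b"Linux version 4.9.0-8-amd64 (builder@example.invalid) "
               b"(gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) "
               b"#1 SMP Debian 4.9.144-1 (2018-12-30)")
SAMPLE_IMAGE = b"\x00" * 0x1000 + DUMP_BANNER + b"\n\x00" + b"\xff" * 0x200
SAMPLE_ISFS = {
    "Debian_4.9.0-8-amd64_4.9.144-1_amd64.json.xz": _fake_isf(DUMP_BANNER),
    "Debian_4.9.0-8-amd64_4.9.144-2_amd64.json.xz": _fake_isf(
        DUMP_BANNER.replace(b"4.9.144-1 (2018-12-30)", b"4.9.144-2 (2019-01-01)")),
    "Debian_6.3.0-0-amd64_6.3.1-1~exp1_amd64.json.xz": _fake_isf(
        b"Linux version 6.3.0-0-amd64 (builder@example.invalid) (gcc 12) "
        b"#1 SMP Debian 6.3.1-1~exp1 (2023-01-01)"),
}

if __name__ == "__main__":
    for off, b in scan_banners(SAMPLE_IMAGE):
        print(f"{off:#x}\t{b.decode()}")
    for label, verdict in match_isfs(SAMPLE_IMAGE, SAMPLE_ISFS).items():
        print(f"{label}: {verdict}")
```

The point of `explain` is the case in this thread: the release `4.9.0-8-amd64` is right, but Volatility compares the whole banner, so an ISF for `4.9.144-2` or `-3` still fails with "No suitable linux banner could be matched" even though it looks close.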

> @eve-mem thanks. I try dwarf2json to the kernel

Thanks, I got it.

By the way, I cannot log in to the VM, as the kernel has some protections (disk encryption, single mode doesn't work). I guess it's a custom kernel. I tried the following JSONs, but all of them failed:

Debian_4.9.0-8-amd64_4.9.144-1_amd64.json.xz
Debian_4.9.0-8-amd64_4.9.144-2_amd64.json.xz
Debian_4.9.0-8-amd64_4.9.144-3_amd64.json.xz
Debian_4.9.0-8-amd64_4.9.144-3.1_amd64.json.xz

Well, I am thinking ...

Anyway, thank you very much!

b1gcat avatar Nov 07 '23 12:11 b1gcat

If it really is a kernel that's been compiled manually rather than from Debian, and no debugging symbols are available, then getting it to work is a lot more involved, unfortunately.

It's worth double-checking that the outputs of isfinfo and banners are different, just to rule out other problems, but as @Abyss-W4tcher points out, it looks like the format you're seeing is different from what's expected for Debian.

eve-mem avatar Nov 07 '23 17:11 eve-mem