
Custom Linux kernel: Unable to validate the plugin requirements when a custom profile has been created and detected.

Open nathan-out opened this issue 1 year ago • 27 comments

Vol3 is not able to use a custom symbol file from a custom Linux kernel when I try to run linux.pstree:

Volatility 3 Framework 2.5.0
Progress:  100.00               Stacking attempts finished
Unsatisfied requirement plugins.PsTree.kernel.layer_name:
Unsatisfied requirement plugins.PsTree.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsTree.kernel.layer_name', 'plugins.PsTree.kernel.symbol_table_name']

Context

Volatility Version: 2.5.0
Operating System: WSL (5.15.133.1-microsoft-standard-WSL2)
Python Version: 3.10
Suspected Operating System: custom Linux kernel v5.0.0 (compiled with debugging symbols)

ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=c3be7ce373992ef38335c490ef2dc362168d0d23, with debug_info, not stripped

Command: python3 volatility3-2.5.0/volatility3-2.5.0/vol.py -f dump.raw linux.pstree

To Reproduce

Steps to reproduce the behavior:

  1. Generate symbol files with ./dwarf2json --elf vmlinux --system-map System.map > output.json
  2. Copy output.json into volatility3/symbols/linux/output.json
  3. Run python3 volatility3-2.5.0/volatility3-2.5.0/vol.py isfinfo
Volatility 3 Framework 2.5.0
Progress:  100.00               PDB scanning finished
URI     Valid   Number of base_types    Number of types Number of symbols       Number of enums Identifying information

<some windows symbol files>
file:///mnt/d/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/linux/output.json   Unknown 16      5829    83679   863     b'Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024'
  4. Run python3 volatility3-2.5.0/volatility3-2.5.0/vol.py -f dump.raw banners
Volatility 3 Framework 2.5.0
Progress:  100.00               PDB scanning finished
Offset  Banner

0x1a00080       Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024
0x222b6c0       Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024
  5. Run python3 volatility3-2.5.0/volatility3-2.5.0/vol.py -f dump.raw linux.pstree, then the error described above appears.

Expected behavior

Volatility will run as expected.

Example output

INFO     volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.mftscan, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
INFO     volatility3.framework.automagic: Detected a linux category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.linux: Identified banner: b'Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024'
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name

Unsatisfied requirement plugins.PsTree.kernel.layer_name:
Unsatisfied requirement plugins.PsTree.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsTree.kernel.layer_name', 'plugins.PsTree.kernel.symbol_table_name']

Here are some extracts from the output.json:

{
  "metadata": {
    "linux": {
      "symbols": [
        {
          "kind": "dwarf",
          "name": "vmlinux",
          "hash_type": "sha256",
          "hash_value": "95957f7c3a0f5e2f5215b1fbf41b24ea4a9ece292584364c8ad18ffdfa10a22a"
        },
        {
          "kind": "symtab",
          "name": "vmlinux",
          "hash_type": "sha256",
          "hash_value": "95957f7c3a0f5e2f5215b1fbf41b24ea4a9ece292584364c8ad18ffdfa10a22a"
        }
      ],
      "types": [
        {
          "kind": "dwarf",
          "name": "vmlinux",
          "hash_type": "sha256",
          "hash_value": "95957f7c3a0f5e2f5215b1fbf41b24ea4a9ece292584364c8ad18ffdfa10a22a"
        }
      ]
    },
    "producer": {
      "name": "dwarf2json",
      "version": "0.7.0"
    },
    "format": "6.2.0"
  },
...
"linux_banner": {
      "type": {
        "count": 0,
        "kind": "array",
        "subtype": {
          "kind": "base",
          "name": "char"
        }
      },
      "address": 18446744071589331072,
      "constant_data": "TGludXggdmVyc2lvbiA1LjAuMCAoYWlnbGVAYWlnbGUpIChnY2MgdmVyc2lvbiA5LjQuMCAoVWJ1bnR1IDkuNC4wLTF1YnVudHUxfjIwLjA0LjEpKSAjMyBGcmkgSmFuIDE5IDE0OjA5OjQ5IENFVCAyMDI0"
    }
    ...

nathan-out avatar Jan 26 '24 09:01 nathan-out

Hi, it looks like you've done everything correctly that I can see, but vol can't work out the intel layer. When you made that memory sample - what tool did you use?

Is it only pstree that doesn't work? I'd assume pslist etc also don't work?

eve-mem avatar Jan 26 '24 09:01 eve-mem

Hi, thanks for your fast response!

The dump is made using the qemu monitor command pmemsave 0 0x20000000 dump.raw.

pslist, bash, pstree and sockstat provide the same error.

nathan-out avatar Jan 26 '24 09:01 nathan-out

> Hi, thanks for your fast response!
>
> The dump is made using the qemu monitor command pmemsave 0 0x20000000 dump.raw.
>
> pslist, bash, pstree and sockstat provide the same error.

Hello @nathan-out, may I suggest trying the qemu command dump-guest-memory instead?

Abyss-W4tcher avatar Jan 26 '24 10:01 Abyss-W4tcher

Any luck @nathan-out?

eve-mem avatar Jan 30 '24 16:01 eve-mem

Hello, I’m currently very busy. I will continue my investigation next week, sorry for the delay.

nathan-out avatar Jan 30 '24 18:01 nathan-out

No worries at all, just shout if you get any more problems.

eve-mem avatar Jan 30 '24 18:01 eve-mem

@Abyss-W4tcher I have both kernel.elf made with dump-guest-memory and kernel.raw with the first command. In both cases, volatility doesn't work.

nathan-out avatar Feb 07 '24 15:02 nathan-out

Could you try running with -vvvvvvvvvvv, to see if we get more information?

Abyss-W4tcher avatar Feb 07 '24 16:02 Abyss-W4tcher

Here is the output; volatility was run on the dump.raw file.

Volatility 3 Framework 2.5.0
INFO     volatility3.cli: Volatility plugins path: ['D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\plugins', 'D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\framework\\plugins']
INFO     volatility3.cli: Volatility symbols path: ['D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\symbols', 'D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\framework\\symbols']
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\plugins, D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\plugins
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\automagic
Level 7  volatility3.cli: Cache directory used: C:\Users\sieur\AppData\Roaming\volatility3
INFO     volatility3.framework.automagic: Detected a linux category plugin
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 6  volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\symbols, D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols
Level 7  volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/ADC00FA5FC34456BA16E268745724099-1.json.xz as b'ntkrnlmp.pdb|ADC00FA5FC34456BA16E268745724099|1'
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.linux: Identified banner: b'Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024'
DEBUG    volatility3.schemas: Validating JSON against schema...
DEBUG    volatility3.schemas: JSON validated against schema (result cached)
Level 7  volatility3.framework.automagic.stacker: Exception during stacking: Symbol type not in LintelStacker1 SymbolTable: inet_sock
Level 6  volatility3.framework.automagic.stacker: Traceback (most recent call last):

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\automagic\stacker.py", line 213, in stack_layer
    new_layer = stacker.stack(context, initial_layer, progress_callback)

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\automagic\linux.py", line 72, in stack
    table = linux.LinuxKernelIntermedSymbols(

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols\linux\__init__.py", line 47, in __init__
    self.set_type_class("inet_sock", extensions.inet_sock)

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols\intermed.py", line 60, in _delegate_function
    return getattr(self._delegate, name)(*args, **kwargs)

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols\intermed.py", line 425, in set_type_class
    raise ValueError(f"Symbol type not in {self.name} SymbolTable: {name}")

ValueError: Symbol type not in LintelStacker1 SymbolTable: inet_sock

Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name

Unsatisfied requirement plugins.PsTree.kernel.layer_name:
Unsatisfied requirement plugins.PsTree.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsTree.kernel.layer_name', 'plugins.PsTree.kernel.symbol_table_name']

nathan-out avatar Feb 07 '24 17:02 nathan-out

Relevant part seems to be:

Level 7  volatility3.framework.automagic.stacker: Exception during stacking: Symbol type not in LintelStacker1 SymbolTable: inet_sock

The symbol type might be missing. Can you please try to generate another ISF, by omitting the System.map file:

./dwarf2json --elf vmlinux  > output.json

Temporarily move out your existing ISF from the Volatility3 symbols directory, and run Volatility3 with --clear-cache to avoid conflicts.

Abyss-W4tcher avatar Feb 07 '24 17:02 Abyss-W4tcher
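
The diagnosis in the comment above can be checked offline before regenerating the ISF. This is an added example, not code from the thread or from Volatility: it pulls the missing type name out of the verbose log, then checks whether the ISF's `user_types` section contains it and whether the embedded `linux_banner` matches the banner found in the image. The function names, the sample log and the minimal ISF are constructed for illustration; the banner and the stacker message are the ones shown on this page.

```python
import base64
import json
import re

# Banner string as reported by the `banners` plugin on this page.
BANNER = (b"Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 "
          b"(Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024")

# Constructed sample: a minimal stand-in for a dwarf2json ISF. It carries the
# banner symbol and one struct, but no "inet_sock" type.
SAMPLE_ISF = json.dumps({
    "metadata": {"producer": {"name": "dwarf2json", "version": "0.7.0"},
                 "format": "6.2.0"},
    "base_types": {"char": {"kind": "char", "size": 1, "signed": True,
                            "endian": "little"}},
    "user_types": {"task_struct": {"kind": "struct", "size": 0, "fields": {}}},
    "enums": {},
    "symbols": {"linux_banner": {
        "type": {"count": 0, "kind": "array",
                 "subtype": {"kind": "base", "name": "char"}},
        "address": 18446744071589331072,
        "constant_data": base64.b64encode(BANNER).decode("ascii"),
    }},
})

# Constructed sample: two lines in the shape of the -vvv output on this page.
SAMPLE_LOG = """\
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
Level 7  volatility3.framework.automagic.stacker: Exception during stacking: Symbol type not in LintelStacker1 SymbolTable: inet_sock
"""

MISSING_TYPE_RE = re.compile(
    r"Exception during stacking: Symbol type not in \S+ SymbolTable: (\w+)"
)


def missing_types_from_log(log_text):
    """Return the type names the stacker reported as absent, first-seen order."""
    seen = []
    for name in MISSING_TYPE_RE.findall(log_text):
        if name not in seen:
            seen.append(name)
    return seen


def isf_banner(isf):
    """Decode the base64 banner stored in symbols.linux_banner, or None."""
    sym = isf.get("symbols", {}).get("linux_banner")
    if not sym or "constant_data" not in sym:
        return None
    return base64.b64decode(sym["constant_data"]).rstrip(b"\n\x00")


def check_isf(isf_text, memory_banner, required_types):
    """Compare an ISF against the image banner and a list of needed types."""
    isf = json.loads(isf_text)
    producer = isf.get("metadata", {}).get("producer", {})
    user_types = isf.get("user_types", {})
    banner = isf_banner(isf)
    return {
        "producer": f"{producer.get('name')} {producer.get('version')}",
        "banner_matches": banner is not None
        and banner == memory_banner.rstrip(b"\n\x00"),
        "type_count": len(user_types),
        "missing_types": [t for t in required_types if t not in user_types],
    }


if __name__ == "__main__":
    needed = missing_types_from_log(SAMPLE_LOG)
    report = check_isf(SAMPLE_ISF, BANNER, needed)
    print("types named in stacker exceptions:", needed)
    print(json.dumps(report, indent=2))
```

A matching banner together with a non-empty `missing_types` list is the situation in this thread: the symbol file is found and selected, but the symbol table cannot be built from it, so the Intel layer is never stacked.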

Here it is:

Volatility 3 Framework 2.5.0
INFO     volatility3.cli: Volatility plugins path: ['D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\plugins', 'D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\framework\\plugins']
INFO     volatility3.cli: Volatility symbols path: ['D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\symbols', 'D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\framework\\symbols']
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\plugins, D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\plugins
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\automagic
Level 7  volatility3.cli: Cache directory used: C:\Users\sieur\AppData\Roaming\volatility3
INFO     volatility3.framework.automagic: Detected a linux category plugin
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 6  volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\symbols, D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols
Level 7  volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-15063-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win8-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/mft.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/tcpip.pdb/942CC690894B8899CD5B8607C72A62EA-1.json.xz as b'tcpip.pdb|942CC690894B8899CD5B8607C72A62EA|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/kerb_ecrypt.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-18362-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/callbacks-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-17134-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/crash64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-16299-x64.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/CA8E2F01B822EDE6357898BFBF862997-1.json.xz as b'ntkrnlmp.pdb|CA8E2F01B822EDE6357898BFBF862997|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win81-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-vista-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-vista-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-19041-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/pe.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win81-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/poolheader-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-xp-2003-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win7-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/xen.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/generic/qemu.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-18363-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-vista-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-vista-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/pdb.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/mbr.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/elf.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-19041-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win8-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-15063-x86.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/linux/output.json as b'Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #5 Thu Jan 25 19:03:11 CET 2024\n\x00'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-win10-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/registry.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-xp-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win81-19935-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-17134-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/crash_common.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/crash.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/callbacks-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-16299-x86.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A583-1.json.xz as b'ntkrnlmp.pdb|68A17FAF3012B7846079AEECDBE0A583|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-10240-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/bash64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-10586-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-17763-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/bash32.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-vista-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/poolheader-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-vista-sp12-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-15063-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-14393-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-15063-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/poolheader-x64-win7.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/ADC00FA5FC34456BA16E268745724099-1.json.xz as b'ntkrnlmp.pdb|ADC00FA5FC34456BA16E268745724099|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/kdbg.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-vista-x64.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/F9F3101286B6467CDE2D6C8304D7F43C-1.json.xz as b'ntkrnlmp.pdb|F9F3101286B6467CDE2D6C8304D7F43C|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win7-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-win10-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-16299-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win8-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win8-x86.json
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.linux: No suitable linux banner could be matched
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name

Unsatisfied requirement plugins.PsTree.kernel.layer_name:
Unsatisfied requirement plugins.PsTree.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsTree.kernel.layer_name', 'plugins.PsTree.kernel.symbol_table_name']

nathan-out avatar Feb 07 '24 17:02 nathan-out

Ok, this did not solve the issue. The raised error comes from here https://github.com/volatilityfoundation/volatility3/blob/795477e24b666eea7d5f40e5f4dc92f3656f558f/volatility3/framework/symbols/linux/init.py#L48 I think.

The problem might come from the vmlinux not containing the correct things, although inet_sock wasn't renamed/removed in the Linux source tree. This is probably related to the custom kernel; is the source from a non-stable Ubuntu branch?

Abyss-W4tcher avatar Feb 07 '24 17:02 Abyss-W4tcher

The kernel creator will answer your question and join the issue.

nathan-out avatar Feb 07 '24 17:02 nathan-out

Hi!

I am the kernel builder: this kernel is not an Ubuntu release, but a Linux kernel built in minimal mode, so I deactivated the network. That is why the inet_sock symbol is not present. Is there any way to do without this symbol, as it is only useful for some functionalities related to the network?

aiglematth avatar Feb 07 '24 17:02 aiglematth

Hi @aiglematth, you can try patching the Volatility installation here with:

self.optional_set_type_class("inet_sock", extensions.inet_sock)

See https://github.com/volatilityfoundation/volatility3/blob/develop/volatility3/framework/symbols/linux/init.py#L51 for reference.

Abyss-W4tcher avatar Feb 07 '24 18:02 Abyss-W4tcher

Just a small note - It may be obvious - but without inet_sock some plugins won't work e.g. sockstat. It could probably be patched if things like unix sockets were still there and you needed to analyze them.

eve-mem avatar Feb 08 '24 09:02 eve-mem
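An added example, not code from this thread or from Volatility: a pre-flight check for a dwarf2json ISF file that reports which required struct types are absent (inet_sock on this minimal kernel) and whether the ISF's banner actually occurs in the memory image, the condition behind "No suitable linux banner could be matched". The function names, the required-type list and the sample image bytes are assumptions constructed for illustration; the banner is the one shown in the log above.

```python
import base64
import json
import lzma
import re
from typing import Iterable, List, Optional, Set

# Kernel version banners as they appear in a raw memory image.
BANNER_RE = re.compile(rb"Linux version \d+\.\d+[^\n\x00]{0,400}\n")


def load_isf(path: str) -> dict:
    """Load an ISF symbol file, plain (.json) or xz-compressed (.json.xz)."""
    opener = lzma.open if path.endswith(".xz") else open
    with opener(path, "rb") as handle:
        return json.loads(handle.read())


def isf_banner(isf: dict) -> Optional[bytes]:
    """Decode the base64 symbols.linux_banner.constant_data field, if present."""
    data = isf.get("symbols", {}).get("linux_banner", {}).get("constant_data")
    return base64.b64decode(data) if data else None


def missing_types(isf: dict, required: Iterable[str]) -> List[str]:
    """Return the required struct names that are absent from user_types."""
    present = isf.get("user_types", {})
    return [name for name in required if name not in present]


def banners_in_image(image: bytes) -> Set[bytes]:
    """Collect every kernel banner string found in the image bytes."""
    return {m.group(0).rstrip(b"\n") for m in BANNER_RE.finditer(image)}


def triage(isf: dict, image: bytes, required: Iterable[str]) -> dict:
    """Summarise the two failure modes seen in the thread for one ISF/image pair."""
    banner = isf_banner(isf)
    # Trailing "\n\x00" is dropped for comparison (a simplification made here).
    normalised = banner.rstrip(b"\x00\n") if banner else None
    found = banners_in_image(image)
    return {
        "isf_banner": normalised,
        "banner_in_image": normalised in found if normalised else False,
        "other_banners": sorted(found - {normalised}),
        "missing_types": missing_types(isf, required),
    }


# Banner copied from the symbol_cache log line on this page.
PAGE_BANNER = (
    b"Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 "
    b"(Ubuntu 9.4.0-1ubuntu1~20.04.1)) #5 Thu Jan 25 19:03:11 CET 2024\n\x00"
)

# Constructed sample ISF: has task_struct, lacks inet_sock (networking disabled).
SAMPLE_ISF = {
    "user_types": {"task_struct": {"kind": "struct", "size": 0, "fields": {}}},
    "symbols": {
        "linux_banner": {
            "address": 0,
            "constant_data": base64.b64encode(PAGE_BANNER).decode(),
        }
    },
}

# Constructed image fragments: one holding the same banner, one from another build.
IMAGE_MATCH = b"\x00" * 64 + PAGE_BANNER + b"\x00" * 64
IMAGE_OTHER = (
    b"\x00" * 64
    + b"Linux version 5.0.0 (builder@host) (gcc version 9.4.0) "
    + b"#1 Mon Jan 1 00:00:00 UTC 2024\n\x00"
)

# Assumed list for the demo; pass the types your plugins actually need.
REQUIRED = ["task_struct", "inet_sock"]

if __name__ == "__main__":
    for label, image in (("matching", IMAGE_MATCH), ("other build", IMAGE_OTHER)):
        print(label, triage(SAMPLE_ISF, image, REQUIRED))
```

For a real case, pass `load_isf("output.json")` and the bytes of the dump (or an `mmap` of it) to `triage`.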

I still have the same issue:

Volatility 3 Framework 2.5.0
INFO     volatility3.cli: Volatility plugins path: ['D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\plugins', 'D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\framework\\plugins']
INFO     volatility3.cli: Volatility symbols path: ['D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\symbols', 'D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\framework\\symbols']
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\plugins, D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\plugins
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\automagic
Level 7  volatility3.cli: Cache directory used: C:\Users\sieur\AppData\Roaming\volatility3
INFO     volatility3.framework.automagic: Detected a linux category plugin
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 6  volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\symbols, D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols
Level 7  volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-vista-sp12-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-16299-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-17763-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/poolheader-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/poolheader-x64-win7.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-15063-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/bash32.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/crash64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/poolheader-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-16299-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-18362-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win8-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-vista-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-vista-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/registry.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-10240-x86.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/F9F3101286B6467CDE2D6C8304D7F43C-1.json.xz as b'ntkrnlmp.pdb|F9F3101286B6467CDE2D6C8304D7F43C|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win7-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/callbacks-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-vista-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-xp-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-16299-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-15063-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-17134-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win81-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-vista-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-18363-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win8-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win8-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-15063-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/mbr.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-win10-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-14393-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/pdb.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-vista-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win8-x64.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/CA8E2F01B822EDE6357898BFBF862997-1.json.xz as b'ntkrnlmp.pdb|CA8E2F01B822EDE6357898BFBF862997|1'
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/ADC00FA5FC34456BA16E268745724099-1.json.xz as b'ntkrnlmp.pdb|ADC00FA5FC34456BA16E268745724099|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-19041-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win81-19935-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/crash.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-win10-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/kerb_ecrypt.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/linux/output.json as b'Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #5 Thu Jan 25 19:03:11 CET 2024\n\x00'
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A583-1.json.xz as b'ntkrnlmp.pdb|68A17FAF3012B7846079AEECDBE0A583|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-10586-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-15063-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/crash_common.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/elf.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/pe.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/kdbg.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-19041-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-vista-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/callbacks-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-17134-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-x86.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/tcpip.pdb/942CC690894B8899CD5B8607C72A62EA-1.json.xz as b'tcpip.pdb|942CC690894B8899CD5B8607C72A62EA|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win7-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/xen.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/mft.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/bash64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win81-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-xp-2003-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/generic/qemu.json
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.linux: No suitable linux banner could be matched
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name

Unsatisfied requirement plugins.PsTree.kernel.layer_name:
Unsatisfied requirement plugins.PsTree.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsTree.kernel.layer_name', 'plugins.PsTree.kernel.symbol_table_name']

Here is the code I patched:

self.optional_set_type_class("inet_sock", extensions.inet_sock)
self.optional_set_type_class("vsock_sock", extensions.vsock_sock)
self.optional_set_type_class("packet_sock", extensions.packet_sock)
self.optional_set_type_class("bt_sock", extensions.bt_sock)
self.optional_set_type_class("xdp_sock", extensions.xdp_sock)

I also tried commenting out all these lines; it's still not working.

With @aiglematth we tried to build a vol2 profile, but any plugin seems to work.

It seems aiglematth has to build a correct Linux kernel (according to Vol). Or Vol should parse all the optional modules before starting.

nathan-out avatar Feb 08 '24 17:02 nathan-out

You now have:

DEBUG    volatility3.framework.automagic.linux: No suitable linux banner could be matched

Is the correct symbol file still present inside the Volatility3 Linux symbols directory?

You can compare the banners and isfinfo plugin outputs, like you did in your first comment.

Abyss-W4tcher avatar Feb 08 '24 17:02 Abyss-W4tcher

There are additional chars at the end of isfinfo (\n\x00)?

Volatility 3 Framework 2.5.0
Progress:  100.00               PDB scanning finished
URI     Valid   Number of base_types    Number of types Number of symbols       Number of enums Identifying information

file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/linux/output.json      True (cached)   16      5829    83679   863     b'Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #5 Thu Jan 25 19:03:11 CET 2024\n\x00'

For banners:

Volatility 3 Framework 2.5.0
banners.Banners
Progress:  100.00               PDB scanning finished
Offset  Banner

0x1a00080       Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024
0x222b6c0       Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024

Is the exact same timestamp required?

nathan-out avatar Feb 08 '24 17:02 nathan-out

Yes, the whole string must match exactly, no parsing of the version occurs.

ikelos avatar Feb 08 '24 17:02 ikelos

Those different timestamps indicate you are analyzing a sample from an older kernel. Each time a kernel is compiled, even if the source is the same, small differences might occur in produced debug symbols.

You may have created an ISF against a "newer" version of this kernel. If I check your first comment, you should have the correct ISF somewhere though?

Volatility 3 Framework 2.5.0
Progress:  100.00               PDB scanning finished
URI     Valid   Number of base_types    Number of types Number of symbols       Number of enums Identifying information

<some windows symbol files>
file:///mnt/d/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/linux/output.json   Unknown 16      5829    83679   863     b'Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024'

Abyss-W4tcher avatar Feb 08 '24 17:02 Abyss-W4tcher
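
The exact-match rule from the replies above, as an added example (not part of the thread and not Volatility's own code): it decodes the `linux_banner` `constant_data` from an ISF document and reports the first byte at which it differs from each banner found in the image. The helper names, the minimal ISF document and the sample image are constructed here, and stripping a trailing `\n\x00` before comparing is an assumption of this example.

```python
import base64
import json
import re

# Start of a kernel banner, running to the first newline or NUL byte.
BANNER_RE = re.compile(rb"Linux version \d+\.\d+[^\n\x00]*")


def isf_banner(isf_text):
    """Return the raw linux_banner bytes stored in an ISF JSON document, or None."""
    isf = json.loads(isf_text)
    encoded = isf.get("symbols", {}).get("linux_banner", {}).get("constant_data")
    return base64.b64decode(encoded) if encoded else None


def image_banners(image):
    """Return (offset, banner) for every banner-looking string in the image bytes."""
    return [(m.start(), m.group(0)) for m in BANNER_RE.finditer(image)]


def first_difference(a, b):
    """Index of the first differing byte, or None when a and b are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def compare(isf_text, image):
    """Compare the ISF banner against every banner found in the image."""
    raw = isf_banner(isf_text)
    if raw is None:
        return {"isf_banner": None, "trailing": b"", "matches": [], "mismatches": []}
    # Assumption of this example: trailing newline/NUL bytes are not part of the match.
    wanted = raw.rstrip(b"\n\x00")
    report = {"isf_banner": wanted, "trailing": raw[len(wanted):],
              "matches": [], "mismatches": []}
    for offset, found in image_banners(image):
        diff = first_difference(wanted, found)
        if diff is None:
            report["matches"].append(offset)
        else:
            # Keep a short window of both sides so the differing field is visible.
            report["mismatches"].append(
                (offset, diff, wanted[diff:diff + 24], found[diff:diff + 24]))
    return report


def make_isf(banner):
    """Constructed minimal ISF document holding only the linux_banner symbol."""
    return json.dumps({"symbols": {"linux_banner": {
        "address": 0, "constant_data": base64.b64encode(banner).decode()}}})


# Constructed sample data, using the two banner strings quoted in the thread.
PREFIX = (b"Linux version 5.0.0 (aigle@aigle) "
          b"(gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) ")
BANNER_IMAGE = PREFIX + b"#3 Fri Jan 19 14:09:49 CET 2024"
BANNER_REBUILD = PREFIX + b"#5 Thu Jan 25 19:03:11 CET 2024"
SAMPLE_IMAGE = (b"\x00" * 64 + BANNER_IMAGE + b"\n\x00"
                + b"\xff" * 32 + BANNER_IMAGE + b"\n\x00")

if __name__ == "__main__":
    result = compare(make_isf(BANNER_REBUILD + b"\n\x00"), SAMPLE_IMAGE)
    print("ISF banner:", result["isf_banner"].decode())
    print("Trailing bytes in ISF:", result["trailing"])
    for offset, diff, want, got in result["mismatches"]:
        print(f"{offset:#x}: differs at byte {diff}: ISF {want!r} vs image {got!r}")
    for offset in result["matches"]:
        print(f"{offset:#x}: exact match")
```
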

Banners and isfinfo fixed manually. Patching with the code above produces this error:

Volatility 3 Framework 2.5.0
INFO     volatility3.cli: Volatility plugins path: ['D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\plugins', 'D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\framework\\plugins']
INFO     volatility3.cli: Volatility symbols path: ['D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\symbols', 'D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\framework\\symbols']
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\plugins, D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\plugins
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\automagic
Level 7  volatility3.cli: Cache directory used: C:\Users\sieur\AppData\Roaming\volatility3
linux.pslist.PsList
INFO     volatility3.framework.automagic: Detected a linux category plugin
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 6  volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\symbols, D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols
Level 7  volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/ADC00FA5FC34456BA16E268745724099-1.json.xz as b'ntkrnlmp.pdb|ADC00FA5FC34456BA16E268745724099|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/pe.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-15063-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/registry.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win81-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-17763-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/crash_common.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/CA8E2F01B822EDE6357898BFBF862997-1.json.xz as b'ntkrnlmp.pdb|CA8E2F01B822EDE6357898BFBF862997|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-16299-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-xp-2003-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win8-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-vista-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-14393-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win8-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-16299-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-vista-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-17134-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/callbacks-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/elf.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win8-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-17134-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-15063-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/bash64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win81-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-18363-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/kerb_ecrypt.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/generic/qemu.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-vista-sp12-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-18362-x64.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/linux/output.json as b'Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/callbacks-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-vista-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-vista-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-19041-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win7-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-10240-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/kdbg.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A583-1.json.xz as b'ntkrnlmp.pdb|68A17FAF3012B7846079AEECDBE0A583|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-x64.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/F9F3101286B6467CDE2D6C8304D7F43C-1.json.xz as b'ntkrnlmp.pdb|F9F3101286B6467CDE2D6C8304D7F43C|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/pdb.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/bash32.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/crash64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-16299-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/xen.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-15063-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-19041-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-15063-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/poolheader-x64-win7.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-vista-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-win10-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-vista-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-xp-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win81-19935-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/mbr.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win7-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/poolheader-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/mft.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-win10-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-10586-x86.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/tcpip.pdb/942CC690894B8899CD5B8607C72A62EA-1.json.xz as b'tcpip.pdb|942CC690894B8899CD5B8607C72A62EA|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win8-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/poolheader-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/crash.json
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.linux: Identified banner: b'Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024'
Level 7  volatility3.framework.automagic.stacker: Exception during stacking: Symbol type not in LintelStacker1 SymbolTable: inet_sock
Level 6  volatility3.framework.automagic.stacker: Traceback (most recent call last):

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\automagic\stacker.py", line 213, in stack_layer
    new_layer = stacker.stack(context, initial_layer, progress_callback)

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\automagic\linux.py", line 72, in stack
    table = linux.LinuxKernelIntermedSymbols(

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols\linux\__init__.py", line 47, in __init__
    self.set_type_class("inet_sock", extensions.inet_sock)

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols\intermed.py", line 60, in _delegate_function
    return getattr(self._delegate, name)(*args, **kwargs)

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols\intermed.py", line 425, in set_type_class
    raise ValueError(f"Symbol type not in {self.name} SymbolTable: {name}")

ValueError: Symbol type not in LintelStacker1 SymbolTable: inet_sock

Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

Unsatisfied requirement plugins.PsList.kernel.layer_name:
Unsatisfied requirement plugins.PsList.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsList.kernel.layer_name', 'plugins.PsList.kernel.symbol_table_name']

nathan-out, Feb 08 '24 17:02

This shouldn't crash, as optional_set_type_class is supposed to catch this error and ignore it.

You have the following patch, if I'm not mistaken?

diff --git a/volatility3/framework/symbols/linux/__init__.py b/volatility3/framework/symbols/linux/__init__.py
index c4e2587f..adf855a5 100644
--- a/volatility3/framework/symbols/linux/__init__.py
+++ b/volatility3/framework/symbols/linux/__init__.py
@@ -45,7 +45,7 @@ class LinuxKernelIntermedSymbols(intermed.IntermediateSymbolTable):
         self.set_type_class("net", extensions.net)
         self.set_type_class("socket", extensions.socket)
         self.set_type_class("sock", extensions.sock)
-        self.set_type_class("inet_sock", extensions.inet_sock)
+        self.optional_set_type_class("inet_sock", extensions.inet_sock)
         self.set_type_class("unix_sock", extensions.unix_sock)
         # Might not exist in older kernels or the current symbols
         self.optional_set_type_class("netlink_sock", extensions.netlink_sock)
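Review bot: The unchanged context line self.set_type_class("unix_sock", extensions.unix_sock) directly below the changed line is still a hard requirement, so a symbol table that lacks inet_sock and also lacks unix_sock would raise the same ValueError one line later; consider switching that line to optional_set_type_class as well. The comment "Might not exist in older kernels or the current symbols" sits below both lines and reads as applying only to netlink_sock, so moving it above the inet_sock line (or adding a short comment there) would document why the binding is now optional.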

Edit: from what I can see:

 File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols\linux\__init__.py", line 47, in __init__
    self.set_type_class("inet_sock", extensions.inet_sock)

There seems to be something off?

Abyss-W4tcher, Feb 08 '24 17:02

I don't know when that patch made it in, but it might be worth updating to the latest development snapshot rather than 2.5.0?

ikelos, Feb 10 '24 22:02

This is a custom patch, suiting their need for a sample from a Linux kernel without network capabilities. It should rightfully ignore the missing symbol error, as they will most likely not need it in their analysis.

Abyss-W4tcher, Feb 10 '24 23:02

@Abyss-W4tcher OK, you were right, it works now!

I had to fix another line. To fix the issue you have to:

  • open this file volatility3-2.5.0\volatility3\framework\symbols\linux\__init__.py
  • modify these lines:
self.set_type_class("inet_sock", extensions.inet_sock)
self.set_type_class("unix_sock", extensions.unix_sock)

into these lines:

self.optional_set_type_class("inet_sock", extensions.inet_sock)
self.optional_set_type_class("unix_sock", extensions.unix_sock)

As future users with the same problem won't read all the messages, I'll summarize the problem. The problem stems from the Volatility assumption that a kernel must have a network module. This was wrong here, as the kernel was really very small. So vol raises an error. To solve this problem, vol needs to be told that the network module is optional.

I have several questions regarding this issue. Why this assumption? If it's possible, perhaps Vol should first check the modules built into the kernel and not trigger a fatal error?

Thanks all for your help, I really appreciate it :D

nathan-out, Feb 15 '24 18:02
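A pre-flight check for the situation in this thread, as an added example (not code from Volatility or from the posters): it reads a dwarf2json ISF file and reports which of the type names from the quoted __init__.py lines are absent, so a missing inet_sock or unix_sock shows up before a plugin run. The names load_isf and missing_type_classes are hypothetical, the sample ISF is constructed, and the check assumes the ValueError is raised for a name found in neither user_types nor base_types; only the bindings visible in this thread are covered.

```python
import gzip
import json
import lzma
from pathlib import Path

# Type names taken from the __init__.py lines quoted in this thread only.
# HARD: bound with set_type_class() there, so a missing type raises ValueError.
# SOFT: bound with optional_set_type_class() there, so a missing type is ignored.
HARD = ("net", "socket", "sock", "inet_sock", "unix_sock")
SOFT = ("netlink_sock",)

_OPENERS = {".gz": gzip.open, ".xz": lzma.open}


def load_isf(path):
    """Load an ISF symbol file, plain JSON or .gz/.xz compressed."""
    path = Path(path)
    opener = _OPENERS.get(path.suffix, open)
    with opener(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)


def missing_type_classes(isf):
    """Return (would_raise, tolerated): quoted type names absent from the ISF."""
    present = set(isf.get("user_types", {})) | set(isf.get("base_types", {}))
    would_raise = [name for name in HARD if name not in present]
    tolerated = [name for name in SOFT if name not in present]
    return would_raise, tolerated


# Constructed sample: shape of an ISF from a kernel built without networking.
SAMPLE_ISF = {
    "metadata": {},
    "base_types": {"int": {}, "pointer": {}},
    "user_types": {"task_struct": {}, "list_head": {}, "mm_struct": {}},
    "enums": {},
    "symbols": {},
}

if __name__ == "__main__":
    import sys

    isf = load_isf(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ISF
    would_raise, tolerated = missing_type_classes(isf)
    for name in would_raise:
        print(f"missing, bound with set_type_class(): {name}")
    for name in tolerated:
        print(f"missing, bound with optional_set_type_class(): {name}")
```

Run it with the path to the generated symbol file (for example the output.json from the reproduction steps) as the only argument; with no argument it checks the constructed sample.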