
Linux samples without `module_sect_attr` symbol

Open c4s4l opened this issue 3 months ago • 6 comments

Describe the bug

I have built a volatility profile for a Target NixOS 25.05 (Kernel 6.15.7) with dwarf2json. I am able to run pslist, psscan and bash history plugins on volatility3 v2.11.0. This version is working fine, except for Malfind and PsTree.

So I have decided to switch to a newer version v2.26.2. With this version, I have this bug message with the same symbols generated by dwarf2json: Unable to validate the plugin requirements: ['plugins.PsList.kernel.layer_name', 'plugins.PsList.kernel.symbol_table_name']

I have acquired memory dump with three different versions of AVML: 0.14.0, 0.15.0 and 0.16.0

Context

  • Volatility Version: 2.26.2
  • Operating System: NixOS 25.05
  • Python Version: Python 3.12.11
  • Suspected Operating System: NixOS 25.05
  • Command: vol --clear-cache -vvvv -s symbols/ -f memory_avml_0.dmp linux.pslist

To Reproduce

Steps to reproduce the behavior:

  1. Use command : vol --clear-cache -vvvv -s symbols/ -f memory_avml_0.dmp linux.pslist
  2. See error

Expected behavior

When I run the command pslist, I should see the process list.

Example output

Command: vol --clear-cache -vvvv -s symbols/ -f memory_avml_0.dmp linux.pslist

On version v2.26.2

Volatility 3 Framework 2.26.2
INFO     volatility3.cli: Volatility plugins path: ['/nix/store/qv0jybpalspswcl8jfk4fpx6x1z9khjx-volatility3-2.26.2/lib/python3.12/site-packages/volatility3/plugins', '/nix/store/qv0jybpalspswcl8jfk4fpx6x1z9khjx-volatility3-2.26.2/lib/python3.12/site-packages/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/[REDACTED]/projects/memory_analysis/ram_test/symbols', '/nix/store/qv0jybpalspswcl8jfk4fpx6x1z9khjx-volatility3-2.26.2/lib/python3.12/site-packages/volatility3/symbols', '/nix/store/qv0jybpalspswcl8jfk4fpx6x1z9khjx-volatility3-2.26.2/lib/python3.12/site-packages/volatility3/framework/symbols']
DEBUG    volatility3.plugins.yarascan: Using yara-python module
INFO     volatility3.framework.automagic: Detected a linux category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
DETAIL 2 volatility3.framework.automagic.symbol_cache: Identified file:///home/[REDACTED]/projects/memory_analysis/ram_test/symbols/6.15.7-kernel.json as b'Linux version 6.15.7 (nixbld@localhost) (gcc (GCC) 14.2.1 20250322, GNU ld (GNU Binutils) 2.44) #1-NixOS SMP PREEMPT_DYNAMIC Thu Jul 17 16:44:05 UTC 2025\n\x00'
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Stacked LimeLayer using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelVMCOREINFOStacker
DEBUG    volatility3.framework.automagic.linux: Identified banner: b'Linux version 6.15.7 (nixbld@localhost) (gcc (GCC) 14.2.1 20250322, GNU ld (GNU Binutils) 2.44) #1-NixOS SMP PREEMPT_DYNAMIC Thu Jul 17 16:44:05 UTC 2025\n\x00'
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.linux: Identified banner: b'Linux version 6.15.7 (nixbld@localhost) (gcc (GCC) 14.2.1 20250322, GNU ld (GNU Binutils) 2.44) #1-NixOS SMP PREEMPT_DYNAMIC Thu Jul 17 16:44:05 UTC 2025\n\x00'
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: LimeLayer
DETAIL 1 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 33751351419
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['LimeLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder  
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

Unsatisfied requirement plugins.PsList.kernel.layer_name: 
Unsatisfied requirement plugins.PsList.kernel.symbol_table_name: 

A translation layer requirement was not fulfilled.  Please verify that:
	A file was provided to create this layer (by -f, --single-location or by config)
	The file exists and is readable
	The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
	The associated translation layer requirement was fulfilled
	You have the correct symbol file for the requirement
	The symbol file is under the correct directory or zip file
	The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsList.kernel.layer_name', 'plugins.PsList.kernel.symbol_table_name']

On v2.11.0 (the good version)

Volatility 3 Framework 2.11.0
INFO     volatility3.cli: Volatility plugins path: ['/nix/store/07drhm6d3yflz6xvszwx9q3lcqwv49c7-volatility3-2.11.0/lib/python3.12/site-packages/volatility3/plugins', '/nix/store/07drhm6d3yflz6xvszwx9q3lcqwv49c7-volatility3-2.11.0/lib/python3.12/site-packages/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/[REDACTED]/projects/memory_analysis/ram_test/symbols', '/nix/store/07drhm6d3yflz6xvszwx9q3lcqwv49c7-volatility3-2.11.0/lib/python3.12/site-packages/volatility3/symbols', '/nix/store/07drhm6d3yflz6xvszwx9q3lcqwv49c7-volatility3-2.11.0/lib/python3.12/site-packages/volatility3/framework/symbols']
DEBUG    volatility3.plugins.yarascan: Using yara-python module
INFO     volatility3.framework.automagic: Detected a linux category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
DETAIL 2 volatility3.framework.automagic.symbol_cache: Identified file:///home/[REDACTED]/projects/memory_analysis/ram_test/symbols/6.15.7-kernel.json as b'Linux version 6.15.7 (nixbld@localhost) (gcc (GCC) 14.2.1 20250322, GNU ld (GNU Binutils) 2.44) #1-NixOS SMP PREEMPT_DYNAMIC Thu Jul 17 16:44:05 UTC 2025\n\x00'
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Stacked LimeLayer using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.linux: Identified banner: b'Linux version 6.15.7 (nixbld@localhost) (gcc (GCC) 14.2.1 20250322, GNU ld (GNU Binutils) 2.44) #1-NixOS SMP PREEMPT_DYNAMIC Thu Jul 17 16:44:05 UTC 2025\n\x00'
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!netns_ipvs
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_pkg_stats
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_rcv_lists_stats
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_dev_rcv_lists
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_route
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!sctp_mib
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_stats_rsn
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_stats
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_dev
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!tipc_bearer
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!udp_tunnel_nic
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!phylink
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_conn
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cached_keys
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cqm_config
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!phy_led_trigger
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!pse_control
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!phy_package_shared
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!sfp
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_hashinfo
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!dsa_8021q_context
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!rfkill
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!uapi_definition
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!hw_stats_device_data
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!rdma_restrack_root
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_internal_bss
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!ib_port
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!ib_gid_table
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!ib_pkey_cache
DEBUG    volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical 5e44c3000 virtual a600000
DEBUG    volatility3.framework.automagic.linux: DTB was found at: 0x5e74e7000
DETAIL 2 volatility3.framework.automagic.stacker: Stacked IntelLayer using LinuxIntelStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer.base_layer
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 33751351419
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'LimeLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder  
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 6.15.7 (nixbld@localhost) (gcc (GCC) 14.2.1 20250322, GNU ld (GNU Binutils) 2.44) #1-NixOS SMP PREEMPT_DYNAMIC Thu Jul 17 16:44:05 UTC 2025\n\x00'
DEBUG    volatility3.framework.automagic.symbol_finder: Using symbol library: file:///home/[REDACTED]/projects/memory_analysis/ram_test/symbols/6.15.7-kernel.json
INFO     volatility3.framework.automagic: Running automagic: KernelModule

OFFSET (V)	PID	TID	PPID	COMM	CREATION TIME	File output
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!netns_ipvs
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_pkg_stats
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_rcv_lists_stats
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_dev_rcv_lists
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_route
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sctp_mib
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_stats_rsn
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_stats
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_dev
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!tipc_bearer
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!udp_tunnel_nic
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!phylink
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_conn
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cached_keys
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cqm_config
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!phy_led_trigger
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pse_control
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!phy_package_shared
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_hashinfo
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dsa_8021q_context
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!rfkill
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!uapi_definition
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!hw_stats_device_data
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!rdma_restrack_root
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_internal_bss
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ib_port
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ib_gid_table
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ib_pkey_cache

0x8beac4b9cd00	1	1	0	systemd	2025-09-29 09:57:01.121289 UTC	Disabled
0x8beac4b98000	2	2	0	kthreadd	2025-09-29 09:57:01.121289 UTC	Disabled
0x8beac4b9e040	3	3	2	pool_workqueue_	2025-09-29 09:57:01.121289 UTC	Disabled
0x8beac4b99340	4	4	2	kworker/R-rcu_g	2025-09-29 09:57:01.121289 UTC	Disabled
0x8beac4b9a680	5	5	2	kworker/R-sync_	2025-09-29 09:57:01.121289 UTC	Disabled
0x8beac4b9b9c0	6	6	2	kworker/R-kvfre	2025-09-29 09:57:01.121289 UTC	Disabled
0x8beac4bb6040	7	7	2	kworker/R-slub_	2025-09-29 09:57:01.121289 UTC	Disabled
....

c4s4l avatar Sep 29 '25 14:09 c4s4l

This is very interesting. Are you able to share a sample that's affected?

eve-mem avatar Sep 30 '25 20:09 eve-mem

I will try to set up a virtual machine with the good OS version and kernel version. I will reproduce the same steps for the analysis.

How should I provide you with the sample?

c4s4l avatar Oct 01 '25 08:10 c4s4l

Here is the link to download samples: https://drive.google.com/file/d/1xt6PE5GEslNtQSPRr_-MB8u_rMmhMigv/view?usp=sharing

There are:

  • Three images for different kernel versions : 6.12.49, 6.15.7 and 6.16.9 (acquired with AVML version 0.15.0)
  • Target host: NixOS 25.05 (with different kernel versions)
  • old_symbols folder: dwarf generated with dwarf2json 0.9.0
  • symbols: generated with dwarf2json from main branch

Weirdly, 2.26.2 works only for 6.12.49, and 2.11.0 works for every version (except sometimes pstree and malfind).

c4s4l avatar Oct 02 '25 07:10 c4s4l

I have run volatility with "-vvvvvvvv" option to have full debug. I have a stacktrace (volatility 2.26.2 and kernel 6.16.9 and 6.15.7):

DEBUG    volatility3.framework.automagic.linux: Identified banner: b'Linux version 6.16.9 (nixbld@localhost) (gcc (GCC) 14.3.0, GNU ld (GNU Binutils) 2.44) #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 25 09:16:54 UTC 2025\n\x00'
DETAIL 3 volatility3.framework.automagic.stacker: Exception during stacking: Symbol type not in LintelStacker1 SymbolTable: module_sect_attr
DETAIL 4 volatility3.framework.automagic.stacker: Traceback (most recent call last):

  File "/nix/store/vqmbs79mbq3abrhg47h4wq3jd4d1s5v2-volatility3-2.26.2/lib/python3.12/site-packages/volatility3/framework/automagic/stacker.py", line 218, in stack_layer
    new_layer = stacker.stack(context, initial_layer, progress_callback)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  File "/nix/store/vqmbs79mbq3abrhg47h4wq3jd4d1s5v2-volatility3-2.26.2/lib/python3.12/site-packages/volatility3/framework/automagic/linux.py", line 337, in stack
    table = linux.LinuxKernelIntermedSymbols(
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  File "/nix/store/vqmbs79mbq3abrhg47h4wq3jd4d1s5v2-volatility3-2.26.2/lib/python3.12/site-packages/volatility3/framework/symbols/linux/__init__.py", line 55, in __init__
    self.set_type_class("module_sect_attr", extensions.module_sect_attr)

  File "/nix/store/vqmbs79mbq3abrhg47h4wq3jd4d1s5v2-volatility3-2.26.2/lib/python3.12/site-packages/volatility3/framework/symbols/intermed.py", line 60, in _delegate_function
    return getattr(self._delegate, name)(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  File "/nix/store/vqmbs79mbq3abrhg47h4wq3jd4d1s5v2-volatility3-2.26.2/lib/python3.12/site-packages/volatility3/framework/symbols/intermed.py", line 443, in set_type_class
    raise ValueError(f"Symbol type not in {self.name} SymbolTable: {name}")

ValueError: Symbol type not in LintelStacker1 SymbolTable: module_sect_attr

DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.linux: Identified banner: b'Linux version 6.16.9 (nixbld@localhost) (gcc (GCC) 14.3.0, GNU ld (GNU Binutils) 2.44) #1-NixOS SMP PREEMPT_DYNAMIC Thu Sep 25 09:16:54 UTC 2025\n\x00'
DETAIL 3 volatility3.framework.automagic.stacker: Exception during stacking: Symbol type not in LintelStacker1 SymbolTable: module_sect_attr
DETAIL 4 volatility3.framework.automagic.stacker: Traceback (most recent call last):

  File "/nix/store/vqmbs79mbq3abrhg47h4wq3jd4d1s5v2-volatility3-2.26.2/lib/python3.12/site-packages/volatility3/framework/automagic/stacker.py", line 218, in stack_layer
    new_layer = stacker.stack(context, initial_layer, progress_callback)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  File "/nix/store/vqmbs79mbq3abrhg47h4wq3jd4d1s5v2-volatility3-2.26.2/lib/python3.12/site-packages/volatility3/framework/automagic/linux.py", line 58, in stack
    table = linux.LinuxKernelIntermedSymbols(
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  File "/nix/store/vqmbs79mbq3abrhg47h4wq3jd4d1s5v2-volatility3-2.26.2/lib/python3.12/site-packages/volatility3/framework/symbols/linux/__init__.py", line 55, in __init__
    self.set_type_class("module_sect_attr", extensions.module_sect_attr)

  File "/nix/store/vqmbs79mbq3abrhg47h4wq3jd4d1s5v2-volatility3-2.26.2/lib/python3.12/site-packages/volatility3/framework/symbols/intermed.py", line 60, in _delegate_function
    return getattr(self._delegate, name)(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  File "/nix/store/vqmbs79mbq3abrhg47h4wq3jd4d1s5v2-volatility3-2.26.2/lib/python3.12/site-packages/volatility3/framework/symbols/intermed.py", line 443, in set_type_class
    raise ValueError(f"Symbol type not in {self.name} SymbolTable: {name}")

ValueError: Symbol type not in LintelStacker1 SymbolTable: module_sect_attr

c4s4l avatar Oct 02 '25 08:10 c4s4l

So this is saying that it found the ISF and loaded it, but that a symbol it was expecting to be there, `module_sect_attr`, was not. This was noted during the pull request that added this as a strict requirement for symbol tables, but it was asserted that this was always present: https://github.com/volatilityfoundation/volatility3/pull/1740/files#r2015136979

@atcuno it looks like we've found some example where this isn't the case. Any chance you could look into this please?

ikelos avatar Oct 02 '25 09:10 ikelos
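
The condition described in the comment above (the ISF loads and its banner is identified, but the `module_sect_attr` type is absent) can be checked on a dwarf2json output before it is handed to Volatility. This is an added example, not code from this thread or from the Volatility project; it assumes the usual ISF JSON layout (`user_types`, `base_types`, and a base64 `constant_data` on the `linux_banner` symbol), and `REQUIRED_TYPES`, `triage`, `demo` and the sample ISFs are constructed for illustration.

```python
import base64
import gzip
import json
import lzma
import os

# The type named in the traceback above. Extend the tuple with any other
# types your Volatility build insists on (assumption: you know that list).
REQUIRED_TYPES = ("module_sect_attr",)


def load_isf(path):
    """Load an ISF file, handling plain .json as well as .json.xz / .json.gz."""
    if path.endswith(".xz"):
        opener = lzma.open
    elif path.endswith(".gz"):
        opener = gzip.open
    else:
        opener = open
    with opener(path, "rt", encoding="utf-8") as handle:
        return json.load(handle)


def isf_banner(isf):
    """Decode the kernel banner stored on the linux_banner symbol, if present."""
    data = isf.get("symbols", {}).get("linux_banner", {}).get("constant_data")
    if not data:
        return None
    return base64.b64decode(data).rstrip(b"\x00\n").decode("utf-8", "replace")


def missing_types(isf, required=REQUIRED_TYPES):
    """Return the required type names that the ISF does not define."""
    defined = set(isf.get("user_types", {})) | set(isf.get("base_types", {}))
    return [name for name in required if name not in defined]


def triage(path, required=REQUIRED_TYPES):
    """Summarise one ISF: which kernel it claims to be, and what it lacks."""
    isf = load_isf(path)
    return {"banner": isf_banner(isf), "missing": missing_types(isf, required)}


def _constructed_isf(type_names):
    """Build a tiny constructed ISF (not real dwarf2json output)."""
    banner = b"Linux version 0.0.0-constructed (example build)\n\x00"
    return {
        "metadata": {"format": "6.2.0"},
        "base_types": {
            "int": {"kind": "int", "size": 4, "signed": True, "endian": "little"}
        },
        "user_types": {
            name: {"kind": "struct", "size": 0, "fields": {}} for name in type_names
        },
        "enums": {},
        "symbols": {
            "linux_banner": {
                "address": 0,
                "constant_data": base64.b64encode(banner).decode("ascii"),
            }
        },
    }


def demo(directory):
    """Write two constructed ISFs into `directory` and triage both."""
    with_type = os.path.join(directory, "with_type.json.xz")
    without_type = os.path.join(directory, "without_type.json")
    with lzma.open(with_type, "wt", encoding="utf-8") as handle:
        json.dump(_constructed_isf(["task_struct", "module_sect_attr"]), handle)
    with open(without_type, "w", encoding="utf-8") as handle:
        json.dump(_constructed_isf(["task_struct"]), handle)
    return {os.path.basename(p): triage(p) for p in (with_type, without_type)}


if __name__ == "__main__":
    import sys
    import tempfile

    if len(sys.argv) > 1:
        # Real use: pass one or more ISF paths on the command line.
        for isf_path in sys.argv[1:]:
            print(isf_path, triage(isf_path))
    else:
        with tempfile.TemporaryDirectory() as tmp:
            for name, report in demo(tmp).items():
                print(name, report)
```

A non-empty `missing` list alongside a correct banner matches the situation in this issue: the symbol file is the right one for the kernel, yet the framework rejects it.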

This should be fixed by: https://github.com/volatilityfoundation/volatility3/pull/1773

Abyss-W4tcher avatar Oct 06 '25 10:10 Abyss-W4tcher