
Unsatisfied requirement plugins.Lsof.kernel: Linux kernel

Open ninja2017 opened this issue 3 years ago • 11 comments

Describe the bug
A clear and concise description of what the bug is.

Context
Volatility Version: Volatility 3 Framework 2.0.0
Operating System: CentOS 8 Linux localhost.localdomain 4.18.0-305.3.1.el8.x86_64 #1 SMP Tue Jun 1 16:14:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Python Version: Python 3.6.8 (default, Mar 19 2021, 05:13:41) [GCC 8.4.1 20200928 (Red Hat 8.4.1-1)] on linux
Suspected Operating System: CentOS 8 Linux localhost.localdomain 4.18.0-305.3.1.el8.x86_64 #1 SMP Tue Jun 1 16:14:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Command: python3 vol.py -vvvvvvvv -f CentOS8.vmem linux.lsof.Lsof

To Reproduce
Steps to reproduce the behavior:

  1. Use command 'python3 vol.py -vvvvvvvv -f CentOS8.vmem linux.lsof.Lsof '
  2. See error
     Unsatisfied requirement plugins.Lsof.kernel: Linux kernel
     Unable to validate the plugin requirements: ['plugins.Lsof.kernel']

Expected behavior
A clear and concise description of what you expected to happen. According to the requirements of the symbol table.

Screenshots
[root@localhost volatility3]# python3 vol.py -vvvvvvvv -f CentOS8.vmem linux.lsof.Lsof
Volatility 3 Framework 2.0.0
INFO volatility3.cli: Volatility plugins path: ['/home/find/Downloads/dwarf2json-master/volatility3/volatility3/plugins', '/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins'] INFO volatility3.cli: Volatility symbols path: ['/home/find/Downloads/dwarf2json-master/volatility3/volatility3/symbols', '/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/symbols'] Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/plugins, /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: No module named 'yara' DEBUG volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/yarascan.py DEBUG volatility3.framework: No module named 'Crypto' DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/cachedump.py INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: No module named 'yara' DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.callbacks based on file:
/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/callbacks.py DEBUG volatility3.framework: No module named 'Crypto' DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/hashdump.py DEBUG volatility3.framework: No module named 'Crypto' DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/lsadump.py INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: No module named 'yara' DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/svcscan.py INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: No module named 'yara' DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/vadyarascan.py INFO volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.callbacks, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/automagic Level 7 volatility3.cli: Cache directory used: /root/.cache/volatility3 INFO volatility3.framework.automagic: Detected a linux category plugin 
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers INFO volatility3.framework.automagic: Running automagic: ConstructionMagic Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel.layer_name Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not 
yet fulfilled: plugins.Lsof.kernel.symbol_table_name Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel.symbol_table_name Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 6 volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None INFO volatility3.framework.automagic: Running automagic: LinuxBannerCache Level 6 volatility3.framework.symbols.intermed: Searching for symbols in /home/find/Downloads/dwarf2json-master/volatility3/volatility3/symbols, /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/symbols INFO volatility3.framework.automagic.symbol_cache: Building linux caches... 
Level 7 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, LeechCoreHandler INFO volatility3.framework.automagic: Running automagic: LayerStacker Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker Level 6 volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0 Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker Level 6 volatility3.framework.layers.vmware: Metadata found: VMSS (False) or VMSN (False) Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker DEBUG volatility3.framework.automagic.linux: No suitable linux banner could be matched Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name Level 9 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer DEBUG volatility3.framework.automagic.stacker: Stacked layers: 
['FileLayer'] INFO volatility3.framework.automagic: Running automagic: LinuxSymbolFinder Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name INFO volatility3.framework.automagic: Running automagic: KernelModule Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel

Unsatisfied requirement plugins.Lsof.kernel: Linux kernel Unable to validate the plugin requirements: ['plugins.Lsof.kernel']

Additional information Add any other information about the problem here.

ninja2017 avatar Oct 21 '21 13:10 ninja2017

Hi, did you create the appropriate symbol file for the version of CentOS 8 you're trying to analyse? Volatility 3 doesn't yet have a library of Linux symbol tables, so without creating that you won't be able to work with the memory image. There's a tool for creating them from a debug kernel using the tool dwarf2json. Please see this documentation for more information. You can see which symbol tables Volatility 3 can see using the isfinfo plugin, and you can check what banners are present in the image using the banners plugin...

ikelos avatar Oct 21 '21 21:10 ikelos
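One way to run the check ikelos describes outside Volatility: compare the kernel banner embedded in a symbol file with the banners present in the image. This is an added example, not Volatility or dwarf2json code. It assumes the dwarf2json ISF layout in which `symbols.linux_banner.constant_data` holds the base64-encoded banner; `make_isf`, `diagnose` and the other names are hypothetical, the image bytes are constructed, and the builder address in the sample banner is a placeholder.

```python
import base64
import json
import lzma
import re
from pathlib import Path

# A kernel banner is a printable ASCII line starting with "Linux version ".
BANNER_RE = re.compile(rb"Linux version [ -~]{10,400}\n")
RELEASE_RE = re.compile(rb"Linux version (\S+)")


def banners_in_image(data: bytes) -> list:
    """Return the distinct kernel banners found in a raw memory buffer."""
    return sorted({m.group(0) for m in BANNER_RE.finditer(data)})


def load_isf(path: str) -> dict:
    """Load an ISF symbol file, transparently handling .json.xz."""
    raw = Path(path).read_bytes()
    if path.endswith(".xz"):
        raw = lzma.decompress(raw)
    return json.loads(raw)


def isf_banner(isf: dict) -> bytes:
    """Decode the banner stored with the linux_banner symbol (assumed layout)."""
    symbol = isf.get("symbols", {}).get("linux_banner")
    if not symbol or "constant_data" not in symbol:
        raise ValueError("symbol table has no linux_banner constant_data")
    return base64.b64decode(symbol["constant_data"]).rstrip(b"\x00")


def release(banner: bytes) -> bytes:
    """Extract the kernel release (the `uname -r` part) from a banner."""
    m = RELEASE_RE.match(banner)
    return m.group(1) if m else b""


def diagnose(image: bytes, isf: dict) -> str:
    """Classify how well a symbol file fits an image.

    match              banner is byte-identical: the symbols fit this kernel
    release-only       same release, different build string: symbols were
                       generated from another build of that kernel
    no-match           the image holds banners, none for this release
    no-banner-in-image nothing to match against (wrong format or not Linux)
    """
    wanted = isf_banner(isf)
    found = banners_in_image(image)
    if not found:
        return "no-banner-in-image"
    if wanted in found:
        return "match"
    rel = release(wanted)
    if rel and rel in {release(b) for b in found}:
        return "release-only"
    return "no-match"


# --- constructed sample data -------------------------------------------
# Release and compiler strings follow the banner quoted in this thread;
# the builder address is a placeholder.
BANNER = (b"Linux version 4.18.0-305.3.1.el8.x86_64 (builder@example.invalid) "
          b"(gcc version 8.4.1 20200928 (Red Hat 8.4.1-1) (GCC)) "
          b"#1 SMP Tue Jun 1 16:14:33 UTC 2021\n")
OTHER_BUILD = BANNER.replace(b"Jun 1 16:14:33", b"Jun 9 10:00:00")
OTHER_RELEASE = BANNER.replace(b"305.3.1", b"240.22.1")
SAMPLE_IMAGE = b"\x00" * 64 + BANNER + b"\x00" + b"\xff" * 64


def make_isf(banner: bytes) -> dict:
    """Build a minimal ISF-shaped dict carrying only the banner symbol."""
    data = base64.b64encode(banner + b"\x00").decode()
    return {"symbols": {"linux_banner": {"address": 0, "constant_data": data}}}


if __name__ == "__main__":
    for label, banner in (("same build", BANNER),
                          ("other build", OTHER_BUILD),
                          ("other release", OTHER_RELEASE)):
        print(f"{label:14s} -> {diagnose(SAMPLE_IMAGE, make_isf(banner))}")
```

A `release-only` result is the case to watch for when symbols are generated from a debug kernel package: the release string agrees, but the banner comparison is on the full build string.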

Yes, thank you. I created the appropriate symbol file for the version of CentOS 8. But there are new problems.

[root@localhost volatility3]# python3 vol.py -vvvvvv -f CentOS8.vmem linux.pslist.PsList
Volatility 3 Framework 2.0.0
INFO volatility3.cli: Volatility plugins path: ['/home/find/Downloads/dwarf2json-master/volatility3/volatility3/plugins', '/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins'] INFO volatility3.cli: Volatility symbols path: ['/home/find/Downloads/dwarf2json-master/volatility3/volatility3/symbols', '/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/symbols'] Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/plugins, /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: No module named 'yara' DEBUG volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/yarascan.py DEBUG volatility3.framework: No module named 'Crypto' DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/cachedump.py INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: No module named 'yara' DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.callbacks based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/callbacks.py DEBUG volatility3.framework: No module named 'Crypto' DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on
file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/hashdump.py DEBUG volatility3.framework: No module named 'Crypto' DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/lsadump.py INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: No module named 'yara' DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/svcscan.py INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: No module named 'yara' DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/vadyarascan.py INFO volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.callbacks, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/automagic Level 7 volatility3.cli: Cache directory used: /root/.cache/volatility3 INFO volatility3.framework.automagic: Detected a linux category plugin Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers INFO volatility3.framework.automagic: Running automagic: ConstructionMagic Level 6 volatility3.framework: 
Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 
volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 6 volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None INFO volatility3.framework.automagic: Running automagic: LinuxBannerCache Level 6 volatility3.framework.symbols.intermed: Searching for symbols in /home/find/Downloads/dwarf2json-master/volatility3/volatility3/symbols, /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/symbols INFO volatility3.framework.automagic.symbol_cache: Building linux caches... 
Level 7 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, LeechCoreHandler INFO volatility3.framework.automagic: Running automagic: LayerStacker Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker Level 6 volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0 Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker Level 6 volatility3.framework.layers.vmware: Metadata found: VMSS (False) or VMSN (False) Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker DEBUG volatility3.framework.automagic.linux: Identified banner: b'Linux version 4.18.0-305.3.1.el8.x86_64 ([email protected]) (gcc version 8.4.1 20200928 (Red Hat 8.4.1-1) (GCC)) #1 SMP Tue Jun 1 16:14:33 UTC 2021\n\x00' INFO volatility3.schemas: Dependency for validation unavailable: jsonschema DEBUG volatility3.schemas: All validations will report success, even with malformed input DEBUG 
volatility3.framework.symbols: Unresolved reference: LintelStacker1!dma_coherent_mem DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!netns_ipvs DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!ring_buffer DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!s_pstats DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_dev_rcv_lists DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!s_stats DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_route DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sctp_mib DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!ebt_table DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!garp_port DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!wireless_dev DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mrp_port DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!switchdev_ops DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sfp_bus DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!tipc_bearer DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_vstats DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_dev DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!udp_tunnel_nic DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!phylink DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!reset_control DEBUG 
volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical 1b400000 virtual 35c00000 DEBUG volatility3.framework.automagic.linux: DTB was found at: 0x1da10000 Level 8 volatility3.framework.automagic.stacker: Stacked IntelLayer using LinuxIntelStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker Level 6 volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 
volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name 
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer'] INFO volatility3.framework.automagic: Running automagic: LinuxSymbolFinder Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name DEBUG volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 4.18.0-305.3.1.el8.x86_64 ([email protected]) (gcc version 8.4.1 20200928 (Red Hat 8.4.1-1) (GCC)) #1 SMP Tue Jun 1 16:14:33 UTC 2021\n\x00' DEBUG volatility3.framework.automagic.symbol_finder: Using symbol library: jar:file:/home/find/Downloads/dwarf2json-master/volatility3/volatility3/symbols/linux.zip!linux/CentOS8.4.18.0-305.3.1.el8.x86_64.json.xz INFO volatility3.schemas: Dependency for validation unavailable: jsonschema DEBUG volatility3.schemas: All validations will report success, even with malformed input INFO volatility3.framework.automagic: Running automagic: KernelModule Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel

PID PPID COMM DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dma_coherent_mem DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!netns_ipvs DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ring_buffer DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!s_pstats DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_dev_rcv_lists DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!s_stats DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_route DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sctp_mib DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ebt_table DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!garp_port DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!wireless_dev DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mrp_port DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!switchdev_ops DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp_bus DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!tipc_bearer DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_vstats DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_dev DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!udp_tunnel_nic DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!phylink DEBUG 
volatility3.framework.symbols: Unresolved reference: symbol_table_name1!reset_control

DEBUG volatility3.cli: Traceback (most recent call last):
  File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/cli/__init__.py", line 333, in run
    renderers[args.renderer]().render(constructed.run())
  File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/cli/text_renderer.py", line 178, in render
    grid.populate(visitor, outfd)
  File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/renderers/__init__.py", line 211, in populate
    for (level, item) in self._generator:
  File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/linux/pslist.py", line 55, in _generator
    pid = task.pid
  File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/objects/__init__.py", line 760, in __getattr__
    member = template(context = self._context, object_info = object_info)
  File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/objects/templates.py", line 72, in __call__
    return self.vol.object_class(context = context, object_info = object_info, **arguments)
  File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/objects/__init__.py", line 121, in __new__
    value = cls._unmarshall(context, data_format, object_info)
  File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/objects/__init__.py", line 143, in _unmarshall
    data = context.layers.read(object_info.layer_name, object_info.offset, data_format.length)
  File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/interfaces/layers.py", line 553, in read
    return self[layer].read(offset, length, pad)
  File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/linear.py", line 37, in read
    for (offset, _, mapped_offset, mapped_length, layer) in self.mapping(offset, length, ignore_errors = pad):
  File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/intel.py", line 200, in mapping
    for offset, size, mapped_offset, mapped_size, map_layer in self._mapping(offset, length, ignore_errors):
  File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/intel.py", line 244, in _mapping
    chunk_offset, page_size, layer_name = self._translate(offset)
  File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/intel.py", line 105, in _translate
    entry, position = self._translate_entry(offset)
  File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/intel.py", line 149, in _translate_entry
    table = self._get_valid_table(base_address)
  File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/intel.py", line 170, in _get_valid_table
    table = self._context.layers.read(self._base_layer, base_address, self.page_size)
  File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/interfaces/layers.py", line 553, in read
    return self[layer].read(offset, length, pad)
  File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/physical.py", line 144, in read
    "Offset outside of the buffer boundaries")
volatility3.framework.exceptions.InvalidAddressException: Offset outside of the buffer boundaries

Volatility was unable to read a requested page: 0x13b3bf000 in layer memory_layer (Offset outside of the buffer boundaries)

* The base memory file being incomplete (try re-acquiring if possible)
* Memory smear during acquisition (try re-acquiring if possible)
* An intentionally invalid page lookup (operating system protection)
* A bug in the plugin/volatility3 (re-run with -vvv and file a bug)

No further results will be produced

ninja2017 avatar Oct 25 '21 01:10 ninja2017

I think "symbol file" is still incorrect. But I don't know what went wrong. system-map vmlinux kernel-info

ninja2017 avatar Oct 25 '21 01:10 ninja2017

banner isinfo

ninja2017 avatar Oct 25 '21 02:10 ninja2017

Thanks, it looks like the symbols are present now and it's detecting the right version of linux and using that JSON file, but the intel memory map seems to be pointing to somewhere outside of the bounds of the physical memory image. Unfortunately this suggests either:

  • an issue with the memory image itself, which is unusual but can happen
  • that the JSON file has symbols which point to the wrong locations and so is throwing off volatility's ability to determine where certain structures are in memory
  • that it's misdetected the location of the kernel and/or one of the ASLR shifts required to make them all match up.

Unfortunately, it's not clear how to figure out which of those issues is the problem. Might be one for @atcuno to help diagnose?

Volatility was unable to read a requested page:
0x13b3bf000 in layer memory_layer (Offset outside of the buffer boundaries)

ikelos avatar Oct 25 '21 08:10 ikelos

I used the same method for centos7 and found the following error:

Level 8 volatility3.framework.automagic.symbol_cache: Caching file jar:file:/root/dwarf2json/volatility3/volatility3/symbols/linux.zip!linux/centos7.3.10.json.xz failed due to JSON error Level 8 volatility3.framework.automagic.symbol_cache: Caching file jar:file:/root/dwarf2json/volatility3/volatility3/symbols/linux.zip!linux/centos7-3.10.json.xz failed due to JSON error INFO volatility3.framework.automagic: Running automagic: LayerStacker Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker Level 6 volatility3.framework.layers.elf: Exception: Bad magic 0x4c694d45 at file offset 0x0

ninja2017 avatar Oct 26 '21 11:10 ninja2017

Thanks, would you be able to attach either of centos7.3.10.json.xz or centos7-3.10.json.xz so we can take a look at what's going on? That looks like a separate issue, rather than something related to this one...

ikelos avatar Oct 27 '21 00:10 ikelos

I found that I didn't have enough memory, so I didn't complete "Symbols". But there are still problems with centos7. (base) [root@localhost volatility3]# python vol.py -vvvvvv -f CentOS7-1160.vmem linux.pslist.PsList Volatility 3 Framework 2.0.0 INFO volatility3.cli: Volatility plugins path: ['/root/dwarf2json/volatility3/volatility3/plugins', '/root/dwarf2json/volatility3/volatility3/framework/plugins'] INFO volatility3.cli: Volatility symbols path: ['/root/dwarf2json/volatility3/volatility3/symbols', '/root/dwarf2json/volatility3/volatility3/framework/symbols'] Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/plugins, /root/dwarf2json/volatility3/volatility3/framework/plugins Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/automagic Level 7 volatility3.cli: Cache directory used: /root/.cache/volatility3 INFO volatility3.framework.automagic: Detected a linux category plugin Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers INFO volatility3.framework.automagic: Running automagic: ConstructionMagic Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel Level 6 volatility3.framework: Importing from the following 
paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 6 volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None INFO volatility3.framework.automagic: Running automagic: LinuxBannerCache Level 6 
volatility3.framework.symbols.intermed: Searching for symbols in /root/dwarf2json/volatility3/volatility3/symbols, /root/dwarf2json/volatility3/volatility3/framework/symbols INFO volatility3.framework.automagic.symbol_cache: Building linux caches... Level 7 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, LeechCoreHandler INFO volatility3.framework.automagic: Running automagic: LayerStacker Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker Level 6 volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0 Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker Level 6 volatility3.framework.layers.vmware: Metadata found: VMSS (False) or VMSN (False) Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker DEBUG volatility3.framework.automagic.linux: Identified banner: b'Linux version 3.10.0-1160.31.1.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 
4.8.5-44) (GCC) ) #1 SMP Thu Jun 10 13:32:12 UTC 2021\n\x00' DEBUG volatility3.schemas: Validating JSON against schema... DEBUG volatility3.schemas: JSON validated against schema (result cached) DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!slab DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!dma_coherent_mem DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!css_id DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sock_fprog_kern DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!nf_ct_event_notifier DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!nf_exp_event_notifier DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!nft_af_info DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sctp_mib DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!ebt_table DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!dn_dev DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!garp_port DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mrp_port DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_vstats DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!forwarding_accel_ops DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!wpan_dev DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sysfs_dirent DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!dn_route DEBUG volatility3.framework.symbols: Unresolved reference: 
LintelStacker1!ip_vs_sync_buff DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!tcp_states_t DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_tstats DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_conn DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cached_keys DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cqm_config DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_internal_bss DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!libipw_device DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!res_counter DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!nfs4_lock_state DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!nlm_lockowner DEBUG volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical 4777f000 virtual 0 DEBUG volatility3.framework.automagic.linux: DTB was found at: 0x4938f000 Level 8 volatility3.framework.automagic.stacker: Stacked IntelLayer using LinuxIntelStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker Level 6 volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name Level 6 
volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 6 
volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer'] INFO volatility3.framework.automagic: Running automagic: LinuxSymbolFinder Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name DEBUG volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 3.10.0-1160.31.1.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP Thu Jun 10 13:32:12 UTC 2021\n\x00' DEBUG volatility3.framework.automagic.symbol_finder: Using symbol library: jar:file:/root/dwarf2json/volatility3/volatility3/symbols/linux.zip!linux/Centos7.1061.json.xz INFO volatility3.framework.automagic: Running automagic: KernelModule 
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel

PID PPID COMM DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!slab DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dma_coherent_mem DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!css_id DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sock_fprog_kern DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!nf_ct_event_notifier DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!nf_exp_event_notifier DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!nft_af_info DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sctp_mib DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ebt_table DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dn_dev DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!garp_port DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mrp_port DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_vstats DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!forwarding_accel_ops DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!wpan_dev DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sysfs_dirent DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dn_route DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ip_vs_sync_buff DEBUG volatility3.framework.symbols: Unresolved reference: 
symbol_table_name1!tcp_states_t DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_tstats DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_conn DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cached_keys DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cqm_config DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_internal_bss DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!libipw_device DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!res_counter DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!nfs4_lock_state DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!nlm_lockowner

Symbols.zip

ninja2017 avatar Oct 27 '21 03:10 ninja2017

Well, it's correctly identifying the symbols, so it could be that the ASLR shift is coming out wrong, but again, I think this is into territory best covered by @atcuno at this point...

ikelos avatar Oct 27 '21 07:10 ikelos

@ninja2017 can you share the memory samples from this issue? Also, I see that you have a .vmem extension. Is this from a VMware snapshot or suspended state? If so, is the accompanying .vmss file in the directory?

atcuno avatar Mar 15 '22 21:03 atcuno

@atcuno We now log whether a VMSS/VMSN was present; neither was there with this image:

Level 6 volatility3.framework.layers.vmware: Metadata found: VMSS (False) or VMSN (False)

ikelos avatar Mar 16 '22 00:03 ikelos
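
An added triage helper, not part of the thread or of Volatility: it pulls the values discussed above (VMSS/VMSN metadata, banner, ASLR shift, DTB, unreadable page) out of verbose output and compares offsets against the size of the image file. The function names, the 4 GiB image size and the sample log are constructed for illustration; the log line formats are the ones quoted in this thread.

```python
import re

PAGE_SIZE = 0x1000  # assumption: 4 KiB pages, used only to size the overshoot

# Constructed sample: lines in the format quoted in this thread, combined from
# both runs (CentOS 7 automagic output, CentOS 8 page error), banner shortened.
SAMPLE_LOG = """\
Level 6 volatility3.framework.layers.vmware: Metadata found: VMSS (False) or VMSN (False)
DEBUG volatility3.framework.automagic.linux: Identified banner: b'Linux version 3.10.0-1160.31.1.el7.x86_64 (gcc version 4.8.5)'
DEBUG volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical 4777f000 virtual 0
DEBUG volatility3.framework.automagic.linux: DTB was found at: 0x4938f000
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
Volatility was unable to read a requested page: 0x13b3bf000 in layer memory_layer (Offset outside of the buffer boundaries)
"""

PATTERNS = {
    "metadata": re.compile(r"Metadata found: VMSS \((True|False)\) or VMSN \((True|False)\)"),
    "banner": re.compile(r"Identified banner: b'Linux version (\S+)"),
    "aslr": re.compile(r"ASLR shift values determined: physical ([0-9a-f]+) virtual ([0-9a-f]+)"),
    "dtb": re.compile(r"DTB was found at: (0x[0-9a-f]+)"),
    # \s* tolerates the address being wrapped onto the next line
    "page": re.compile(r"unable to read a requested page:\s*(0x[0-9a-f]+) in layer (\w+)"),
}


def parse_vol_log(text):
    """Extract the diagnostic values from Volatility 3 verbose output."""
    facts = {"vmss": None, "vmsn": None, "kernel": None,
             "aslr_physical": None, "aslr_virtual": None, "dtb": None}
    m = PATTERNS["metadata"].search(text)
    if m:
        facts["vmss"], facts["vmsn"] = (g == "True" for g in m.groups())
    m = PATTERNS["banner"].search(text)
    if m:
        facts["kernel"] = m.group(1)
    m = PATTERNS["aslr"].search(text)
    if m:
        facts["aslr_physical"] = int(m.group(1), 16)
        facts["aslr_virtual"] = int(m.group(2), 16)
    m = PATTERNS["dtb"].search(text)
    if m:
        facts["dtb"] = int(m.group(1), 16)
    facts["failed_pages"] = [(int(off, 16), layer)
                             for off, layer in PATTERNS["page"].findall(text)]
    return facts


def triage(facts, image_size):
    """Return (code, bytes_past_end_or_None) findings for an image of image_size bytes."""
    findings = []
    for offset, _layer in facts["failed_pages"]:
        end = offset + PAGE_SIZE
        if end > image_size:
            # The translated address is not backed by the file at all.
            findings.append(("page_beyond_image", end - image_size))
    if facts["dtb"] is not None and facts["dtb"] >= image_size:
        findings.append(("dtb_beyond_image", facts["dtb"] - image_size))
    if facts["vmss"] is False and facts["vmsn"] is False:
        # No VMware metadata was stacked; look for the .vmss/.vmsn beside the .vmem.
        findings.append(("no_vmware_metadata", None))
    return findings


if __name__ == "__main__":
    constructed_size = 4 << 30  # constructed: a 4 GiB image file
    for code, extra in triage(parse_vol_log(SAMPLE_LOG), constructed_size):
        print(code, hex(extra) if extra is not None else "")
```

In practice, pass `os.path.getsize()` of the acquired image as `image_size` and feed the function the captured `-vvv` output.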

This issue is stale because it has been open for 200 days with no activity.

github-actions[bot] avatar Oct 21 '23 01:10 github-actions[bot]

This issue was closed because it has been inactive for 60 days since being marked as stale.

github-actions[bot] avatar Dec 21 '23 01:12 github-actions[bot]