volatility3
Got error "Unable to validate the plugin requirements: ['plugins.Bash.kernel']" while analyzing dumped memory of macOS 12.1_21C52
Describe the bug
Got error "Unable to validate the plugin requirements: ['plugins.Bash.kernel']" while analyzing dumped memory of macOS 12.1_21C52.
Context
- Volatility Version: Volatility 3 Framework 2.0.0
- Operating System: Windows
- Python Version: Python 3.8.5
- Suspected Operating System: macOS 12.1_21C52
- Command: python3 vol.py -f ..\memorydmp\memory.dmp mac.bash.Bash
To Reproduce
Steps to reproduce the behavior:
- Use command 'python3 vol.py -f ../memory.dmp mac.bash.Bash'
- See error:
Unsatisfied requirement plugins.Bash.kernel: Kernel module for the OS
Unable to validate the plugin requirements: ['plugins.Bash.kernel']
Expected behavior
Some bash history commands should appear and there should not be an error.
Additional information
I produced the json file with the command ./dwarf2json mac --macho /Library/Developer/KDKs/KDK_12.1_21C52.kdk/System/Library/Kernels/kernel.dSYM/Contents/Resources/DWARF/kernel --macho-symbols /Library/Developer/KDKs/KDK_12.1_21C52.kdk/System/Library/Kernels/kernel and then put it into the directory 'volatility3\symbols\mac'.
The result of the isfinfo plugin showed that the json file could be loaded successfully:
python3 vol.py -f ..\memorydmp\memory.dmp isfinfo.IsfInfo
Volatility 3 Framework 2.0.0
Progress: 100.00 PDB scanning finished
URI	Valid	Number of base_types	Number of types	Number of symbols	Number of enums	Windows info	Linux banner	Mac banner
file:///D:/Project/2022/Volatility/volatility3/volatility3/symbols/mac/Kernel_Debug_Kit_12.1_build_21C52.dmg.json	Unknown	19	6886	62945	369	-	-	Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64
......
The result of the banners plugin showed that the dumped memory matched the json file version:
PS D:\Project\2022\Volatility\volatility3> python3 vol.py -f ..\memorydmp\memory.dmp banners.Banners
Volatility 3 Framework 2.0.0
Progress: 100.00 PDB scanning finished
Offset	Banner
0x275f52d	Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64
0x275f590	Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64
0x2cd9774	Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64
0xf35f52d	Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64
0xf35f590	Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64
0xf8d9774	Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64
0x1535f52d	Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64
0x1535f590	Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64
0x158d9774	Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64
0x1975f52d	Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64
0x1975f590	Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64
0x19cd9774	Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64
When I ran vol.py with -vvvvvvv, I got the following result:
PS D:\Project\2022\Volatility\volatility3> python3 vol.py -vvvvvvv -f ..\memorydmp\memory.dmp mac.bash.Bash
Volatility 3 Framework 2.0.0
INFO volatility3.cli: Volatility plugins path: ['D:\Project\2022\Volatility\volatility3\volatility3\plugins', 'D:\Project\2022\Volatility\volatility3\volatility3\framework\plugins']
INFO volatility3.cli: Volatility symbols path: ['D:\Project\2022\Volatility\volatility3\volatility3\symbols', 'D:\Project\2022\Volatility\volatility3\volatility3\framework\symbols']
Level 6 volatility3.framework: Importing from the following paths: D:\Project\2022\Volatility\volatility3\volatility3\plugins, D:\Project\2022\Volatility\volatility3\volatility3\framework\plugins
Level 6 volatility3.framework: Importing from the following paths: D:\Project\2022\Volatility\volatility3\volatility3\framework\automagic
Level 7 volatility3.cli: Cache directory used: C:\Users\snowqizhang\.cache\volatility3
INFO volatility3.framework.automagic: Detected a mac category plugin
Level 6 volatility3.framework: Importing from the following paths: D:\Project\2022\Volatility\volatility3\volatility3\framework\layers
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6 volatility3.framework: Importing from the following paths: D:\Project\2022\Volatility\volatility3\volatility3\framework\layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel
Level 6 volatility3.framework: Importing from the following paths: D:\Project\2022\Volatility\volatility3\volatility3\framework\layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel
Level 6 volatility3.framework: Importing from the following paths: D:\Project\2022\Volatility\volatility3\volatility3\framework\layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash.kernel
Level 6 volatility3.framework: Importing from the following paths: D:\Project\2022\Volatility\volatility3\volatility3\framework\layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel.layer_name
Level 6 volatility3.framework: Importing from the following paths: D:\Project\2022\Volatility\volatility3\volatility3\framework\layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel.layer_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash.kernel
Level 6 volatility3.framework: Importing from the following paths: D:\Project\2022\Volatility\volatility3\volatility3\framework\layers
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Bash.kernel.symbol_table_name
Level 6 volatility3.framework: Importing from the following paths: D:\Project\2022\Volatility\volatility3\volatility3\framework\layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Bash.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash
Level 6 volatility3.framework: Importing from the following paths: D:\Project\2022\Volatility\volatility3\volatility3\framework\layers
Level 6 volatility3.framework: Importing from the following paths: D:\Project\2022\Volatility\volatility3\volatility3\framework\layers
Level 6 volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
INFO volatility3.framework.automagic: Running automagic: SymbolBannerCache
INFO volatility3.framework.automagic: Running automagic: MacBannerCache
Level 6 volatility3.framework.symbols.intermed: Searching for symbols in D:\Project\2022\Volatility\volatility3\volatility3\symbols, D:\Project\2022\Volatility\volatility3\volatility3\framework\symbols
INFO volatility3.framework.automagic.symbol_cache: Building mac caches...
Level 7 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, LeechCoreHandler
Level 8 volatility3.framework.automagic.symbol_cache: Caching banner b'Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64\x00' for file file:///D:/Project/2022/Volatility/volatility3/volatility3/symbols/mac/Kernel_Debug_Kit_12.1_build_21C52.dmg.json
INFO volatility3.framework.automagic: Running automagic: LayerStacker
Level 6 volatility3.framework: Importing from the following paths: D:\Project\2022\Volatility\volatility3\volatility3\framework\layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility3.framework.layers.elf: Exception: Bad magic 0x3020100 at file offset 0x0
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using MacIntelStacker
DEBUG volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64\x00'
DEBUG volatility3.schemas: Validating JSON against schema...
DEBUG volatility3.schemas: JSON validated against schema (result cached)
Level 6 volatility3.framework.automagic.mac: Mac find_aslr returned: 0
Level 7 volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 41284909
DEBUG volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64\x00'
Level 6 volatility3.framework.automagic.mac: Mac find_aslr returned: 1c10000
Level 6 volatility3.framework.automagic.mac: Skipping invalid idlepml4_ptr: 0xffffff80029df9e8
DEBUG volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64\x00'
Level 6 volatility3.framework.automagic.mac: Mac find_aslr returned: 0
Level 7 volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 47028084
DEBUG volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64\x00'
Level 6 volatility3.framework.automagic.mac: Mac find_aslr returned: 0
Level 7 volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 255194413
DEBUG volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64\x00'
Level 6 volatility3.framework.automagic.mac: Mac find_aslr returned: e810000
Level 6 volatility3.framework.automagic.mac: Skipping invalid idlepml4_ptr: 0xffffff800f5df9e8
DEBUG volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64\x00'
Level 6 volatility3.framework.automagic.mac: Mac find_aslr returned: 0
Level 7 volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 260937588
DEBUG volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64\x00'
Level 6 volatility3.framework.automagic.mac: Mac find_aslr returned: 0
Level 7 volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 355857709
DEBUG volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64\x00'
Level 6 volatility3.framework.automagic.mac: Mac find_aslr returned: 14810000
Level 6 volatility3.framework.automagic.mac: Skipping invalid idlepml4_ptr: 0xffffff80155df9e8
DEBUG volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64\x00'
Level 6 volatility3.framework.automagic.mac: Mac find_aslr returned: 0
Level 7 volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 361600884
DEBUG volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64\x00'
Level 6 volatility3.framework.automagic.mac: Mac find_aslr returned: 0
Level 7 volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 427160877
DEBUG volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64\x00'
Level 6 volatility3.framework.automagic.mac: Mac find_aslr returned: 18c10000
Level 6 volatility3.framework.automagic.mac: Skipping invalid idlepml4_ptr: 0xffffff80199df9e8
DEBUG volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; root:xnu-8019.61.5~1/RELEASE_X86_64\x00'
Level 6 volatility3.framework.automagic.mac: Mac find_aslr returned: 0
Level 7 volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 432904052
DEBUG volatility3.framework.automagic.mac: No suitable mac banner could be matched
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: MacSymbolFinder
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Bash.kernel.symbol_table_name
INFO volatility3.framework.automagic: Running automagic: KernelModule
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel
Unsatisfied requirement plugins.Bash.kernel: Kernel module for the OS
Unable to validate the plugin requirements: ['plugins.Bash.kernel']
It seems that there is something wrong with find_aslr, as the result reported "Invalid kalsr_shift found".
I'm really sorry that I'm not permitted to share the memory image that may contain some sensitive data of my company.
Thanks for helping!
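The isfinfo/banners cross-check in the report can be reproduced offline. The following is an added example, not code from the reporter or from the volatility3 project: it pulls the kernel banner out of an ISF json and scans a raw image for Darwin banners, keeping the trailing NUL the log shows volatility caching. The sample json and image bytes are constructed; that dwarf2json stores the banner as the `version` symbol's base64 `constant_data` is my assumption about the ISF layout.

```python
import base64
import json
import re
from typing import Dict, List, Optional

# Constructed sample banner in the shape seen in the report, NUL-terminated
# because that is how the symbol cache stores it ("...X86_64\x00").
SAMPLE_BANNER = (b"Darwin Kernel Version 21.2.0: Sun Nov 28 20:28:54 PST 2021; "
                 b"root:xnu-8019.61.5~1/RELEASE_X86_64\x00")

# Constructed, minimal ISF-style document. Assumption: the kernel version
# string lives in the "version" symbol as base64 constant_data.
SAMPLE_ISF = json.dumps({
    "symbols": {
        "version": {
            "address": 0xFFFFFF8000A12345,  # placeholder, not a real address
            "constant_data": base64.b64encode(SAMPLE_BANNER).decode(),
        }
    }
})

# Constructed raw image: filler with the banner present twice, mimicking a
# dump where banners.Banners reports several physical offsets.
SAMPLE_IMAGE = (b"\x00" * 0x100 + SAMPLE_BANNER + b"\xff" * 0x200
                + SAMPLE_BANNER + b"\x00" * 0x80)

# A Darwin banner is printable text up to its terminating NUL.
BANNER_RE = re.compile(rb"Darwin Kernel Version [^\x00]{1,200}\x00")


def isf_banner(isf_text: str) -> Optional[bytes]:
    """Return the NUL-terminated banner stored in the ISF json, or None."""
    doc = json.loads(isf_text)
    sym = doc.get("symbols", {}).get("version")
    if not sym or "constant_data" not in sym:
        return None
    data = base64.b64decode(sym["constant_data"])
    # Keep the bytes up to and including the first NUL.
    return data.split(b"\x00", 1)[0] + b"\x00"


def scan_banners(image: bytes) -> Dict[int, bytes]:
    """Offset -> banner for every Darwin banner found in the raw image."""
    return {m.start(): m.group(0) for m in BANNER_RE.finditer(image)}


def matching_offsets(isf_text: str, image: bytes) -> List[int]:
    """Offsets whose banner equals the ISF banner byte for byte ([] = no match)."""
    wanted = isf_banner(isf_text)
    if wanted is None:
        return []
    return sorted(off for off, b in scan_banners(image).items() if b == wanted)
```

A banner that matches at every offset but still fails to stack, as in this report, points past the symbol file to the KASLR-shift/idlepml4 validation rather than to a symbol mismatch.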
Hello, I have two questions:
- How is memory being acquired?
- Can you please run pslist and lsmod and report if they produce output?
This issue is stale because it has been open for 200 days with no activity.
This issue was closed because it has been inactive for 60 days since being marked as stale.