Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to validate the plugin requirements #44

Open
ajmeese7 opened this issue Oct 26, 2022 · 7 comments
Open

Unable to validate the plugin requirements #44

ajmeese7 opened this issue Oct 26, 2022 · 7 comments

Comments

@ajmeese7
Copy link

ajmeese7 commented Oct 26, 2022
edited

Describe the bug

Similar to volatilityfoundation/volatility3#634, I am getting the following error message (with logs for context):

$ python3 vol.py -f /home/aaron/Downloads/HTB/forensics_poof/mem.dmp -vvvv windows.pslist.PsList
Volatility 3 Framework 2.4.0
INFO     volatility3.cli: Volatility plugins path: ['/home/aaron/Documents/CYBER/volatility3/volatility3/plugins', '/home/aaron/Documents/CYBER/volatility3/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/aaron/Documents/CYBER/volatility3/volatility3/symbols', '/home/aaron/Documents/CYBER/volatility3/volatility3/framework/symbols']
INFO     volatility3.framework.automagic: Detected a windows category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 8  volatility3.framework.automagic.stacker: Stacked Elf64Layer using Elf64Stacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: Elf64Layer
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['Elf64Layer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
INFO     volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

Unsatisfied requirement plugins.PsList.kernel.layer_name:
Unsatisfied requirement plugins.PsList.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
The associated translation layer requirement was fulfilled
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsList.kernel.layer_name', 'plugins.PsList.kernel.symbol_table_name']

Context
Volatility Version: Latest
Operating System: ZorinOS 16 Pro
Python Version: 3.9.12
Suspected Operating System: Ubuntu 4.15.0-184
Command: python3 vol.py -f /home/aaron/Downloads/HTB/forensics_poof/mem.dmp -vvvv windows.pslist.PsList

To Reproduce

I tried generating a JSON file with ./dwarf2json linux --system-map ./System.map-4.15.0-184-generic > System.map-4.15.0-184-generic.json and copied System.map-4.15.0-184-generic.json, System.map-4.15.0-184-generic, and module.dwarf to both /volatility3/volatility3/symbols and /volatility3/volatility3/framework/symbols/linux to cover all my bases. Doing so yielded the error message above.

Both of these files had a .txt extension added so they could be uploaded to GitHub, on my system they do not have the extension.

System.map-4.15.0-184-generic.txt
module.dwarf.txt

Expected behavior

I expect the symbols to be detected and to allow me to perform an analysis of the memory dump.

Additional information

I know the mem.dmp file is formatted correctly and I know the System Map and Dwarf files are good, they were all provided by Hack The Box and others have been able to solve this challenge. I'm not sure if there is some incompatibility with Zorin or if I'm just making some silly mistake, but any support that you could provide would be greatly appreciated :)
@digitalisx
Copy link
Contributor

Hello, @ajmeese7
In this situation, it seems necessary to try another command again.
Memory dumps appear to have been dumped on Linux, but attempting to query the Windows process list.
Could you try linux.pslist command?

@ajmeese7
Copy link
Author

ajmeese7 commented Oct 26, 2022
edited

Same issue with the linux command, unfortunately. If it helps, this is the JSON file that was generated with dwarf2json:

System.map-4.15.0-184-generic.json

@ikelos
Copy link
Member

ikelos commented Oct 26, 2022

Hiya, would it be possible to get the output with -vvvv now that you're trying a linux plugin please? It will help us diagnose whether the automagic is finding the linux banner or not.

@ikelos
Copy link
Member

ikelos commented Oct 26, 2022

Please also note that just the System.map is usually not enough to create the structures for the kernel (which volatility needs to know to understand how everything's laid out). It looks as though you only used the system map, without also providing the debug kernel, so volatility could find the actual symbol structures, not just their offsets. There is more detailed documentation over on the dwarf2json site...

@ajmeese7
Copy link
Author

Linux command logs:

$ python3 vol.py -f /home/aaron/Downloads/HTB/forensics_poof/mem.dmp -vvvv linux.pslist.PsList  
Volatility 3 Framework 2.4.0
INFO     volatility3.cli: Volatility plugins path: ['/home/aaron/Documents/CYBER/volatility3/volatility3/plugins', '/home/aaron/Documents/CYBER/volatility3/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/aaron/Documents/CYBER/volatility3/volatility3/symbols', '/home/aaron/Documents/CYBER/volatility3/volatility3/framework/symbols']
INFO     volatility3.framework.automagic: Detected a linux category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 8  volatility3.framework.automagic.stacker: Stacked Elf64Layer using Elf64Stacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
INFO     volatility3.framework.automagic.linux: No Linux banners found - if this is a linux plugin, please check your symbol files location
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture:Elf64Layer
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture:FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['Elf64Layer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

Unsatisfied requirement plugins.PsList.kernel.layer_name:
Unsatisfied requirement plugins.PsList.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
The associated translation layer requirement was fulfilled
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsList.kernel.layer_name', 'plugins.PsList.kernel.symbol_table_name']

The dwarf2json documentation is unclear on what to do, I have the module.dwarf file and the System.map-4.15.0-184-generic file but there is no guidance on how to actually use a .dwarf file.

@ikelos ikelos transferred this issue from volatilityfoundation/volatility3 Nov 13, 2022
@ikelos
Copy link
Member

ikelos commented Nov 13, 2022

I've moved this to the dwarf2json project, because it doesn't seem to be a voliatlity issue. If the module.dwarf file is an ELF (as reported by file module.dwarf) then you should just be able to pass it in as dwarf2json linux --elf module.dwarf --system-map System.map-4.15.0-184-generic. If it's not an ELF file, then you'll likely have to convert it, and the people here should know the commands for doing so (and can correct me if I'd gotten something wrong) 5;)

@ilch1
Copy link
Collaborator

ilch1 commented Nov 16, 2022

Creating an ISF using a module.ko is currently prototyped in linux-module-method branch. That branch has documentation for how to do so.

It looks like the module.dwarf.txt that was uploaded in this issue is an ASCII file (not ELF):

$ file module.dwarf.txt
module.dwarf.txt: ASCII text, with very long lines (978)

That will not work with dwarf2json.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ikelos @ilch1 @digitalisx @ajmeese7