Invalid kalsr_shift when analyzing mac memory dump #541

Closed
dfeu opened this issue Jul 25, 2021 · 1 comment

dfeu commented Jul 25, 2021

Describe the bug
A clear and concise description of what the bug is.

Context
Volatility Version: Volatility 3 Framework 1.1.1
Operating System: macOS 11.5
Python Version: 3.9.1
Suspected Operating System: macOS 10.15.7
Command: python3 vol.py -f IMAGE mac.lsof

To Reproduce
Steps to reproduce the behavior:

I am trying to analyze a dump of macOS 10.15.7 (Kernel Debug Kit 19H1217), but Apple only provides 19H15, so I changed the banner in the JSON file created by dwarf2json.
The banner plugin provides the correct information, but when I run the above command, I get:

 python3 vol.py -vvvvv -f /Users/dsp/Desktop/catalina_i5_surge.dmp/minis-Mac-mini.lan/20210702122757/memory/data.lime mac.lsof
Volatility 3 Framework 1.1.1
INFO     volatility3.cli: Volatility plugins path: ['/Users/dsp/vol/volatility3/volatility3/plugins', '/Users/dsp/vol/volatility3/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/Users/dsp/vol/volatility3/volatility3/symbols', '/Users/dsp/vol/volatility3/volatility3/framework/symbols']
Level 7  volatility3.cli: Cache directory used: /Users/dsp/.cache/volatility3
INFO     volatility3.framework.automagic: Detected a mac category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.darwin
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.primary
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.primary
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.primary
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.darwin
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.darwin
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.darwin
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof
INFO     volatility3.framework.automagic: Running automagic: MacBannerCache
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.darwin
Level 7  volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Stacked LimeLayer using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using MacIntelStacker
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
DEBUG    volatility3.schemas: Validating JSON against schema...
DEBUG    volatility3.schemas: JSON validated against schema (result cached)
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 554673437
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 554673536
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 556292716
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 556388656
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 745514269
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 745514368
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 747133548
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 747229488
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 938832336
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 950240701
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 950240800
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 956037900
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 1174199020
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 1174459805
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 1174459904
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 1738369152
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 1738369264
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 1738369376
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 1739673600
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 1739673712
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 1739935921
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 1739936075
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 1739936219
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 1739936363
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 1739936507
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 1758343403
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 1762676799
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 1763496628
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 1816809904
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 2161065593
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 2213363964
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 4900713136
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 5171040689
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 5171040843
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 5171040987
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 5171041131
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 5171041275
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 5324431679
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 5368635883
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 5664205184
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 5664205296
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 5664205408
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 5782987260
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 5824778496
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 5824778608
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 5836411697
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 5836411851
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 5836411995
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 5836412139
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 5836412283
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 5944533940
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 6070583579
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 6882907563
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 6910780464
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 7714692616
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 8490771072
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 8925681375
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 8954707848
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 9664091421
DEBUG    volatility3.framework.automagic.mac: Identified banner: b'Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; root:xnu-6153.141.33~1/RELEASE_X86_64'
Level 7  volatility3.framework.automagic.mac: Invalid kalsr_shift found at offset: 9664091520
DEBUG    volatility3.framework.automagic.mac: No suitable mac banner could be matched
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.primary
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: LimeLayer
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['LimeLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: MacSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.darwin
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.darwin

Unsatisfied requirement plugins.Lsof.primary: Kernel Address Space
Unsatisfied requirement plugins.Lsof.darwin: Mac Kernel

A symbol table requirement was not fulfilled.  Please verify that:
	You have the correct symbol file for the requirement
	The symbol file is under the correct directory or zip file
	The symbol file is named appropriately or contains the correct banner


A translation layer requirement was not fulfilled.  Please verify that:
	A file was provided to create this layer (by -f, --single-location or by config)
	The file exists and is readable
	The necessary symbols are present and identified by volatility3
Unable to validate the plugin requirements: ['plugins.Lsof.primary', 'plugins.Lsof.darwin']

Expected behavior
Correct or more precise output
https://guides.github.com/features/mastering-markdown/

Member

ikelos commented Jul 25, 2021

Sorry, that's entirely my mistake, I forgot whilst we were diagnosing this problem that it was using a different symbol table with a jiggered banner because the official KDK isn't available yet. The location of the banner will change, so the kaslr calculations will be wrong. Marking this as closed, sorry for the spam everyone! 5:S

@ikelos ikelos closed this as completed Jul 25, 2021
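
The failure mode ikelos describes, shown in a simplified model of a banner-anchored KASLR check (an added example, not Volatility's code and not part of the thread): the shift is taken as the distance between where the banner is found in the image and where the symbol table places `version`, so a table from another build produces candidates that never validate. The symbol addresses, the image layout, the page-alignment test and the `version_major`/`version_minor` cross-check are assumptions of this model.

```python
import struct

KERNEL_VIRT_BASE = 0xFFFFFF8000000000  # assumed unslid base of the x86_64 kernel mapping
BANNER = (b"Darwin Kernel Version 19.6.0: Thu May  6 00:48:39 PDT 2021; "
          b"root:xnu-6153.141.33~1/RELEASE_X86_64")

# Constructed symbol addresses; a real symbol table carries the build's own values.
DUMPED_BUILD = {"version": KERNEL_VIRT_BASE + 0x1200,
                "version_major": KERNEL_VIRT_BASE + 0x1400,
                "version_minor": KERNEL_VIRT_BASE + 0x1404}
# Table generated from a different build, with only its banner string edited to match.
BORROWED_BUILD = {"version": KERNEL_VIRT_BASE + 0x1280,
                  "version_major": KERNEL_VIRT_BASE + 0x1500,
                  "version_minor": KERNEL_VIRT_BASE + 0x1504}


def unslid(addr):
    """Physical offset the symbol would have if the kernel were not slid."""
    return addr - KERNEL_VIRT_BASE


def banner_version(banner):
    major, minor = banner.split(b"Version ")[1].split(b".")[:2]
    return int(major), int(minor)


def read_u32(image, offset):
    if 0 <= offset <= len(image) - 4:
        return struct.unpack_from("<I", image, offset)[0]
    return None  # candidate shift points outside the image


def candidates(image, symbols, banner):
    """Yield (banner_offset, shift, valid) for every copy of the banner in the image."""
    major, minor = banner_version(banner)
    pos = image.find(banner)
    while pos != -1:
        shift = pos - unslid(symbols["version"])
        valid = (shift > 0 and shift & 0xFFF == 0  # slide must be page aligned
                 and read_u32(image, unslid(symbols["version_major"]) + shift) == major
                 and read_u32(image, unslid(symbols["version_minor"]) + shift) == minor)
        yield pos, shift, valid
        pos = image.find(banner, pos + 1)


def find_kaslr_shift(image, symbols, banner):
    """First validated shift, or 0 when every banner hit is rejected."""
    return next((s for _, s, ok in candidates(image, symbols, banner) if ok), 0)


def build_image(symbols, shift, banner, size=0x8000):
    """Constructed memory image: kernel data slid by `shift`, plus a stray banner copy."""
    image = bytearray(size)
    major, minor = banner_version(banner)
    for name, data in (("version", banner),
                       ("version_major", struct.pack("<I", major)),
                       ("version_minor", struct.pack("<I", minor))):
        offset = unslid(symbols[name]) + shift
        image[offset:offset + len(data)] = data
    image[0x6123:0x6123 + len(banner)] = banner  # e.g. a copy sitting in a log buffer
    return bytes(image)


IMAGE = build_image(DUMPED_BUILD, 0x3000, BANNER)

if __name__ == "__main__":
    for label, table in (("matching table", DUMPED_BUILD), ("borrowed table", BORROWED_BUILD)):
        for offset, shift, ok in candidates(IMAGE, table, BANNER):
            print(f"{label}: banner at {offset:#x}, shift {shift:#x}, valid={ok}")
        print(f"{label}: kaslr_shift = {find_kaslr_shift(IMAGE, table, BANNER):#x}")
```

With the borrowed table every banner hit is rejected, which corresponds to one "Invalid kalsr_shift" line per banner offset in the log above.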