Unsatisfied requirement plugins.Lsof.kernel: Linux kernel #583

Closed
ghost opened this issue Oct 21, 2021 · 13 comments

ghost commented Oct 21, 2021

Describe the bug
A clear and concise description of what the bug is.

Context
Volatility Version: Volatility 3 Framework 2.0.0
Operating System: CentOS 8
Linux localhost.localdomain 4.18.0-305.3.1.el8.x86_64 #1 SMP Tue Jun 1 16:14:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Python Version:
Python 3.6.8 (default, Mar 19 2021, 05:13:41)
[GCC 8.4.1 20200928 (Red Hat 8.4.1-1)] on linux
Suspected Operating System: CentOS 8
Linux localhost.localdomain 4.18.0-305.3.1.el8.x86_64 #1 SMP Tue Jun 1 16:14:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Command:
python3 vol.py -vvvvvvvv -f CentOS8.vmem linux.lsof.Lsof

To Reproduce
Steps to reproduce the behavior:

  1. Use command 'python3 vol.py -vvvvvvvv -f CentOS8.vmem linux.lsof.Lsof '
  2. See error
    Unsatisfied requirement plugins.Lsof.kernel: Linux kernel
    Unable to validate the plugin requirements: ['plugins.Lsof.kernel']

Expected behavior
A clear and concise description of what you expected to happen.
According to the requirements of the symbol table.

Screenshots
    [root@localhost volatility3]# python3 vol.py -vvvvvvvv -f CentOS8.vmem linux.lsof.Lsof
    Volatility 3 Framework 2.0.0
    INFO volatility3.cli: Volatility plugins path: ['/home/find/Downloads/dwarf2json-master/volatility3/volatility3/plugins', '/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins']
    INFO volatility3.cli: Volatility symbols path: ['/home/find/Downloads/dwarf2json-master/volatility3/volatility3/symbols', '/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/symbols']
    Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/plugins, /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins
    INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
    DEBUG volatility3.framework: No module named 'yara'
    DEBUG volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/yarascan.py
    DEBUG volatility3.framework: No module named 'Crypto'
    DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/cachedump.py
    INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
    DEBUG volatility3.framework: No module named 'yara'
    DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.callbacks based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/callbacks.py
    DEBUG volatility3.framework: No module named 'Crypto'
    DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/hashdump.py
    DEBUG volatility3.framework: No module named 'Crypto'
    DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/lsadump.py
    INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
    DEBUG volatility3.framework: No module named 'yara'
    DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/svcscan.py
    INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
    DEBUG volatility3.framework: No module named 'yara'
    DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/vadyarascan.py
    INFO volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.callbacks, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
    Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/automagic
    Level 7 volatility3.cli: Cache directory used: /root/.cache/volatility3
    INFO volatility3.framework.automagic: Detected a linux category plugin
    Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
    INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
    Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
    Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel
    Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
    Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel
    Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
    Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel
    Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
    Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name
    Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
    Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel.layer_name
    Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name
    Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel
    Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
    Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name
    Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
    Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel.symbol_table_name
    Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name
    Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel
    Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel
    Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof
    Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
    Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
    Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
    Level 6 volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
    INFO volatility3.framework.automagic: Running automagic: LinuxBannerCache
    Level 6 volatility3.framework.symbols.intermed: Searching for symbols in /home/find/Downloads/dwarf2json-master/volatility3/volatility3/symbols, /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/symbols
    INFO volatility3.framework.automagic.symbol_cache: Building linux caches...
    Level 7 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, LeechCoreHandler
    INFO volatility3.framework.automagic: Running automagic: LayerStacker
    Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
    Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel
    Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
    Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
    Level 6 volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0
    Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
    Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
    Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
    Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
    Level 6 volatility3.framework.layers.vmware: Metadata found: VMSS (False) or VMSN (False)
    Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
    DEBUG volatility3.framework.automagic.linux: No suitable linux banner could be matched
    Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name
    Level 9 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
    DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
    INFO volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
    Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name
    INFO volatility3.framework.automagic: Running automagic: KernelModule
    Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel
    Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name
    Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel

Unsatisfied requirement plugins.Lsof.kernel: Linux kernel
Unable to validate the plugin requirements: ['plugins.Lsof.kernel']

Additional information
Add any other information about the problem here.

ikelos (Member) commented Oct 21, 2021

Hi, did you create the appropriate symbol file for the version of CentOS 8 you're trying to analyse? Volatility 3 doesn't yet have a library of Linux symbol tables, so without creating that you won't be able to work with the memory image. There's a tool for creating them from a debug kernel using the tool dwarf2json. Please see this documentation for more information. You can see which symbol tables Volatility 3 can see using the isfinfo plugins, and you can check what banners are present in the image using the banners plugin...
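
The check suggested in the comment above (compare the banners present in the image with the banners of the available symbol tables), as an added example that is not part of the original thread and is not Volatility's own code. It assumes the ISF file produced by dwarf2json stores the kernel banner base64-encoded under `symbols.linux_banner.constant_data`; the regular expression, function names and sample data are constructed for illustration.

```python
import base64
import json
import lzma
import re

# Rough pattern for a kernel banner: "Linux version X.Y.Z ...", NUL-terminated.
BANNER_RE = re.compile(rb"Linux version \d+\.\d+\.\d+[^\x00]{1,400}\x00")
XZ_MAGIC = b"\xfd7zXZ\x00"


def banners_in_image(data):
    """Return {file offset: banner bytes} for banner-like strings in a raw image."""
    return {m.start(): m.group(0) for m in BANNER_RE.finditer(data)}


def banner_from_isf(raw):
    """Pull the kernel banner out of an ISF file (plain JSON or .xz)."""
    if raw.startswith(XZ_MAGIC):
        raw = lzma.decompress(raw)
    isf = json.loads(raw)
    try:
        # Assumed ISF layout (see lead-in); not taken from the issue itself.
        encoded = isf["symbols"]["linux_banner"]["constant_data"]
    except (KeyError, TypeError):
        raise ValueError("no symbols.linux_banner.constant_data in ISF")
    return base64.b64decode(encoded)


def _norm(banner):
    """Ignore differences in the trailing newline / NUL terminator."""
    return banner.rstrip(b"\n\x00")


def match_symbols(image, isf_files):
    """Map each ISF name to (status, detail).

    status is "match" or "no-match" with a list of image offsets, or
    "unusable" with the reason the file could not be read.
    """
    found = banners_in_image(image)
    report = {}
    for name, raw in isf_files.items():
        try:
            wanted = _norm(banner_from_isf(raw))
        except (ValueError, lzma.LZMAError) as exc:
            report[name] = ("unusable", str(exc))
            continue
        offsets = sorted(off for off, seen in found.items()
                         if _norm(seen) == wanted)
        report[name] = ("match" if offsets else "no-match", offsets)
    return report


# Constructed sample data: PAGE_BANNER is the banner quoted in this issue's
# log; the "image" is just padding around it and the ISF files are minimal
# stand-ins, not real dwarf2json output.
PAGE_BANNER = (b"Linux version 4.18.0-305.3.1.el8.x86_64 "
               b"(mockbuild@kbuilder.bsys.centos.org) "
               b"(gcc version 8.4.1 20200928 (Red Hat 8.4.1-1) (GCC)) "
               b"#1 SMP Tue Jun 1 16:14:33 UTC 2021\n\x00")
OTHER_BANNER = b"Linux version 4.18.0-0.example.x86_64 (constructed) #1 SMP\n\x00"


def _isf(banner):
    """Build a minimal ISF-shaped JSON document holding only the banner."""
    doc = {"symbols": {"linux_banner": {
        "constant_data": base64.b64encode(banner).decode()}}}
    return json.dumps(doc).encode()


SAMPLE_IMAGE = b"\x00" * 64 + PAGE_BANNER + b"\x00" * 32
SAMPLE_ISFS = {
    "matching.json.xz": lzma.compress(_isf(PAGE_BANNER)),
    "other-kernel.json": _isf(OTHER_BANNER),
    "broken.json": b'{"symbols": {}}',
}

if __name__ == "__main__":
    for name, (status, detail) in match_symbols(SAMPLE_IMAGE, SAMPLE_ISFS).items():
        print(f"{name}: {status} {detail}")
```

A "no-match" for every symbol file corresponds to the `No suitable linux banner could be matched` line in the first log: the symbol table has to be built from the debug kernel of exactly the build named in the image's banner.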

ghost (Author) commented Oct 25, 2021

Yes, thank you. I created the appropriate symbol file for the version of CentOS 8. But there are new problems.
[root@localhost volatility3]# python3 vol.py -vvvvvv -f CentOS8.vmem linux.pslist.PsList
Volatility 3 Framework 2.0.0
INFO volatility3.cli: Volatility plugins path: ['/home/find/Downloads/dwarf2json-master/volatility3/volatility3/plugins', '/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/home/find/Downloads/dwarf2json-master/volatility3/volatility3/symbols', '/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/symbols']
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/plugins, /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins
INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/yarascan.py
DEBUG volatility3.framework: No module named 'Crypto'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/cachedump.py
INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.callbacks based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/callbacks.py
DEBUG volatility3.framework: No module named 'Crypto'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/hashdump.py
DEBUG volatility3.framework: No module named 'Crypto'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/lsadump.py
INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/svcscan.py
INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/vadyarascan.py
INFO volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.callbacks, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/automagic
Level 7 volatility3.cli: Cache directory used: /root/.cache/volatility3
INFO volatility3.framework.automagic: Detected a linux category plugin
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 6 volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
INFO volatility3.framework.automagic: Running automagic: LinuxBannerCache
Level 6 volatility3.framework.symbols.intermed: Searching for symbols in /home/find/Downloads/dwarf2json-master/volatility3/volatility3/symbols, /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/symbols
INFO volatility3.framework.automagic.symbol_cache: Building linux caches...
Level 7 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, LeechCoreHandler
INFO volatility3.framework.automagic: Running automagic: LayerStacker
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 6 volatility3.framework.layers.vmware: Metadata found: VMSS (False) or VMSN (False)
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG volatility3.framework.automagic.linux: Identified banner: b'Linux version 4.18.0-305.3.1.el8.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 8.4.1 20200928 (Red Hat 8.4.1-1) (GCC)) #1 SMP Tue Jun 1 16:14:33 UTC 2021\n\x00'
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!dma_coherent_mem
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!netns_ipvs
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!ring_buffer
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!s_pstats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_dev_rcv_lists
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!s_stats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_route
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sctp_mib
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!ebt_table
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!garp_port
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!wireless_dev
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mrp_port
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!switchdev_ops
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sfp_bus
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!tipc_bearer
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_vstats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_dev
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!udp_tunnel_nic
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!phylink
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!reset_control
DEBUG volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical 1b400000 virtual 35c00000
DEBUG volatility3.framework.automagic.linux: DTB was found at: 0x1da10000
Level 8 volatility3.framework.automagic.stacker: Stacked IntelLayer using LinuxIntelStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 4.18.0-305.3.1.el8.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 8.4.1 20200928 (Red Hat 8.4.1-1) (GCC)) #1 SMP Tue Jun 1 16:14:33 UTC 2021\n\x00'
DEBUG volatility3.framework.automagic.symbol_finder: Using symbol library: jar:file:/home/find/Downloads/dwarf2json-master/volatility3/volatility3/symbols/linux.zip!linux/CentOS8.4.18.0-305.3.1.el8.x86_64.json.xz
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
INFO volatility3.framework.automagic: Running automagic: KernelModule
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel

PID PPID COMM
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dma_coherent_mem
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!netns_ipvs
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ring_buffer
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!s_pstats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_dev_rcv_lists
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!s_stats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_route
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sctp_mib
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ebt_table
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!garp_port
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!wireless_dev
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mrp_port
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!switchdev_ops
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp_bus
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!tipc_bearer
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_vstats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_dev
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!udp_tunnel_nic
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!phylink
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!reset_control

DEBUG volatility3.cli: Traceback (most recent call last):
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/cli/__init__.py", line 333, in run
renderers[args.renderer]().render(constructed.run())
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/cli/text_renderer.py", line 178, in render
grid.populate(visitor, outfd)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/renderers/__init__.py", line 211, in populate
for (level, item) in self._generator:
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/linux/pslist.py", line 55, in _generator
pid = task.pid
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/objects/__init__.py", line 760, in __getattr__
member = template(context = self._context, object_info = object_info)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/objects/templates.py", line 72, in __call__
return self.vol.object_class(context = context, object_info = object_info, **arguments)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/objects/__init__.py", line 121, in __new__
value = cls._unmarshall(context, data_format, object_info)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/objects/__init__.py", line 143, in _unmarshall
data = context.layers.read(object_info.layer_name, object_info.offset, data_format.length)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/interfaces/layers.py", line 553, in read
return self[layer].read(offset, length, pad)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/linear.py", line 37, in read
for (offset, _, mapped_offset, mapped_length, layer) in self.mapping(offset, length, ignore_errors = pad):
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/intel.py", line 200, in mapping
for offset, size, mapped_offset, mapped_size, map_layer in self._mapping(offset, length, ignore_errors):
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/intel.py", line 244, in _mapping
chunk_offset, page_size, layer_name = self._translate(offset)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/intel.py", line 105, in _translate
entry, position = self._translate_entry(offset)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/intel.py", line 149, in _translate_entry
table = self._get_valid_table(base_address)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/intel.py", line 170, in _get_valid_table
table = self._context.layers.read(self._base_layer, base_address, self.page_size)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/interfaces/layers.py", line 553, in read
return self[layer].read(offset, length, pad)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/physical.py", line 144, in read
"Offset outside of the buffer boundaries")
volatility3.framework.exceptions.InvalidAddressException: Offset outside of the buffer boundaries

Volatility was unable to read a requested page:
0x13b3bf000 in layer memory_layer (Offset outside of the buffer boundaries)

* The base memory file being incomplete (try re-acquiring if possible)
* Memory smear during acquisition (try re-acquiring if possible)
* An intentionally invalid page lookup (operating system protection)
* A bug in the plugin/volatility3 (re-run with -vvv and file a bug)

No further results will be produced

Author

ghost commented Oct 25, 2021

I think "symbol file" is still incorrect. But I don't know what went wrong.
system-map
vmlinux
kernel-info

Author

ghost commented Oct 25, 2021

banner
isinfo

Member

ikelos commented Oct 25, 2021

Thanks, it looks like the symbols are present now and it's detecting the right version of linux and using that JSON file, but the intel memory map seems to be pointing to somewhere outside of the bounds of the physical memory image. Unfortunately this suggests either:

  • an issue with the memory image itself, which is unusual but can happen
  • that the JSON file has symbols which point to the wrong locations and so is throwing off volatility's ability to determine where certain structures are in memory
  • that it's misdetected the location of the kernel and/or one of the ASLR shifts required to make them all match up.

Unfortunately, it's not clear how to figure out which of those issues is the problem. Might be one for @atcuno to help diagnose?

Volatility was unable to read a requested page:
0x13b3bf000 in layer memory_layer (Offset outside of the buffer boundaries)

Author

ghost commented Oct 26, 2021

I used the same method for centos7 and found the following error

Level 8 volatility3.framework.automagic.symbol_cache: Caching file jar:file:/root/dwarf2json/volatility3/volatility3/symbols/linux.zip!linux/centos7.3.10.json.xz failed due to JSON error
Level 8 volatility3.framework.automagic.symbol_cache: Caching file jar:file:/root/dwarf2json/volatility3/volatility3/symbols/linux.zip!linux/centos7-3.10.json.xz failed due to JSON error
INFO volatility3.framework.automagic: Running automagic: LayerStacker
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility3.framework.layers.elf: Exception: Bad magic 0x4c694d45 at file offset 0x0

Member

ikelos commented Oct 27, 2021

Thanks, would you be able to attach either of centos7.3.10.json.xz or centos7-3.10.json.xz so we can take a look at what's going on? That looks like a separate issue, rather than something related to this one...

Author

ghost commented Oct 27, 2021

I found that I didn't have enough memory, so I didn't complete "Symbols". But there are still problems with centos7.
(base) [root@localhost volatility3]# python vol.py -vvvvvv -f CentOS7-1160.vmem linux.pslist.PsList
Volatility 3 Framework 2.0.0
INFO volatility3.cli: Volatility plugins path: ['/root/dwarf2json/volatility3/volatility3/plugins', '/root/dwarf2json/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/root/dwarf2json/volatility3/volatility3/symbols', '/root/dwarf2json/volatility3/volatility3/framework/symbols']
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/plugins, /root/dwarf2json/volatility3/volatility3/framework/plugins
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/automagic
Level 7 volatility3.cli: Cache directory used: /root/.cache/volatility3
INFO volatility3.framework.automagic: Detected a linux category plugin
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 6 volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
INFO volatility3.framework.automagic: Running automagic: LinuxBannerCache
Level 6 volatility3.framework.symbols.intermed: Searching for symbols in /root/dwarf2json/volatility3/volatility3/symbols, /root/dwarf2json/volatility3/volatility3/framework/symbols
INFO volatility3.framework.automagic.symbol_cache: Building linux caches...
Level 7 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, LeechCoreHandler
INFO volatility3.framework.automagic: Running automagic: LayerStacker
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 6 volatility3.framework.layers.vmware: Metadata found: VMSS (False) or VMSN (False)
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG volatility3.framework.automagic.linux: Identified banner: b'Linux version 3.10.0-1160.31.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP Thu Jun 10 13:32:12 UTC 2021\n\x00'
DEBUG volatility3.schemas: Validating JSON against schema...
DEBUG volatility3.schemas: JSON validated against schema (result cached)
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!slab
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!dma_coherent_mem
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!css_id
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sock_fprog_kern
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!nf_ct_event_notifier
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!nf_exp_event_notifier
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!nft_af_info
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sctp_mib
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!ebt_table
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!dn_dev
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!garp_port
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mrp_port
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_vstats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!forwarding_accel_ops
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!wpan_dev
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sysfs_dirent
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!dn_route
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!ip_vs_sync_buff
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!tcp_states_t
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_tstats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_conn
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cached_keys
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cqm_config
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_internal_bss
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!libipw_device
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!res_counter
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!nfs4_lock_state
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!nlm_lockowner
DEBUG volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical 4777f000 virtual 0
DEBUG volatility3.framework.automagic.linux: DTB was found at: 0x4938f000
Level 8 volatility3.framework.automagic.stacker: Stacked IntelLayer using LinuxIntelStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 3.10.0-1160.31.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP Thu Jun 10 13:32:12 UTC 2021\n\x00'
DEBUG volatility3.framework.automagic.symbol_finder: Using symbol library: jar:file:/root/dwarf2json/volatility3/volatility3/symbols/linux.zip!linux/Centos7.1061.json.xz
INFO volatility3.framework.automagic: Running automagic: KernelModule
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel

PID PPID COMM
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!slab
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dma_coherent_mem
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!css_id
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sock_fprog_kern
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!nf_ct_event_notifier
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!nf_exp_event_notifier
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!nft_af_info
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sctp_mib
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ebt_table
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dn_dev
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!garp_port
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mrp_port
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_vstats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!forwarding_accel_ops
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!wpan_dev
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sysfs_dirent
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dn_route
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ip_vs_sync_buff
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!tcp_states_t
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_tstats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_conn
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cached_keys
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cqm_config
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_internal_bss
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!libipw_device
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!res_counter
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!nfs4_lock_state
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!nlm_lockowner

Symbols.zip

Member

ikelos commented Oct 27, 2021

Well, it's correctly identifying the symbols, so it could be that the ASLR shift is coming out wrong, but again, I think this is into territory best covered by @atcuno at this point...

Contributor

atcuno commented Mar 15, 2022

@ninja2017 can you share the memory samples from this issue? Also, I see that you have a .vmem extension. Is this from a VMware snapshot or suspended state? If so, is the accompanying .vmss file in the directory?

Member

ikelos commented Mar 16, 2022

@atcuno We now log whether a VMSS/VMSN was present; neither was there with this image:

Level 6 volatility3.framework.layers.vmware: Metadata found: VMSS (False) or VMSN (False)
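
A triage sketch for the hypotheses raised in this thread, added here as an example and not part of Volatility or of any participant's post: it extracts the failing page, the DTB, the ASLR shifts and the VMware metadata flags from verbose output and compares the offsets with the image size. The sample log is assembled from lines quoted above (taken from more than one run); the function names and the 4 GiB image size are assumptions.

```python
import os
import re
import sys
from typing import Dict, List, Optional

PAGE_SIZE = 0x1000
ASSUMED_IMAGE_SIZE = 4 * 1024 ** 3  # assumption: the thread never states the .vmem size

# Constructed input: log lines quoted in this thread, gathered into one string.
SAMPLE_LOG = """\
Level 6 volatility3.framework.layers.vmware: Metadata found: VMSS (False) or VMSN (False)
DEBUG volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical 4777f000 virtual 0
DEBUG volatility3.framework.automagic.linux: DTB was found at: 0x4938f000
Volatility was unable to read a requested page:
0x13b3bf000 in layer memory_layer (Offset outside of the buffer boundaries)
"""

VMWARE_RE = re.compile(r"Metadata found: VMSS \((True|False)\) or VMSN \((True|False)\)")
ASLR_RE = re.compile(r"ASLR shift values determined: physical ([0-9a-f]+) virtual ([0-9a-f]+)")
DTB_RE = re.compile(r"DTB was found at: 0x([0-9a-f]+)")
FAULT_RE = re.compile(r"^0x([0-9a-f]+) in layer (\S+) \((.+)\)\s*$", re.M)


def parse_log(text: str) -> Dict[str, Optional[object]]:
    """Extract the values needed for triage; anything not logged stays None."""
    info: Dict[str, Optional[object]] = dict.fromkeys(
        ("vmss", "vmsn", "phys_shift", "virt_shift", "dtb", "fault_offset", "fault_layer"))
    m = VMWARE_RE.search(text)
    if m:
        info["vmss"], info["vmsn"] = m.group(1) == "True", m.group(2) == "True"
    m = ASLR_RE.search(text)
    if m:
        info["phys_shift"], info["virt_shift"] = int(m.group(1), 16), int(m.group(2), 16)
    m = DTB_RE.search(text)
    if m:
        info["dtb"] = int(m.group(1), 16)
    m = FAULT_RE.search(text)
    if m:
        info["fault_offset"], info["fault_layer"] = int(m.group(1), 16), m.group(2)
    return info


def triage(info: Dict[str, Optional[object]], image_size: int) -> List[str]:
    """Return findings as 'CODE: explanation' strings, in a fixed order."""
    findings: List[str] = []
    fault = info["fault_offset"]
    if fault is not None:
        end = fault + PAGE_SIZE
        if end > image_size:
            findings.append("FAULT_BEYOND_IMAGE: page 0x%x ends 0x%x bytes past the "
                            "0x%x-byte image" % (fault, end - image_size, image_size))
        else:
            findings.append("FAULT_INSIDE_IMAGE: page 0x%x lies within the file, so the "
                            "base layer is smaller than the file or mapped differently" % fault)
    dtb = info["dtb"]
    if dtb is not None:
        if dtb + PAGE_SIZE <= image_size:
            # The top-level table was readable; the bad address came from a later entry.
            findings.append("DTB_IN_IMAGE: DTB 0x%x is readable, the failure happened "
                            "further down the page-table walk" % dtb)
        else:
            findings.append("DTB_BEYOND_IMAGE: DTB 0x%x is itself past the end of the "
                            "image, suspect the banner/ASLR scan" % dtb)
    if info["vmss"] is False and info["vmsn"] is False:
        # Without snapshot metadata the .vmem is read as one flat physical address space.
        findings.append("NO_VMWARE_METADATA: no .vmss/.vmsn was loaded; check for the "
                        "snapshot or suspend file next to the .vmem")
    return findings


if __name__ == "__main__":
    # Usage: script.py IMAGE LOGFILE; with no arguments the constructed sample is used.
    if len(sys.argv) == 3:
        size = os.path.getsize(sys.argv[1])
        with open(sys.argv[2], "r", errors="replace") as fh:
            log = fh.read()
    else:
        size, log = ASSUMED_IMAGE_SIZE, SAMPLE_LOG
    for line in triage(parse_log(log), size):
        print(line)
```

A `FAULT_BEYOND_IMAGE` result together with `NO_VMWARE_METADATA` points at the acquisition (incomplete image or missing snapshot file) before the symbol file or the ASLR shift.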

@github-actions

This issue is stale because it has been open for 200 days with no activity.

@github-actions github-actions bot added the stale label Oct 21, 2023

This issue was closed because it has been inactive for 60 days since being marked as stale.
