PYPANDA: UnsatisfiedException with Volatility 3

[windhl]

Hi, everyone, After I solve lots of dependencies and when I try capture_library.py in example directory, I get the ERROR traceback ( I install volatility3, is it too new?)

File "/usr/local/lib/python3.6/dist-packages/panda/callback_mixins.py", line 47, in _run_and_catch r = fun(*args, **kwargs) File "../capture_library.py", line 120, in bbe information = location(cr3,eip) File "../capture_library.py", line 101, in location vmlinux = panda.get_volatility_symbols() File "/usr/local/lib/python3.6/dist-packages/panda/volatility_mixins.py", line 92, in get_volatility_symbols constructed_original = CommandLineMoreEfficient().run() File "/usr/local/lib/python3.6/dist-packages/panda/volatility_cli_classes.py", line 119, in run ctx, automagics, plugin, base_config_path, MuteProgress(), self) File "/usr/local/lib/python3.6/dist-packages/volatility-1.1.0b1-py3.6.egg/volatility/framework/plugins/init.py", line 49, in construct_plugin raise exceptions.UnsatisfiedException(unsatisfied) volatility.framework.exceptions.UnsatisfiedException

Thanks for help!

[windhl]

In ../panda/python/core/panda/volatility_cli_classes.py, there is the version require: volatility.framework.require_interface_version(1, 0, 0) And I find the version installed on my pc is 1.1.0b1, the version is too new ?

[windhl]

Here is the loginfo:

INFO volatility.framework.automagic: Detected a linux category plugin INFO volatility.framework.automagic: Running automagic: ConstructionMagic INFO volatility.framework.automagic: Running automagic: LinuxBannerCache INFO volatility.framework.automagic.symbol_cache: Building linux caches... INFO volatility.framework.automagic: Running automagic: LayerStacker DEBUG volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic INFO volatility.framework.automagic.linux: No Linux banners found - if this is a linux plugin, please check your symbol files location INFO volatility.framework.automagic.mac: No Mac banners found - if this is a mac plugin, please check your symbol files location DEBUG volatility.framework.automagic.stacker: Stacked layers: ['FileLayer'] INFO volatility.framework.automagic: Running automagic: LinuxSymbolFinder

[lacraig2]

Hi @windhl!

Volatility 3 isn't officially supported here because volatility 3 has not officially been released.

I worked on this a few months ago so it's quite possible that the new version is incompatible once again. This is just because things change a lot in pre-released software.

Having said that your error actually isn't in the PANDA side, but on the volatility3 side! You don't have linux symbols.

You need to generate a symbol configuration for your system. You should use the dwarf2json project. The trouble with this is getting a debug kernel to pull symbols out of. https://github.com/volatilityfoundation/volatility3#symbol-tables

Alternatively, you can grab one of the couple thousand that I generated for ubuntu if that matches your machine. https://panda-re.mit.edu/volatility3_profiles/

[windhl]

Thank you for your answer! @lacraig2 I understand the reason and I will try it later when the website (https://panda-re.mit.edu/volatility3_profiles/) you prodived is alive again, now it is blocked by some reasons. : (

Maybe I will try by myself to get the symbol with dwarf2json. Thanks again! 👍

[lacraig2]

@windhl Sorry about that. Seems to be some sort of networking mishap we (MIT) have been dealing with.

The profiles on there are all Ubuntu images for x86 and x86_64 for reasonably recent versions.

I'm happy to answer your questions though the volatility community is pretty great and far more qualified. They have a slack community with a channel to help with questions specifically for volatility 3.

[windhl]

@lacraig2 OK, I get it. Thanks again and let's move on to enjoy these greate works.