Open ajmeese7 opened 2 years ago
Hello, @ajmeese7
In this situation, it seems necessary to try another command. The memory dump appears to have been taken on Linux, but you are attempting to query the Windows process list. Could you try the linux.pslist command?
Same issue with the linux command, unfortunately. If it helps, this is the JSON file that was generated with dwarf2json:
Hiya, would it be possible to get the output with -vvvv now that you're trying a linux plugin please? It will help us diagnose whether the automagic is finding the linux banner or not.
Please also note that just the System.map is usually not enough to create the structures for the kernel (which volatility needs to know to understand how everything's laid out). It looks as though you only used the system map, without also providing the debug kernel, so volatility could find the actual symbol structures, not just their offsets. There is more detailed documentation over on the dwarf2json site...
Linux command logs:
$ python3 vol.py -f /home/aaron/Downloads/HTB/forensics_poof/mem.dmp -vvvv linux.pslist.PsList
Volatility 3 Framework 2.4.0
INFO volatility3.cli: Volatility plugins path: ['/home/aaron/Documents/CYBER/volatility3/volatility3/plugins', '/home/aaron/Documents/CYBER/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/home/aaron/Documents/CYBER/volatility3/volatility3/symbols', '/home/aaron/Documents/CYBER/volatility3/volatility3/framework/symbols']
INFO volatility3.framework.automagic: Detected a linux category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO volatility3.framework.automagic: Running automagic: LayerStacker
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 8 volatility3.framework.automagic.stacker: Stacked Elf64Layer using Elf64Stacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
INFO volatility3.framework.automagic.linux: No Linux banners found - if this is a linux plugin, please check your symbol files location
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture:Elf64Layer
Level 9 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture:FileLayer
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['Elf64Layer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
INFO volatility3.framework.automagic: Running automagic: KernelModule
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Unsatisfied requirement plugins.PsList.kernel.layer_name:
Unsatisfied requirement plugins.PsList.kernel.symbol_table_name:
A translation layer requirement was not fulfilled. Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The file is a valid memory image and was acquired cleanly
A symbol table requirement was not fulfilled. Please verify that:
The associated translation layer requirement was fulfilled
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.PsList.kernel.layer_name', 'plugins.PsList.kernel.symbol_table_name']
The dwarf2json documentation is unclear on what to do, I have the module.dwarf file and the System.map-4.15.0-184-generic file but there is no guidance on how to actually use a .dwarf file.
I've moved this to the dwarf2json project, because it doesn't seem to be a volatility issue. If the module.dwarf file is an ELF (as reported by file module.dwarf) then you should just be able to pass it in as dwarf2json linux --elf module.dwarf --system-map System.map-4.15.0-184-generic. If it's not an ELF file, then you'll likely have to convert it, and the people here should know the commands for doing so (and can correct me if I've gotten something wrong) ;)
Creating an ISF using a module.ko is currently prototyped in linux-module-method branch. That branch has documentation for how to do so.
It looks like the module.dwarf.txt that was uploaded in this issue is an ASCII file (not ELF):
$ file module.dwarf.txt
module.dwarf.txt: ASCII text, with very long lines (978)
That will not work with dwarf2json.
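An added example (not code from the volatility3 or dwarf2json projects) that automates the two checks raised in this thread: whether the file handed to dwarf2json --elf is actually an ELF, and whether the generated ISF carries the kernel banner that Volatility's LinuxIntelStacker tries to match against the image (the "No Linux banners found" line in the log above is what you get when no loaded ISF has one). It assumes the ISF layout dwarf2json emits, with the banner base64-encoded under symbols.linux_banner.constant_data, and it runs against constructed sample files (a fake mem.dmp and hand-made ISF fragments, not the HTB files).

```python
"""Pre-flight checks before running a Volatility 3 Linux plugin.

Added example, not code from volatility3 or dwarf2json.
Assumption: an ISF stores the kernel banner base64-encoded under
symbols.linux_banner.constant_data, and the memory image contains the
same "Linux version ..." string somewhere in physical memory.
"""
import base64
import json
import os
import re
import sys
import tempfile

ELF_MAGIC = b"\x7fELF"
BANNER_RE = re.compile(rb"Linux version \d+\.\d+\.\d+[^\x00\n]*")


def is_elf(path):
    """True if the file starts with the ELF magic (what `file` reports as ELF).
    dwarf2json --elf needs a real ELF; an ASCII dump of DWARF info will not do."""
    with open(path, "rb") as f:
        return f.read(4) == ELF_MAGIC


def isf_banner(isf_path):
    """Return the banner embedded in an ISF, or None if it carries none.
    An ISF built from System.map alone has addresses but no constant_data,
    so Volatility's banner cache has nothing to match against the image."""
    with open(isf_path, "r", encoding="utf-8") as f:
        isf = json.load(f)
    sym = isf.get("symbols", {}).get("linux_banner")
    if not sym or "constant_data" not in sym:
        return None
    return base64.b64decode(sym["constant_data"]).rstrip(b"\x00")


def image_banners(image_path, chunk_size=16 * 1024 * 1024, overlap=512):
    """Scan a raw/ELF memory image for 'Linux version ...' strings in chunks."""
    found = set()
    tail = b""
    with open(image_path, "rb") as f:
        while True:
            data = f.read(chunk_size)
            buf = tail + data
            last = not data
            for m in BANNER_RE.finditer(buf):
                # A match touching the buffer end may be cut off; the overlap
                # carries it into the next pass, so only accept it there.
                if last or m.end() < len(buf):
                    found.add(m.group(0))
            if last:
                return found
            tail = buf[-overlap:]


def isf_matches_image(isf_path, image_path):
    """Return (ok, reason): does the ISF's banner occur in the image?"""
    banner = isf_banner(isf_path)
    if banner is None:
        return False, "ISF has no linux_banner constant_data (System.map only?)"
    banners = image_banners(image_path)
    if not banners:
        return False, "no 'Linux version' string found in the image"
    if banner in banners:
        return True, banner.decode(errors="replace")
    return False, "banner mismatch, image has %r" % sorted(banners)


def build_demo():
    """Constructed sample files (fake banner, fake image, hand-made ISFs)."""
    d = tempfile.mkdtemp()
    banner = b"Linux version 4.15.0-184-generic (builder@example) (gcc 7.5.0) #1 SMP"
    p = {k: os.path.join(d, n) for k, n in {
        "image": "mem.dmp", "good_isf": "full.json", "bad_isf": "sysmap-only.json",
        "elf": "module.dwarf", "ascii": "module.dwarf.txt"}.items()}
    with open(p["image"], "wb") as f:
        f.write(b"\x00" * 4096 + banner + b"\x00" + b"\x00" * 4096)
    with open(p["good_isf"], "w") as f:   # what dwarf2json --elf --system-map yields
        json.dump({"symbols": {"linux_banner": {"address": 0xffffffff81e00000,
                   "constant_data": base64.b64encode(banner + b"\x00").decode()}}}, f)
    with open(p["bad_isf"], "w") as f:    # what --system-map alone yields
        json.dump({"symbols": {"linux_banner": {"address": 0xffffffff81e00000}}}, f)
    with open(p["elf"], "wb") as f:
        f.write(ELF_MAGIC + b"\x00" * 60)
    with open(p["ascii"], "w") as f:
        f.write("<0><b>: Abbrev Number: 1 (DW_TAG_compile_unit)\n")
    return p


if __name__ == "__main__":
    # usage: python3 check.py module.dwarf symbols.json mem.dmp
    dwarf, isf, image = sys.argv[1:4]
    print("ELF:", is_elf(dwarf))
    print("banner match:", isf_matches_image(isf, image))
```

Run it with the debug kernel, the ISF you generated and the image; if the ELF check fails, convert or obtain a real vmlinux before calling dwarf2json, and if the banner check reports no constant_data, the ISF was built from System.map alone and Volatility will never find a Linux banner for it.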
Describe the bug
Similar to volatilityfoundation/volatility3#634, I am getting the following error message (with logs for context):
Context
Volatility Version: Latest
Operating System: ZorinOS 16 Pro
Python Version: 3.9.12
Suspected Operating System: Ubuntu 4.15.0-184
Command:
python3 vol.py -f /home/aaron/Downloads/HTB/forensics_poof/mem.dmp -vvvv windows.pslist.PsList
To Reproduce
I tried generating a JSON file with
./dwarf2json linux --system-map ./System.map-4.15.0-184-generic > System.map-4.15.0-184-generic.json
and copied System.map-4.15.0-184-generic.json, System.map-4.15.0-184-generic, and module.dwarf to both /volatility3/volatility3/symbols and /volatility3/volatility3/framework/symbols/linux to cover all my bases. Doing so yielded the error message above. Both of these files had a .txt extension added so they could be uploaded to GitHub, on my system they do not have the extension.
System.map-4.15.0-184-generic.txt module.dwarf.txt
Expected behavior
I expect the symbols to be detected and to allow me to perform an analysis of the memory dump.
Additional information
I know the mem.dmp file is formatted correctly and I know the System Map and Dwarf files are good, they were all provided by Hack The Box and others have been able to solve this challenge. I'm not sure if there is some incompatibility with Zorin or if I'm just making some silly mistake, but any support that you could provide would be greatly appreciated :)