volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

analysis virtualbox memory dump problem #1030

Open b1gcat opened 8 months ago

b1gcat commented 8 months ago

Hi sir, I dumped VirtualBox Linux memory to do some analysis, but I encountered some problems:

Step 1. In VirtualBox debug mode, I save memory to linux.raw

.pgmphystofile                             Save the physical memory to file.

Step 2. Try vol3

vol -f linux.raw -vvv linux.psaux.PsAux

Volatility 3 Framework 2.5.0
INFO     volatility3.cli: Volatility plugins path: ['/usr/local/Cellar/volatility/2.5.0/libexec/lib/python3.11/site-packages/volatility3/plugins', '/usr/local/Cellar/volatility/2.5.0/libexec/lib/python3.11/site-packages/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/usr/local/Cellar/volatility/2.5.0/libexec/lib/python3.11/site-packages/volatility3/symbols', '/usr/local/Cellar/volatility/2.5.0/libexec/lib/python3.11/site-packages/volatility3/framework/symbols']
INFO     volatility3.framework.automagic: Detected a linux category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
INFO     volatility3.framework.automagic.linux: No Linux banners found - if this is a linux plugin, please check your symbol files location
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name

Unsatisfied requirement plugins.PsAux.kernel.layer_name:
Unsatisfied requirement plugins.PsAux.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
    A file was provided to create this layer (by -f, --single-location or by config)
    The file exists and is readable
    The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
    The associated translation layer requirement was fulfilled
    You have the correct symbol file for the requirement
    The symbol file is under the correct directory or zip file
    The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsAux.kernel.layer_name', 'plugins.PsAux.kernel.symbol_table_name']

As it says, I am missing something (symbols or ...), so where can I generate the symbols?

Thanks. For your information.

eve-mem commented 8 months ago

Hi @b1gcat

You can make your own ISF using dwarf2json, it's explained here: https://volatility3.readthedocs.io/en/latest/symbol-tables.html

However, if it's a common version of Linux (Ubuntu etc.) you might find that @Abyss-W4tcher has already generated one that'll work, here: https://github.com/Abyss-W4tcher/volatility3-symbols

Good luck! For community support you might also like the Slack channel: https://www.volatilityfoundation.org/slack

b1gcat commented 8 months ago

@eve-mem thanks.

I tried dwarf2json on the kernel:

dwarf2json linux --elf linux.elf
Failed linux processing: could not open linux.elf: bad magic number '[83 255 0 240]' in record at byte 0x0

Maybe it's not a debug kernel? Also, there is no System.map. By the way, I have no rights to recompile anything.

I got the banner information to find symbols in https://github.com/Abyss-W4tcher/volatility3-symbols/blob/master/Debian/amd64/6.3.0/0/Debian_6.3.0-0-amd64_6.3.1-1~exp1_amd64.json.xz

Volatility 3 Framework 2.5.0
Progress:  100.00       PDB scanning finished
Offset  Banner

0x32000c0   Linux version 4.9.144 (root@debian) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Wed 
0x38bb1ac   Linux version 4.9.144 (root@debian) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Wed
0x3e5246c8  Linux version 4.9.144 (root@debian) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Wed

Got:

 ✘ b1gcat@b1gcat  sym  vol -f ~/Desktop/linux.elf -vvv -s ~/Downloads/sym/ linux.psaux.PsAux
Volatility 3 Framework 2.5.0
INFO     volatility3.cli: Volatility plugins path: ['/usr/local/Cellar/volatility/2.5.0/libexec/lib/python3.11/site-packages/volatility3/plugins', '/usr/local/Cellar/volatility/2.5.0/libexec/lib/python3.11/site-packages/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/Users/b1gcat/Downloads/sym', '/usr/local/Cellar/volatility/2.5.0/libexec/lib/python3.11/site-packages/volatility3/symbols', '/usr/local/Cellar/volatility/2.5.0/libexec/lib/python3.11/site-packages/volatility3/framework/symbols']
INFO     volatility3.framework.automagic: Detected a linux category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsAux
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
**_DEBUG    volatility3.framework.automagic.linux: No suitable linux banner could be matched_**
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsAux.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsAux.kernel.symbol_table_name

Unsatisfied requirement plugins.PsAux.kernel.layer_name:
Unsatisfied requirement plugins.PsAux.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
    A file was provided to create this layer (by -f, --single-location or by config)
    The file exists and is readable
    The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
    The associated translation layer requirement was fulfilled
    You have the correct symbol file for the requirement
    The symbol file is under the correct directory or zip file
    The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsAux.kernel.layer_name', 'plugins.PsAux.kernel.symbol_table_name']

Is there any suggestion to generate the symbols?

Abyss-W4tcher commented 7 months ago

Hello, I allow myself to answer your question. The symbol you have chosen from the repository isn't the right one; I think you chose it based on the 6.3.0 Debian version in the Linux banner. Instead, you should always check for the Linux version X.Y.Z part plus the specific kernel version at the end of the Linux banner.

You can find the banner easily here, with a CTRL+F: https://github.com/Abyss-W4tcher/volatility3-symbols/blob/master/banners/banners_plain.json

Finally, I suggest that there is a small problem with the banner provided by the Volatility3 banners plugin, as version 4.9.144 doesn't exist in this format; it should instead look like:

Linux version 4.9.0-8-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.144-1 (2018-12-30). If you are curious, more info on the kernel numbering scheme here: https://unix.stackexchange.com/questions/509247/debian-linux-kernel-versioning

If you have access to the VM, try running uname -a and provide us with the output :)

b1gcat commented 7 months ago

Thanks, I got it.

By the way, I cannot log in to the VM, as the kernel has some protections (disk encryption, single mode does not work). I guess it's a custom kernel; I tried the following JSONs, but all of them failed.

Debian_4.9.0-8-amd64_4.9.144-1_amd64.json.xz    Debian_4.9.0-8-amd64_4.9.144-3.1_amd64.json.xz
Debian_4.9.0-8-amd64_4.9.144-2_amd64.json.xz    Debian_4.9.0-8-amd64_4.9.144-3_amd64.json.xz

Well, I am thinking ...

Anyway, thank you very much!

eve-mem commented 7 months ago

If it really is a kernel that's been compiled manually rather than from Debian, and no debugging symbols are available, then getting it to work is a lot more involved, unfortunately.

It's worth double-checking whether the outputs of isfinfo and banners differ, just to rule out other problems, but as @Abyss-W4tcher points out, it looks like the format you're seeing is different to what's expected for Debian.
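Added example (not code from volatility3, dwarf2json or the volatility3-symbols repo) illustrating both Abyss-W4tcher's banner-matching advice and eve-mem's suggestion to compare the isfinfo and banners outputs: it scans a constructed image for Linux banners, derives the Debian symbol file name a banner maps to (file-name convention assumed from the names listed in this thread), and checks whether an ISF's embedded banner equals one found in the image, which is the comparison Volatility makes before it will use a symbol file. A banner without the trailing "Debian <package version>" part, like the 4.9.144 one in the thread, maps to no repo file and needs dwarf2json on a matching debug vmlinux.

```python
import base64
import re

# Constructed sample image: filler bytes around two banners. The first has the
# stock Debian shape Abyss-W4tcher describes; the second is the shape b1gcat's
# banners scan printed (no "Debian <pkg>" suffix), truncated as in the thread.
DEBIAN_BANNER = (
    "Linux version 4.9.0-8-amd64 (debian-kernel@lists.debian.org) "
    "(gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) "
    "#1 SMP Debian 4.9.144-1 (2018-12-30)\n"
)
CUSTOM_BANNER = (
    "Linux version 4.9.144 (root@debian) "
    "(gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Wed"
)
SAMPLE_IMAGE = (b"\x00" * 64 + DEBIAN_BANNER.encode() + b"\x00" * 16
                + CUSTOM_BANNER.encode() + b"\x00" * 16)

BANNER_PREFIX = b"Linux version "
RELEASE_RE = re.compile(r"^Linux version (\S+)")
# "#1 SMP Debian 4.9.144-1 (2018-12-30)" -> package version "4.9.144-1"
DEBIAN_PKG_RE = re.compile(r"#\d+ .*?\bDebian (\S+) \(")

def make_isf(banner: str) -> dict:
    """Constructed ISF fragment with only the field the banner check reads:
    dwarf2json stores the kernel's linux_banner base64-encoded in constant_data."""
    data = base64.b64encode(banner.encode()).decode()
    return {"symbols": {"linux_banner": {"constant_data": data}}}

def scan_banners(data: bytes, max_len: int = 256) -> list:
    """(offset, banner) for every 'Linux version ...' string, read up to the
    first NUL or newline, like the output of the banners plugin."""
    found, start = [], 0
    while (off := data.find(BANNER_PREFIX, start)) != -1:
        end = off
        while end < len(data) and end - off < max_len and data[end] not in (0, 10):
            end += 1
        found.append((off, data[off:end].decode("ascii", "replace")))
        start = end
    return found

def parse_banner(banner: str) -> dict:
    """Split a banner into the uname -r release, the upstream X.Y.Z and, for
    stock Debian kernels, the package version carried in the ISF file name."""
    release = RELEASE_RE.match(banner).group(1)
    pkg = DEBIAN_PKG_RE.search(banner)
    return {"release": release, "upstream": release.split("-")[0],
            "debian_pkg": pkg.group(1) if pkg else None}

def suggest_isf_name(parsed: dict):
    """Debian_<release>_<pkg>_<arch>.json.xz as in the thread's file names
    (assumed convention); None means no stock Debian package, so no repo file."""
    if parsed["debian_pkg"] is None:
        return None
    arch = parsed["release"].split("-")[-1]
    return f"Debian_{parsed['release']}_{parsed['debian_pkg']}_{arch}.json.xz"

def isf_banner(isf: dict) -> str:
    """The banner an ISF carries (what isfinfo reports), trailing NUL/newline stripped."""
    raw = base64.b64decode(isf["symbols"]["linux_banner"]["constant_data"])
    return raw.decode("ascii", "replace").rstrip("\n\x00")

def isf_matches(image: bytes, isf: dict) -> bool:
    """Volatility only uses an ISF whose banner equals one found in the image."""
    wanted = isf_banner(isf)
    return any(b.rstrip("\n\x00") == wanted for _, b in scan_banners(image))
```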

github-actions[bot] commented 1 month ago

This issue is stale because it has been open for 200 days with no activity.