volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Custom Linux kernel : Unable to validate the plugin requirements when a custom profile has been created and detected. #1090

Closed nathan-out closed 3 weeks ago

nathan-out commented 10 months ago

Vol3 is not able to use a custom symbol file from a custom Linux kernel when I try to run linux.pstree:

Volatility 3 Framework 2.5.0
Progress:  100.00               Stacking attempts finished
Unsatisfied requirement plugins.PsTree.kernel.layer_name:
Unsatisfied requirement plugins.PsTree.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsTree.kernel.layer_name', 'plugins.PsTree.kernel.symbol_table_name']

Context

Volatility Version: 2.5.0
Operating System: WSL (5.15.133.1-microsoft-standard-WSL2)
Python Version: 3.10
Suspected Operating System: custom Linux kernel v5.0.0 (compiled with debugging symbols)

ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=c3be7ce373992ef38335c490ef2dc362168d0d23, with debug_info, not stripped

Command: python3 volatility3-2.5.0/volatility3-2.5.0/vol.py -f dump.raw linux.pstree

To Reproduce

Steps to reproduce the behavior:

  1. Generate symbol files with ./dwarf2json --elf vmlinux --system-map System.map > output.json
  2. Copy output.json into volatility3/symbols/linux/output.json
  3. Run python3 volatility3-2.5.0/volatility3-2.5.0/vol.py isfinfo
    
    Volatility 3 Framework 2.5.0
    Progress:  100.00               PDB scanning finished
    URI     Valid   Number of base_types    Number of types Number of symbols       Number of enums Identifying information
    file:///mnt/d/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/linux/output.json Unknown 16 5829 83679 863 b'Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024'

  4. Run python3 volatility3-2.5.0/volatility3-2.5.0/vol.py -f dump.raw banners

    Volatility 3 Framework 2.5.0
    Progress:  100.00               PDB scanning finished
    Offset  Banner
    0x1a00080       Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024
    0x222b6c0       Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024

  5. Run python3 volatility3-2.5.0/volatility3-2.5.0/vol.py -f dump.raw linux.pstree, then the error described above appears.

Expected behavior

Volatility will run as expected.

Example output

INFO     volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.mftscan, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
INFO     volatility3.framework.automagic: Detected a linux category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.linux: Identified banner: b'Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024'
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name

Unsatisfied requirement plugins.PsTree.kernel.layer_name:
Unsatisfied requirement plugins.PsTree.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsTree.kernel.layer_name', 'plugins.PsTree.kernel.symbol_table_name']

Here are some extracts from the output.json:

{
  "metadata": {
    "linux": {
      "symbols": [
        {
          "kind": "dwarf",
          "name": "vmlinux",
          "hash_type": "sha256",
          "hash_value": "95957f7c3a0f5e2f5215b1fbf41b24ea4a9ece292584364c8ad18ffdfa10a22a"
        },
        {
          "kind": "symtab",
          "name": "vmlinux",
          "hash_type": "sha256",
          "hash_value": "95957f7c3a0f5e2f5215b1fbf41b24ea4a9ece292584364c8ad18ffdfa10a22a"
        }
      ],
      "types": [
        {
          "kind": "dwarf",
          "name": "vmlinux",
          "hash_type": "sha256",
          "hash_value": "95957f7c3a0f5e2f5215b1fbf41b24ea4a9ece292584364c8ad18ffdfa10a22a"
        }
      ]
    },
    "producer": {
      "name": "dwarf2json",
      "version": "0.7.0"
    },
    "format": "6.2.0"
  },
  ...
  "linux_banner": {
    "type": {
      "count": 0,
      "kind": "array",
      "subtype": {
        "kind": "base",
        "name": "char"
      }
    },
    "address": 18446744071589331072,
    "constant_data": "TGludXggdmVyc2lvbiA1LjAuMCAoYWlnbGVAYWlnbGUpIChnY2MgdmVyc2lvbiA5LjQuMCAoVWJ1bnR1IDkuNC4wLTF1YnVudHUxfjIwLjA0LjEpKSAjMyBGcmkgSmFuIDE5IDE0OjA5OjQ5IENFVCAyMDI0"
  }
  ...
}

eve-mem commented 10 months ago

Hi, it looks like you've done everything correctly that I can see, but vol can't work out the intel layer. When you made that memory sample - what tool did you use?

Is it only pstree that doesn't work? I'd assume pslist etc also don't work?

nathan-out commented 10 months ago

Hi, thanks for your fast response!

The dump is made using the qemu monitor command pmemsave 0 0x20000000 dump.raw.

pslist, bash, pstree and sockstat provide the same error.

Abyss-W4tcher commented 10 months ago

> Hi, thanks for your fast response!
>
> The dump is made using the qemu monitor command pmemsave 0 0x20000000 dump.raw.
>
> pslist, bash, pstree and sockstat provides the same error.

Hello @nathan-out, may I suggest trying the qemu command dump-guest-memory instead?

eve-mem commented 9 months ago

Any luck @nathan-out?

nathan-out commented 9 months ago

Hello, I’m currently very busy. I will continue my investigation next week. Sorry for the delay.

eve-mem commented 9 months ago

No worries at all, just shout if you get any more problems.

nathan-out commented 9 months ago

@Abyss-W4tcher I have both kernel.elf made with dump-guest-memory and kernel.raw with the first command. In both cases, Volatility doesn't work.

Abyss-W4tcher commented 9 months ago

Could you try running with -vvvvvvvvvvv, to see if we get more information?

nathan-out commented 9 months ago

Here is the output, volatility was run on dump.raw file.

Volatility 3 Framework 2.5.0
INFO     volatility3.cli: Volatility plugins path: ['D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\plugins', 'D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\framework\\plugins']
INFO     volatility3.cli: Volatility symbols path: ['D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\symbols', 'D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\framework\\symbols']
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\plugins, D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\plugins
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\automagic
Level 7  volatility3.cli: Cache directory used: C:\Users\sieur\AppData\Roaming\volatility3
INFO     volatility3.framework.automagic: Detected a linux category plugin
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 6  volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\symbols, D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols
Level 7  volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/ADC00FA5FC34456BA16E268745724099-1.json.xz as b'ntkrnlmp.pdb|ADC00FA5FC34456BA16E268745724099|1'
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.linux: Identified banner: b'Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024'
DEBUG    volatility3.schemas: Validating JSON against schema...
DEBUG    volatility3.schemas: JSON validated against schema (result cached)
Level 7  volatility3.framework.automagic.stacker: Exception during stacking: Symbol type not in LintelStacker1 SymbolTable: inet_sock
Level 6  volatility3.framework.automagic.stacker: Traceback (most recent call last):

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\automagic\stacker.py", line 213, in stack_layer
    new_layer = stacker.stack(context, initial_layer, progress_callback)

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\automagic\linux.py", line 72, in stack
    table = linux.LinuxKernelIntermedSymbols(

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols\linux\__init__.py", line 47, in __init__
    self.set_type_class("inet_sock", extensions.inet_sock)

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols\intermed.py", line 60, in _delegate_function
    return getattr(self._delegate, name)(*args, **kwargs)

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols\intermed.py", line 425, in set_type_class
    raise ValueError(f"Symbol type not in {self.name} SymbolTable: {name}")

ValueError: Symbol type not in LintelStacker1 SymbolTable: inet_sock

Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name

Unsatisfied requirement plugins.PsTree.kernel.layer_name:
Unsatisfied requirement plugins.PsTree.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsTree.kernel.layer_name', 'plugins.PsTree.kernel.symbol_table_name']

Abyss-W4tcher commented 9 months ago

Relevant part seems to be:

Level 7  volatility3.framework.automagic.stacker: Exception during stacking: Symbol type not in LintelStacker1 SymbolTable: inet_sock

The symbol type might be missing. Can you please try to generate another ISF, by omitting the System.map file:

./dwarf2json --elf vmlinux > output.json

Temporarily move out your existing ISF from the Volatility3 symbols directory, and run Volatility3 with --clear-cache to avoid conflicts.
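
An added example, not part of the thread or of Volatility's own code: a pre-flight check that decodes the `linux_banner` constant from a dwarf2json ISF, compares it with a banner taken from the `banners` plugin output, and reports kernel types absent from the ISF, such as the `inet_sock` named in the traceback. It assumes the ISF keeps its structure definitions under a top-level `user_types` key; the function names and the sample ISF are constructed for illustration.

```python
import base64
import binascii
import json
import lzma

# Only inet_sock comes from the traceback in this thread; extend the tuple
# with whatever types your Volatility version reports as missing.
REQUIRED_TYPES = ("inet_sock",)


def load_isf(path):
    """Load an ISF from disk, handling both .json and .json.xz files."""
    opener = lzma.open if str(path).endswith(".xz") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return json.load(fh)


def decode_banner(isf):
    """Return the kernel banner stored in the ISF, or None if absent/invalid."""
    symbol = isf.get("symbols", {}).get("linux_banner")
    if not symbol or "constant_data" not in symbol:
        return None
    try:
        raw = base64.b64decode(symbol["constant_data"], validate=True)
    except (binascii.Error, ValueError):
        return None
    # Trailing NUL/newline bytes are stripped before comparison (a choice
    # made by this example so that both sides are normalised the same way).
    return raw.rstrip(b"\x00\n")


def missing_types(isf, required=REQUIRED_TYPES):
    """List the required structure names that the ISF does not define."""
    user_types = isf.get("user_types", {})
    return [name for name in required if name not in user_types]


def check_isf(isf, dump_banner, required=REQUIRED_TYPES):
    """Summarise whether an ISF is usable for the dump that produced dump_banner."""
    isf_banner = decode_banner(isf)
    return {
        "isf_banner": isf_banner,
        "banner_matches": isf_banner is not None
        and isf_banner == dump_banner.rstrip(b"\x00\n"),
        "missing_types": missing_types(isf, required),
    }


# Constructed sample: the banner text is the one shown in this issue, the
# type table is a stand-in that mirrors the failure (no inet_sock entry).
DUMP_BANNER = (
    b"Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 "
    b"(Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024\n"
)
SAMPLE_ISF = {
    "metadata": {"producer": {"name": "dwarf2json", "version": "0.7.0"}},
    "symbols": {
        "linux_banner": {
            "constant_data": base64.b64encode(DUMP_BANNER.rstrip(b"\n")).decode()
        }
    },
    "user_types": {
        "task_struct": {"kind": "struct", "size": 0, "fields": {}},
        "sock": {"kind": "struct", "size": 0, "fields": {}},
    },
}

if __name__ == "__main__":
    report = check_isf(SAMPLE_ISF, DUMP_BANNER)
    print("banner matches:", report["banner_matches"])
    print("missing types :", report["missing_types"] or "none")
```

A matching banner with a non-empty missing-types list corresponds to the situation in this thread: the symbol file is found by its banner, but the symbol table cannot be built from it.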

nathan-out commented 9 months ago

Here it is:

Volatility 3 Framework 2.5.0
INFO     volatility3.cli: Volatility plugins path: ['D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\plugins', 'D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\framework\\plugins']
INFO     volatility3.cli: Volatility symbols path: ['D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\symbols', 'D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\framework\\symbols']
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\plugins, D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\plugins
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\automagic
Level 7  volatility3.cli: Cache directory used: C:\Users\sieur\AppData\Roaming\volatility3
INFO     volatility3.framework.automagic: Detected a linux category plugin
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 6  volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\symbols, D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols
Level 7  volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-15063-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win8-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/mft.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/tcpip.pdb/942CC690894B8899CD5B8607C72A62EA-1.json.xz as b'tcpip.pdb|942CC690894B8899CD5B8607C72A62EA|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/kerb_ecrypt.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-18362-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/callbacks-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-17134-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/crash64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-16299-x64.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/CA8E2F01B822EDE6357898BFBF862997-1.json.xz as b'ntkrnlmp.pdb|CA8E2F01B822EDE6357898BFBF862997|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win81-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-vista-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-vista-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-19041-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/pe.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win81-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/poolheader-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-xp-2003-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win7-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/xen.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/generic/qemu.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-18363-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-vista-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-vista-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/pdb.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/mbr.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/elf.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-19041-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win8-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-15063-x86.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/linux/output.json as b'Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #5 Thu Jan 25 19:03:11 CET 2024\n\x00'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-win10-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/registry.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-xp-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win81-19935-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-17134-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/crash_common.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/crash.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/callbacks-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-16299-x86.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A583-1.json.xz as b'ntkrnlmp.pdb|68A17FAF3012B7846079AEECDBE0A583|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-10240-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/bash64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-10586-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-17763-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/bash32.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-vista-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/poolheader-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-vista-sp12-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-15063-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-14393-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-15063-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/poolheader-x64-win7.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/ADC00FA5FC34456BA16E268745724099-1.json.xz as b'ntkrnlmp.pdb|ADC00FA5FC34456BA16E268745724099|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/kdbg.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-vista-x64.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/F9F3101286B6467CDE2D6C8304D7F43C-1.json.xz as b'ntkrnlmp.pdb|F9F3101286B6467CDE2D6C8304D7F43C|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win7-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-win10-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-16299-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win8-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win8-x86.json
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.linux: No suitable linux banner could be matched
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name

Unsatisfied requirement plugins.PsTree.kernel.layer_name:
Unsatisfied requirement plugins.PsTree.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsTree.kernel.layer_name', 'plugins.PsTree.kernel.symbol_table_name']

Abyss-W4tcher commented 9 months ago

Ok, this did not solve the issue. The raised error comes from here https://github.com/volatilityfoundation/volatility3/blob/795477e24b666eea7d5f40e5f4dc92f3656f558f/volatility3/framework/symbols/linux/__init__.py#L48 I think.

The problem might come from the vmlinux not containing the correct things, although inet_sock wasn't renamed/removed in the Linux source tree. This is probably related to the custom kernel. Is the source from a non-stable Ubuntu branch?

nathan-out commented 9 months ago

The kernel creator will answer your question and join the issue.

aiglematth commented 9 months ago

Hi!

I am the kernel builder: this kernel is not an Ubuntu release, but a Linux kernel built in minimal mode, so I deactivated the network. That is why the inet_sock symbol is not present. Is there any way to do without this symbol? It is only useful for some functionality related to the network.

Abyss-W4tcher commented 9 months ago

Hi @aiglematth, you can try patching the Volatility installation here with:

self.optional_set_type_class("inet_sock", extensions.inet_sock)

See https://github.com/volatilityfoundation/volatility3/blob/develop/volatility3/framework/symbols/linux/__init__.py#L51 for reference.

eve-mem commented 9 months ago

Just a small note - it may be obvious - but without inet_sock some plugins won't work, e.g. sockstat. It could probably be patched if things like unix sockets were still there and you needed to analyze them.
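
The two failure modes visible in this thread (a banner that cannot be matched against the image, and a kernel type such as inet_sock missing from the symbol file) can be checked directly on the dwarf2json output before running a plugin. The script below is an added example, not code from this thread or from the Volatility project; the sample ISF, the sample image bytes and the `TYPE_GROUPS` mapping (group names and membership) are constructed assumptions, and only `inet_sock` is named on this page.

```python
import base64
import json
import lzma
import re

# A kernel banner as it appears in memory: printable text ending in a newline.
BANNER_RE = re.compile(rb"Linux version [\x20-\x7e]{10,400}\n")


def load_isf(path):
    """Load a symbol file (ISF); handles both .json and .json.xz."""
    opener = lzma.open if path.endswith(".xz") else open
    with opener(path, "rb") as fh:
        return json.load(fh)


def isf_banner(isf):
    """Return the banner stored under symbols.linux_banner.constant_data
    (base64), with trailing NUL bytes removed, or None if it is absent."""
    entry = isf.get("symbols", {}).get("linux_banner", {})
    data = entry.get("constant_data")
    if not data:
        return None
    return base64.b64decode(data).rstrip(b"\x00")


def image_banners(image_bytes):
    """Return the distinct 'Linux version ...' banners found in a raw buffer."""
    return sorted(set(BANNER_RE.findall(image_bytes)))


def missing_types(isf, names):
    """Return the type names from `names` that the ISF does not define."""
    user_types = isf.get("user_types", {})
    return [name for name in names if name not in user_types]


def audit(isf, image_bytes, type_groups):
    """Compare the ISF banner with the image and list missing types per group."""
    banner = isf_banner(isf)
    return {
        "isf_banner": banner,
        "banner_matches_image": banner is not None
        and banner in image_banners(image_bytes),
        "missing_by_group": {
            group: missing_types(isf, names) for group, names in type_groups.items()
        },
    }


# --- Constructed sample data (not the reporter's output.json or dump.raw) ---
SAMPLE_BANNER = (
    b"Linux version 5.0.0 (builder@example) (gcc version 9.4.0) "
    b"#1 constructed sample\n"
)
SAMPLE_ISF = {
    "metadata": {"format": "6.2.0"},
    "base_types": {"int": {"kind": "int", "size": 4, "signed": True, "endian": "little"}},
    "user_types": {
        # A minimal kernel built without networking: no inet_sock entry.
        "task_struct": {"kind": "struct", "size": 16, "fields": {}},
        "list_head": {"kind": "struct", "size": 16, "fields": {}},
    },
    "enums": {},
    "symbols": {
        "linux_banner": {
            "address": 0,
            "constant_data": base64.b64encode(SAMPLE_BANNER + b"\x00").decode(),
        }
    },
}
SAMPLE_IMAGE = b"\x00" * 64 + SAMPLE_BANNER + b"\x00" + b"\xff" * 64
OTHER_IMAGE = (
    b"\x00" * 64
    + b"Linux version 5.15.0 (other@example) (gcc 11) #7 constructed sample\n\x00"
)
# Assumption: which types each kind of analysis needs is chosen by the analyst.
TYPE_GROUPS = {
    "process listing": ["task_struct", "list_head"],
    "network sockets": ["inet_sock"],
}

if __name__ == "__main__":
    report = audit(SAMPLE_ISF, SAMPLE_IMAGE, TYPE_GROUPS)
    print("ISF banner:", report["isf_banner"])
    print("banner found in image:", report["banner_matches_image"])
    for group, missing in report["missing_by_group"].items():
        print(f"{group}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

On real data, pass `load_isf("output.json")` and the bytes of the memory image; a type reported as missing means plugins that depend on it cannot work with that symbol file.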

nathan-out commented 9 months ago

I still have the same issue:

Volatility 3 Framework 2.5.0
INFO     volatility3.cli: Volatility plugins path: ['D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\plugins', 'D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\framework\\plugins']
INFO     volatility3.cli: Volatility symbols path: ['D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\symbols', 'D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\framework\\symbols']
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\plugins, D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\plugins
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\automagic
Level 7  volatility3.cli: Cache directory used: C:\Users\sieur\AppData\Roaming\volatility3
INFO     volatility3.framework.automagic: Detected a linux category plugin
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsTree
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 6  volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\symbols, D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols
Level 7  volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-vista-sp12-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-16299-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-17763-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/poolheader-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/poolheader-x64-win7.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-15063-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/bash32.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/crash64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/poolheader-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-16299-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-18362-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win8-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-vista-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-vista-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/registry.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-10240-x86.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/F9F3101286B6467CDE2D6C8304D7F43C-1.json.xz as b'ntkrnlmp.pdb|F9F3101286B6467CDE2D6C8304D7F43C|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win7-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/callbacks-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-vista-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-xp-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-16299-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-15063-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-17134-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win81-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-vista-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-18363-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win8-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win8-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-15063-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/mbr.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-win10-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-14393-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/pdb.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-vista-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win8-x64.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/CA8E2F01B822EDE6357898BFBF862997-1.json.xz as b'ntkrnlmp.pdb|CA8E2F01B822EDE6357898BFBF862997|1'
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/ADC00FA5FC34456BA16E268745724099-1.json.xz as b'ntkrnlmp.pdb|ADC00FA5FC34456BA16E268745724099|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-19041-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win81-19935-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/crash.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-win10-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/kerb_ecrypt.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/linux/output.json as b'Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #5 Thu Jan 25 19:03:11 CET 2024\n\x00'
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A583-1.json.xz as b'ntkrnlmp.pdb|68A17FAF3012B7846079AEECDBE0A583|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-10586-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-15063-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/crash_common.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/elf.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/pe.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/kdbg.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-19041-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-vista-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/callbacks-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-17134-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-x86.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/tcpip.pdb/942CC690894B8899CD5B8607C72A62EA-1.json.xz as b'tcpip.pdb|942CC690894B8899CD5B8607C72A62EA|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win7-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/xen.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/mft.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/bash64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win81-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-xp-2003-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/generic/qemu.json
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.linux: No suitable linux banner could be matched
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsTree.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsTree.kernel.symbol_table_name

Unsatisfied requirement plugins.PsTree.kernel.layer_name:
Unsatisfied requirement plugins.PsTree.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsTree.kernel.layer_name', 'plugins.PsTree.kernel.symbol_table_name']

Here is the code I patched:

self.optional_set_type_class("inet_sock", extensions.inet_sock)
self.optional_set_type_class("vsock_sock", extensions.vsock_sock)
self.optional_set_type_class("packet_sock", extensions.packet_sock)
self.optional_set_type_class("bt_sock", extensions.bt_sock)
self.optional_set_type_class("xdp_sock", extensions.xdp_sock)

I also tried to comment out all these lines; it's still not working.

With @aiglematth we tried to build a vol2 profile, but any plugin seems to work.

It seems aiglematth has to build a correct Linux kernel (according to Vol). Or, Vol should parse all the optional modules before starting.

Abyss-W4tcher commented 9 months ago

You now have:

DEBUG    volatility3.framework.automagic.linux: No suitable linux banner could be matched

Is the correct symbol file still present inside the Volatility3 Linux symbols directory?

You can compare banners and isfinfo plugin, like you did in your first comment.

nathan-out commented 9 months ago

There is an additional char at the end of isfinfo (\n\x00)?

Volatility 3 Framework 2.5.0
Progress:  100.00               PDB scanning finished
URI     Valid   Number of base_types    Number of types Number of symbols       Number of enums Identifying information

file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/linux/output.json      True (cached)   16      5829    83679   863     b'Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #5 Thu Jan 25 19:03:11 CET 2024\n\x00'

For banners:

Volatility 3 Framework 2.5.0
banners.Banners
Progress:  100.00               PDB scanning finished
Offset  Banner

0x1a00080       Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024
0x222b6c0       Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024

Is the exact same timestamp required?

ikelos commented 9 months ago

Yes, the whole string must match exactly, no parsing of the version occurs.
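The byte-for-byte comparison discussed above, as an added example that is not part of the original thread or of Volatility's code: it decodes the banner carried by an ISF file and reports where it diverges from a banner found in the image. It assumes the banner is stored base64-encoded under `symbols.linux_banner.constant_data`; the function names and the minimal ISF document are constructed for illustration, and the two banners are copied from the output earlier in the thread.

```python
import base64
import json
from typing import Optional

# Banner reported by isfinfo for output.json, copied from this thread.
ISF_BANNER = (b"Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 "
              b"(Ubuntu 9.4.0-1ubuntu1~20.04.1)) #5 Thu Jan 25 19:03:11 CET 2024\n\x00")
# Banner reported by the banners plugin for the memory image, copied from this thread.
DUMP_BANNER = (b"Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 "
               b"(Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024")


def make_sample_isf(banner: bytes) -> str:
    """Build a constructed, minimal ISF document that carries only the banner."""
    return json.dumps({
        "symbols": {
            "linux_banner": {
                "address": 0,  # placeholder value, not taken from a real kernel
                "constant_data": base64.b64encode(banner).decode("ascii"),
            }
        }
    })


def load_isf_banner(isf_text: str) -> bytes:
    """Return the raw banner bytes stored in an ISF JSON document.

    Assumption: the banner lives at symbols.linux_banner.constant_data (base64).
    """
    doc = json.loads(isf_text)
    data = doc.get("symbols", {}).get("linux_banner", {}).get("constant_data")
    if not data:
        raise ValueError("ISF has no symbols.linux_banner.constant_data")
    return base64.b64decode(data)


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None when a == b."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def compare_banners(isf_banner: bytes, dump_banner: bytes) -> dict:
    """Compare an ISF banner with a banner found in the image.

    Trailing newline/NUL bytes are reported separately, purely as a diagnostic,
    so a terminator-only difference is not confused with a different build.
    """
    isf_core = isf_banner.rstrip(b"\n\x00")
    dump_core = dump_banner.rstrip(b"\n\x00")
    offset = first_difference(isf_core, dump_core)
    start = max(0, (offset or 0) - 1)
    return {
        "exact": isf_banner == dump_banner,
        "equal_ignoring_trailing": offset is None,
        "isf_trailing": isf_banner[len(isf_core):],
        "first_diff_offset": offset,
        "isf_context": None if offset is None else isf_core[start:start + 28],
        "dump_context": None if offset is None else dump_core[start:start + 28],
    }


def explain(result: dict) -> str:
    """Turn a comparison result into a one-line verdict."""
    if result["exact"]:
        return "banners are byte-identical"
    if result["equal_ignoring_trailing"]:
        return f"banners differ only in trailing bytes {result['isf_trailing']!r}"
    return (f"banners diverge at offset {result['first_diff_offset']}: "
            f"ISF has {result['isf_context']!r}, image has {result['dump_context']!r}; "
            "the ISF was generated from a different build of the kernel")


if __name__ == "__main__":
    isf = load_isf_banner(make_sample_isf(ISF_BANNER))
    print(explain(compare_banners(isf, DUMP_BANNER)))
```

For the banners in this thread the divergence starts at the build counter (`#5` against `#3`), before the timestamp is even reached.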

Abyss-W4tcher commented 9 months ago

Those different timestamps indicate you are analyzing a sample from an older kernel. Each time a kernel is compiled, even if the source is the same, small differences might occur in produced debug symbols.

You may have created an ISF against a "newer" version of this kernel. If I check your first comment, you should have the correct ISF somewhere though?

Volatility 3 Framework 2.5.0
Progress:  100.00               PDB scanning finished
URI     Valid   Number of base_types    Number of types Number of symbols       Number of enums Identifying information

<some windows symbol files>
file:///mnt/d/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/linux/output.json   Unknown 16      5829    83679   863     b'Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024'

nathan-out commented 9 months ago

Banners and isfinfo fixed manually. Patching with the code above produces this error:

Volatility 3 Framework 2.5.0
INFO     volatility3.cli: Volatility plugins path: ['D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\plugins', 'D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\framework\\plugins']
INFO     volatility3.cli: Volatility symbols path: ['D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\symbols', 'D:\\Tools\\volatility3-2.5.0\\volatility3-2.5.0\\volatility3\\framework\\symbols']
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\plugins, D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\plugins
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\automagic
Level 7  volatility3.cli: Cache directory used: C:\Users\sieur\AppData\Roaming\volatility3
linux.pslist.PsList
INFO     volatility3.framework.automagic: Detected a linux category plugin
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 6  volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\symbols, D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols
Level 7  volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/ADC00FA5FC34456BA16E268745724099-1.json.xz as b'ntkrnlmp.pdb|ADC00FA5FC34456BA16E268745724099|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/pe.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-15063-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/registry.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win81-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-17763-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/crash_common.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/CA8E2F01B822EDE6357898BFBF862997-1.json.xz as b'ntkrnlmp.pdb|CA8E2F01B822EDE6357898BFBF862997|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-16299-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-xp-2003-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win8-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-vista-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-14393-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win8-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-16299-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-vista-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-17134-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/callbacks-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/elf.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win8-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-17134-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-15063-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/bash64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win81-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-18363-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/kerb_ecrypt.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/generic/qemu.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-vista-sp12-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-18362-x64.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/linux/output.json as b'Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/callbacks-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-vista-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-vista-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-19041-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win7-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-10240-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/kdbg.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A583-1.json.xz as b'ntkrnlmp.pdb|68A17FAF3012B7846079AEECDBE0A583|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-x64.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/ntkrnlmp.pdb/F9F3101286B6467CDE2D6C8304D7F43C-1.json.xz as b'ntkrnlmp.pdb|F9F3101286B6467CDE2D6C8304D7F43C|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/pdb.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/bash32.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/crash64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win10-16299-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/linux/xen.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-15063-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-19041-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-15063-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/poolheader-x64-win7.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-vista-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-win10-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-vista-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-xp-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win81-19935-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/mbr.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win7-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/poolheader-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/mft.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/bigpools/bigpools-win10-x86.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-10586-x86.json
Level 8  volatility3.framework.automagic.symbol_cache: Identified file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/symbols/windows/tcpip.pdb/942CC690894B8899CD5B8607C72A62EA-1.json.xz as b'tcpip.pdb|942CC690894B8899CD5B8607C72A62EA|1'
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/services/services-win8-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/netscan/netscan-win10-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/poolheader-x64.json
Level 6  volatility3.framework.automagic.symbol_cache: No identifier found for file:///D:/Tools/volatility3-2.5.0/volatility3-2.5.0/volatility3/framework/symbols/windows/crash.json
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.linux: Identified banner: b'Linux version 5.0.0 (aigle@aigle) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #3 Fri Jan 19 14:09:49 CET 2024'
Level 7  volatility3.framework.automagic.stacker: Exception during stacking: Symbol type not in LintelStacker1 SymbolTable: inet_sock
Level 6  volatility3.framework.automagic.stacker: Traceback (most recent call last):

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\automagic\stacker.py", line 213, in stack_layer
    new_layer = stacker.stack(context, initial_layer, progress_callback)

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\automagic\linux.py", line 72, in stack
    table = linux.LinuxKernelIntermedSymbols(

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols\linux\__init__.py", line 47, in __init__
    self.set_type_class("inet_sock", extensions.inet_sock)

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols\intermed.py", line 60, in _delegate_function
    return getattr(self._delegate, name)(*args, **kwargs)

  File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols\intermed.py", line 425, in set_type_class
    raise ValueError(f"Symbol type not in {self.name} SymbolTable: {name}")

ValueError: Symbol type not in LintelStacker1 SymbolTable: inet_sock

Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

Unsatisfied requirement plugins.PsList.kernel.layer_name:
Unsatisfied requirement plugins.PsList.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsList.kernel.layer_name', 'plugins.PsList.kernel.symbol_table_name']

Abyss-W4tcher commented 9 months ago

This shouldn't crash, as optional_set_type_class is supposed to catch this error and ignore it.

You have the following patch, if I'm not mistaken?

diff --git a/volatility3/framework/symbols/linux/__init__.py b/volatility3/framework/symbols/linux/__init__.py
index c4e2587f..adf855a5 100644
--- a/volatility3/framework/symbols/linux/__init__.py
+++ b/volatility3/framework/symbols/linux/__init__.py
@@ -45,7 +45,7 @@ class LinuxKernelIntermedSymbols(intermed.IntermediateSymbolTable):
         self.set_type_class("net", extensions.net)
         self.set_type_class("socket", extensions.socket)
         self.set_type_class("sock", extensions.sock)
-        self.set_type_class("inet_sock", extensions.inet_sock)
+        self.optional_set_type_class("inet_sock", extensions.inet_sock)
         self.set_type_class("unix_sock", extensions.unix_sock)
         # Might not exist in older kernels or the current symbols
         self.optional_set_type_class("netlink_sock", extensions.netlink_sock)
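
Review bot: only the `inet_sock` registration is relaxed, while the `net`, `socket`, `sock` and `unix_sock` lines around it in this hunk remain plain `set_type_class` calls, so a symbol file from a kernel built without networking that also lacks any of those types may still fail in the same way in `__init__`. Consider switching them to `optional_set_type_class` as well. The new optional call also sits above the existing comment `# Might not exist in older kernels or the current symbols`; moving it below that comment, next to `netlink_sock`, would keep the optional registrations together and documented.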

edit: from what I can see:

 File "D:\Tools\volatility3-2.5.0\volatility3-2.5.0\volatility3\framework\symbols\linux\__init__.py", line 47, in __init__
    self.set_type_class("inet_sock", extensions.inet_sock)

There seems to be something off?

ikelos commented 9 months ago

I don't know when that patch made it in, but it might be worth updating to the latest development snapshot rather than 2.5.0?

Abyss-W4tcher commented 9 months ago

This is a custom patch, suiting their need for a sample from a Linux kernel without network capabilities. It should rightfully ignore the missing symbol error, as they will most likely not need it in their analysis.

nathan-out commented 9 months ago

@Abyss-W4tcher OK, you were right, it works now!

I had to fix another line. To fix the issue you have to:

As future users with the same problem won't read all the messages, I'll summarize the problem. The problem stems from the Volatility assumption that a kernel must have a network module. This was wrong here, as the kernel was really very small. So vol raises an error. To solve this problem, vol needs to be told that the network module is optional.

I have several questions regarding this issue. Why this assumption? If it's possible, perhaps Vol should first check the modules built into the kernel and not trigger a fatal error?

Thanks all for your help, I really appreciate it :D
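
A pre-flight check for the situation summarized above, as an added example that is not part of the original thread or Volatility's own code: it reports which of the type names registered in the quoted patch are absent from a dwarf2json symbol file before a plugin is run. The function names are hypothetical, the sample files are constructed, and it assumes struct definitions are stored under the symbol file's top-level `user_types` key.

```python
import json
import lzma
import os
import tempfile

# Type names taken from the set_type_class calls in the patch quoted in this thread.
NETWORK_TYPES = ("net", "socket", "sock", "inet_sock", "unix_sock", "netlink_sock")


def load_isf(path):
    """Load a symbol file, plain (.json) or xz-compressed (.json.xz)."""
    opener = lzma.open if path.endswith(".xz") else open
    with opener(path, "rt", encoding="utf-8") as handle:
        return json.load(handle)


def missing_types(isf, wanted=NETWORK_TYPES):
    """Return the wanted type names that the symbol file does not define."""
    # Assumption: struct definitions sit under the top-level "user_types" key.
    defined = isf.get("user_types", {})
    return [name for name in wanted if name not in defined]


def write_sample(directory, filename, type_names):
    """Write a constructed, minimal ISF-like file (not real dwarf2json output)."""
    isf = {"user_types": {n: {"kind": "struct", "size": 0, "fields": {}} for n in type_names}}
    path = os.path.join(directory, filename)
    opener = lzma.open if filename.endswith(".xz") else open
    with opener(path, "wt", encoding="utf-8") as handle:
        json.dump(isf, handle)
    return path


def demo():
    """Compare a constructed full symbol file with one from a network-less build."""
    with tempfile.TemporaryDirectory() as tmp:
        full = write_sample(tmp, "full.json", NETWORK_TYPES + ("task_struct",))
        tiny = write_sample(tmp, "tiny.json.xz", ("task_struct", "mm_struct"))
        return missing_types(load_isf(full)), missing_types(load_isf(tiny))


if __name__ == "__main__":
    full_missing, tiny_missing = demo()
    print("full symbol file is missing:", full_missing or "nothing")
    print("network-less symbol file is missing:", tiny_missing)
```

To check a real symbol file, pass its path to `load_isf` and the result to `missing_types`.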

github-actions[bot] commented 2 months ago

This issue is stale because it has been open for 200 days with no activity.

github-actions[bot] commented 3 weeks ago

This issue was closed because it has been inactive for 60 days since being marked as stale.