volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Error outputting file when attempting to `--dump` processes in `linux.pslist` #1124

Closed yassine955 closed 6 months ago

yassine955 commented 6 months ago

When using --pid I see the following process:

Volatility 3 Framework 2.7.0
Formatting...0.00       Stacking attempts finished                 
  |     OFFSET (V) |  PID |  TID | PPID |            COMM | File output
* | 0x8d2b884ab780 | 6931 | 6931 |  352 | nssion.notebook |    Disabled

Under the column File output it mentions Disabled

And when I dump, by using --dump:

Volatility 3 Framework 2.7.0
Formatting...0.00       Stacking attempts finished                 
  |     OFFSET (V) |  PID |  TID | PPID |            COMM |           File output
* | 0x8d2b884ab780 | 6931 | 6931 |  352 | nssion.notebook | Error outputting file

This is the output:

~/Desktop/memory-analyse/volatility3$ python3 vol.py -vvvvvvv -r pretty -f /home/yassine/Desktop/memory-analyse/avml/dump_2024-04-05_19-51/avml_dump.lime linux.pslist --pid 6931 --decorate-comm --dump
Volatility 3 Framework 2.7.0
INFO     volatility3.cli: Volatility plugins path: ['/home/yassine/Desktop/memory-analyse/volatility3/volatility3/plugins', '/home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/yassine/Desktop/memory-analyse/volatility3/volatility3/symbols', '/home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/symbols']
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/plugins, /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/plugins
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/automagic
DETAIL 3 volatility3.cli: Cache directory used: /home/yassine/.cache/volatility3
INFO     volatility3.framework.automagic: Detected a linux category plugin
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
DETAIL 4 volatility3.framework.symbols.intermed: Searching for symbols in /home/yassine/Desktop/memory-analyse/volatility3/volatility3/symbols, /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/symbols
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 3 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, LeechCoreHandler, S3FileSystemHandler, GSFileSystemHandler
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 4 volatility3.framework.layers.elf: Exception: Bad magic 0x4c694d45 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 4 volatility3.framework.layers.xen: Exception: Bad magic 0x4c694d45 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Stacked LimeLayer using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 4 volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 4 volatility3.framework.layers.xen: Exception: Offset 0x0 does not exist within the base layer
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Crashdump header not found at offset 0
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Crashdump header not found at offset 0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 5.10.209-android12-9-g36e3dadee0c3-dirty (build-user@build-host) (Android (7284624, based on r416183b) clang version 12.0.5 (https://android.googlesource.com/toolchain/llvm-project c935d99d7cf2016289302412d708641d52d2f7ee), LLD 12.0.5 (/buildbot/src/android/llvm-toolchain/out/llvm-project/lld c935d99d7cf2016289302412d708641d52d2f7ee)) #1 SMP PREEMPT Mon Apr 1 16:07:18 UTC 2024\n\x00': file:///home/yassine/Desktop/memory-analyse/volatility3/volatility3/symbols/linux/android12-5.10.json and file:///home/yassine/Desktop/memory-analyse/volatility3/volatility3/symbols/linux/pixel12.json
DEBUG    volatility3.framework.automagic.linux: Identified banner: b'Linux version 5.10.209-android12-9-g36e3dadee0c3-dirty (build-user@build-host) (Android (7284624, based on r416183b) clang version 12.0.5 (https://android.googlesource.com/toolchain/llvm-project c935d99d7cf2016289302412d708641d52d2f7ee), LLD 12.0.5 (/buildbot/src/android/llvm-toolchain/out/llvm-project/lld c935d99d7cf2016289302412d708641d52d2f7ee)) #1 SMP PREEMPT Mon Apr 1 16:07:18 UTC 2024\n\x00'
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!dev_iommu
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!sfp_bus
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_conn
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cached_keys
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cqm_config
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_internal_bss
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!libipw_device
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_hashinfo
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!reset_control
DEBUG    volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical 7c000000 virtual 14800000
DEBUG    volatility3.framework.automagic.linux: DTB was found at: 0x7ee0c000
DETAIL 2 volatility3.framework.automagic.stacker: Stacked IntelLayer using LinuxIntelStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 4 volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 4 volatility3.framework.layers.xen: Exception: Offset 0x0 does not exist within the base layer
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Crashdump header not found at offset 0
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Crashdump header not found at offset 0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer.base_layer
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/layers
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 2146902078
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'LimeLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder  
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 5.10.209-android12-9-g36e3dadee0c3-dirty (build-user@build-host) (Android (7284624, based on r416183b) clang version 12.0.5 (https://android.googlesource.com/toolchain/llvm-project c935d99d7cf2016289302412d708641d52d2f7ee), LLD 12.0.5 (/buildbot/src/android/llvm-toolchain/out/llvm-project/lld c935d99d7cf2016289302412d708641d52d2f7ee)) #1 SMP PREEMPT Mon Apr 1 16:07:18 UTC 2024\n\x00': file:///home/yassine/Desktop/memory-analyse/volatility3/volatility3/symbols/linux/android12-5.10.json and file:///home/yassine/Desktop/memory-analyse/volatility3/volatility3/symbols/linux/pixel12.json
DEBUG    volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 5.10.209-android12-9-g36e3dadee0c3-dirty (build-user@build-host) (Android (7284624, based on r416183b) clang version 12.0.5 (https://android.googlesource.com/toolchain/llvm-project c935d99d7cf2016289302412d708641d52d2f7ee), LLD 12.0.5 (/buildbot/src/android/llvm-toolchain/out/llvm-project/lld c935d99d7cf2016289302412d708641d52d2f7ee)) #1 SMP PREEMPT Mon Apr 1 16:07:18 UTC 2024\n\x00'
DEBUG    volatility3.framework.automagic.symbol_finder: Using symbol library: file:///home/yassine/Desktop/memory-analyse/volatility3/volatility3/symbols/linux/android12-5.10.json
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
INFO     volatility3.framework.automagic: Running automagic: KernelModule
DETAIL 3 volatility3.cli.text_filter: Filters:
[]
Formatting...
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dev_iommu
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp_bus
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_conn
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cached_keys
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cqm_config
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_internal_bss
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!libipw_device
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_hashinfo
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!reset_control
DETAIL 4 volatility3.framework.symbols.intermed: Searching for symbols in /home/yassine/Desktop/memory-analyse/volatility3/volatility3/symbols, /home/yassine/Desktop/memory-analyse/volatility3/volatility3/framework/symbols
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
  |     OFFSET (V) |  PID |  TID | PPID |            COMM |           File output
* | 0x8d2b884ab780 | 6931 | 6931 |  352 | nssion.notebook | Error outputting file
ikelos commented 6 months ago

My guess would be that the default output directory isn't writable. Can you please ensure you pass in --output-dir followed by a directory that you're certain can be written to?

yassine955 commented 6 months ago

Same problem. I believe that without --dump the DISABLED value is messing this up

ikelos commented 6 months ago

The disabled message appears when you haven't requested that the files be dumped. It's to ensure that programmatic access to the plugins doesn't have to cope with changing columns, and that humans can easily understand what disabled means.

It looks from the code as though the "Error outputting file" can be returned when iterating through the get_vma_iter of the task, but there's no match for the start_code value to show where the code begins. This isn't ideal on our part, because the error message isn't all that informative. I've tried to improve the debugging output when dumping ELF files. Please could you try commit c1f239b8 running with -vvvvvvv before the linux.pslist and --dump after the plugin name?

yassine955 commented 6 months ago

OFFSET (V)  PID TID PPID    COMM    File output
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dev_iommu
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp_bus
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_conn
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cached_keys
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cqm_config
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_internal_bss
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!libipw_device
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_hashinfo
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!reset_control
DETAIL 4 volatility3.framework.symbols.intermed: Searching for symbols in /home/yassine/Desktop/ram-analyse/volatility3/volatility3/symbols, /home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/symbols

DEBUG    volatility3.cli: Traceback (most recent call last):
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/cli/__init__.py", line 469, in run
    renderer.render(grid)
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/cli/text_renderer.py", line 198, in render
    grid.populate(visitor, outfd)
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/renderers/__init__.py", line 245, in populate
    for level, item in self._generator:
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/plugins/linux/pslist.py", line 176, in _generator
    file_output = self._get_file_output(task)
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/plugins/linux/pslist.py", line 132, in _get_file_output
    if v.vm_start == task.mm.start_code:
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/objects/__init__.py", line 453, in __getattr__
    return getattr(self.dereference(), attr)
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/objects/__init__.py", line 963, in __getattr__
    member = template(context=self._context, object_info=object_info)
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/objects/templates.py", line 96, in __call__
    return self.vol.object_class(
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/objects/__init__.py", line 168, in __new__
    value = cls._unmarshall(context, data_format, object_info)
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/objects/__init__.py", line 202, in _unmarshall
    data = context.layers.read(
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/interfaces/layers.py", line 638, in read
    return self[layer].read(offset, length, pad)
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/layers/linear.py", line 45, in read
    for offset, _, mapped_offset, mapped_length, layer in self.mapping(
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/layers/intel.py", line 295, in mapping
    for offset, size, mapped_offset, mapped_size, map_layer in self._mapping(
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/layers/intel.py", line 351, in _mapping
    chunk_offset, page_size, layer_name = self._translate(offset)
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/layers/intel.py", line 155, in _translate
    entry, position = self._translate_entry(offset)
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/layers/intel.py", line 221, in _translate_entry
    table = self._get_valid_table(base_address)
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/layers/intel.py", line 256, in _get_valid_table
    table = self._context.layers.read(
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/interfaces/layers.py", line 638, in read
    return self[layer].read(offset, length, pad)
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/layers/linear.py", line 45, in read
    for offset, _, mapped_offset, mapped_length, layer in self.mapping(
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/layers/segmented.py", line 180, in mapping
    for offset, length, mapped_offset, mapped_length, layer in super().mapping(
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/layers/segmented.py", line 103, in mapping
    logical_offset, mapped_offset, size, mapped_size = self._find_segment(
  File "/home/yassine/Desktop/ram-analyse/volatility3/volatility3/framework/layers/segmented.py", line 85, in _find_segment
    raise exceptions.InvalidAddressException(
volatility3.framework.exceptions.InvalidAddressException: Invalid address at 17fffffff

Volatility was unable to read a requested page:
0x17fffffff in layer memory_layer (Invalid address at 17fffffff)

    * The base memory file being incomplete (try re-acquiring if possible)
    * Memory smear during acquisition (try re-acquiring if possible)
    * An intentionally invalid page lookup (operating system protection)
    * A bug in the plugin/volatility3 (re-run with -vvv and file a bug)

No further results will be produced

yassine955 commented 6 months ago

I tried it on a different system, with different memory dump. I get this message:

DEBUG    volatility3.framework.symbols.linux.extensions.elf: Unable to check magic bytes for ELF file at offset 0x5d9060675000 in layer layer_name_Process655: Page Fault at entry 0x0 in page entry
DEBUG    volatility3.plugins.linux.elfs: ELF object to be dumped is not valid
  |     OFFSET (V) | PID | TID | PPID |            COMM |           File output
* | 0xa209c2f80000 | 655 | 655 |  297 | droid.bluetooth | Error outputting file
Abyss-W4tcher commented 6 months ago

You should give this a shot:

mkdir pid_6931_dump
python3 vol.py -vvvvvvv -r pretty -f /home/yassine/Desktop/memory-analyse/avml/dump_2024-04-05_19-51/avml_dump.lime -o pid_6931_dump/ linux.elfs --pid 6931 --dump
file pid_6931_dump/*

The directory pid_6931_dump/ should contain ELFs related to this PID.

yassine955 commented 6 months ago

I will try that!

I tried a different PID, and this happened:

23-11.json
DEBUG    volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 5.4.61-g4271ad6e8ade (build-user@build-host) (Android (6443078 based on r383902) clang version 11.0.1 (https://android.googlesource.com/toolchain/llvm-project b397f81060ce6d701042b782172ed13bee898b79), LLD 11.0.1 (/buildbot/tmp/tmp6_m7QH b397f81060ce6d701042b782172ed13bee898b79)) #1 SMP PREEMPT Fri Apr 5 00:21:51 CEST 2024\n\x00'
DEBUG    volatility3.framework.automagic.symbol_finder: Using symbol library: file:///home/yassine/Desktop/memory-analyse/volatility3/volatility3/symbols/linux/pixel11.json
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Formatting...
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!iommu_param
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp_bus
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!phylink
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!libipw_device
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!blk_mq_debugfs_attr
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!reset_control
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
  |     OFFSET (V) |  PID |  TID | PPID |            COMM |                                 File output
* | 0xa209a92abb00 | 9188 | 9188 |  297 | s.youtube.music | pid.9188.s.youtube.music.0x5d9060675000.dmp

yassine955 commented 6 months ago

So I found out that some PIDs work and some don't.

yassine955 commented 6 months ago

You should give a shot to :

mkdir pid_6931_dump
python3 vol.py -vvvvvvv -r pretty -f /home/yassine/Desktop/memory-analyse/avml/dump_2024-04-05_19-51/avml_dump.lime -o pid_6931_dump/ linux.elfs --pid 6931 --dump
file pid_6931_dump/*

The directory pid_6931_dump/ should contain ELFs related to this PID.

I can confirm that this method works!

yassine@yassine-ASUS-TUF-Gaming-A15-FA507NV-FA507NV:~/Desktop/memory-analyse/volatility3/pid_9040_dump$ file *
pid.9040.oid.apps.photos.0x72df1000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (GNU/Linux), dynamically linked, stripped
pid.9040.oid.apps.photos.0xcc2d9000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xcecd9000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xced00000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xced5a000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xcf0c6000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xcf104000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xcf15f000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[md5/uuid]=22b4c70cd4b906326f21c9b0a5be3e20, stripped
pid.9040.oid.apps.photos.0xcf19d000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xd4bd7000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xdda01000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xdf2c5000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, too large section header offset 1929408111
pid.9040.oid.apps.photos.0xdf2c6000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, too large section header offset 1929408111
pid.9040.oid.apps.photos.0xdf2c7000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xdf371000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xdf44a000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xdf498000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xdf4d8000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xdf538000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xdf544000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xdf583000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xe7db2000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xe7dc7000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, missing section headers at 9623160
pid.9040.oid.apps.photos.0xe87c8000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xe89c1000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xe96f0000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xe9913000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xe9947000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xe99ab000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xe9ad5000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xe9b38000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xe9b51000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xe9c67000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xe9d89000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xe9e5e000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[md5/uuid]=8a1dc3ec8f74a4b5514d69b130251930, stripped
pid.9040.oid.apps.photos.0xe9e5f000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[md5/uuid]=8a1dc3ec8f74a4b5514d69b130251930, stripped
pid.9040.oid.apps.photos.0xe9e60000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xe9f86000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xe9ff3000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xea006000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xea124000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xea142000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xea3ae000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[md5/uuid]=32c8ca9f3edef9d066b49a816efcd8d1, stripped
pid.9040.oid.apps.photos.0xea9f5000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xeaaf2000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, too large section header offset 4035186624
pid.9040.oid.apps.photos.0xeaaf3000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xeab28000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xeab65000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xeab86000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[md5/uuid]=19c0d83fceb83b1f6232c9b87783e4f8, stripped
pid.9040.oid.apps.photos.0xeabcb000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xeac00000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xeac8b000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xeb201000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xeb69b000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xeb98c000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xebb47000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xebbd1000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, too large section header offset 1566269278
pid.9040.oid.apps.photos.0xebbd2000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, too large section header offset 1566269278
pid.9040.oid.apps.photos.0xebcf8000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xebd28000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[md5/uuid]=6efe1509b72a12e9fb0d8200a470e3d3, stripped
pid.9040.oid.apps.photos.0xebd4b000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[md5/uuid]=d236dc3950f8fd9072dc73c5acb2df01, stripped
pid.9040.oid.apps.photos.0xebd8d000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xec111000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xec167000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xec314000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, not stripped
pid.9040.oid.apps.photos.0xec315000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, not stripped
pid.9040.oid.apps.photos.0xec316000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xec341000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xec395000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xec3c8000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xec44b000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, missing section headers at 145252
pid.9040.oid.apps.photos.0xec4aa000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xec4eb000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xec9b1000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xeca1b000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xece1d000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[md5/uuid]=a9c90dbadcf455b71f9c98907fca06ce, stripped
pid.9040.oid.apps.photos.0xecedf000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xed08a000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xed0d3000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xed27d000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[md5/uuid]=2e4f1d5427febc7d79cd6795900e1f5a, stripped
pid.9040.oid.apps.photos.0xed281000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xed2c6000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, too large section header offset 3909091328
pid.9040.oid.apps.photos.0xed310000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xed349000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xed384000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xed44d000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xed5da000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
pid.9040.oid.apps.photos.0xee2ea000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, BuildID[xxHash]=9b8f39894216615d, stripped
pid.9040.oid.apps.photos.0xee2eb000.dmp: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, missing section headers at 1577488

The issue I have is the following: I get a bunch of files. Is it possible to export 1 file?

Abyss-W4tcher commented 6 months ago

Unfortunately, this plugin does not support this kind of option, like the proc plugin does:

$ linux.proc -h 
Volatility 3 Framework 2.7.0
usage: volatility linux.proc.Maps [-h] [--pid [PID ...]] [--dump]
                                  [--address [ADDRESS ...]]
                                  [--maxsize MAXSIZE]

options:
  -h, --help            show this help message and exit
  --pid [PID ...]       Filter on specific process IDs
  --dump                Extract listed memory segments
  --address [ADDRESS ...]
                        Process virtual memory addresses to include (all other
                        VMA sections are excluded). This can be any virtual
                        address within the VMA section.
  --maxsize MAXSIZE     Maximum size for dumped VMA sections (all the bigger
                        sections will be ignored)
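
For the two points above, the bunch of files that `linux.elfs --dump` writes and the wish to export just one, here is an added Python triage script that is not part of Volatility itself. It parses the `pid.<pid>.<comm>.<address>.dmp` names seen in the listing, picks the one dump whose base address you want, and checks its ELF header the way `file` did, flagging images whose section header table falls outside the dumped bytes. `make_elf32_image` only builds constructed sample input for testing.

```python
import os
import re
import struct

# linux.elfs --dump names files pid.<pid>.<comm>.<hex base address>.dmp
DUMP_NAME = re.compile(r"^pid\.(\d+)\.(.+)\.(0x[0-9a-fA-F]+)\.dmp$")
ELF_MAGIC = b"\x7fELF"

def parse_dump_name(name):
    """Split a dump filename into (pid, comm, base address) or return None."""
    m = DUMP_NAME.match(name)
    return (int(m.group(1)), m.group(2), int(m.group(3), 16)) if m else None

def elf_header_check(data):
    """Classify a dumped image from its ELF header alone, mirroring `file`'s verdicts:
    'ok', 'not-elf', 'truncated-header', 'missing-section-headers', 'section-headers-out-of-range'."""
    if len(data) < 16 or data[:4] != ELF_MAGIC or data[4] not in (1, 2):
        return "not-elf"
    endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = LSB, 2 = MSB
    if data[4] == 1:   # ELFCLASS32: e_shoff at 32 (4 bytes), e_shentsize at 46, e_shnum at 48
        if len(data) < 52:
            return "truncated-header"
        shoff = struct.unpack_from(endian + "I", data, 32)[0]
        shentsize, shnum = struct.unpack_from(endian + "HH", data, 46)
    else:              # ELFCLASS64: e_shoff at 40 (8 bytes), e_shentsize at 58, e_shnum at 60
        if len(data) < 64:
            return "truncated-header"
        shoff = struct.unpack_from(endian + "Q", data, 40)[0]
        shentsize, shnum = struct.unpack_from(endian + "HH", data, 58)
    if shoff == 0 or shnum == 0:
        return "missing-section-headers"
    if shoff + shentsize * shnum > len(data):       # table points past the dumped bytes
        return "section-headers-out-of-range"
    return "ok"

def select_dump(dump_dir, pid, address):
    """Return (path, verdict) for the dump of `pid` based at `address`, or None."""
    for name in sorted(os.listdir(dump_dir)):
        parsed = parse_dump_name(name)
        if parsed and parsed[0] == pid and parsed[2] == address:
            path = os.path.join(dump_dir, name)
            with open(path, "rb") as fh:
                return path, elf_header_check(fh.read())
    return None

def make_elf32_image(e_shoff, e_shnum, total_size):
    """Constructed little-endian ELF32 ET_DYN image for testing (sample input, not a real library)."""
    ident = ELF_MAGIC + bytes([1, 1, 1]) + bytes(9)   # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 0, e_shoff, 0, 52, 32, 0, 40, e_shnum, 0)
    return hdr + bytes(total_size - len(hdr))
```

Run `select_dump("pid_9040_dump", 9040, 0xdf2c5000)` against a real output folder to get one file plus its verdict; a dump flagged out-of-range usually means the pages holding the section table were not resident when the image was taken.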
yassine955 commented 6 months ago

For those who want the solution.

If you get the same error: Error outputting file

Then the solution is from @Abyss-W4tcher

mkdir pid_6931_dump
python3 vol.py -vvvvvvv -r pretty -f [FILE] -o [OUTPUT_FOLDER] linux.elfs --pid [ID] --dump
file pid_6931_dump/*

ikelos commented 6 months ago

Glad you managed to get this resolved.