search

volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/
Other
2.72k stars 463 forks source link

Unable to Retrieve Results despite correct symbol table and memory dump #1265

Closed misogare closed 2 months ago

misogare commented 2 months ago

Describe the bug As stated, i have tried to run linux.pslist.PsList on several different distributions including kali,debian,ubuntu with precise symbols and configuration either manually grabbed or from repositories but still i get similar log as this : ` ─$ python3 vol.py -vvv -f /mnt/hgfs/shared/memd.raw linux.pslist.PsList
Volatility 3 Framework 2.10.0 INFO volatility3.cli: Volatility plugins path: ['/home/kali/volatility3/volatility3/plugins', '/home/kali/volatility3/volatility3/framework/plugins'] INFO volatility3.cli: Volatility symbols path: ['/home/kali/volatility3/volatility3/symbols', '/home/kali/volatility3/volatility3/framework/symbols'] DEBUG volatility3.plugins.yarascan: Using yara-python module INFO volatility3.framework.automagic: Detected a linux category plugin INFO volatility3.framework.automagic: Running automagic: ConstructionMagic DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic INFO volatility3.framework.automagic: Running automagic: LayerStacker DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name DEBUG volatility3.framework.automagic.linux: Identified banner: b'Linux version 5.15.0-121-generic (buildd@lcy02-amd64-009) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #131~20.04.1-Ubuntu SMP Mon Aug 12 13:09:56 UTC 2024 (Ubuntu 5.15.0-121.131~20.04.1-generic 5.15.163)\n\x00' DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!netns_ipvs DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_pkg_stats DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_rcv_lists_stats DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_dev_rcv_lists DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_route DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sctp_mib DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_stats_rsn DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_stats DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!garp_port DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!macsec_ops DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mctp_dev DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_dev DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mrp_port DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!tipc_bearer DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!udp_tunnel_nic DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!phylink DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_conn DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cached_keys DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cqm_config DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_internal_bss DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sfp DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!libipw_device DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_hashinfo DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!dsa_8021q_context DEBUG volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical 7ac54000 virtual 2f400000 DEBUG volatility3.framework.automagic.linux: DTB was found at: 0x7da64000 DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList DEBUG volatility3.framework.automagic.stacker: physical_layer maximum_address: 4294367231 DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer'] INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: LinuxSymbolFinder DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name DEBUG volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 5.15.0-121-generic (buildd@lcy02-amd64-009) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #131~20.04.1-Ubuntu SMP Mon Aug 12 13:09:56 UTC 2024 (Ubuntu 5.15.0-121.131~20.04.1-generic 5.15.163)\n\x00' DEBUG volatility3.framework.automagic.symbol_finder: Using symbol library: file:///home/kali/volatility3/volatility3/symbols/linux/Ubuntu_5.15.0-121-generic_5.15.0-121.131~20.04.1_amd64.json.xz INFO volatility3.framework.automagic: Running automagic: KernelModule

OFFSET (V) PID TID PPID COMM File output DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!netns_ipvs DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_pkg_stats DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_rcv_lists_stats DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_dev_rcv_lists DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_route DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sctp_mib DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_stats_rsn DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_stats DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!garp_port DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!macsec_ops DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mctp_dev DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_dev DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mrp_port DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!tipc_bearer DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!udp_tunnel_nic DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!phylink DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_conn DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cached_keys DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cqm_config DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_internal_bss DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!libipw_device DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_hashinfo DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dsa_8021q_context

`

Context Volatility Version: 2.10 Operating System: kali Python Version: python 3.11.9 Suspected Operating System: ubuntu Command:

Without Verbose behavior this is how i get it without the verbose └─$ python3 vol.py -f /mnt/hgfs/shared/memd.raw linux.pslist.PsList Volatility 3 Framework 2.10.0 Progress: 100.00 Stacking attempts finished OFFSET (V) PID TID PPID COMM File output

Operating systems tried kali,ubuntu,debian

note: its not just pslist other commands also retrive nothing correct symbol matching but nothing in return

Abyss-W4tcher commented 2 months ago

Hello, what procedure are you using to generate the memory dump ?

misogare commented 2 months ago

Hello, what procedure are you using to generate the memory dump ?

LiME at first, i will clone the LiME repository then go to src install go do make and if the headers exist it will go smooth and generate me a raw format i will use format=raw to give the raw format as well so this is the command sudo insmod lime.5.15.0-121.ko "path=~/memdump.raw format=raw"

and it generates me the dump

Abyss-W4tcher commented 2 months ago

As hinted here : https://github.com/504ensicsLabs/LiME/issues/111, the "raw" format is not suitable for forensic analysis with Volatiltiy. You should use the "lime" format for your captures :)