volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Need to add support for pages with PROT_NONE permissions #134

Open gleeda opened 4 years ago

gleeda commented 4 years ago

The _PAGE_PRESENT bit is cleared when mprotect(...PROT_NONE) is called on a page, therefore it is missed.

See: https://volatility-labs.blogspot.com/2015/05/using-mprotect-protnone-on-linux.html

ikelos commented 4 years ago

Just to keep everything in one place, I'd recommend a LinuxMixin (that follows the same procedures as the WindowsMixin, including subclasses with Intel and the LinuxMixin) and then update the LintelStacker class to use those classes instead of the stock Intel ones...

gleeda commented 4 years ago

Just a note that I'm hoping we'll have a resolution to the unnamed_field issue soon. It is currently a potential blocker for verifying this issue: #151

ikelos commented 4 years ago

151 has been resolved, so hopefully this can keep moving forward?

gleeda commented 4 years ago

I'm still having issues getting dwarf2json profiles to work with this version of Kali for some reason :-/


```
Volatility 3 Framework 1.0.0-beta.1
INFO     root        : Volatility plugins path: ['/Users/gleeda/Work/DEV/volatility3/volatility/plugins', '/Users/gleeda/Work/DEV/volatility3/volatility/framework/plugins']
INFO     root        : Volatility symbols path: ['/Users/gleeda/Work/DEV/volatility3/volatility/symbols', '/Users/gleeda/Work/DEV/volatility3/volatility/framework/symbols']
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'yara'
DEBUG    volatility.framework: Failed to import module volatility.plugins.yarascan based on file: yarascan
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'yara'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.svcscan based on file: windows/svcscan
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'yara'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.vadyarascan based on file: windows/vadyarascan
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'yara'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.callbacks based on file: windows/callbacks
INFO     volatility.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'pefile'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.verinfo based on file: windows/verinfo
INFO     root        : The following plugins could not be loaded (use -vv to see why): volatility.plugins.windows.callbacks, volatility.plugins.windows.svcscan, volatility.plugins.windows.vadyarascan, volatility.plugins.windows.verinfo, volatility.plugins.yarascan
INFO     volatility.framework.automagic: Detected a linux category plugin
INFO     volatility.framework.automagic: Running automagic: LinuxBannerCache
INFO     volatility.framework.automagic.symbol_cache: Building linux caches...
INFO     volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps.vmlinux
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps
INFO     volatility.framework.automagic: Running automagic: LayerStacker
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
DEBUG    volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
INFO     volatility.framework.automagic.mac: No Mac banners found - if this is a mac plugin, please check your symbol files location
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux

Unsatisfied requirement plugins.Maps.primary: Memory layer for the kernel
Unsatisfied requirement plugins.Maps.vmlinux: Linux kernel symbols

A symbol table requirement was not fulfilled.  Please verify that:
    You have the correct symbol file for the requirement
    The symbol file is under the correct directory or zip file
    The symbol file is named appropriately or contains the correct banner

A translation layer requirement was not fulfilled.  Please verify that:
    A file was provided to create this layer (by -f, --single-location or by config)
    The file exists and is readable
    The necessary symbols are present and identified by volatility
Unable to validate the plugin requirements: ['plugins.Maps.primary', 'plugins.Maps.vmlinux']
```

gleeda commented 4 years ago

When running it on a different copy of memory from the same machine, I get a little bit further:


```
INFO     root        : Volatility symbols path: ['/Users/gleeda/Work/DEV/volatility3/volatility/symbols', '/Users/gleeda/Work/DEV/volatility3/volatility/framework/symbols']
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/plugins, /Users/gleeda/Work/DEV/volatility3/volatility/framework/plugins
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'yara'
DEBUG    volatility.framework: Failed to import module volatility.plugins.yarascan based on file: yarascan
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'yara'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.svcscan based on file: windows/svcscan
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'yara'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.vadyarascan based on file: windows/vadyarascan
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'yara'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.callbacks based on file: windows/callbacks
INFO     volatility.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'pefile'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.verinfo based on file: windows/verinfo
INFO     root        : The following plugins could not be loaded (use -vv to see why): volatility.plugins.windows.callbacks, volatility.plugins.windows.svcscan, volatility.plugins.windows.vadyarascan, volatility.plugins.windows.verinfo, volatility.plugins.yarascan
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/automagic
Level 7  root        : Cache directory used: /Users/gleeda/.cache/volatility3
INFO     volatility.framework.automagic: Detected a linux category plugin
INFO     volatility.framework.automagic: Running automagic: LinuxBannerCache
Level 6  volatility.framework.symbols.intermed: Searching for symbols in /Users/gleeda/Work/DEV/volatility3/volatility/symbols, /Users/gleeda/Work/DEV/volatility3/volatility/framework/symbols
INFO     volatility.framework.automagic.symbol_cache: Building linux caches...
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
INFO     volatility.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps.vmlinux
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
INFO     volatility.framework.automagic: Running automagic: LayerStacker
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 8  volatility.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using WindowsCrashDump32Stacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using WintelStacker
DEBUG    volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
Level 8  volatility.framework.automagic.stacker: Attempting to stack using MacintelStacker
INFO     volatility.framework.automagic.mac: No Mac banners found - if this is a mac plugin, please check your symbol files location
Level 8  volatility.framework.automagic.stacker: Attempting to stack using LintelStacker
DEBUG    volatility.framework.automagic.linux: Identified banner: b'Linux version 5.3.0-kali2-amd64 (devel@kali.org) (gcc version 9.2.1 20191102 (Debian 9.2.1-17)) #1 SMP Debian 5.3.9-1kali1 (2019-11-11)\n\x00'
INFO     volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility.schemas: All validations will report success, even with malformed input
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!netns_ipvs
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!mtd_info
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!s_pstats
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!can_dev_rcv_lists
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!s_stats
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!mpls_route
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!sctp_mib
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!ebt_table
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!dn_dev
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!garp_port
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!mpls_dev
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!mrp_port
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!sfp_bus
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!tipc_bearer
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_conn
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cached_keys
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cqm_config
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_internal_bss
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!phy_led_trigger
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!phylink
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!libipw_device
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!reset_control
DEBUG    volatility.framework.automagic.linux: Linux ASLR shift values determined: physical 77a00000 virtual 35e00000
DEBUG    volatility.framework.automagic.linux: DTB was found at: 0x79a0a000
Level 8  volatility.framework.automagic.stacker: Stacked IntelLayer using LintelStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8  volatility.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using WindowsCrashDump32Stacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using WintelStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using MacintelStacker
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary.memory_layer
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps.vmlinux
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
DEBUG    volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO     volatility.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
DEBUG    volatility.framework.automagic.symbol_finder: Identified banner: b'Linux version 5.3.0-kali2-amd64 (devel@kali.org) (gcc version 9.2.1 20191102 (Debian 9.2.1-17)) #1 SMP Debian 5.3.9-1kali1 (2019-11-11)\n\x00'
DEBUG    volatility.framework.automagic.symbol_finder: Using symbol library: file:///Users/gleeda/Work/DEV/volatility3/volatility/framework/symbols/linux/kali.json
INFO     volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility.schemas: All validations will report success, even with malformed input

PID Process Start   End Flags   PgOff   Major   Minor   Inode   File Path
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!netns_ipvs
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!mtd_info
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!s_pstats
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!can_dev_rcv_lists
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!s_stats
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!mpls_route
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!sctp_mib
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!ebt_table
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!dn_dev
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!garp_port
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!mpls_dev
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!mrp_port
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!sfp_bus
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!tipc_bearer
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!assoc_array_ptr
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!pcpu_dstats
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!cfg80211_conn
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!cfg80211_cached_keys
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!cfg80211_cqm_config
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!cfg80211_internal_bss
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!phy_led_trigger
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!phylink
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!libipw_device
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!reset_control

DEBUG    root        : Traceback (most recent call last):
  File "/Users/gleeda/Work/DEV/volatility3/volatility/cli/__init__.py", line 292, in run
    renderers[args.renderer]().render(constructed.run())
  File "/Users/gleeda/Work/DEV/volatility3/volatility/cli/text_renderer.py", line 163, in render
    grid.populate(visitor, outfd)
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/renderers/__init__.py", line 196, in populate
    for (level, item) in self._generator:
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/plugins/linux/proc.py", line 30, in _generator
    for task in tasks:
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/plugins/linux/pslist.py", line 82, in list_tasks
    for task in init_task.tasks:
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/symbols/linux/extensions/__init__.py", line 293, in to_list
    link = getattr(self, direction).dereference()
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/objects/__init__.py", line 707, in __getattr__
    member = template(context = self._context, object_info = object_info)
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/objects/templates.py", line 72, in __call__
    return self.vol.object_class(context = context, object_info = object_info, **arguments)
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/objects/__init__.py", line 120, in __new__
    value = cls._unmarshall(context, data_format, object_info)
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/objects/__init__.py", line 304, in _unmarshall
    data = context.layers.read(object_info.layer_name, object_info.offset, length)
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/interfaces/layers.py", line 540, in read
    return self[layer].read(offset, length, pad)
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/layers/linear.py", line 38, in read
    for (offset, _, mapped_offset, mapped_length, layer) in self.mapping(offset, length, ignore_errors = pad):
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/layers/intel.py", line 197, in mapping
    chunk_offset, page_size, layer_name = self._translate(offset)
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/layers/intel.py", line 99, in _translate
    entry, position = self._translate_entry(offset)
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/layers/intel.py", line 125, in _translate_entry
    "Page Fault at entry " + hex(entry) + " in table " + name)
volatility.framework.exceptions.PagedInvalidAddressException: Page Fault at entry 0x0 in table page table

Volatility was unable to read a requested page:
Page error 0xffff82013b50 in layer primary (Page Fault at entry 0x0 in table page table)

    * Memory smear during acquisition (try re-acquiring if possible)
    * An intentionally invalid page lookup (operating system protection)
    * A bug in the plugin/volatility (re-run with -vvv and file a bug)

No further results will be produced
```

cstation commented 3 years ago

Encountering the same errors as @gleeda is doing here. I've created an Ubuntu 20.04 VM (using VMware). Installed linux-image-$(uname -r)-dbgsym and generated a profile with dwarf2json. Created a snapshot of the VM and ran volatility3 on the .vmem-file of this snapshot.

Is there any progress on this issue?

ikelos commented 3 years ago

So given that #151 is complete, this still needs code writing for the LinuxMixin that will accept bit 0 as unset when bit 9 is set, which I think @gleeda offered to do since this is assigned to her. Happy to provide support and help with this, but if it needs the dwarf2json guys to help then let's bring them in...
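
The present-bit check that the LinuxMixin discussion above is about, as an added example (not Volatility's own code). The Linux x86 headers define _PAGE_BIT_PROTNONE as bit 8, aliasing the Global bit, and the kernel's pte_present() treats present-or-protnone as mapped, so the walk below compares the stock present-bit rule with a Linux-aware one over a constructed four-level page table in which one page has been mprotect(PROT_NONE)'d. All addresses, frame numbers and the dict-backed physical memory are constructed for the example.

```python
from typing import Callable, Dict

# x86-64 page-table entry bits, named after Linux arch/x86/include/asm/pgtable_types.h
PAGE_PRESENT = 1 << 0       # _PAGE_BIT_PRESENT: the hardware walker honours only these
PAGE_RW = 1 << 1
PAGE_USER = 1 << 2
PAGE_PROTNONE = 1 << 8      # _PAGE_BIT_PROTNONE, aliased by Linux to the Global bit
PFN_MASK = 0x000F_FFFF_FFFF_F000  # bits 12..51 carry the physical frame address
ENTRY_SIZE = 8

Predicate = Callable[[int], bool]


def intel_page_is_valid(entry: int) -> bool:
    """Stock hardware rule: an entry maps something only if bit 0 is set."""
    return bool(entry & PAGE_PRESENT)


def linux_page_is_valid(entry: int) -> bool:
    """Linux rule, as in the kernel's pte_present(): present OR protnone.

    mprotect(PROT_NONE) clears PAGE_PRESENT but sets PAGE_PROTNONE and keeps
    the frame number, so the page is still resident and still worth reading.
    """
    return bool(entry & (PAGE_PRESENT | PAGE_PROTNONE))


class PagedInvalidAddress(Exception):
    """Same shape as the 'Page Fault at entry ... in table ...' error in the thread."""


def walk(phys: Dict[int, int], dtb: int, vaddr: int, page_is_valid: Predicate) -> int:
    """Four-level x86-64 walk for 4 KiB pages over a dict-backed physical memory.

    phys maps an 8-byte-aligned physical address to the entry stored there; an
    address absent from the dict reads as zero, like an unpopulated table slot.
    """
    table = dtb
    for name, shift in (("pml4", 39), ("pdpt", 30), ("pd", 21), ("pt", 12)):
        index = (vaddr >> shift) & 0x1FF
        entry = phys.get(table + index * ENTRY_SIZE, 0)
        if not page_is_valid(entry):
            raise PagedInvalidAddress(f"Page Fault at entry {hex(entry)} in table {name}")
        table = entry & PFN_MASK
    return table | (vaddr & 0xFFF)


# Constructed sample layout (hypothetical addresses, not taken from any image).
DTB = 0x79A0A000                       # top-level table (CR3-style value)
PDPT, PD, PT = 0x1000, 0x2000, 0x3000  # lower-level table locations
VADDR_RW = 0x0000_7F00_0000_0000       # pml4 index 254, all lower indices 0
VADDR_NONE = VADDR_RW + 0x1000         # the next page: pt index 1
FRAME_RW, FRAME_NONE = 0x4A000, 0x4B000


def build_sample_memory() -> Dict[int, int]:
    """Two adjacent user pages: one normal, one after mprotect(PROT_NONE)."""
    flags = PAGE_PRESENT | PAGE_RW | PAGE_USER
    return {
        DTB + 254 * ENTRY_SIZE: PDPT | flags,
        PDPT + 0 * ENTRY_SIZE: PD | flags,
        PD + 0 * ENTRY_SIZE: PT | flags,
        PT + 0 * ENTRY_SIZE: FRAME_RW | flags,
        # PROT_NONE: present cleared, protnone set, frame number untouched
        PT + 1 * ENTRY_SIZE: FRAME_NONE | PAGE_PROTNONE | PAGE_USER,
    }


def translate_both(vaddr: int) -> Dict[str, object]:
    """Translate vaddr under both rules; report the fault text where a rule fails."""
    mem = build_sample_memory()
    results: Dict[str, object] = {}
    for label, rule in (("intel", intel_page_is_valid), ("linux", linux_page_is_valid)):
        try:
            results[label] = walk(mem, DTB, vaddr, rule)
        except PagedInvalidAddress as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for vaddr in (VADDR_RW, VADDR_NONE):
        print(hex(vaddr), translate_both(vaddr))
```

The normal page translates under both rules; the PROT_NONE page faults under the stock rule and translates to its preserved frame under the Linux rule, which is the behaviour a LinuxMixin has to add.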

gleeda commented 3 years ago

@gleeda Yes, sorry! I'll get it in here in a bit.

gleeda commented 3 years ago

> Encountering the same errors as @gleeda is doing here. I've created an Ubuntu 20.04 VM (using VMware). Installed linux-image-$(uname -r)-dbgsym and generated a profile with dwarf2json. Created a snapshot of the VM and ran volatility3 on the .vmem-file of this snapshot.
>
> Is there any progress on this issue?

I think the issue was due to #151 . If so, then maybe we need to have another look at it? @ikelos @cstation

cstation commented 3 years ago

@gleeda @ikelos I'm sorry if I caused any misunderstandings. I commented not because of the initial topic of the issue (The _PAGE_PRESENT bit is cleared when mprotect(...PROT_NONE) is called on a page), but because I encounter the same issues with getting the dwarf2json profiles to work, just like @gleeda encountered Page errors in her comments on 12 Jun 2020.

The issue of page errors is popping up more frequently, for example down in #215 or in #356. I do not know what exactly causes these errors, but since this issue is even encountered by Volatility Core Developers :wink:, it is likely that it is not merely due to wrong usage of dwarf2json or volatility3.

Maybe it is due to an issue with dwarf2json (something like their Issue #25), but I'm missing the expertise to say anything meaningful about that.

ikelos commented 3 years ago

Ah, thanks for the clarification @cstation . Page errors occur when the page table (which modern systems use to make memory more manoeuvrable and easier to manage) maps to an address that doesn't exist. The error message tells you where in the table it failed, but unfortunately this kind of error can either be because volatility asks for something that doesn't exist, or asks for something that should exist but due to the memory image and how it was acquired, it does not.

The memory image can cause page errors for two reasons, either the format it's written in doesn't have all the information it needs (for instance, modern vmem files require a vmsn or vmss file with the same name to be in the same directory as them) or because whilst the memory was being acquired (which takes time) it changed (and the memory that had been mapped in one place changed where it lived).

In most cases, the underlying memory image isn't perfect, and there's not a great deal we can do about those, but in certain circumstances we do the wrong thing (either because we've never encountered it before, or we just made a mistake). In cases like that we'd need to dig into what was being done at the time, but a separate issue helps us keep track of everything that's going on.

In short, page errors are indicative that something went wrong, but the occurrence of a page error doesn't give us any clues as to exactly what went wrong. 5:S

ikelos commented 3 years ago

@gleeda did you regenerate the symbols after #151 (and its related changes in dwarf2json) were made? Without more information it's difficult to tell whether #151 is still an issue or not. I'm also not sure why the JSON affects how page mapping happens? I thought it was a modification to the IntelLayer?

ikelos commented 3 years ago

Sorry, just trying to keep on top of this. Any progress here @gleeda? Is this still a problem @cstation ?

cstation commented 3 years ago

This specific issue is not a problem for me anymore, since my problem was in the end related to how vmem-files were read. Nevertheless, the original issue posed by @gleeda could still be an unsolved bug.