volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Possible bug using linux.pagecache.InodePages to extract files #1349

Closed PNW-Hacker closed 1 day ago

PNW-Hacker commented 1 day ago

Describe the bug: I'm not entirely sure it is a bug (probably), but also the memory dump isn't mine, so idk how much y'all are able to help in this case. But nevertheless, I'll create this and let y'all decide how to proceed (whether that be assisting in troubleshooting or classifying it as out-of-scope).

There is a TryHackMe room (it's a free room) called Profiles. https://tryhackme.com/r/room/profilesroom While the room does say it's best to be completed using Vol2, I was hoping it could be completed with Vol3.

Context
Volatility Version: Volatility 3 Framework 2.11.0
Operating System: Kali Linux (most up-to-date version, running within VirtualBox)
Python Version: 3.12.6
Suspected Operating System: Ubuntu 20.05 version 5.4.0-166-generic
Command: python3 /home/kali/Desktop/volatility3/vol.py -f linux.mem linux.pagecache.InodePages --find /etc/passwd --dump passwd.txt

To Reproduce Steps to reproduce the behavior:

  1. Within folder /Volatility_Symbols/volatility_symbols run: python3 symbol_maker.py -d ubuntu -k '5.4.0-166-generic'. Since I was running these commands from the github clone, I copied the xz file to /home/kali/Desktop/volatility3/volatility3/symbols/ and then ran unxz to extract it.

  2. Use command 'python3 /home/kali/Desktop/volatility3/vol.py -f linux.mem linux.pagecache.InodePages --find /etc/passwd --dump passwd.txt' (I just git cloned the vol3 repo to that directory within Kali, so how you run vol3 probably doesn't matter).

  3. See error: I don't get an error with the passwd file, nothing is there. [image]

The file I am trying to pull down: /home/paco/pkexecc. This file does give me an error: https://github.com/volatilityfoundation/volatility3/issues/1312

Expected behavior: I was hoping that the data file would be dumped along with its contents (as you can do in vol2 using enumerate_files -O). If you search for Question 3 within this repo, you'll see that this user uses vol2 and extracts the file, and is able to then grab the md5sum of said file: https://medium.com/@lukwagoasuman236/tryhackme-profiles-write-up-60202db52210

Example output: Please copy and paste the text demonstrating the issue, ideally with verbose output turned on (vol.py -vvv ...).

python3 /home/kali/Desktop/volatility3/vol.py -vvv -f linux.mem linux.pagecache.InodePages --find /etc/passwd [ 3:26AM ]

/usr/lib/python3/dist-packages/smb/SMBConnection.py:21: SyntaxWarning: invalid escape sequence '\/'
  '''
/usr/lib/python3/dist-packages/smb/base.py:2624: SyntaxWarning: invalid escape sequence '\/'
  """
Volatility 3 Framework 2.11.0
INFO volatility3.cli: Volatility plugins path: ['/home/kali/Desktop/volatility3/volatility3/plugins', '/home/kali/Desktop/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/home/kali/Desktop/volatility3/volatility3/symbols', '/home/kali/Desktop/volatility3/volatility3/framework/symbols']
DEBUG volatility3.plugins.yarascan: Using yara-python module
DEBUG volatility3.framework: Traceback (most recent call last):
  File "/home/kali/Desktop/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.12/importlib/__init__.py", line 90, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "", line 1387, in _gcd_import
  File "", line 1360, in _find_and_load
  File "", line 1331, in _find_and_load_unlocked
  File "", line 935, in _load_unlocked
  File "", line 995, in exec_module
  File "", line 488, in _call_with_frames_removed
  File "/home/kali/Desktop/volatility3/volatility3/framework/plugins/windows/hashdump.py", line 10, in
    from Crypto.Cipher import AES, ARC4, DES
ModuleNotFoundError: No module named 'Crypto'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: /home/kali/Desktop/volatility3/volatility3/framework/plugins/windows/hashdump.py
DEBUG volatility3.framework: Traceback (most recent call last):
  File "/home/kali/Desktop/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.12/importlib/__init__.py", line 90, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "", line 1387, in _gcd_import
  File "", line 1360, in _find_and_load
  File "", line 1331, in _find_and_load_unlocked
  File "", line 935, in _load_unlocked
  File "", line 995, in exec_module
  File "", line 488, in _call_with_frames_removed
  File "/home/kali/Desktop/volatility3/volatility3/framework/plugins/windows/cachedump.py", line 8, in
    from Crypto.Cipher import ARC4, AES
ModuleNotFoundError: No module named 'Crypto'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: /home/kali/Desktop/volatility3/volatility3/framework/plugins/windows/cachedump.py
DEBUG volatility3.framework: Traceback (most recent call last):
  File "/home/kali/Desktop/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.12/importlib/__init__.py", line 90, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "", line 1387, in _gcd_import
  File "", line 1360, in _find_and_load
  File "", line 1331, in _find_and_load_unlocked
  File "", line 935, in _load_unlocked
  File "", line 995, in exec_module
  File "", line 488, in _call_with_frames_removed
  File "/home/kali/Desktop/volatility3/volatility3/framework/plugins/windows/lsadump.py", line 8, in
    from Crypto.Cipher import ARC4, DES, AES
ModuleNotFoundError: No module named 'Crypto'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: /home/kali/Desktop/volatility3/volatility3/framework/plugins/windows/lsadump.py
INFO volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump
INFO volatility3.framework.automagic: Detected a linux category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - inode requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - inode requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - dump requirements only accept str type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - dump requirements only accept str type: None
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.linux: Identified banner: b'Linux version 5.4.0-166-generic (buildd@lcy02-amd64-011) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)) #183-Ubuntu SMP Mon Oct 2 11:28:33 UTC 2023 (Ubuntu 5.4.0-166.183-generic 5.4.252)\n\x00'
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!netns_ipvs
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_pkg_stats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_rcv_lists_stats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_dev_rcv_lists
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_route
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sctp_mib
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!ebt_table
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!garp_port
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_dev
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mrp_port
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!tipc_bearer
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!phylink
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_conn
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cached_keys
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cqm_config
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_internal_bss
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sfp
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!libipw_device
DEBUG volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical d2600000 virtual 39800000
DEBUG volatility3.framework.automagic.linux: DTB was found at: 0xd500a000
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name.memory_layer
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.InodePages.kernel.layer_name.memory_layer.base_layer
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.InodePages
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - inode requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - inode requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - dump requirements only accept str type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - dump requirements only accept str type: None
DEBUG volatility3.framework.automagic.stacker: physical_layer maximum_address: 4294503519
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'LimeLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.InodePages.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 5.4.0-166-generic (buildd@lcy02-amd64-011) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)) #183-Ubuntu SMP Mon Oct 2 11:28:33 UTC 2023 (Ubuntu 5.4.0-166.183-generic 5.4.252)\n\x00'
DEBUG volatility3.framework.automagic.symbol_finder: Using symbol library: file:///home/kali/Desktop/volatility3/volatility3/symbols/5.4.0-166-generic.json
INFO volatility3.framework.automagic: Running automagic: KernelModule

PageVAddr PagePAddr MappingAddr Index DumpSafe Flags
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!netns_ipvs
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_pkg_stats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_rcv_lists_stats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_dev_rcv_lists
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_route
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sctp_mib
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ebt_table
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!garp_port
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_dev
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mrp_port
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!tipc_bearer
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!phylink
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_conn
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cached_keys
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cqm_config
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_internal_bss
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!libipw_device

Additional information: This is where it comes into play as to whether y'all would be able to help me or if this is out-of-scope. This is for a TryHackMe, so I don't know anything in regards to how the memory dump was compiled and such; I just know that when running the linux.bash.Bash command I could see the version of Ubuntu it was running, so I could then build the symbols file.

PNW-Hacker commented 1 day ago

I have no idea why there are strikeouts in part of the debug, I just copied the entire contents of -vvv

ikelos commented 1 day ago

That's ok, one of the Ubuntu version banners contains the ~ character which GitHub then interprets as the markdown for "start strikethrough". There isn't another one for a while to end it, which is why so much is struck out. Happens often and nothing to worry about, we're happy reading around it. 5;)


ikelos commented 1 day ago

As to the issue, I don't know how the symbols were constructed, as symbol_maker isn't an official tool. That means it may produce an incomplete ISF which could cause problems (as I say, I don't know how it does it; it might be fine but I've no way of telling). Lastly, I don't think --dump takes a parameter; it just outputs all files in the output to the dump directory (which can be set as a volatility-wide value with vol.py -O directory <normal vol options> <plugin> <plugin options>). So if you're looking explicitly for a file called passwd.txt, it probably won't be there.


gcmoreira commented 1 day ago

Hey @PNW-Hacker,

On the one hand, the CachedPages field, as follows, shows 0 pages, meaning that no pages are currently stored in the Page Cache for the /etc/passwd inode.

$ python3 ./vol.py \
    -r pretty -f ~/Downloads/linux.mem \
    linux.pagecache.Files --find /etc/passwd
Volatility 3 Framework 2.11.0
  | SuperblockAddr | MountPoint | Device | InodeNum |      InodeAddr | FileType | InodePages | CachedPages |   FileMode |                     AccessTime |               ModificationTime |                     ChangeTime |    FilePath
* | 0x890488cd3000 |          / |  253:0 |   525877 | 0x89049a298dc0 |      REG |          1 |           0 | -rw-r--r-- | 2023-11-07 03:28:59.412000 UTC | 2023-11-07 03:28:59.404000 UTC | 2023-11-07 03:28:59.408000 UTC | /etc/passwd

Also, as you can see below, the plugin doesn't produce any backtrace like the one shown in your output, confirming my suspicion that the tool you're using isn't generating the ISF correctly.

$ python3 ./vol.py \
    -f ~/Downloads/linux.mem \
    linux.pagecache.InodePages --find /etc/passwd
Volatility 3 Framework 2.11.0
PageVAddr       PagePAddr       MappingAddr     Index   DumpSafe        Flags

On the other hand, for the /home/paco/pkexecc file inode, 5 out of 5 pages are in the Page Cache.

$ python3 ./vol.py \
    -r pretty \
    -f ~/Downloads/linux.mem \
    linux.pagecache.Files --find /home/paco/pkexecc
Volatility 3 Framework 2.11.0
  | SuperblockAddr | MountPoint | Device | InodeNum |      InodeAddr | FileType | InodePages | CachedPages |   FileMode |                     AccessTime |               ModificationTime |                     ChangeTime |           FilePath
* | 0x890488cd3000 |          / |  253:0 |   655377 | 0x8903b2364120 |      REG |          5 |           5 | -rwxrwxr-x | 2023-11-07 03:50:17.239537 UTC | 2023-11-07 03:50:11.215537 UTC | 2023-11-07 03:50:11.215537 UTC | /home/paco/pkexecc

This allows you to recover the entire file content.

$ python3 ./vol.py \
    -r pretty \
    -f ~/Downloads/linux.mem \
    linux.pagecache.InodePages --find /home/paco/pkexecc --dump pkexecc
Volatility 3 Framework 2.11.0
  |      PageVAddr |  PagePAddr |    MappingAddr | Index | DumpSafe |                                                Flags
* | 0xf3b3c0bf7c80 | 0x2fdf2000 | 0x8903b2364298 |     0 |     True | lru,private,referenced,slob_free,uptodate,workingset
* | 0xf3b3c0bf7cc0 | 0x2fdf3000 | 0x8903b2364298 |     1 |     True | lru,private,referenced,slob_free,uptodate,workingset
* | 0xf3b3c0bf7d00 | 0x2fdf4000 | 0x8903b2364298 |     2 |     True | lru,private,referenced,slob_free,uptodate,workingset
* | 0xf3b3c0bf7d40 | 0x2fdf5000 | 0x8903b2364298 |     3 |     True | lru,private,referenced,slob_free,uptodate,workingset
* | 0xf3b3c0bf7d80 | 0x2fdf6000 | 0x8903b2364298 |     4 |     True |                       lru,private,slob_free,uptodate

$ file pkexecc 
pkexecc: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=fd9f21bc0e05318396f2737a7a74c5ca659f3347, for GNU/Linux 3.2.0, not stripped

Please read "Steps for constructing a new kernel ISF JSON file" in https://volatility3.readthedocs.io/en/latest/symbol-tables.html

In your case, you could have used, for example:

$ ~/dwarf2json_git/dwarf2json linux --elf ./vmlinux-5.4.0-166-generic > [your_volatility3_path]/volatility3/symbols/Ubuntu_5.4.0-166-focal-20.04.json
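
The point gcmoreira makes above is the one worth automating when triaging a dump: an inode with CachedPages of 0 yields an empty InodePages listing because nothing is resident, not because the plugin failed, while a partially cached inode dumps with gaps. The Python helper below is an added example written for this thread; it is not part of volatility3 and not code from anyone in the issue. It parses the `-r pretty` tables quoted above (the two linux.pagecache.Files rows and the pkexecc InodePages rows are copied from the thread as sample input) plus a constructed, hypothetical degraded listing (page index 2 evicted, index 4 not DumpSafe), and reports whether a file is fully recoverable before you bother dumping it. Function names are my own.

```python
"""Triage helper for Volatility 3 linux.pagecache output.
Added example, not part of volatility3; parses `-r pretty` tables and reports
whether an inode's content can actually be recovered from the page cache."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the two linux.pagecache.Files rows quoted in the
# thread (values copied from it), preceded by the framework banner line.
FILES_OUTPUT = """\
Volatility 3 Framework 2.11.0
  | SuperblockAddr | MountPoint | Device | InodeNum |      InodeAddr | FileType | InodePages | CachedPages |   FileMode |                     AccessTime |               ModificationTime |                     ChangeTime |    FilePath
* | 0x890488cd3000 |          / |  253:0 |   525877 | 0x89049a298dc0 |      REG |          1 |           0 | -rw-r--r-- | 2023-11-07 03:28:59.412000 UTC | 2023-11-07 03:28:59.404000 UTC | 2023-11-07 03:28:59.408000 UTC | /etc/passwd
* | 0x890488cd3000 |          / |  253:0 |   655377 | 0x8903b2364120 |      REG |          5 |           5 | -rwxrwxr-x | 2023-11-07 03:50:17.239537 UTC | 2023-11-07 03:50:11.215537 UTC | 2023-11-07 03:50:11.215537 UTC | /home/paco/pkexecc
"""

# Constructed sample input: the InodePages listing for /home/paco/pkexecc as
# shown in the thread (all five pages resident and DumpSafe).
PKEXECC_PAGES = """\
  |      PageVAddr |  PagePAddr |    MappingAddr | Index | DumpSafe |                                                Flags
* | 0xf3b3c0bf7c80 | 0x2fdf2000 | 0x8903b2364298 |     0 |     True | lru,private,referenced,slob_free,uptodate,workingset
* | 0xf3b3c0bf7cc0 | 0x2fdf3000 | 0x8903b2364298 |     1 |     True | lru,private,referenced,slob_free,uptodate,workingset
* | 0xf3b3c0bf7d00 | 0x2fdf4000 | 0x8903b2364298 |     2 |     True | lru,private,referenced,slob_free,uptodate,workingset
* | 0xf3b3c0bf7d40 | 0x2fdf5000 | 0x8903b2364298 |     3 |     True | lru,private,referenced,slob_free,uptodate,workingset
* | 0xf3b3c0bf7d80 | 0x2fdf6000 | 0x8903b2364298 |     4 |     True |                       lru,private,slob_free,uptodate
"""

# Constructed, hypothetical degraded listing (not from the thread): index 2 was
# evicted from the page cache and index 4 is reported as not safe to dump.
DEGRADED_PAGES = """\
  |      PageVAddr |  PagePAddr |    MappingAddr | Index | DumpSafe |        Flags
* | 0xf3b3c0bf7c80 | 0x2fdf2000 | 0x8903b2364298 |     0 |     True | lru,uptodate
* | 0xf3b3c0bf7cc0 | 0x2fdf3000 | 0x8903b2364298 |     1 |     True | lru,uptodate
* | 0xf3b3c0bf7d40 | 0x2fdf5000 | 0x8903b2364298 |     3 |     True | lru,uptodate
* | 0xf3b3c0bf7d80 | 0x2fdf6000 | 0x8903b2364298 |     4 |    False |          lru
"""


def parse_pretty_table(text: str) -> List[Dict[str, str]]:
    """Turn a `-r pretty` table into row dicts keyed by column name.
    The first cell of every line is the tree marker (`*` on data rows, blank on
    the header) and is dropped; lines without `|` (banner, blanks) are skipped."""
    header: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        cells = [c.strip() for c in line.split("|")][1:]
        if not header:
            header = cells
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
        else:
            raise ValueError(f"column count mismatch in row: {line!r}")
    return rows


@dataclass
class CacheVerdict:
    path: str
    inode: int
    total_pages: int   # InodePages column: pages the file occupies
    cached_pages: int  # CachedPages column: pages resident in the page cache

    @property
    def status(self) -> str:
        # not-resident: nothing to dump (and no plugin bug); partial: the dump
        # would have holes; complete: every page of the inode is in memory.
        if self.cached_pages == 0:
            return "not-resident"
        if self.cached_pages < self.total_pages:
            return "partial"
        return "complete"


def triage_files(files_table: str) -> List[CacheVerdict]:
    """One verdict per regular file in a linux.pagecache.Files listing."""
    return [
        CacheVerdict(path=row["FilePath"], inode=int(row["InodeNum"]),
                     total_pages=int(row["InodePages"]),
                     cached_pages=int(row["CachedPages"]))
        for row in parse_pretty_table(files_table) if row["FileType"] == "REG"
    ]


def check_inode_pages(pages_table: str, expected_pages: int) -> Dict[str, object]:
    """Audit one inode's InodePages listing: which page indexes are present,
    which are missing (bytes that cannot come from memory) and which are not
    DumpSafe. `expected_pages` is the InodePages value from the Files plugin."""
    rows = parse_pretty_table(pages_table)
    present = sorted(int(r["Index"]) for r in rows)
    unsafe = sorted(int(r["Index"]) for r in rows if r["DumpSafe"] != "True")
    missing = sorted(set(range(expected_pages)) - set(present))
    return {"present": present, "missing": missing, "unsafe": unsafe,
            "recoverable": not missing and not unsafe}


if __name__ == "__main__":
    for v in triage_files(FILES_OUTPUT):
        print(f"{v.path}: {v.cached_pages}/{v.total_pages} pages cached -> {v.status}")
    for name, table in (("pkexecc", PKEXECC_PAGES), ("degraded", DEGRADED_PAGES)):
        print(name, check_inode_pages(table, 5))
```

Run linux.pagecache.Files first and feed its output to triage_files; only files whose status is "complete" are worth dumping with InodePages and comparing against a known-good hash (as the write-up mentioned above does with md5sum). For a "partial" file, check_inode_pages tells you which page indexes never came from memory, so a hash mismatch on the dumped copy is expected rather than a sign of a broken symbol table.
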

gcmoreira commented 1 day ago

@ikelos please close this issue, not a bug.

ikelos commented 1 day ago

@PNW-Hacker, as mentioned, symbol_maker is a tool we don't have much (any) experience with and it appears not to produce suitable symbol tables. There doesn't appear to be a bug in the plugins; hopefully the discussion has given you some direction to follow. If you feel there is still an underlying bug, feel free to reopen this and explain what specific change you think is necessary...