volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

unable to validate the plugin requirements #715

Closed lic-8 closed 1 year ago

lic-8 commented 2 years ago

I dumped the memory of my 32 GB Linux machine using LiME and tried to analyze it with vol.py, and here is the error:

user@hp-workstation:~/Documents/volatility3$ python3.7 vol.py -vvv -f ~/LiME/my_machine.mem linux.bash.Bash
Volatility 3 Framework 2.0.3
INFO     volatility3.cli: Volatility plugins path: ['/home/user/Documents/volatility3/volatility3/plugins', '/home/user/Documents/volatility3/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/user/Documents/volatility3/volatility3/symbols', '/home/user/Documents/volatility3/volatility3/framework/symbols']
INFO     volatility3.framework.automagic: Detected a linux category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Bash.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Bash.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash
INFO     volatility3.framework.automagic: Running automagic: SymbolBannerCache
INFO     volatility3.framework.automagic: Running automagic: LinuxBannerCache
INFO     volatility3.framework.automagic.symbol_cache: Building linux caches...
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel
INFO     volatility3.framework.automagic.linux: No Linux banners found - if this is a linux plugin, please check your symbol files location
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: LimeLayer
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['LimeLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Bash.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel

Unsatisfied requirement plugins.Bash.kernel: Linux kernel
Unable to validate the plugin requirements: ['plugins.Bash.kernel']

I am currently unable to determine the cause of this problem; I would really appreciate the help of a kind person, please :)

ikelos commented 2 years ago

Hiya,

This line: DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['LimeLayer', 'FileLayer'] shows you that it was able to find the LiME layer, but not the Intel layer that should have been on top of it. Linux does things in a slightly different order to Windows. Windows finds the DTB using a Windows-specific trick, and then locates the version of the OS. Linux looks for the kernel banner to determine the OS version, and then figures out the DTB from the OS-specific symbols.

In this case the LinuxSymbolFinder runs but doesn't report finding a kernel that you have symbols for, so you'll need to identify the kernel using the banners plugin, then get the symbols ISF JSON file and install it so that the isfinfo plugin lists exactly the same value as you got out of banners; then you should have more luck running the plugins.

I think the error message has been slightly improved in a relatively recent commit, but essentially, it's a lack of the appropriate JSON file. See https://volatility3.readthedocs.io/en/latest/symbol-tables.html#mac-linux-symbol-tables for more details.

Please let us know how you get on, so we can close this issue off. I'm going to mark it as awaiting a reply until then... 5:)

lic-8 commented 2 years ago

Thank you for this fast answer! If I understand correctly (it is possible that I don't), I can fix this issue by downloading all the symbol tables for Linux locally and putting them in the symbols/ folder? This is what I did for Windows; I have a bunch of .json.xz files locally.

user@hp-workstation:~/Documents/volatility3$ python3.7 vol.py -f ~/LiME/my_machine.mem banners
Volatility 3 Framework 2.0.3
Progress:  100.00       PDB scanning finished                  
Offset  Banner

0x2c00001a0 Linux version 5.4.0-105-generic (buildd@ubuntu) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #119~18.04.1-Ubuntu SMP Tue Mar 8 11:21:24 UTC 2022 (Ubuntu 5.4.0-105.119~18.04.1-generic 5.4.174)
0x7fd0cf850 Linux version 5.4.0-105-generic (buildd@ubuntu) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #119~18.04.1-Ubuntu SMP Tue Mar 8 11:21:24 UTC 2022 (Ubuntu 5.4.0-105.119~18.04.1-generic 5.4.174)

ikelos commented 2 years ago

Hehehe, no problem.

Yes, you need to get the JSON ISF file for exactly this kernel:

Linux version 5.4.0-105-generic (buildd@ubuntu) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #119~18.04.1-Ubuntu SMP Tue Mar 8 11:21:24 UTC 2022 (Ubuntu 5.4.0-105.119~18.04.1-generic 5.4.174)

You can see whether it's already up on the community project which houses a bunch of Linux/Mac JSON files: https://isf-server.techanarchy.net/; otherwise you'll need to create them yourself (the documentation link above should direct you somewhat on doing that).

Once you've got the JSON file it'll need to live under symbols/linux to work (there's a pull request in to change that so all JSON files regardless of OS are found anywhere under the symbols directory, but for now it needs to be under linux specifically).
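As an added example (not code from this issue or from the Volatility project), a small Python checker for the step ikelos describes: it walks a symbols directory, reads each .json / .json.xz ISF file, pulls the base64 constant_data of the linux_banner symbol that ISF files carry, and reports which files match the banner printed by the banners plugin exactly. The symbols tree it scans is constructed in a temporary directory, with one matching kernel and one near miss; demo() returns the names of the matching files.

```python
import base64
import json
import lzma
import tempfile
from pathlib import Path
from typing import List, Optional

# Banner exactly as the banners plugin printed it for the image in this issue.
MEMORY_BANNER = ("Linux version 5.4.0-105-generic (buildd@ubuntu) (gcc version 7.5.0 "
                 "(Ubuntu 7.5.0-3ubuntu1~18.04)) #119~18.04.1-Ubuntu SMP Tue Mar 8 "
                 "11:21:24 UTC 2022 (Ubuntu 5.4.0-105.119~18.04.1-generic 5.4.174)")

def isf_banner(path: Path) -> Optional[str]:
    """Banner stored in an ISF JSON (.json or .json.xz) as the base64
    constant_data of linux_banner; None when the file has none."""
    opener = lzma.open if path.suffix == ".xz" else open
    with opener(path, "rb") as fh:
        entry = json.load(fh).get("symbols", {}).get("linux_banner", {})
    if "constant_data" not in entry:
        return None
    # The in-kernel string ends in a newline plus NUL padding; strip both.
    return base64.b64decode(entry["constant_data"]).rstrip(b"\x00").decode().strip()

def find_matching_isf(symbols_dir: Path, banner: str) -> List[Path]:
    """ISF files under symbols_dir whose banner equals `banner` exactly."""
    matches = []
    for path in sorted(symbols_dir.rglob("*.json*")):
        if path.suffix not in (".json", ".xz"):
            continue
        try:
            if isf_banner(path) == banner.strip():
                matches.append(path)
        except (OSError, ValueError, lzma.LZMAError):
            continue  # unreadable or malformed file: not a usable candidate
    return matches

def make_isf(path: Path, banner: str) -> None:
    """Write a constructed ISF stub holding only linux_banner (xz if .xz)."""
    blob = base64.b64encode(banner.encode() + b"\n\x00").decode()
    payload = json.dumps({"symbols": {"linux_banner": {"constant_data": blob}}}).encode()
    path.write_bytes(lzma.compress(payload) if path.suffix == ".xz" else payload)

def demo() -> List[str]:
    """Constructed symbols tree: the matching kernel (compressed) plus a near miss."""
    with tempfile.TemporaryDirectory() as tmp:
        linux = Path(tmp) / "linux"
        linux.mkdir()
        make_isf(linux / "5.4.0-105-generic.json.xz", MEMORY_BANNER)
        make_isf(linux / "5.4.0-104-generic.json", MEMORY_BANNER.replace("105", "104"))
        return [p.name for p in find_matching_isf(Path(tmp), MEMORY_BANNER)]
```

Pointing find_matching_isf at a real volatility3/symbols directory with the banner from banners tells you, before running any plugin, whether the LinuxSymbolFinder has anything it can match.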

lic-8 commented 2 years ago

Do you know where I can download every known symbol pack (Windows/Linux/Mac) at once? I'm working on an automation tool for Volatility and I really need them.

ikelos commented 2 years ago

Since every Linux kernel can be custom compiled, there is no pack to get them all. For Mac there's only a specific number of kernels, but we don't update the pack that often since it's somewhat time-consuming. The ISF server mentioned above is a good place to look for JSON files that the community has generated, but as I say, one change in the configuration and the symbols and structures could be off, leading to bad results. That's why we match on the banner exactly and why it's not feasible to provide packs for every OS.

ikelos commented 2 years ago

Slack might be a good place if you've got quick questions, but to answer: there's Linux support but no ARM space support, so it's unlikely you can do a great deal with Android yet.

On Tue, 26 Apr 2022, 15:36 lic-8, @.***> wrote:

Thanks for your reply. By the way, I have another question; it is unrelated to this issue, but I don't want to create an issue for that. Can vol3 perform Android analysis as easily as vol 2?


ikelos commented 1 year ago

I think this question has been answered, and isn't a commonly repeating question, so I'm going to mark it off as closed. Please feel free to reopen if you feel there's more that can be added to this.