LiME を使用して作成した Linux イメージを volatility3 を使用して調べようとしています。エラーが発生している状態で次のコマンドを実行します。(volatility リポジトリから linux.zip シンボル ファイルをダウンロードし、/volatility/symbols に配置しました)
また、独自のjsonファイルを作成しようとしました
./dwarf2json linux --system-map /boot/System.map-5.9.0-kali1-amd64 > kali.json
助けてください。ありがとうございます。
python3 vol.py -vvvvvvv -f /Linux64.mem linux.pslist.PsList 1 ⨯
Volatility 3 Framework 2.0.0
INFO root : Volatility plugins path: ['/home/user/apps/volatility3/volatility/plugins', '/home/user/apps/volatility3/volatility/framework/plugins']
INFO root : Volatility symbols path: ['/home/user/apps/volatility3/volatility/symbols', '/home/user/apps/volatility3/volatility/framework/symbols']
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/plugins, /home/user/apps/volatility3/volatility/framework/plugins
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/automagic
Level 7 root : Cache directory used: /home/user/.cache/volatility3
INFO volatility.framework.automagic: Detected a linux category plugin
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
INFO volatility.framework.automagic: Running automagic: ConstructionMagic
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.vmlinux
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 6 volatility.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
INFO volatility.framework.automagic: Running automagic: LinuxBannerCache
Level 6 volatility.framework.symbols.intermed: Searching for symbols in /home/user/apps/volatility3/volatility/symbols, /home/user/apps/volatility3/volatility/framework/symbols
INFO volatility.framework.automagic.symbol_cache: Building linux caches...
Level 7 volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
INFO volatility.framework.automagic: Running automagic: LayerStacker
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 8 volatility.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility.framework.layers.elf: Exception: Bad magic 0x4c694d45 at file offset 0x0
Level 8 volatility.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility.framework.automagic.stacker: Stacked LimeLayer using LimeStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8 volatility.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG volatility.framework.automagic.linux: No suitable linux banner could be matched
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: TypeError - Layer is not the required Architecture: LimeLayer
Level 9 volatility.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG volatility.framework.automagic.stacker: Stacked layers: ['LimeLayer', 'FileLayer']
INFO volatility.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Unsatisfied requirement plugins.PsList.primary: Memory layer for the kernel
Unsatisfied requirement plugins.PsList.vmlinux: Linux kernel symbols
A symbol table requirement was not fulfilled. Please verify that:
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
A translation layer requirement was not fulfilled. Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The necessary symbols are present and identified by volatility
Unable to validate the plugin requirements: ['plugins.PsList.primary', 'plugins.PsList.vmlinux']
答え1
いろいろ調べた結果、上記の問題を解決するのに役立つ情報を見つけることができました。Ubuntu または Kali で volatility3 を正常に実行するためのヒント:
- 正しいカーネル デバッグ シンボルをダウンロードします (sudo apt install linux-image-xxxx-dbg) (通常は /usr/lib/debug/boot/vmlinux-xxx (elf ファイル) にあります)
- Volatility githubリポジトリからdwarf2jsonをダウンロードして使用する
- System.map-xxx (/usr/lib/debug/boot 内) と vmlinux (上記) を、コマンド dwarf2json linux --elf vmlinux-xxx --system-map System.map-xxx | xz -c > output.json.xz を使用して json ファイルに変換します。
- output.json.xzファイルをvolatility3/volatility/symbols、volatility3/volatility/symbols/linux、volatility3/volatility/framework/symbolsディレクトリに配置します。
- コマンドpython3.x vol.py -f /linux.image linux.pslist.PsList (プラグイン)を実行します。
- 失敗した場合は、vol.py --clear-cacheを試してください。
- メモリイメージを取得するには、avml(Microsoft メモリキャプチャバイナリ、Linux で利用可能)の使用を検討してください。
- 最後に*ボラティリティのすべての依存関係が満たされていることを確認します(pycrypto、yaraなど)
- 注意:Windowsのメモリダンプはそのままでも問題なく動作します
上記は、Ubuntu (Focal Fossa) と Kali-2020.4 でテストされた volatility3 のほとんどの問題を解決するはずです。