I'm trying to use volatility3 to examine a Linux image I created with LiME. I run the following command and get the errors below... (I downloaded the linux.zip symbol file from the volatility repository and also placed it in /volatility/symbols)
I also tried creating my own json file using
./dwarf2json linux --system-map /boot/System.map-5.9.0-kali1-amd64 > kali.json
Please help. Thanks.
python3 vol.py -vvvvvvv -f /Linux64.mem linux.pslist.PsList
Volatility 3 Framework 2.0.0
INFO root : Volatility plugins path: ['/home/user/apps/volatility3/volatility/plugins', '/home/user/apps/volatility3/volatility/framework/plugins']
INFO root : Volatility symbols path: ['/home/user/apps/volatility3/volatility/symbols', '/home/user/apps/volatility3/volatility/framework/symbols']
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/plugins, /home/user/apps/volatility3/volatility/framework/plugins
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/automagic
Level 7 root : Cache directory used: /home/user/.cache/volatility3
INFO volatility.framework.automagic: Detected a linux category plugin
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
INFO volatility.framework.automagic: Running automagic: ConstructionMagic
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.vmlinux
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 6 volatility.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
INFO volatility.framework.automagic: Running automagic: LinuxBannerCache
Level 6 volatility.framework.symbols.intermed: Searching for symbols in /home/user/apps/volatility3/volatility/symbols, /home/user/apps/volatility3/volatility/framework/symbols
INFO volatility.framework.automagic.symbol_cache: Building linux caches...
Level 7 volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
INFO volatility.framework.automagic: Running automagic: LayerStacker
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 8 volatility.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility.framework.layers.elf: Exception: Bad magic 0x4c694d45 at file offset 0x0
Level 8 volatility.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility.framework.automagic.stacker: Stacked LimeLayer using LimeStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8 volatility.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG volatility.framework.automagic.linux: No suitable linux banner could be matched
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: TypeError - Layer is not the required Architecture: LimeLayer
Level 9 volatility.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG volatility.framework.automagic.stacker: Stacked layers: ['LimeLayer', 'FileLayer']
INFO volatility.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Unsatisfied requirement plugins.PsList.primary: Memory layer for the kernel
Unsatisfied requirement plugins.PsList.vmlinux: Linux kernel symbols
A symbol table requirement was not fulfilled. Please verify that:
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
A translation layer requirement was not fulfilled. Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The necessary symbols are present and identified by volatility
Unable to validate the plugin requirements: ['plugins.PsList.primary', 'plugins.PsList.vmlinux']
Answer
After a lot of research, I managed to find bits and pieces that helped me resolve the problem above. Tips for running volatility3 successfully on Ubuntu or Kali:
- Download the correct kernel debug symbols (sudo apt install linux-image-xxxx-dbg) (usually located at /usr/lib/debug/boot/vmlinux-xxx, an ELF file)
- Download and use dwarf2json from the Volatility GitHub repository
- Convert System.map-xxx (found in /usr/lib/debug/boot) and vmlinux (as above) to a json file using the command dwarf2json linux --elf vmlinux-xxx --system-map System.map-xxx | xz -c > output.json.xz
- Place the output.json.xz file in the volatility3/volatility/symbols, volatility3/volatility/symbols/linux and volatility3/volatility/framework/symbols directories.
- Run the command python3.x vol.py -f /linux.image linux.pslist.PsList (plugin)
- If unsuccessful, try vol.py --clear-cache
- Consider using avml (Microsoft's memory capture binary, available for Linux) to obtain a memory image
- Lastly, make sure all volatility dependencies are met (pycrypto, yara, etc.)
- NB: Windows memory dumps work fine out of the box
The above should resolve most volatility3 problems; tested on Ubuntu (Focal Fossa) and Kali-2020.4
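The two lines in the question's log that actually explain the failure are "Bad magic 0x4c694d45" (the file is a LiME dump, not an ELF core, which is why Elf64Stacker gives up and LimeStacker then succeeds) and "No suitable linux banner could be matched" (no ISF file in the symbols directories carries the same "Linux version ..." banner as the dump). The following POSIX shell script is an added example, not code from the question, the answer, or the Volatility project. It checks both points before vol.py is run: it confirms the LiME header, pulls the banner out of the dump, pulls the banner out of a dwarf2json ISF file, and compares them. It assumes the ISF layout dwarf2json emits (the banner stored base64-encoded under symbols.linux_banner.constant_data); the script name check_banner.sh and every banner string and file below are constructed placeholders, not data from a real kernel.

```shell
#!/bin/sh
# Added example (not from the question or answer): pre-flight checks for a
# LiME dump and a dwarf2json ISF file before running vol.py.
# Assumption: the ISF stores the banner as base64 under
# symbols.linux_banner.constant_data, as dwarf2json writes it.
# All banners and files produced by make_samples are constructed test data.

set -eu
export LC_ALL=C   # byte-wise matching on binary input

# LiME writes its header magic 0x4C694D45 little-endian, so the dump starts
# with the bytes "EMiL". Elf64Stacker reporting "Bad magic 0x4c694d45" is
# therefore expected; LimeStacker claims the file on the next attempt.
is_lime_image() {
    [ "$(head -c 4 "$1")" = "EMiL" ]
}

# First "Linux version ..." string in the raw dump. This is the value that
# LinuxBannerCache / LinuxSymbolFinder must find in some ISF file.
image_banner() {
    grep -a -o -m1 'Linux version [[:print:]]*' "$1"
}

# Banner embedded in an (uncompressed) ISF JSON: take the first constant_data
# after the linux_banner key, base64-decode it and normalize it exactly like
# the dump's banner so the two strings are directly comparable.
isf_banner() {
    tr -d '\n' < "$1" \
        | sed -n 's/.*"linux_banner"//p' \
        | grep -o '"constant_data":[[:space:]]*"[^"]*"' \
        | head -n 1 \
        | sed 's/.*"\([^"]*\)"$/\1/' \
        | base64 -d \
        | grep -a -o -m1 'Linux version [[:print:]]*'
}

# Exit status 0 when dump and ISF carry the same banner, 1 otherwise.
banner_matches() {
    [ "$(image_banner "$1")" = "$(isf_banner "$2")" ]
}

# Write a minimal ISF fragment (constructed layout) carrying the given banner.
write_isf() {
    b64=$(printf '%s\n' "$2" | base64 | tr -d '\n')
    printf '{"symbols":{"linux_banner":{"type":{"kind":"array","subtype":{"kind":"base","name":"char"}},"address":0,"constant_data":"%s"}}}' "$b64" > "$1"
}

# Constructed samples: a fake LiME dump plus a matching and a non-matching ISF
# fragment, written to a temp directory whose path is printed.
make_samples() {
    dir=$(mktemp -d)
    good='Linux version 5.9.0-kali1-amd64 (builder@example.invalid) (gcc 10.2.0) #1 SMP constructed-sample'
    other='Linux version 5.4.0-generic (builder@example.invalid) (gcc 9.3.0) #1 SMP constructed-sample'
    { printf 'EMiL'; head -c 64 /dev/zero; printf '%s\n' "$good"; head -c 64 /dev/zero; } > "$dir/lime.mem"
    write_isf "$dir/good.json" "$good"
    write_isf "$dir/wrong.json" "$other"
    printf '%s\n' "$dir"
}

# Stand-alone usage: sh check_banner.sh <dump> <isf.json>  (decompress a
# .json.xz first with "xz -dk"). Without arguments it uses the samples.
if [ "$#" -ne 2 ]; then
    dir=$(make_samples)
    set -- "$dir/lime.mem" "$dir/good.json"
fi
if is_lime_image "$1"; then echo "LiME header present in $1"; else echo "no LiME header in $1 (raw or ELF image?)"; fi
echo "dump banner: $(image_banner "$1")"
echo "ISF banner:  $(isf_banner "$2")"
if banner_matches "$1" "$2"; then
    echo "MATCH: vol.py should be able to use this ISF"
else
    echo "MISMATCH: expect 'No suitable linux banner could be matched'"
fi
```

If the banners differ, the fix is the one the answer gives: build the ISF from the debug vmlinux and System.map of the exact kernel that was running when LiME captured the dump, drop it into the symbols directory, and run vol.py --clear-cache so the stale banner cache is rebuilt.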