Volatility3 crash on Kali


I am trying to use volatility3 to examine a Linux image created with LiME. I run the following command, which errors out. (I downloaded the linux.zip symbol file from the volatility repository and also placed it in /volatility/symbols.)

I also tried creating my own json file using:

./dwarf2json linux --system-map /boot/System.map-5.9.0-kali1-amd64 > kali.json

Please help. Thank you.

python3 vol.py -vvvvvvv -f /Linux64.mem linux.pslist.PsList
Volatility 3 Framework 2.0.0
INFO     root        : Volatility plugins path: ['/home/user/apps/volatility3/volatility/plugins', '/home/user/apps/volatility3/volatility/framework/plugins']
INFO     root        : Volatility symbols path: ['/home/user/apps/volatility3/volatility/symbols', '/home/user/apps/volatility3/volatility/framework/symbols']
Level 6  volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/plugins, /home/user/apps/volatility3/volatility/framework/plugins
Level 6  volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/automagic
Level 7  root        : Cache directory used: /home/user/.cache/volatility3
INFO     volatility.framework.automagic: Detected a linux category plugin
Level 6  volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
INFO     volatility.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 6  volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 6  volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6  volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 6  volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.vmlinux
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6  volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 6  volatility.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
INFO     volatility.framework.automagic: Running automagic: LinuxBannerCache
Level 6  volatility.framework.symbols.intermed: Searching for symbols in /home/user/apps/volatility3/volatility/symbols, /home/user/apps/volatility3/volatility/framework/symbols
INFO     volatility.framework.automagic.symbol_cache: Building linux caches...
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
INFO     volatility.framework.automagic: Running automagic: LayerStacker
Level 6  volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 8  volatility.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility.framework.layers.elf: Exception: Bad magic 0x4c694d45 at file offset 0x0
Level 8  volatility.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility.framework.automagic.stacker: Stacked LimeLayer using LimeStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8  volatility.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility.framework.automagic.linux: No suitable linux banner could be matched
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility.framework.configuration.requirements: TypeError - Layer is not the required Architecture: LimeLayer
Level 9  volatility.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility.framework.automagic.stacker: Stacked layers: ['LimeLayer', 'FileLayer']
INFO     volatility.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux

Unsatisfied requirement plugins.PsList.primary: Memory layer for the kernel
Unsatisfied requirement plugins.PsList.vmlinux: Linux kernel symbols

A symbol table requirement was not fulfilled.  Please verify that:
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner


A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The necessary symbols are present and identified by volatility
Unable to validate the plugin requirements: ['plugins.PsList.primary', 'plugins.PsList.vmlinux']

Answer 1

After a lot of digging, I was able to find what helped solve the problem above. Tips for running volatility3 successfully on Ubuntu or Kali:

  • Download the correct kernel debug symbols (sudo apt install linux-image-xxxx-dbg); they are usually located at /usr/lib/debug/boot/vmlinux-xxx (an ELF file)
  • Download dwarf2json from the Volatility github repository and use it.
  • Convert System.map-xxx (in /usr/lib/debug/boot) and vmlinux (as above) into a json file with the command dwarf2json linux --elf vmlinux-xxx --system-map System.map-xxx | xz -c > output.json.xz
  • Place the output.json.xz file in the volatility3/volatility/symbols, volatility3/volatility/symbols/linux and volatility3/volatility/framework/symbols directories.
  • Run the command python3.x vol.py -f /linux.image linux.pslist.PsList (plugin).
  • If it fails, try vol.py --clear-cache.
  • Consider using avml (Microsoft's memory capture binary, available for linux) to obtain the memory image.
  • Finally, make sure all dependencies for volatility are met (pycrypto, yara, etc.).
  • NB Windows memory dumps work well out of the box.

The above should solve most problems with volatility3; it was tested on Ubuntu (Focal Fossa) and Kali-2020.4.
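A check for the symbol-matching step in the answer above, added here as an example (not the answer author's code): Volatility 3 pairs an ISF with an image by the kernel banner stored inside the ISF, not by the file name, so this script decodes that banner from a dwarf2json ISF, scans a LiME image for its "Linux version" strings, and reports whether they agree. The ISF and LiME layouts follow the public formats; the sample ISF and image are constructed inline.

```python
import base64
import json
import lzma
import re
import struct
from pathlib import Path

# LiME segment header: magic "EMiL" (0x4C694D45 LE, the "Bad magic" value in the log), version, start, end, reserved.
LIME_HDR = struct.Struct("<IIQQQ")
LIME_MAGIC = 0x4C694D45
BANNER_RE = re.compile(rb"Linux version \S+ [^\x00\n]*")

def load_isf(path):
    """Load a dwarf2json ISF from disk, transparently decompressing .json.xz."""
    raw = Path(path).read_bytes()
    if path.endswith(".xz"):
        raw = lzma.decompress(raw)
    return json.loads(raw)

def make_isf(banner):
    """Minimal ISF-shaped dict with the banner base64-encoded the way dwarf2json does (constructed helper)."""
    encoded = base64.b64encode(banner).decode()
    return {"symbols": {"linux_banner": {"address": 0, "constant_data": encoded}}}

def isf_banner(isf):
    """Banner bytes embedded under symbols.linux_banner.constant_data, without trailing NULs/newline."""
    data = isf["symbols"]["linux_banner"]["constant_data"]
    return base64.b64decode(data).rstrip(b"\x00\n")

def is_lime(image):
    """True if the blob starts with a plausible LiME segment header."""
    if len(image) < LIME_HDR.size:
        return False
    magic, version, start, end, _reserved = LIME_HDR.unpack_from(image, 0)
    return magic == LIME_MAGIC and version == 1 and end > start

def image_banners(image):
    """Every 'Linux version ...' string in the raw bytes (what strings | grep would show)."""
    return {m.group(0) for m in BANNER_RE.finditer(image)}

def banner_matches(isf, image):
    """The condition LinuxSymbolFinder needs; when it fails, vol3 prints
    'No suitable linux banner could be matched' whatever the ISF's file name is."""
    return isf_banner(isf) in image_banners(image)

# Constructed sample data, not a real capture: one LiME segment containing the banner, plus its ISF.
BANNER = b"Linux version 5.9.0-kali1-amd64 (constructed@example) #1 SMP\n"
SAMPLE_ISF = make_isf(BANNER)
SAMPLE_IMAGE = (LIME_HDR.pack(LIME_MAGIC, 1, 0x1000, 0x2000, 0)
                + b"\x00" * 64 + BANNER + b"\x00" * 64)
```

On a real system, call load_isf("output.json.xz") and read the LiME file into bytes; a False from banner_matches means the debug symbols were built for a different kernel than the one that was captured.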
