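I am trying to use volatility3 to examine a Linux image that I created using LiME. I run the following command but get an error. (I downloaded the linux.zip symbol file from the volatility repository and placed it in /volatility/symbols.)
I also tried creating my own JSON file using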
./dwarf2json linux --system-map /boot/System.map-5.9.0-kali1-amd64 > kali.json
Please help. Thank you.
python3 vol.py -vvvvvvv -f /Linux64.mem linux.pslist.PsList
Volatility 3 Framework 2.0.0
INFO root : Volatility plugins path: ['/home/user/apps/volatility3/volatility/plugins', '/home/user/apps/volatility3/volatility/framework/plugins']
INFO root : Volatility symbols path: ['/home/user/apps/volatility3/volatility/symbols', '/home/user/apps/volatility3/volatility/framework/symbols']
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/plugins, /home/user/apps/volatility3/volatility/framework/plugins
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/automagic
Level 7 root : Cache directory used: /home/user/.cache/volatility3
INFO volatility.framework.automagic: Detected a linux category plugin
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
INFO volatility.framework.automagic: Running automagic: ConstructionMagic
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.vmlinux
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 6 volatility.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
INFO volatility.framework.automagic: Running automagic: LinuxBannerCache
Level 6 volatility.framework.symbols.intermed: Searching for symbols in /home/user/apps/volatility3/volatility/symbols, /home/user/apps/volatility3/volatility/framework/symbols
INFO volatility.framework.automagic.symbol_cache: Building linux caches...
Level 7 volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
INFO volatility.framework.automagic: Running automagic: LayerStacker
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 8 volatility.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility.framework.layers.elf: Exception: Bad magic 0x4c694d45 at file offset 0x0
Level 8 volatility.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility.framework.automagic.stacker: Stacked LimeLayer using LimeStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8 volatility.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG volatility.framework.automagic.linux: No suitable linux banner could be matched
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: TypeError - Layer is not the required Architecture: LimeLayer
Level 9 volatility.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG volatility.framework.automagic.stacker: Stacked layers: ['LimeLayer', 'FileLayer']
INFO volatility.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Unsatisfied requirement plugins.PsList.primary: Memory layer for the kernel
Unsatisfied requirement plugins.PsList.vmlinux: Linux kernel symbols
A symbol table requirement was not fulfilled. Please verify that:
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
A translation layer requirement was not fulfilled. Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The necessary symbols are present and identified by volatility
Unable to validate the plugin requirements: ['plugins.PsList.primary', 'plugins.PsList.vmlinux']
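Answer 1
After a lot of digging, I managed to find bits and pieces that helped me solve the above problem. Tips for successfully running volatility3 on Ubuntu or Kali:
- Download the correct kernel debug symbols (sudo apt install linux-image-xxxx-dbg), usually located at /usr/lib/debug/boot/vmlinux-xxx (ELF file)
- Download and use dwarf2json from the Volatility GitHub repository
- Convert System.map-xxx (found in /usr/lib/debug/boot) and vmlinux (as described above) to a JSON file using the command: dwarf2json linux --elf vmlinux-xxx --system-map System.map-xxx | xz -c > output.json.xz
- Place the output.json.xz file in the volatility3/volatility/symbols, volatility3/volatility/symbols/linux and volatility3/volatility/framework/symbols directories
- Run the command python3.x vol.py -f /linux.image linux.pslist.PsList (the plugin)
- If unsuccessful, try vol.py --clear-cache
- Consider using avml (Microsoft's memory acquisition binary for Linux) to obtain the memory image
- Finally, make sure all of volatility's dependencies are satisfied (pycrypto, yara, etc.)
- Note that Windows memory dumps work fine out of the box
The above should resolve most issues with volatility3; tested on Ubuntu (Focal Fossa) and Kali-2020.4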
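The log in the question ends with "No suitable linux banner could be matched", so a useful pre-check is whether the banner stored in a symbol file actually occurs in the LiME image. The following is an added example, not part of the original post or of Volatility: it assumes the symbol file keeps the banner as base64 under symbols.linux_banner.constant_data, and all sample data is constructed.

```python
import base64, json, lzma, re, struct

LIME_MAGIC = 0x4C694D45                 # the value Elf64Stacker reports as "Bad magic"
LIME_HDR = struct.Struct("<IIQQ8s")     # magic, version, s_addr, e_addr, reserved
BANNER_RE = re.compile(rb"Linux version \d[ -~]*\n")

def lime_ranges(image):
    """Return [(s_addr, e_addr, payload_offset)] for every LiME range header."""
    ranges, off = [], 0
    while off + LIME_HDR.size <= len(image):
        magic, _ver, s_addr, e_addr, _ = LIME_HDR.unpack_from(image, off)
        if magic != LIME_MAGIC or e_addr < s_addr:
            raise ValueError(f"bad LiME header at offset {off:#x}")
        off += LIME_HDR.size
        ranges.append((s_addr, e_addr, off))
        off += e_addr - s_addr + 1      # e_addr is inclusive
    return ranges

def image_banners(image):
    found = set()                       # kernel banners seen inside captured ranges
    for s_addr, e_addr, off in lime_ranges(image):
        found.update(BANNER_RE.findall(image[off:off + e_addr - s_addr + 1]))
    return found

def isf_banner(raw):
    """Banner stored in a symbol file (.json or .json.xz), or None if absent."""
    if raw[:6] == b"\xfd7zXZ\x00":      # xz container magic
        raw = lzma.decompress(raw)
    entry = json.loads(raw).get("symbols", {}).get("linux_banner", {})
    data = entry.get("constant_data")   # assumed: base64 of the banner bytes
    return base64.b64decode(data).rstrip(b"\x00") if data else None

def symbols_match(image, raw_isf):
    banner = isf_banner(raw_isf)
    return banner is not None and banner in image_banners(image)

def constructed_sample():
    """Constructed data: one-range LiME image, matching ISF, banner-less ISF."""
    banner = b"Linux version 5.9.0-example (constructed) #1 SMP\n"
    payload = bytes(64) + banner + bytes(32)
    hdr = LIME_HDR.pack(LIME_MAGIC, 1, 0x1000, 0x1000 + len(payload) - 1, bytes(8))
    sym = {"linux_banner": {"address": 0,
                            "constant_data": base64.b64encode(banner + b"\0").decode()}}
    good = lzma.compress(json.dumps({"symbols": sym}).encode())
    no_banner = json.dumps({"symbols": {"init_task": {"address": 0}}}).encode()
    return hdr + payload, good, no_banner

if __name__ == "__main__":
    image, good, no_banner = constructed_sample()
    print(symbols_match(image, good), symbols_match(image, no_banner))
```

For a real multi-gigabyte capture, read the image range by range instead of loading it into memory in one piece.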