我正在尝试使用 volatility3 来检查我使用 LiME 创建的 linux 映像,我运行以下命令但出现错误......(我从 volatility repo 下载了 linux.zip 符号文件并将其放在 /volatility/symbols 中)
还尝试使用创建我自己的 json 文件
./dwarf2json linux --system-map /boot/System.map-5.9.0-kali1-amd64 > kali.json
请帮忙。谢谢。
python3 vol.py -vvvvvvv -f /Linux64.mem linux.pslist.PsList 1 ⨯
Volatility 3 Framework 2.0.0
INFO root : Volatility plugins path: ['/home/user/apps/volatility3/volatility/plugins', '/home/user/apps/volatility3/volatility/framework/plugins']
INFO root : Volatility symbols path: ['/home/user/apps/volatility3/volatility/symbols', '/home/user/apps/volatility3/volatility/framework/symbols']
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/plugins, /home/user/apps/volatility3/volatility/framework/plugins
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/automagic
Level 7 root : Cache directory used: /home/user/.cache/volatility3
INFO volatility.framework.automagic: Detected a linux category plugin
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
INFO volatility.framework.automagic: Running automagic: ConstructionMagic
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.vmlinux
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 9 volatility.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 6 volatility.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
INFO volatility.framework.automagic: Running automagic: LinuxBannerCache
Level 6 volatility.framework.symbols.intermed: Searching for symbols in /home/user/apps/volatility3/volatility/symbols, /home/user/apps/volatility3/volatility/framework/symbols
INFO volatility.framework.automagic.symbol_cache: Building linux caches...
Level 7 volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
INFO volatility.framework.automagic: Running automagic: LayerStacker
Level 6 volatility.framework: Importing from the following paths: /home/user/apps/volatility3/volatility/framework/layers
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 8 volatility.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility.framework.layers.elf: Exception: Bad magic 0x4c694d45 at file offset 0x0
Level 8 volatility.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility.framework.automagic.stacker: Stacked LimeLayer using LimeStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8 volatility.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8 volatility.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG volatility.framework.automagic.linux: No suitable linux banner could be matched
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: TypeError - Layer is not the required Architecture: LimeLayer
Level 9 volatility.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG volatility.framework.automagic.stacker: Stacked layers: ['LimeLayer', 'FileLayer']
INFO volatility.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 9 volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9 volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Unsatisfied requirement plugins.PsList.primary: Memory layer for the kernel
Unsatisfied requirement plugins.PsList.vmlinux: Linux kernel symbols
A symbol table requirement was not fulfilled. Please verify that:
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
A translation layer requirement was not fulfilled. Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The necessary symbols are present and identified by volatility
Unable to validate the plugin requirements: ['plugins.PsList.primary', 'plugins.PsList.vmlinux']
答案1
经过大量挖掘,我设法找到了一些能帮助我解决上述问题的点点滴滴。在 Ubuntu 或 Kali 上成功运行 volatility3 的提示:
- 下载正确的内核调试符号(sudo apt install linux-image-xxxx-dbg)(通常位于 /usr/lib/debug/boot/vmlinux-xxx(elf 文件)
- 从 Volatility github 存储库下载并使用 dwarf2json
- 使用命令 dwarf2json linux --elf vmlinux-xxx --system-map System.map-xxx | xz -c > output.json.xz 将 System.map-xxx(位于 /usr/lib/debug/boot)和 vmlinux(如上所述)转换为 json 文件
- 将 output.json.xz 文件放在 volatility3/volatility/symbols、volatility3/volatility/symbols/linux 和 volatility3/volatility/framework/symbols 目录中
- 运行命令 python3.x vol.py -f /linux.image linux.pslist.PsList (插件)
- 如果不成功,请尝试 vol.py --clear-cache
- 考虑使用 avml(微软内存捕获二进制文件,适用于 Linux)来获取内存映像
- 最后*确保满足波动性的所有依赖关系(pycrypto、yara 等)
- 注意:Windows 内存转储开箱即用
以上方法应该可以解决 volatility3 的大多数问题,已在 Ubuntu (Focal Fossa) 和 Kali-2020.4 上进行了测试