Custom Linux kernel: Unable to validate the plugin requirements when a custom profile has been created and detected. #1090
Comments
Hi, it looks like you've done everything correctly that I can see, but vol can't work out the intel layer. When you made that memory sample, what tool did you use? Is it only pstree that doesn't work? I'd assume pslist etc. also don't work?
Hi, thanks for your fast response! The dump is made using the qemu monitor command
Hello @nathan-out, may I suggest trying the qemu command
Any luck @nathan-out?
Hello, I'm currently very busy; I will continue my investigation next week, sorry for the delay.
No worries at all, just shout if you get any more problems.
@Abyss-W4tcher I have both kernel.elf made with
Could you try running with
Here is the output, volatility was run on
Relevant part seems to be:
The symbol type might be missing. Can you please try to generate another ISF, by omitting the System.map file: ./dwarf2json --elf vmlinux > output.json
Temporarily move out your existing ISF from the Volatility3 symbols directory, and run Volatility3 with
Here it is:
Ok, this did not solve the issue. The raised error comes from here
The problem might come from the vmlinux not containing the correct things, although
The kernel creator will answer your question and join the issue.
Hi! I am the kernel builder: this kernel is not an Ubuntu release, but a Linux kernel built in minimal mode, so I deactivated the network. That is why the inet_sock symbol is not present. Is there any way to do without this symbol? This symbol is only useful for some functionalities related to the network.
Hi @aiglematth, you can try patching the Volatility installation here with: self.optional_set_type_class("inet_sock", extensions.inet_sock)
See https://github.com/volatilityfoundation/volatility3/blob/develop/volatility3/framework/symbols/linux/__init__.py#L51 for reference.
Just a small note, it may be obvious, but without
I still have the same issue:
Here is the code I patched:
self.optional_set_type_class("inet_sock", extensions.inet_sock)
self.optional_set_type_class("vsock_sock", extensions.vsock_sock)
self.optional_set_type_class("packet_sock", extensions.packet_sock)
self.optional_set_type_class("bt_sock", extensions.bt_sock)
self.optional_set_type_class("xdp_sock", extensions.xdp_sock)
I also tried to comment out all these lines; it's still not working. With @aiglematth we tried to build a vol2 profile, but any plugin seems to work. It seems @aiglematth has to build a correct Linux kernel (according to Vol). Or Vol should parse all the optional modules before starting.
You now have:
Is the correct symbol file still present inside the Volatility3 Linux symbols directory? You can compare
There is an additional char at the end of
For
Is the exact same timestamp required?
Yes, the whole string must match exactly, no parsing of the version occurs.
Those different timestamps indicate you are analyzing a sample from an older kernel. Each time a kernel is compiled, even if the source is the same, small differences might occur in the produced debug symbols. You may have created an ISF against a "newer" version of this kernel. If I check your first comment, you should have the correct ISF somewhere though?
Banners and isfinfo fixed manually. Patching with the code above produces this error:
This shouldn't crash, as you have the following patch, if I'm not mistaken?
diff --git a/volatility3/framework/symbols/linux/__init__.py b/volatility3/framework/symbols/linux/__init__.py
index c4e2587f..adf855a5 100644
--- a/volatility3/framework/symbols/linux/__init__.py
+++ b/volatility3/framework/symbols/linux/__init__.py
@@ -45,7 +45,7 @@ class LinuxKernelIntermedSymbols(intermed.IntermediateSymbolTable):
self.set_type_class("net", extensions.net)
self.set_type_class("socket", extensions.socket)
self.set_type_class("sock", extensions.sock)
- self.set_type_class("inet_sock", extensions.inet_sock)
+ self.optional_set_type_class("inet_sock", extensions.inet_sock)
self.set_type_class("unix_sock", extensions.unix_sock)
# Might not exist in older kernels or the current symbols
self.optional_set_type_class("netlink_sock", extensions.netlink_sock)
edit: from what I can see:
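Review bot: the unchanged context line immediately after the edited one, self.set_type_class("unix_sock", extensions.unix_sock), is still a hard requirement, so a kernel built without networking that also lacks unix_sock will keep failing at symbol-table load even with this hunk applied; give unix_sock the same optional_set_type_class treatment in the same hunk, matching the existing "Might not exist in older kernels or the current symbols" comment below it.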
There seems to be something off?
I don't know when that patch made it in, but it might be worth updating to the latest development snapshot rather than 2.5.0?
This is a custom patch, suiting their need for a sample from a Linux kernel without network capabilities. It should rightfully ignore the missing symbol error, as they will most likely not need it in their analysis.
@Abyss-W4tcher Ok, you were right, it works now! I had to fix another line. To fix the issue you have to:
self.set_type_class("inet_sock", extensions.inet_sock)
self.set_type_class("unix_sock", extensions.unix_sock)
into these lines:
self.optional_set_type_class("inet_sock", extensions.inet_sock)
self.optional_set_type_class("unix_sock", extensions.unix_sock)
As future users with the same problem won't read all the messages, I'll summarize the problem. The problem stems from the Volatility assumption that a kernel must have a network module. This was wrong here, as the kernel was really very small, so vol raises an error. To solve this problem, vol needs to be told that the network module is optional. I have several questions regarding this issue. Why this assumption? If it's possible, perhaps Vol should first check the modules built into the kernel and not trigger a fatal error? Thanks all for your help, I really appreciated it :D
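A pre-flight check for the two failure modes this thread ran into (a struct the Linux symbol loader binds unconditionally being absent from the ISF, and a banner string that does not match exactly), added here as an example and not part of Volatility3 or of this issue. It assumes dwarf2json stores the linux_banner bytes base64-encoded under symbols.linux_banner.constant_data, and a constructed minimal ISF stands in for output.json:

```python
import base64
from typing import List, Optional

# Struct names Volatility3's Linux symbol loader binds unconditionally (the
# set_type_class calls quoted in this thread); a kernel built without networking
# lacks inet_sock and unix_sock, which is what made the plugins fail here.
REQUIRED_TYPES = ("net", "socket", "sock", "inet_sock", "unix_sock")


def isf_banner(isf: dict) -> Optional[str]:
    """Kernel banner embedded in an ISF, or None. Assumption: dwarf2json stores
    the linux_banner bytes base64-encoded in symbols.linux_banner.constant_data."""
    sym = isf.get("symbols", {}).get("linux_banner", {})
    if "constant_data" not in sym:
        return None
    raw = base64.b64decode(sym["constant_data"])
    return raw.rstrip(b"\x00\n").decode("utf-8", errors="replace")


def check_isf(isf: dict, dump_banner: str) -> List[str]:
    """Pre-flight an ISF against the banner the `banners` plugin found in the dump.
    Returns human-readable problems; empty means the ISF should load. The banner
    test is plain string equality, as in Volatility3: no version parsing, so a
    different build timestamp is already a mismatch."""
    problems = []
    for name in REQUIRED_TYPES:
        if name not in isf.get("user_types", {}):
            problems.append(f"required struct '{name}' absent: make its "
                            "set_type_class call optional, or rebuild the ISF")
    banner = isf_banner(isf)
    if banner is None:
        problems.append("linux_banner has no constant_data: banner matching cannot work")
    elif banner != dump_banner.rstrip("\x00\n"):
        problems.append(f"banner mismatch:\n  ISF : {banner}\n  dump: {dump_banner.strip()}")
    return problems


# Constructed sample: a minimal ISF for a network-less kernel (no inet_sock).
BANNER = "Linux version 5.0.0 (build@host) (gcc 8.3.0) #1 SMP Mon Jan 1 00:00:00 UTC 2024"
SAMPLE_ISF = {
    "symbols": {"linux_banner": {"address": 0xFFFFFFFF82000000,
                "constant_data": base64.b64encode((BANNER + "\n\x00").encode()).decode()}},
    "user_types": {t: {} for t in ("net", "socket", "sock", "unix_sock", "task_struct")},
}

if __name__ == "__main__":
    for problem in check_isf(SAMPLE_ISF, BANNER + "\n"):
        print("-", problem)
```

Run it against a real output.json by loading the file with json.load and passing the banner line printed by the banners plugin; any "required struct absent" line names exactly the set_type_class call that needs to become optional.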
Vol3 is not able to use a custom symbol file from a custom Linux kernel when I try to run linux.pstree.
Context
Volatility Version: 2.5.0
Operating System: WSL (5.15.133.1-microsoft-standard-WSL2)
Python Version: 3.10
Suspected Operating System: custom Linux kernel v5.0.0 (compiled with debugging symbols)
Command:
python3 volatility3-2.5.0/volatility3-2.5.0/vol.py -f dump.raw linux.pstree
To Reproduce
Steps to reproduce the behavior:
./dwarf2json --elf vmlinux --system-map System.map > output.json
output.json into volatility3/symbols/linux/output.json
python3 volatility3-2.5.0/volatility3-2.5.0/vol.py isfinfo
python3 volatility3-2.5.0/volatility3-2.5.0/vol.py -f dump.raw banners
python3 volatility3-2.5.0/volatility3-2.5.0/vol.py -f dump.raw linux.pstree, then the error described above appears.
Expected behavior
Volatility will run as expected.
Example output
Here are some extracts from the output.json: