Custom Profile not Recognised #521

Closed
ezaspy opened this issue Jun 28, 2021 · 21 comments

Comments

@ezaspy

ezaspy commented Jun 28, 2021

Describe the bug
I have created my own symbol table for Ubuntu 18.04 (5.4.0-42-generic) and imported it using the commands listed below but I get the following error in volatility3 (screenshot also attached):

Volatility 3 Framework 1.0.1
Progress:  100.00		Stacking attempts finished                 
Unsatisfied requirement plugins.PsList.primary: Memory layer for the kernel
Unsatisfied requirement plugins.PsList.vmlinux: Linux kernel symbols

A symbol table requirement was not fulfilled.  Please verify that:
	You have the correct symbol file for the requirement
	The symbol file is under the correct directory or zip file
	The symbol file is named appropriately or contains the correct banner


A translation layer requirement was not fulfilled.  Please verify that:
	A file was provided to create this layer (by -f, --single-location or by config)
	The file exists and is readable
	The necessary symbols are present and identified by volatility3
Unable to validate the plugin requirements: ['plugins.PsList.primary', 'plugins.PsList.vmlinux']

Context
Volatility Version: Volatility 3 Framework 1.0.1
Operating System: Ubuntu 20.04 (SIFT Workstation)
Python Version: 3.8.5
Suspected Operating System: Ubuntu 18.04
Command: sudo /usr/local/lib/python3.8/dist-packages/volatility3/vol.py -f /Ubuntu18.04.mem linux.pslist.PsList

To Reproduce
Steps to reproduce the behavior:

wget http://ddebs.ubuntu.com/ubuntu/pool/main/l/linux/linux-image-unsigned-5.4.0-42-generic-dbgsym_5.4.0-42.46_amd64.ddeb
sudo dpkg -x linux-image-unsigned-5.4.0-42-generic-dbgsym_5.4.0-42.46_amd64.ddeb /tmp/
sudo ./dwarf2json linux --elf /tmp/usr/lib/debug/boot/vmlinux-5.4.0-42-generic > /usr/local/lib/python3.8/dist-packages/volatility3/volatility3/symbols/linux/vmlinux-5.4.0-42-generic.json
sudo /usr/local/lib/python3.8/dist-packages/volatility3/vol.py -f /Ubuntu18.04.mem linux.pslist.PsList
sudo chmod 755 -R /usr/local/lib/python3.8/dist-packages/volatility3/volatility3/symbols/linux/

Expected behavior
I expect volatility3 to be able to read the custom symbol table I have created and as a result read the memory image I have captured
[Screenshot attached: Screenshot 2021-06-28 at 13 57 38]

@ikelos
Member

ikelos commented Jun 28, 2021

Hiya, could you please check that the symbol file you made is listed in the output of the isfinfo plugin, and if so and there's a banner there, that the banner matches the output of the banners plugin run against the image? That will help us diagnose why volatility isn't happy with it... 5:)

@ezaspy
Author

ezaspy commented Jun 28, 2021

The symbol file I made does not show in the output for isfinfo
I'm guessing that means it is not valid? Based on the instructions above - what have I missed?
FYI this is the banners output for the file:

Offset	Banner

0x10b6001a0	Linux version 5.4.0-42-generic (buildd@lgw01-amd64-023) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #46~18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC 2020 (Ubuntu 5.4.0-42.46~18.04.1-generic 5.4.44)
0x10c18dd94	Linux version 5.4.0-42-generic (buildd@lgw01-amd64-023) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #46~18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC 2020 (Ubuntu 5.4.0-42.46~18.04.1-generic 5.4.44)
0x10c6c8468	Linux version 5.4.0-42-generic (buildd@lgw01-amd64-023) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #46~18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC 2020 (Ubuntu 5.4.0-42.46~18.04.1-generic 5.4.44)
0x12a96655f	Linux version 5.4.0-42-generic (buildd@lgw01-amd64-023) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #46~18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC 2020 (Ubuntu 5.4.0-42.46~18.04.1-generic 5.4.44)
0x13fec98d0	Linux version 5.4.0-42-generic (buildd@lgw01-amd64-023) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #46~18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC 2020 (Ubuntu 5.4.0-42.46~18.04.1-generic 5.4.44)

@ikelos
Member

ikelos commented Jun 28, 2021

If the symbol file isn't even listed in the output for isfinfo then probably it means the file hasn't ended up in the right place, although it certainly looks like it's in the right place from your commands? It may also be that the JSON file doesn't contain a banner (you can check the JSON to see if there's a constant_data field under the banner symbol, which should be a base64 encoding of the kernel banner). If that isn't there, then volatility might think the file isn't valid and so not bother listing it. You can also clear out your cache (using --clear-cache) and then run volatility with -vvvvv to see if it has any problems with it?

@ezaspy
Author

ezaspy commented Jun 29, 2021

The JSON file contains a banner:

      "address": 18446744071595622816,
      "constant_data": "TGludXggdmVyc2lvbiA1LjQuMC00Mi1nZW5lcmljIChidWlsZGRAbGd3MDEtYW1kNjQtMDM4KSAoZ2NjIHZlcnNpb24gOS4zLjAgKFVidW50dSA5LjMuMC0xMHVidW50dTIpKSAjNDYtVWJ1bnR1IFNNUCBGcmkgSnVsIDEwIDAwOjI0OjAyIFVUQyAyMDIwIChVYnVudHUgNS40LjAtNDIuNDYtZ2VuZXJpYyA1LjQuNDQpCgA="
    },
    "linux_proc_banner": {

@ezaspy
Author

ezaspy commented Jun 29, 2021

And this is the output from using -vvvv flag:

Volatility 3 Framework 1.0.1
INFO     volatility3.cli: Volatility plugins path: ['/usr/local/lib/python3.8/dist-packages/volatility3/volatility3/plugins', '/usr/local/lib/python3.8/dist-packages/volatility3/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/usr/local/lib/python3.8/dist-packages/volatility3/volatility3/symbols', '/usr/local/lib/python3.8/dist-packages/volatility3/volatility3/framework/symbols']
INFO     volatility3.framework.automagic: Detected a linux category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.vmlinux
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
INFO     volatility3.framework.automagic: Running automagic: LinuxBannerCache
INFO     volatility3.framework.automagic.symbol_cache: Building linux caches...
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Stacked LimeLayer using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.linux: No suitable linux banner could be matched
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: LimeLayer
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['LimeLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux

Unsatisfied requirement plugins.PsList.primary: Memory layer for the kernel
Unsatisfied requirement plugins.PsList.vmlinux: Linux kernel symbols

A symbol table requirement was not fulfilled.  Please verify that:
	You have the correct symbol file for the requirement
	The symbol file is under the correct directory or zip file
	The symbol file is named appropriately or contains the correct banner


A translation layer requirement was not fulfilled.  Please verify that:
	A file was provided to create this layer (by -f, --single-location or by config)
	The file exists and is readable
	The necessary symbols are present and identified by volatility3
Unable to validate the plugin requirements: ['plugins.PsList.primary', 'plugins.PsList.vmlinux']

@ikelos
Member

ikelos commented Jun 29, 2021

Hmmm, no issues with the linux caches, and the constant_data looks to be present. It's very strange that isfinfo isn't listing it? Could you please try:

  1. Put the JSON file in /some/directory/somewhere/linux/file.json (the linux bit is important)
  2. Run vol.py -vvvvvv -s /some/directory/somewhere isfinfo 2>&1 > output.txt
  3. Attach the output.txt file to this bug.

We need to figure out why it's not got that file listed, and isn't classing it as a file it can't process in the verbose logging. 5:S

@ezaspy
Author

ezaspy commented Jun 29, 2021

output.txt

@ikelos
Member

ikelos commented Jun 29, 2021

Hmmmm, so it looks like it was finding the mac.zip file in /home/sansforensics/, which suggests that you could create a linux directory at /home/sansforensics/linux and put the JSON file in there. It clearly found a number of other JSON files, including ones that aren't the right format, which means if it didn't list the JSON file in there, it didn't consider it at all. What surprises me about that is that the earlier output listed where it would read symbols from:

INFO     volatility3.cli: Volatility symbols path: ['/usr/local/lib/python3.8/dist-packages/volatility3/volatility3/symbols', '/usr/local/lib/python3.8/dist-packages/volatility3/volatility3/framework/symbols']

but the isfinfo output was giving a lot more files/directories than just those. I don't know whether sansforensics alters the installation in any way, but it might be worth checking with a copy from git?

@ezaspy
Author

ezaspy commented Jun 30, 2021

I don't think sansforensics does alter anything because I have pulled the latest version of vol3 from GitHub already - vol3 does not come preinstalled.

I have tried the same steps as above on a clean Ubuntu 18.04 host and I am still getting errors. Perhaps I have created the profile incorrectly?
Do you have a Ubuntu 18.04 symbol JSON file you could share?

@ikelos
Member

ikelos commented Jun 30, 2021

Then I'm really not sure what's going on? It's clearly crawling all the JSON files it can find (and under a bunch of directories I wouldn't have expected it to)? The output.txt didn't have the logging output (which the 2>&1 should have piped into the same place). It would be interesting to see the first few lines of that, because they specify which directories are searched under for the JSON file. The code where it walks all the JSON files is here.

The symbol files need to follow the JSON schema specified by their version type in the metadata. I don't have one matching your kernel exactly, but here's an older one that should show you what it should look like. Hopefully you can compare the contents and check that the file is right (my guess is the file just isn't even being looked at for some reasons, but it's not yet clear why)...
ubuntu:5.4.0-26-generic64.zip

@ezaspy
Author

ezaspy commented Jun 30, 2021

Thank you - this is the JSON I have created - please let me know of any errors
vmlinux-5.4.0-42-generic.json.zip

@ikelos
Member

ikelos commented Jun 30, 2021

That's very interesting. The schema validator says the contents of the file is fine, but dumping it in the right place and running isfinfo isn't showing it for me either... 5:S I'll have a dig around and see if I can figure out what's up. Thanks for sticking with it! 5:)

@ikelos
Member

ikelos commented Jun 30, 2021

Ok, that was my bad, it wasn't showing up because the file wasn't actually there. 5:P When it's there I get the following:

file:///home/personal/workspace/volatility3/volatility3/symbols/linux/vmlinux-5.4.0-42-generic.json	Unknown	18	10088	150900	1724	-	Linux version 5.4.0-42-generic (buildd@lgw01-amd64-038) (gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 (Ubuntu 5.4.0-42.46-generic 5.4.44)

So it looks like it should be fine, and again, it suggests the symbol path isn't being read correctly, or it doesn't have permission to read that file for some reason?

@ezaspy
Author

ezaspy commented Jul 2, 2021

Could you please suggest a solution because I don't know what more information I can provide.
Please see below for my latest attempt:

Verifying permissions

total 236M
drwxr-xr-x 2 sansforensics sansforensics 4.0K Jul  2 09:38 .
drwxr-xr-x 6 sansforensics sansforensics 4.0K Jun 10 17:07 ..
-rwxr-xr-x 1 sansforensics sansforensics 433K May 17 08:19 centos-2.6.18-8.1.15.el5.json.xz
-rwxr-xr-x 1 sansforensics sansforensics 616K May 17 08:19 linux-image-2.6.32-5-amd64-dbg_2.6.32-48squeeze6_amd64.json.xz
-rwxr-xr-x 1 sansforensics sansforensics 759K May 17 08:19 linux-image-3.2.0-4-amd64-dbg_3.2.57-3+deb7u2_amd64.json.xz
-rwxr-xr-x 1 sansforensics sansforensics 1.2M May 17 08:19 linux-image-4.9.0-3-amd64-dbg_4.9.30-2+deb9u2_amd64.json.xz
-rwxr-xr-x 1 sansforensics sansforensics  36M Jul  1 14:34 ubuntu-5.4.0-26-generic-64.json
-rwxr-xr-x 1 sansforensics sansforensics  36M Jul  2 09:21 vmlinux-5.4.0-42_amd64-generic.json
-rwxr-xr-x 1 sansforensics sansforensics  39M Jul  2 09:27 vmlinux-5.4.0-42_arm64-generic.json
-rwxr-xr-x 1 sansforensics sansforensics  35M Jul  2 09:17 vmlinux-5.4.0-42-generic-lpae.json
-rwxr-xr-x 1 sansforensics sansforensics  36M Jul  2 09:40 vmlinux-5.4.0-42-lowlatency.json
-rwxr-xr-x 1 sansforensics sansforensics  30M Jul  2 09:29 vmlinux-5.4.0-42_ppc64-generic.json
-rwxr-xr-x 1 sansforensics sansforensics  23M Jul  2 09:31 vmlinux-5.4.0-42_s390x-generic.json

Result of running isfinfo (removed several lines for sake of brevity)

Volatility 3 Framework 1.0.1
Progress:  100.00		PDB scanning finished  
URI	Valid	Number of base_types	Number of types	Number of symbols	Number of enums	Windows info	Linux banner	Mac banner

file:///usr/lib/python3.8/volatility3/volatility3/symbols/mac/Kernel_Debug_Kit_10.13.6_build_17G7023.dmg.json.xz	Unknown	19	5264	47782	204	-	-	Darwin Kernel Version 17.7.0: Wed Apr 24 21:17:24 PDT 2019; root:xnu-4570.71.45~1/RELEASE_X86_64
file:///usr/lib/python3.8/volatility3/volatility3/symbols/mac/Kernel_Debug_Kit_10.13.6_build_17G6028.dmg.json.xz	Unknown	19	5265	47744	201	-	-	Darwin Kernel Version 17.7.0: Wed Feb 27 00:43:23 PST 2019; root:xnu-4570.71.35~1/RELEASE_X86_64
file:///usr/lib/python3.8/volatility3/volatility3/symbols/mac/Kernel_Debug_Kit_10.15.4_build_19E287.dmg.json.xz	Unknown	19	6174	53897	256	-	-	Darwin Kernel Version 19.4.0: Wed Mar  4 22:28:40 PST 2020; root:xnu-6153.101.6~15/RELEASE_X86_64
file:///usr/lib/python3.8/volatility3/volatility3/symbols/mac/Kernel_Debug_Kit_10.11.6_build_15G19009.dmg.json.xz	Unknown	18	4829	42848	160	-	-	Darwin Kernel Version 15.6.0: Tue Jan  9 20:12:05 PST 2018; root:xnu-3248.73.5~1/RELEASE_X86_64
...
file:///usr/lib/python3.8/volatility3/volatility3/symbols/mac/Kernel_Debug_Kit_10.12.6_build_16G1618.dmg.json.xz	Unknown	18	4844	43730	164	-	-	Darwin Kernel Version 16.7.0: Wed Oct 10 20:06:00 PDT 2018; root:xnu-3789.73.24~1/RELEASE_X86_64
file:///usr/lib/python3.8/volatility3/volatility3/symbols/windows/tcpip.pdb/E86620F7D48143A1BF8F8A5B79009609-2.json.xz	Unknown	0	0	7317	0	-	-	-
file:///usr/lib/python3.8/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/AAF33CF37E194E98957768CF9C02DE8E-2.json.xz	Unknown	14	880	18648	114	-	-	-
file:///usr/lib/python3.8/volatility3/volatility3/symbols/linux/vmlinux-5.4.0-42_amd64-generic.json	Unknown	18	10088	150900	1724	-	Linux version 5.4.0-42-generic (buildd@lgw01-amd64-038) (gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 (Ubuntu 5.4.0-42.46-generic 5.4.44)
	-
file:///usr/lib/python3.8/volatility3/volatility3/symbols/linux/vmlinux-5.4.0-42-lowlatency.json	Unknown	18	10094	151004	1725	-	Linux version 5.4.0-42-lowlatency (buildd@lgw01-amd64-038) (gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #46-Ubuntu SMP PREEMPT Fri Jul 10 01:43:58 UTC 2020 (Ubuntu 5.4.0-42.46-lowlatency 5.4.44)
	-
file:///usr/lib/python3.8/volatility3/volatility3/symbols/linux/vmlinux-5.4.0-42_arm64-generic.json	Unknown	18	10763	155156	1867	-	Linux version 5.4.0-42-generic (buildd@bos02-arm64-077) (gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 (Ubuntu 5.4.0-42.46-generic 5.4.44)
	-
file:///usr/lib/python3.8/volatility3/volatility3/symbols/linux/linux-image-2.6.32-5-amd64-dbg_2.6.32-48squeeze6_amd64.json.xz	Unknown	16	3281	53886	388	-	Linux version 2.6.32-5-amd64 (Debian 2.6.32-48squeeze6) ([email protected]) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Tue May 13 16:34:35 UTC 2014
	-
file:///usr/lib/python3.8/volatility3/volatility3/symbols/linux/vmlinux-5.4.0-42_s390x-generic.json	Unknown	17	7527	91389	1217	-	Linux version 5.4.0-42-generic (buildd@bos02-s390x-003) (gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #46-Ubuntu SMP Fri Jul 10 00:21:32 UTC 2020 (Ubuntu 5.4.0-42.46-generic 5.4.44)
	-
file:///usr/lib/python3.8/volatility3/volatility3/symbols/linux/vmlinux-5.4.0-42-generic-lpae.json	Unknown	17	9955	145748	1789	-	Linux version 5.4.0-42-generic-lpae (buildd@bos02-arm64-076) (gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #46-Ubuntu SMP Fri Jul 10 02:45:59 UTC 2020 (Ubuntu 5.4.0-42.46-generic-lpae 5.4.44)
	-
file:///usr/lib/python3.8/volatility3/volatility3/symbols/linux/linux-image-4.9.0-3-amd64-dbg_4.9.30-2%2Bdeb9u2_amd64.json.xz	Unknown	17	6076	98393	923	-	Linux version 4.9.0-3-amd64 ([email protected]) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26)
	-
file:///usr/lib/python3.8/volatility3/volatility3/symbols/linux/centos-2.6.18-8.1.15.el5.json.xz	Unknown	14	2259	38154	73	-	Linux version 2.6.18-8.1.15.el5 ([email protected]) (gcc version 4.1.1 20070105 (Red Hat 4.1.1-52)) #1 SMP Mon Oct 22 08:32:04 EDT 2007
	-
file:///usr/lib/python3.8/volatility3/volatility3/symbols/linux/linux-image-3.2.0-4-amd64-dbg_3.2.57-3%2Bdeb7u2_amd64.json.xz	Unknown	15	4010	65853	553	-	Linux version 3.2.0-4-amd64 ([email protected]) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.57-3+deb7u2
	-
file:///usr/lib/python3.8/volatility3/volatility3/symbols/linux/vmlinux-5.4.0-42_ppc64-generic.json	Unknown	17	8826	122361	1624	-	Linux version 5.4.0-42-generic (buildd@bos02-ppc64el-002) (gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #46-Ubuntu SMP Fri Jul 10 00:22:04 UTC 2020 (Ubuntu 5.4.0-42.46-generic 5.4.44)
	-
file:///usr/lib/python3.8/volatility3/volatility3/symbols/linux/ubuntu-5.4.0-26-generic-64.json	Unknown	18	10084	150372	1723	-	Linux version 5.4.0-26-generic (buildd@lcy01-amd64-029) (gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #30-Ubuntu SMP Mon Apr 20 16:58:30 UTC 2020 (Ubuntu 5.4.0-26.30-generic 5.4.30)
	-
file:///usr/lib/python3.8/volatility3/volatility3/framework/symbols/windows/callbacks-x86.json	Unknown	6	4	0	0	-	-	-
file:///usr/lib/python3.8/volatility3/volatility3/framework/symbols/windows/crash64.json	Unknown	7	5	0	0	-	-	-

Result of running Plugin

Volatility 3 Framework 1.0.1
INFO     volatility3.cli: Volatility plugins path: ['/usr/lib/python3.8/volatility3/volatility3/plugins', '/usr/lib/python3.8/volatility3/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/usr/lib/python3.8/volatility3/volatility3/symbols', '/usr/lib/python3.8/volatility3/volatility3/framework/symbols']
Level 6  volatility3.framework: Importing from the following paths: /usr/lib/python3.8/volatility3/volatility3/plugins, /usr/lib/python3.8/volatility3/volatility3/framework/plugins
Level 6  volatility3.framework: Importing from the following paths: /usr/lib/python3.8/volatility3/volatility3/framework/automagic
Level 7  volatility3.cli: Cache directory used: /root/.cache/volatility3
INFO     volatility3.framework.automagic: Detected a linux category plugin
Level 6  volatility3.framework: Importing from the following paths: /usr/lib/python3.8/volatility3/volatility3/framework/layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility3.framework: Importing from the following paths: /usr/lib/python3.8/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 6  volatility3.framework: Importing from the following paths: /usr/lib/python3.8/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 6  volatility3.framework: Importing from the following paths: /usr/lib/python3.8/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6  volatility3.framework: Importing from the following paths: /usr/lib/python3.8/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 6  volatility3.framework: Importing from the following paths: /usr/lib/python3.8/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.vmlinux
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6  volatility3.framework: Importing from the following paths: /usr/lib/python3.8/volatility3/volatility3/framework/layers
Level 6  volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
INFO     volatility3.framework.automagic: Running automagic: LinuxBannerCache
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in /usr/lib/python3.8/volatility3/volatility3/symbols, /usr/lib/python3.8/volatility3/volatility3/framework/symbols
INFO     volatility3.framework.automagic.symbol_cache: Building linux caches...
Level 7  volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: /usr/lib/python3.8/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Stacked LimeLayer using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.linux: No suitable linux banner could be matched
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: LimeLayer
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['LimeLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.primary
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.vmlinux

Unsatisfied requirement plugins.PsList.primary: Memory layer for the kernel
Unsatisfied requirement plugins.PsList.vmlinux: Linux kernel symbols

A symbol table requirement was not fulfilled.  Please verify that:
	You have the correct symbol file for the requirement
	The symbol file is under the correct directory or zip file
	The symbol file is named appropriately or contains the correct banner


A translation layer requirement was not fulfilled.  Please verify that:
	A file was provided to create this layer (by -f, --single-location or by config)
	The file exists and is readable
	The necessary symbols are present and identified by volatility3
Unable to validate the plugin requirements: ['plugins.PsList.primary', 'plugins.PsList.vmlinux']

@ikelos
Member

ikelos commented Jul 4, 2021

Ok, so isfinfo is correctly showing the banners that will be searched for.

This is the banner you originally found using the banners plugin:

Linux version 5.4.0-42-generic (buildd@lgw01-amd64-023) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #46~18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC 2020 (Ubuntu 5.4.0-42.46~18.04.1-generic 5.4.44)

None of the JSON files you have, have matching banners, so volatility will not class them as matched? The closest you've got is the following which suggests (due to the difference in the gcc version) that it was a debug kernel from a different version of ubuntu (and compiled about 7 hours earlier).

Linux version 5.4.0-42-generic (buildd@lgw01-amd64-038) (gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 (Ubuntu 5.4.0-42.46-generic 5.4.44)

We take a very strict policy on matching kernel versions, because we aim for accuracy. Since every kernel can be compiled with options that may affect the symbols, if we accepted "close" matches we'd potentially have different kernel structures and we'd then be answering bugs about those all the time. Since we'll be answering bugs one way or another, we decided to require an exact match between the banners to provide the highest probability of success and accuracy.

So far, volatility has been behaving exactly as expected. I'm happy to leave this bug open for a little bit, but the only advice I can offer at this point is to find the exact debug kernel for the distribution and version of ubuntu that you're using. The banners and isfinfo plugins should give you enough information to predict whether volatility will successfully match a JSON file against an image or not.
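
The banner check described in this thread (decode constant_data under the linux_banner symbol of the ISF JSON, then compare it exactly against what the banners plugin found in the image), as an added Python example that is not part of the thread or of volatility3 itself. It assumes a stripped-down ISF file constructed inline, the two banners quoted above, and that the comparison is exact once the trailing newline/NUL the kernel stores after the banner is dropped; the token diff is an extra aid for seeing which ddeb actually has to be fetched.

```python
import base64
import json
from typing import List, Optional, Tuple

# Constructed sample: a minimal ISF-style symbol file carrying only the
# linux_banner symbol. Real dwarf2json output has the full type and symbol
# tables; only constant_data of linux_banner matters for banner matching.
SYMBOL_BANNER_RAW = (
    b"Linux version 5.4.0-42-generic (buildd@lgw01-amd64-038) "
    b"(gcc version 9.3.0 (Ubuntu 9.3.0-10ubuntu2)) #46-Ubuntu SMP "
    b"Fri Jul 10 00:24:02 UTC 2020 (Ubuntu 5.4.0-42.46-generic 5.4.44)\n\x00"
)
ISF_JSON = json.dumps({
    "metadata": {"format": "6.2.0"},
    "symbols": {
        "linux_banner": {
            "address": 18446744071595622816,
            "constant_data": base64.b64encode(SYMBOL_BANNER_RAW).decode("ascii"),
        }
    },
})

# Banner the banners plugin reported for the Ubuntu 18.04 image in the thread.
IMAGE_BANNER = (
    "Linux version 5.4.0-42-generic (buildd@lgw01-amd64-023) "
    "(gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #46~18.04.1-Ubuntu SMP "
    "Fri Jul 10 07:21:24 UTC 2020 (Ubuntu 5.4.0-42.46~18.04.1-generic 5.4.44)"
)


def normalise(banner: bytes) -> str:
    """Drop the trailing newline/NUL stored after the banner text (assumption:
    the comparison is exact on the remaining string)."""
    return banner.rstrip(b"\x00\n").decode("utf-8", errors="replace")


def symbol_file_banner(isf_text: str) -> Optional[str]:
    """Decode linux_banner from an ISF JSON document; None when the file has no
    constant_data for it, which is the case ikelos asks the reporter to check."""
    doc = json.loads(isf_text)
    sym = doc.get("symbols", {}).get("linux_banner")
    if not sym or "constant_data" not in sym:
        return None
    return normalise(base64.b64decode(sym["constant_data"]))


def banner_matches(symbol_banner: str, image_banner: str) -> bool:
    """Exact comparison, mirroring the strict policy explained in the thread."""
    return symbol_banner == image_banner


def banner_differences(symbol_banner: str, image_banner: str) -> List[Tuple[str, str]]:
    """Whitespace-token diff (symbol-file token, image token) that points at what
    differs: build host, compiler, build number, timestamp, package version."""
    a, b = symbol_banner.split(), image_banner.split()
    diffs = [(x, y) for x, y in zip(a, b) if x != y]
    # Banners of unequal length: report the tail that has no counterpart.
    if len(a) > len(b):
        diffs.extend((t, "") for t in a[len(b):])
    elif len(b) > len(a):
        diffs.extend(("", t) for t in b[len(a):])
    return diffs


def check_symbol_file(isf_text: str, image_banners: List[str]) -> dict:
    """Predict whether volatility will select this symbol file for an image
    whose banners plugin output is image_banners."""
    sym = symbol_file_banner(isf_text)
    if sym is None:
        return {"banner": None, "matched": False, "closest_diffs": None}
    matched = any(banner_matches(sym, b) for b in image_banners)
    closest = min((banner_differences(sym, b) for b in image_banners),
                  key=len, default=[])
    return {"banner": sym, "matched": matched, "closest_diffs": closest}


if __name__ == "__main__":
    report = check_symbol_file(ISF_JSON, [IMAGE_BANNER])
    print("symbol file banner:", report["banner"])
    print("exact match       :", report["matched"])
    for sym_tok, img_tok in report["closest_diffs"]:
        print(f"  symbol file has {sym_tok!r:32} image has {img_tok!r}")
```

Run against a real dwarf2json file by replacing ISF_JSON with the file's contents and IMAGE_BANNER with the banners plugin output; a non-empty diff list means the ddeb came from a different kernel build than the one in the image.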

@ezaspy
Author

ezaspy commented Jul 5, 2021

I understand the explanation but I am still not convinced volatility3 is working as expected.
I have tried again using a Ubuntu16.04 build

$ uname -rvp
4.15.0-112-generic #113~16.04.1-Ubuntu SMP Fri Jul 10 04:37:08 UTC 2020 x86_64

I then searched for the relevant debug symbol here: http://ddebs.ubuntu.com/ubuntu/pool/main/l/linux/ and pulled down linux-image-4.15.0-112-generic-dbgsym_4.15.0-112.113_arm64.ddeb

$ wget http://ddebs.ubuntu.com/ubuntu/pool/main/l/linux/linux-image-unsigned-4.15.0-112-generic-dbgsym_4.15.0-112.113_amd64.ddeb
$ sudo dpkg -x linux-image-unsigned-4.15.0-112-generic-dbgsym_4.15.0-112.113_amd64.ddeb /tmp/

Installed, compiled and ran dwarf2json to create the debug symbol:

Target Host

$ dwarf2json/./dwarf2json linux --elf /tmp/usr/lib/debug/boot/vmlinux-4.15.0-112-generic > vmlinux-4.15.0-112-generic.json
$ ls -lah /usr/local/lib/python3.8/dist-packages/volatility3/volatility3/symbols/linux/
total 30M
drwxr-xr-x 2 root root 4.0K Jul  5 14:25 .
drwxr-xr-x 5 root root 4.0K Jul  5 13:25 ..
-rwxr-xr-x 1 root root  30M Jul  5 14:25 vmlinux-4.15.0-112-generic.json

$ sudo /usr/local/lib/python3.8/dist-packages/volatility3/vol.py --clear-cache -f /mnt/hgfs/Documents/MemoryForensics/4.15.0-112-generic.mem --clear-cache isfinfo
Volatility 3 Framework 1.0.1
Progress:  100.00		PDB scanning finished  
URI	Valid	Number of base_types	Number of types	Number of symbols	Number of enums	Windows info	Linux banner	Mac banner

file:///usr/local/lib/python3.8/dist-packages/volatility3/volatility3/symbols/linux/vmlinux-4.15.0-112-generic.json	Unknown	17	8756	120695	1517	-	Linux version 4.15.0-112-generic (buildd@lcy01-amd64-027) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) #113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 (Ubuntu 4.15.0-112.113-generic 4.15.18)
	-
...
file:///usr/local/lib/python3.8/dist-packages/volatility3/volatility3/framework/symbols/linux/bash32.json	Unknown	21	0	0	-	-	-
file:///usr/local/lib/python3.8/dist-packages/volatility3/volatility3/framework/symbols/linux/elf.json	Unknown	7	19	0	2	-	-	-
file:///usr/local/lib/python3.8/dist-packages/volatility3/volatility3/framework/symbols/linux/bash64.json	Unknown	21	0	0	-	-	-

And

$ sudo /usr/local/lib/python3.8/dist-packages/volatility3/vol.py --clear-cache -f /mnt/hgfs/Documents/MemoryForensics/4.15.0-112-generic.mem --clear-cache banners
Volatility 3 Framework 1.0.1
Progress:  100.00		PDB scanning finished     
Offset	Banner

0xfdc8200	Linux version 4.15.0-112-generic (buildd@lcy01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)) #113~16.04.1-Ubuntu SMP Fri Jul 10 04:37:08 UTC 2020 (Ubuntu 4.15.0-112.113~16.04.1-generic 4.15.18)
0x112a7554	Linux version 4.15.0-112-generic (buildd@lcy01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)) #113~16.04.1-Ubuntu SMP Fri Jul 10 04:37:08 UTC 2020 (Ubuntu 4.15.0-112.113~16.04.1-generic 4.15.18)
0x3237e594	Linux version 4.15.0-112-generic (buildd@lcy01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)) #113~16.04.1-Ubuntu SMP Fri Jul 10 04:37:08 UTC 2020 (Ubuntu 4.15.0-112.113~16.04.1-generic 4.15.18)
0x58a5dfd0	Linux version 4.15.0-112-generic (buildd@lcy01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)) #113~16.04.1-Ubuntu SMP Fri Jul 10 04:37:08 UTC 2020 (Ubuntu 4.15.0-112.113~16.04.1-generic 4.15.18)
0x59c5cc08	Linux version 4.15.0-112-generic (buildd@lcy01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)) #113~16.04.1-Ubuntu SMP Fri Jul 10 04:37:08 UTC 2020 (Ubuntu 4.15.0-112.113~16.04.1-generic 4.15.18)
0x108200180	Linux version 4.15.0-112-generic (buildd@lcy01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)) #113~16.04.1-Ubuntu SMP Fri Jul 10 04:37:08 UTC 2020 (Ubuntu 4.15.0-112.113~16.04.1-generic 4.15.18)
0x108d5f4d4	Linux version 4.15.0-112-generic (buildd@lcy01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)) #113~16.04.1-Ubuntu SMP Fri Jul 10 04:37:08 UTC 2020 (Ubuntu 4.15.0-112.113~16.04.1-generic 4.15.18)
0x121c59c48	Linux version 4.15.0-112-generic (buildd@lcy01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)) #113~16.04.1-Ubuntu SMP Fri Jul 10 04:37:08 UTC 2020 (Ubuntu 4.15.0-112.113~16.04.1-generic 4.15.18)
0x13f841b88	Linux version 4.15.0-112-generic (buildd@lcy01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)) #113~16.04.1-Ubuntu SMP Fri Jul 10 04:37:08 UTC 2020 (Ubuntu 4.15.0-112.113~16.04.1-generic 4.15.18)
0x13fec9f50	Linux version 4.15.0-112-generic (buildd@lcy01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)) #113~16.04.1-Ubuntu SMP Fri Jul 10 04:37:08 UTC 2020 (Ubuntu 4.15.0-112.113~16.04.1-generic 4.15.18)

I have rerun the correct commands with the x86_64 symbol table and I still get an error; I have reattached the correct symbol table also.
vmlinux-4.15.0-112-generic.json.zip

@ikelos
Member

ikelos commented Jul 5, 2021

In this particular instance you pulled down the symbols for the ARM architecture, which will be different to those for x64:

linux-image-4.15.0-112-generic-dbgsym_4.15.0-112.113_*arm64*.ddeb

and the output from banners ((buildd@lcy01-amd64-021)) and isfinfo ((buildd@bos02-arm64-075)) tells you this.

More generally though, the gcc compiler may change between the same version of the package compiled for 16.04 and 18.04 (for example). If banners and isfinfo don't match, volatility 3 won't match them. The fact that there are so many different very similar versions for different versions of the software, different compilers and different versions of the distribution is why we require them to match exactly. If isfinfo and banners don't match, then the chances are that the symbols file you've got was generated against the wrong kernel, and there's not a great deal we can do to help that I'm afraid...

Continuing to leave this open for a few days, but I'll close this off after that unless an actual bug is identified.

@ezaspy
Author

ezaspy commented Jul 5, 2021

Updated my previous comment. Please review as I am still getting an error.
I understand your point about it mismatching and that makes sense but why is it mismatching? If I am compiling the JSON file with the same kernel version (based on $ uname -rvp) moments after capturing the image, how can vol3 not recognise it?

@ikelos
Member

ikelos commented Jul 5, 2021

So, there's a whole bunch of version numbers flying around here: the kernel version (4.15.0), the ubuntu package version (112) and then the version of the compiler that was used to compile it (gcc version 5.4.0) as well as the ubuntu version (Ubuntu 5.4.0-6ubuntu1~16.04.12), all of which need to match exactly. uname -rvp tells you more about the processor it's running on, and not necessarily all the version numbers that have to match exactly.

The linux kernel is extremely configurable, and the same version can be configured with support for many different options, some of which alter the structures that the kernel uses. Since we can't guarantee that two kernels of the same kernel version number were compiled with the same configuration options, we require the entire banner string to match. The banner string you need to match is one of the ones found by the banners plugin, and the isfinfo plugin will show you which banners your version of volatility knows about/can match. If isfinfo isn't reporting the exact same banner that you need, then the kernel that you used to produce it isn't the right one, and you'll need to find the right one from the distribution in question. Bear in mind, there may not always be a package containing the kernel with debugging symbols for the operating system you're trying to analyze.

It is mismatching because the kernel with debugging symbols that you're generating the ISF file from is not the same as the running kernel you're trying to analyze. The entire banner has to match and at the moment you haven't produced an ISF file that does so.

There is work being done on a mechanism to allow a file to be compiled on a system to produce most of the common symbols required for volatility, but this presents its own issues (such JSON files won't have all the symbols that the kernel should contain, which means future plugins wouldn't be able to rely on those symbol names). You can read more over at volatilityfoundation/dwarf2json#12.

Please note that volatility is simply a data analysis tool, often used for forensics purposes. For this reason, we've made a conscious decision in volatility 3 to aim for accuracy over simply returning results and letting the user figure out how valid they are. This means that if you don't provide volatility the correct symbol information that it requires, it will fail and any results you get may be questionable. That is not a bug, that's the intended behaviour. In no way is the fact that there isn't a JSON file matching the kernel you're trying to analyze, a bug in volatility.
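
The banner comparison described above (and the isfinfo/banners outputs quoted earlier in the thread) can be checked mechanically before spending time on dwarf2json. The script below is an added example, not part of Volatility 3 or of this issue: it parses the `banners` and `isfinfo` outputs, reports field by field why a banner in the image does not match the banner in an ISF file, and scans raw bytes (an extracted vmlinux, or a memory image) for `Linux version` strings the way the banners plugin does. The sample outputs are constructed from the lines quoted in the thread; the regex field names (release, builder, compiler, build, rest) are this example's own.

```python
"""Explain Volatility 3 banner mismatches between a memory image and ISF files.

Added example, not Volatility 3 code. Sample output below is constructed from
the banners/isfinfo output quoted in the issue thread.
"""
import re

# A Linux banner: "Linux version <release> (<builder>) (<compiler>) #<build> <rest>"
# The compiler field may contain one nested parenthesised group, e.g.
# "gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)".
BANNER_RE = re.compile(
    r"Linux version (?P<release>\S+) "
    r"\((?P<builder>[^)]+)\) "
    r"\((?P<compiler>gcc version [^()]*(?:\([^()]*\))?)\) "
    r"(?P<build>#\S+) (?P<rest>.*)"
)
FIELDS = ("release", "builder", "compiler", "build", "rest")

# Banner strings as they appear in raw memory: "Linux version " up to NUL/newline.
LINUX_VERSION_RE = re.compile(rb"Linux version \d[^\x00\n]*")

# --- constructed sample data (values taken from the thread) ---
MEM_BANNER = ("Linux version 4.15.0-112-generic (buildd@lcy01-amd64-021) "
              "(gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)) "
              "#113~16.04.1-Ubuntu SMP Fri Jul 10 04:37:08 UTC 2020 "
              "(Ubuntu 4.15.0-112.113~16.04.1-generic 4.15.18)")
ISF_BANNER = ("Linux version 4.15.0-112-generic (buildd@lcy01-amd64-027) "
              "(gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04)) "
              "#113-Ubuntu SMP Thu Jul 9 23:41:39 UTC 2020 "
              "(Ubuntu 4.15.0-112.113-generic 4.15.18)")
ISF_URI = ("file:///usr/local/lib/python3.8/dist-packages/volatility3/volatility3/"
           "symbols/linux/vmlinux-4.15.0-112-generic.json")
SAMPLE_BANNERS_OUTPUT = "\n".join([
    "Volatility 3 Framework 1.0.1", "Progress:  100.00\t\tPDB scanning finished",
    "Offset\tBanner", "", "0xfdc8200\t" + MEM_BANNER, "0x112a7554\t" + MEM_BANNER])
SAMPLE_ISFINFO_OUTPUT = "\n".join([
    "Volatility 3 Framework 1.0.1", "Progress:  100.00\t\tPDB scanning finished",
    "URI\tValid\tNumber of base_types\tNumber of types\tNumber of symbols\t"
    "Number of enums\tWindows info\tLinux banner\tMac banner", "",
    "\t".join([ISF_URI, "Unknown", "17", "8756", "120695", "1517", "-", ISF_BANNER, "-"]),
    "\t".join(["file:///usr/local/lib/python3.8/dist-packages/volatility3/volatility3/"
               "framework/symbols/linux/elf.json", "Unknown", "7", "19", "0", "2", "-", "-", "-"])])


def parse_banner(banner):
    """Split a banner into its fields; raises if the layout is not recognised."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("unrecognised banner: %r" % banner)
    return m.groupdict()


def parse_banners_output(text):
    """Return the distinct banners listed by the `banners` plugin, in order."""
    found, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Offset\tBanner"):
            in_table = True
            continue
        if in_table and "\t" in line:
            banner = line.split("\t", 1)[1].strip()
            if banner not in found:
                found.append(banner)
    return found


def parse_isfinfo_output(text):
    """Return {uri: linux_banner} for ISF files that `isfinfo` reports with a Linux banner."""
    result, banner_col = {}, None
    for line in text.splitlines():
        parts = line.split("\t")
        if parts[0] == "URI":                 # header row gives the column positions
            banner_col = parts.index("Linux banner")
            continue
        if banner_col is not None and len(parts) > banner_col and parts[banner_col] != "-":
            result[parts[0]] = parts[banner_col].strip()
    return result


def find_matching_isf(mem_banners, isf_banners):
    """ISF files whose banner is byte-for-byte one of the image's banners (what vol3 requires)."""
    wanted = {b.strip() for b in mem_banners}
    return {uri: b for uri, b in isf_banners.items() if b.strip() in wanted}


def banner_differences(mem_banner, isf_banner):
    """Fields that differ between two banners, as (field, in_image, in_isf) tuples."""
    a, b = parse_banner(mem_banner), parse_banner(isf_banner)
    return [(f, a[f], b[f]) for f in FIELDS if a[f] != b[f]]


def extract_banners(blob):
    """Scan raw bytes (a vmlinux or a memory image) for kernel banner strings."""
    found = []
    for m in LINUX_VERSION_RE.finditer(blob):
        banner = m.group().decode("ascii", "replace").strip()
        if banner not in found:
            found.append(banner)
    return found


if __name__ == "__main__":
    mem = parse_banners_output(SAMPLE_BANNERS_OUTPUT)
    isf = parse_isfinfo_output(SAMPLE_ISFINFO_OUTPUT)
    if find_matching_isf(mem, isf):
        print("exact banner match found")
    for uri, b in isf.items():
        for field, in_mem, in_isf in banner_differences(mem[0], b):
            print("%s: %-8s image=%r  isf=%r" % (uri.rsplit("/", 1)[1], field, in_mem, in_isf))
```

Run against the constructed sample it reports that only the release matches while the builder host, compiler, build number and build date all differ, which is the 16.04 vs 18.04 package mix-up from the thread. On a real case, feed it the captured output of the two plugins, or call `extract_banners()` on the bytes of the extracted vmlinux and compare with the image's banner before building the ISF file.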

@ezaspy
Author

ezaspy commented Jul 6, 2021

I totally understand that, but how can I ensure the exact kernel version I obtain from http://ddebs.ubuntu.com/ubuntu/pool/main/l/linux/ matches the kernel of the system I am analysing?
Yes, it shows me the kernel version and the package version, but there is nothing on that site that indicates the gcc version, so I only find out it doesn't match after I have compiled the JSON file and imported it into volatility3. So do I need to create my own debug symbol (.ddeb) file?

@ikelos
Member

ikelos commented Jul 6, 2021

How distributions distribute their debug kernel versions isn't in our control, but for most systems, you can check which package the package manager would install and where it would download it from. I'd imagine it would be listed under the specific operating system's package list (something like http://ddebs.ubuntu.com/ubuntu/dists/xenial-updates/), but it's also possible that they don't keep all old kernels and you won't be able to get the package. I'm sorry, it's not always possible to get everything easily. I'm going to close this bug now because it's very clearly not a volatility issue. Good luck with your quest to find the symbols, if you need further help I suggest asking on the slack channel...

@ikelos ikelos closed this as completed Jul 6, 2021