Oracle Linux 9 cannot be read

[fabianfrz]

Describe the bug
A clear and concise description of what the bug is.

Context
Volatility Version: volatility3-2.26.2
Operating System: 24.04.3 LTS (Noble Numbat)
Python Version: Python 3.12.3
Suspected Operating System: Oracle Linux 9 (not detected)
Command:

To Reproduce
Steps to reproduce the behavior:

1. Use command '...'

./vol.py -vvvv -f test_freeipa.dump linux.boottime

3. See error

Expected behavior
A clear and concise description of what you expected to happen.

it should execute the plugin and return the output

Example output

INFO     volatility3.cli: Volatility plugins path: ['/path/to/volatility3-2.26.2/volatility3/plugins', '/path/to/volatility3-2.26.2/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/path/to/volatility3-2.26.2/volatility3/symbols', '/path/to/volatility3-2.26.2/volatility3/framework/symbols']
DEBUG    volatility3.plugins.yarascan: Using yara-python module
INFO     volatility3.framework.automagic: Detected a linux category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Boottime.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Boottime.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Boottime.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Boottime.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Boottime.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Boottime.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Boottime.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Boottime.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Boottime.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Boottime.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Boottime.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Boottime.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Boottime.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Boottime.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Boottime.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Boottime
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Boottime.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Boottime.kernel.symbol_table_name
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Stacked LimeLayer using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelVMCOREINFOStacker
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 2.6.32-5-amd64 (Debian 2.6.32-48squeeze6) (jmm@debian.org) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Tue May 13 16:34:35 UTC 2014\n\x00': file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/Debian_2.6.32-48squeeze6_2.6.32-5-amd64_x64.json.xz and jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux.zip!linux/Debian_2.6.32-48squeeze6_2.6.32-5-amd64_x64.json.xz
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 2.6.18-8.1.15.el5 (mockbuild@builder6.centos.org) (gcc version 4.1.1 20070105 (Red Hat 4.1.1-52)) #1 SMP Mon Oct 22 08:32:28 EDT 2007\n': file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/Centos_2.6.18-8.1.15.el5_2.6.18-8.1.15.el5_x64.json.xz and jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux.zip!linux/Centos_2.6.18-8.1.15.el5_2.6.18-8.1.15.el5_x64.json.xz
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 4.9.0-3-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26)\n\x00': file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/Debian_4.9.30-2%2Bdeb9u2_4.9.0-3-amd64_x64.json.xz and jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux.zip!linux/Debian_4.9.30-2+deb9u2_4.9.0-3-amd64_x64.json.xz
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.57-3+deb7u2\n\x00': file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/Debian_3.2.57-3%2Bdeb7u2_3.2.0-4-amd64_x64.json.xz and jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux.zip!linux/Debian_3.2.57-3+deb7u2_3.2.0-4-amd64_x64.json.xz
DEBUG    volatility3.framework.automagic.linux: No suitable linux banner could be matched
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 2.6.32-5-amd64 (Debian 2.6.32-48squeeze6) (jmm@debian.org) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Tue May 13 16:34:35 UTC 2014\n\x00': file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/Debian_2.6.32-48squeeze6_2.6.32-5-amd64_x64.json.xz and jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux.zip!linux/Debian_2.6.32-48squeeze6_2.6.32-5-amd64_x64.json.xz
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 2.6.18-8.1.15.el5 (mockbuild@builder6.centos.org) (gcc version 4.1.1 20070105 (Red Hat 4.1.1-52)) #1 SMP Mon Oct 22 08:32:28 EDT 2007\n': file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/Centos_2.6.18-8.1.15.el5_2.6.18-8.1.15.el5_x64.json.xz and jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux.zip!linux/Centos_2.6.18-8.1.15.el5_2.6.18-8.1.15.el5_x64.json.xz
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 4.9.0-3-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26)\n\x00': file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/Debian_4.9.30-2%2Bdeb9u2_4.9.0-3-amd64_x64.json.xz and jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux.zip!linux/Debian_4.9.30-2+deb9u2_4.9.0-3-amd64_x64.json.xz
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.57-3+deb7u2\n\x00': file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/Debian_3.2.57-3%2Bdeb7u2_3.2.0-4-amd64_x64.json.xz and jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux.zip!linux/Debian_3.2.57-3+deb7u2_3.2.0-4-amd64_x64.json.xz
DEBUG    volatility3.framework.automagic.linux: No suitable linux banner could be matched
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Boottime.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: LimeLayer
DETAIL 1 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 2146937919
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['LimeLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder  
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Boottime.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Boottime.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Boottime.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Boottime.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Boottime.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Boottime.kernel.symbol_table_name

Unsatisfied requirement plugins.Boottime.kernel.layer_name: 
Unsatisfied requirement plugins.Boottime.kernel.symbol_table_name: 

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Boottime.kernel.layer_name', 'plugins.Boottime.kernel.symbol_table_name']

Text is preferred to screenshots for searching and to talk about specific parts of the output.

Additional information

• the memory dump is acquired using LiME (patched it to compile for Oracle Linux 9 - the patch has been upstreamed already).
• the dump exists in raw and in lime format (uncompressed) - both do not work with volatility3 as it seems however LiME should be correct as AVML uses LiME format according to this
• the dump was aquired from the standard kernel, the json is created from the debug kernel

[fabianfrz]

Oracle Linux 9 generated with dwarf2json according to your documentation:

OL9.zip

[Abyss-W4tcher]

Hello, can you provide the output of the banners plugin please?

[fabianfrz]

sure - this memory dump is in lime format :

(venv) fabian@fabian:~/volatility3-2.26.2$ ./vol.py -vvvv -f test_freeipa.dump banner
Volatility 3 Framework 2.26.2
INFO     volatility3.cli: Volatility plugins path: ['/path/to/volatility3-2.26.2/volatility3/plugins', '/path/to/volatility3-2.26.2/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/path/to/volatility3-2.26.2/volatility3/symbols', '/path/to/volatility3-2.26.2/volatility3/framework/symbols']
DEBUG    volatility3.plugins.yarascan: Using yara-python module
INFO     volatility3.framework.automagic: No plugin category detected
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Banners.primary
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Banners.primary
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Banners.primary
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Banners.primary
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Banners
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Banners.primary
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Stacked LimeLayer using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelVMCOREINFOStacker
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 6.12.0-104.43.4.2.el9uek.x86_64.debug (mockbuild@host-100-100-224-71) (gcc (GCC) 14.2.1 20250110 (Red Hat 14.2.1-8), GNU ld version 2.41-4.el9_6.1) #1 SMP PREEMPT_DYNAMIC Wed Oct  8 11:57:49 PDT 2025\n\x00': jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux/OL9.zip!OL9.json and file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/OL9.json
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 6.12.0-104.43.4.2.el9uek.x86_64.debug (mockbuild@host-100-100-224-71) (gcc (GCC) 14.2.1 20250110 (Red Hat 14.2.1-8), GNU ld version 2.41-4.el9_6.1) #1 SMP PREEMPT_DYNAMIC Wed Oct  8 11:57:49 PDT 2025\n\x00': file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/OL9.json.xz and jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux/OL9.zip!OL9.json
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.57-3+deb7u2\n\x00': jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux.zip!linux/Debian_3.2.57-3+deb7u2_3.2.0-4-amd64_x64.json.xz and file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/Debian_3.2.57-3%2Bdeb7u2_3.2.0-4-amd64_x64.json.xz
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 2.6.32-5-amd64 (Debian 2.6.32-48squeeze6) (jmm@debian.org) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Tue May 13 16:34:35 UTC 2014\n\x00': jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux.zip!linux/Debian_2.6.32-48squeeze6_2.6.32-5-amd64_x64.json.xz and file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/Debian_2.6.32-48squeeze6_2.6.32-5-amd64_x64.json.xz
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 4.9.0-3-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26)\n\x00': jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux.zip!linux/Debian_4.9.30-2+deb9u2_4.9.0-3-amd64_x64.json.xz and file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/Debian_4.9.30-2%2Bdeb9u2_4.9.0-3-amd64_x64.json.xz
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 2.6.18-8.1.15.el5 (mockbuild@builder6.centos.org) (gcc version 4.1.1 20070105 (Red Hat 4.1.1-52)) #1 SMP Mon Oct 22 08:32:28 EDT 2007\n': jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux.zip!linux/Centos_2.6.18-8.1.15.el5_2.6.18-8.1.15.el5_x64.json.xz and file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/Centos_2.6.18-8.1.15.el5_2.6.18-8.1.15.el5_x64.json.xz
DEBUG    volatility3.framework.automagic.linux: No suitable linux banner could be matched
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using MacIntelStacker
INFO     volatility3.framework.automagic.mac: No Mac banners found - if this is a mac plugin, please check your symbol files location
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 6.12.0-104.43.4.2.el9uek.x86_64.debug (mockbuild@host-100-100-224-71) (gcc (GCC) 14.2.1 20250110 (Red Hat 14.2.1-8), GNU ld version 2.41-4.el9_6.1) #1 SMP PREEMPT_DYNAMIC Wed Oct  8 11:57:49 PDT 2025\n\x00': jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux/OL9.zip!OL9.json and file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/OL9.json
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 6.12.0-104.43.4.2.el9uek.x86_64.debug (mockbuild@host-100-100-224-71) (gcc (GCC) 14.2.1 20250110 (Red Hat 14.2.1-8), GNU ld version 2.41-4.el9_6.1) #1 SMP PREEMPT_DYNAMIC Wed Oct  8 11:57:49 PDT 2025\n\x00': file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/OL9.json.xz and jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux/OL9.zip!OL9.json
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.57-3+deb7u2\n\x00': jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux.zip!linux/Debian_3.2.57-3+deb7u2_3.2.0-4-amd64_x64.json.xz and file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/Debian_3.2.57-3%2Bdeb7u2_3.2.0-4-amd64_x64.json.xz
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 2.6.32-5-amd64 (Debian 2.6.32-48squeeze6) (jmm@debian.org) (gcc version 4.3.5 (Debian 4.3.5-4) ) #1 SMP Tue May 13 16:34:35 UTC 2014\n\x00': jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux.zip!linux/Debian_2.6.32-48squeeze6_2.6.32-5-amd64_x64.json.xz and file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/Debian_2.6.32-48squeeze6_2.6.32-5-amd64_x64.json.xz
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 4.9.0-3-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26)\n\x00': jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux.zip!linux/Debian_4.9.30-2+deb9u2_4.9.0-3-amd64_x64.json.xz and file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/Debian_4.9.30-2%2Bdeb9u2_4.9.0-3-amd64_x64.json.xz
DEBUG    volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 2.6.18-8.1.15.el5 (mockbuild@builder6.centos.org) (gcc version 4.1.1 20070105 (Red Hat 4.1.1-52)) #1 SMP Mon Oct 22 08:32:28 EDT 2007\n': jar:file:/path/to/volatility3-2.26.2/volatility3/symbols/linux.zip!linux/Centos_2.6.18-8.1.15.el5_2.6.18-8.1.15.el5_x64.json.xz and file:///path/to/volatility3-2.26.2/volatility3/symbols/linux/Centos_2.6.18-8.1.15.el5_2.6.18-8.1.15.el5_x64.json.xz
DEBUG    volatility3.framework.automagic.linux: No suitable linux banner could be matched
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
DEBUG    volatility3.framework.interfaces.layers: Scan Failure: unpack requires a buffer of 8 bytes
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Banners.primary
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Banners.primary
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Banners.primary
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Banners.primary.base_layer
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 2146937919
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['LimeLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers 
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder  
INFO     volatility3.framework.automagic: Running automagic: MacSymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
INFO     volatility3.framework.automagic: Running automagic: KernelModule
DEBUG    volatility3.cli: Successfully constructed banners.Banners (0, 0, 0)

Offset  Banner

0x67a00760      Linux version 6.12.0-104.43.4.3.el9uek.x86_64 (mockbuild@host-100-100-224-107) (gcc (GCC) 14.2.1 20250110 (Red Hat 14.2.1-8), GNU ld version 2.41-4.el9_6.1) # SMP PREEMPT_DYNAMIC
0x67c73900      Linux version 6.12.0-104.43.4.3.el9uek.x86_64 (mockbuild@host-100-100-224-107) (gcc (GCC) 14.2.1 20250110 (Red Hat 14.2.1-8), GNU ld version 2.41-4.el9_6.1) #1 SMP PREEMPT_DYNAMIC Thu Oct 23 17:08:37 PDT 2025
0x69a8ee60      Linux version 6.12.0-104.43.4.3.el9uek.x86_64 (mockbuild@host-100-100-224-107) (gcc (GCC) 14.2.1 20250110 (Red Hat 14.2.1-8), GNU ld version 2.41-4.el9_6.1) #1 SMP PREEMPT_DYNAMIC Thu Oct 23 17:08:37 PDT 202525
0x7c800760      Linux version 6.12.0-1.23.3.2.el9uek.x86_64 (mockbuild@host-100-100-224-71) (gcc (GCC) 14.2.1 20240801 (Red Hat 14.2.1-1), GNU ld version 2.41-3.el9) # SMP PREEMPT_DYNAMIC
0x7ca71d00      Linux version 6.12.0-1.23.3.2.el9uek.x86_64 (mockbuild@host-100-100-224-71) (gcc (GCC) 14.2.1 20240801 (Red Hat 14.2.1-1), GNU ld version 2.41-3.el9) #1 SMP PREEMPT_DYNAMIC Tue May 13 17:24:00 PDT 2025

the dump in raw format returns a shorter list:

Offset  Banner

0x5e39f360      Linux version 6.12.0-104.43.4.3.el9uek.x86_64 (mockbuild@host-100-100-224-107) (gcc (GCC) 14.2.1 20250110 (Red Hat 14.2.1-8), GNU ld version 2.41-4.el9_6.1) # SMP PREEMPT_DYNAMIC
0x5e612500      Linux version 6.12.0-104.43.4.3.el9uek.x86_64 (mockbuild@host-100-100-224-107) (gcc (GCC) 14.2.1 20250110 (Red Hat 14.2.1-8), GNU ld version 2.41-4.el9_6.1) #1 SMP PREEMPT_DYNAMIC Thu Oct 23 17:08:37 PDT 2025
0x6042da60      Linux version 6.12.0-104.43.4.3.el9uek.x86_64 (mockbuild@host-100-100-224-107) (gcc (GCC) 14.2.1 20250110 (Red Hat 14.2.1-8), GNU ld version 2.41-4.el9_6.1) #1 SMP PREEMPT_DYNAMIC Thu Oct 23 17:08:37 PDT 202525

[Abyss-W4tcher]

Thanks, it looks like the ISF's banner does not match the ones from your sample:

Linux version 6.12.0-104.43.4.2.el9uek.x86_64.debug (mockbuild@host-100-100-224-71) (gcc (GCC) 14.2.1 20250110 (Red Hat 14.2.1-8), GNU ld version 2.41-4.el9_6.1) #1 SMP PREEMPT_DYNAMIC Wed Oct 8 11:57:49 PDT 2025

You actually generated an ISF for the ".debug" flavored kernel.

[fabianfrz]

The documentation says that I should use the debug version of it to create the symbol table:

https://volatility3.readthedocs.io/en/latest/symbol-tables.html#mac-or-linux-symbol-tables

The problem is, that the default kernel is a stripped ELF file, which dwarf2json fails to read.

As you can see on the images, there are some System map files available, which can be fed into dwarf2json as well but it is also not working

OL9_system_map.zip

Does this mean, that a standard kernel can never be analyzed with volatility so machines that are potentially memory dumped always have to run on a debug kernel?

[Abyss-W4tcher]

The ".debug" is only a oracle-specific kernel flavor, you should still find a vmlinux for the non ".debug" flavor.

[Abyss-W4tcher]

You should look for "debuginfo" packages

[fabianfrz]

@Abyss-W4tcher that was it. I got it now working

If it is needed for documentation:

Install the repository and the kernel debuginfo according to this page:
https://docs.oracle.com/en/operating-systems/oracle-linux/9/drgn/installing_debuginfo_packages.html

The situation is simmilar to RHEL: https://access.redhat.com/solutions/9907

then the elf can be aquired from the machine using

scp root@vm:/usr/lib/debug/lib/modules/6.12.0-104.43.4.3.el9uek.x86_64/vmlinux vmlinux-6.12.0-104.43.4.3.el9uek.x86_64
dwarf2json/dwarf2json linux --elf vmlinux-6.12.0-104.43.4.3.el9uek.x86_64 > OracleLinux9-6.12.0-104.43.4.3.el9uek.x86_64.json

Maybe it would be good, to add that to the volatility documentation on how to acquire the custom symbol map.

https://volatility3.readthedocs.io/en/latest/symbol-tables.html#mac-linux-symbol-tables

I will also append the file for the standard kernel here.

OL9_test.zip

@Abyss-W4tcher thanks for clarification of this.