Description
When running the linux.pslist plugin against a memory dump from a custom Android 15 kernel (Linux version 6.6.30-android15-8), Volatility 3 reports:
Unsatisfied requirement plugins.PsList.kernel.layer_name:
Unsatisfied requirement plugins.PsList.kernel.symbol_table_name:
The plugin cannot load the kernel translation layer or symbol table, even though a kernel symbol file is present.
Volatility Version: 2.27.0
Operating System: Windows 10/11/Ubuntu 24.04.03
Python Version: Python 3.10.0 / newest python
Suspected Operating System: Android 15 custom kernel x86_64
Command:
python vol.py -f "memory.lime" -v linux.pslist
Steps to reproduce the behavior:
Acquire a memory dump (memory.lime) from an Android Virtual Device x86_64 with custom kernel 6.6.30-android15-8 using adb pull.
Have the kernel symbols JSON file located at the Volatility symbols directory.
Run the command to load the process list plugin.
See error indicating unsatisfied kernel layer and symbol table requirements.
Expected behavior
The plugin should successfully load the kernel layer and symbols, displaying the list of running processes.
Example output
C:\Users\me\Desktop\Voltality 3 Develop\volatility3>python vol.py -f "C:\Users\me\Desktop\Voltality 3 Develop\memory.lime" -v linux.pslist
INFO volatility3.cli: Volatility plugins path: ['C:\\Users\\me\\Desktop\\Voltality 3 Develop\\volatility3\\volatility3\\plugins', 'C:\\Users\\me\\Desktop\\Voltality 3 Develop\\volatility3\\volatility3\\framework\\plugins']
INFO volatility3.cli: Volatility symbols path: ['C:\\Users\\me\\Desktop\\Voltality 3 Develop\\volatility3\\volatility3\\symbols', 'C:\\Users\\me\\Desktop\\Voltality 3 Develop\\volatility3\\volatility3\\framework\\symbols']
INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module was found, plugin (and dependent plugins) not available
INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module was found, plugin (and dependent plugins) not available
INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module was found, plugin (and dependent plugins) not available
INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module was found, plugin (and dependent plugins) not available
INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module was found, plugin (and dependent plugins) not available
INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module was found, plugin (and dependent plugins) not available
INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module was found, plugin (and dependent plugins) not available
INFO volatility3.plugins.yarascan: Neither yara-x nor yara-python (>3.8.0) module was found, plugin (and dependent plugins) not available
INFO volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.linux.vmayarascan, volatility3.plugins.windows.cachedump, volatility3.plugins.windows.direct_system_calls, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.indirect_system_calls, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.malware.direct_system_calls, volatility3.plugins.windows.malware.indirect_system_calls, volatility3.plugins.windows.mftscan, volatility3.plugins.windows.registry.cachedump, volatility3.plugins.windows.registry.hashdump, volatility3.plugins.windows.registry.lsadump, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
Volatility 3 Framework 2.27.0
INFO volatility3.framework.automagic: Detected a linux category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO volatility3.framework.automagic: Running automagic: LayerStacker
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule
Unsatisfied requirement plugins.PsList.kernel.layer_name:
Unsatisfied requirement plugins.PsList.kernel.symbol_table_name:
A translation layer requirement was not fulfilled. Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The file is a valid memory image and was acquired cleanly
A symbol table requirement was not fulfilled. Please verify that:
The associated translation layer requirement was fulfilled
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.PsList.kernel.layer_name', 'plugins.PsList.kernel.symbol_table_name']
Additional information
Memory dump obtained via adb pull from Android emulator with virtual device x86_64 and custom Android 15 kernel.
Kernel symbols manually generated or extracted from build system and placed in Volatility’s symbols directory.
Banner mismatch or incomplete symbol support for this custom kernel may be causing the issue.
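Added example, not part of the original report or of Volatility's own code: a check for the banner mismatch suspected above, comparing the kernel banner found in the image bytes with the one stored in the symbol file. It assumes the ISF JSON keeps the banner base64-encoded under `symbols.linux_banner.constant_data`; the helper names and both sample banners are constructed for illustration.

```python
import base64
import re

# "Linux version <release> ..." up to the newline that ends the kernel banner.
BANNER_RE = re.compile(rb"Linux version \d+\.\d+\.\d+[^\n\x00]{0,400}\n")


def image_banners(data) -> set:
    """Distinct kernel banners found in raw image bytes (bytes or mmap)."""
    return {m.group(0).rstrip(b"\n\x00") for m in BANNER_RE.finditer(data)}


def isf_banner(isf: dict) -> bytes:
    """Banner stored in an ISF file under symbols.linux_banner.constant_data."""
    raw = isf["symbols"]["linux_banner"]["constant_data"]
    return base64.b64decode(raw).rstrip(b"\n\x00")


def banner_matches(data, isf: dict) -> bool:
    """True only if the ISF banner appears byte-for-byte in the image."""
    return isf_banner(isf) in image_banners(data)


def make_isf(banner: bytes) -> dict:
    """Build a minimal constructed ISF fragment holding only the banner."""
    return {"symbols": {"linux_banner": {
        "constant_data": base64.b64encode(banner + b"\x00").decode()}}}


# Constructed sample data: both banners share the release string from the
# report, but the build host and timestamp differ (placeholder values).
IMAGE_BANNER = (b"Linux version 6.6.30-android15-8 (build@example-a) "
                b"#1 SMP PREEMPT Mon Jan  1 00:00:00 UTC 2024\n")
OTHER_BANNER = (b"Linux version 6.6.30-android15-8 (build@example-b) "
                b"#1 SMP PREEMPT Tue Jan  2 00:00:00 UTC 2024\n")
SAMPLE_IMAGE = b"\x00" * 64 + IMAGE_BANNER + b"\x00" * 64

if __name__ == "__main__":
    for name, banner in (("matching", IMAGE_BANNER), ("other build", OTHER_BANNER)):
        isf = make_isf(banner)
        print(name, isf_banner(isf), banner_matches(SAMPLE_IMAGE, isf))
```

On real files, pass an `mmap` of the dump as `data` and the result of `json.load` on the symbol file as `isf`. A symbol file built from a different build of the same release fails the check even though the version string is identical.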