Unsatisfied requirement plugins.Lsof.kernel: Linux kernel

Describe the bug
A clear and concise description of what the bug is.

Context
Volatility Version: Volatility 3 Framework 2.0.0
Operating System: CentOS 8
Linux localhost.localdomain 4.18.0-305.3.1.el8.x86_64 #1 SMP Tue Jun 1 16:14:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Python Version:
Python 3.6.8 (default, Mar 19 2021, 05:13:41)
[GCC 8.4.1 20200928 (Red Hat 8.4.1-1)] on linux
Suspected Operating System: CentOS 8
Linux localhost.localdomain 4.18.0-305.3.1.el8.x86_64 #1 SMP Tue Jun 1 16:14:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Command:
python3 vol.py -vvvvvvvv -f CentOS8.vmem linux.lsof.Lsof
To Reproduce
Steps to reproduce the behavior:

1. Use command 'python3 vol.py -vvvvvvvv -f CentOS8.vmem linux.lsof.Lsof '
2. See error
   Unsatisfied requirement plugins.Lsof.kernel: Linux kernel
   Unable to validate the plugin requirements: ['plugins.Lsof.kernel']
   Expected behavior
   A clear and concise description of what you expected to happen.
   According to the requirements of the symbol table.
   Screenshots
   [root@localhost volatility3]# python3 vol.py -vvvvvvvv -f CentOS8.vmem linux.lsof.Lsof
   Volatility 3 Framework 2.0.0
   INFO volatility3.cli: Volatility plugins path: ['/home/find/Downloads/dwarf2json-master/volatility3/volatility3/plugins', '/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins']
   INFO volatility3.cli: Volatility symbols path: ['/home/find/Downloads/dwarf2json-master/volatility3/volatility3/symbols', '/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/symbols']
   Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/plugins, /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins
   INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
   DEBUG volatility3.framework: No module named 'yara'
   DEBUG volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/yarascan.py
   DEBUG volatility3.framework: No module named 'Crypto'
   DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/cachedump.py
   INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
   DEBUG volatility3.framework: No module named 'yara'
   DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.callbacks based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/callbacks.py
   DEBUG volatility3.framework: No module named 'Crypto'
   DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/hashdump.py
   DEBUG volatility3.framework: No module named 'Crypto'
   DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/lsadump.py
   INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
   DEBUG volatility3.framework: No module named 'yara'
   DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/svcscan.py
   INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
   DEBUG volatility3.framework: No module named 'yara'
   DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/vadyarascan.py
   INFO volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.callbacks, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
   Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/automagic
   Level 7 volatility3.cli: Cache directory used: /root/.cache/volatility3
   INFO volatility3.framework.automagic: Detected a linux category plugin
   Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
   INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
   Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
   Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel
   Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
   Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel
   Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
   Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel
   Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
   Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name
   Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
   Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel.layer_name
   Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name
   Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel
   Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
   Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name
   Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
   Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel.symbol_table_name
   Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name
   Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel
   Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel
   Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof
   Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
   Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
   Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
   Level 6 volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
   INFO volatility3.framework.automagic: Running automagic: LinuxBannerCache
   Level 6 volatility3.framework.symbols.intermed: Searching for symbols in /home/find/Downloads/dwarf2json-master/volatility3/volatility3/symbols, /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/symbols
   INFO volatility3.framework.automagic.symbol_cache: Building linux caches...
   Level 7 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, LeechCoreHandler
   INFO volatility3.framework.automagic: Running automagic: LayerStacker
   Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
   Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel
   Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
   Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
   Level 6 volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0
   Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
   Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
   Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
   Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
   Level 6 volatility3.framework.layers.vmware: Metadata found: VMSS (False) or VMSN (False)
   Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
   DEBUG volatility3.framework.automagic.linux: No suitable linux banner could be matched
   Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name
   Level 9 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
   DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
   INFO volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
   Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name
   INFO volatility3.framework.automagic: Running automagic: KernelModule
   Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel
   Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name
   Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel

Unsatisfied requirement plugins.Lsof.kernel: Linux kernel
Unable to validate the plugin requirements: ['plugins.Lsof.kernel']

Additional information
Add any other information about the problem here.

[ikelos]

Hi, did you create the appropriate symbol file for the version of Centos 8 you're trying to analyse? Volatility 3 doesn't yet have a library of linux symbol tables, so without creating that you won't be able to work with the memory image. There's a tool for creating them from a debug kernel using the tool dwarf2json. Please see this documentation for more information. You can see which symbol tables volatility 3 can see using the isfinfo plugins, and you can check what banners are present in the image using the banners plugin...

Yes, thank you. I create the appropriate symbol file for the version of Centos 8. But there are new problems.
[root@localhost volatility3]# python3 vol.py -vvvvvv -f CentOS8.vmem linux.pslist.PsList
Volatility 3 Framework 2.0.0
INFO volatility3.cli: Volatility plugins path: ['/home/find/Downloads/dwarf2json-master/volatility3/volatility3/plugins', '/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/home/find/Downloads/dwarf2json-master/volatility3/volatility3/symbols', '/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/symbols']
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/plugins, /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins
INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/yarascan.py
DEBUG volatility3.framework: No module named 'Crypto'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/cachedump.py
INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.callbacks based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/callbacks.py
DEBUG volatility3.framework: No module named 'Crypto'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/hashdump.py
DEBUG volatility3.framework: No module named 'Crypto'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/lsadump.py
INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/svcscan.py
INFO volatility3.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG volatility3.framework: No module named 'yara'
DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/windows/vadyarascan.py
INFO volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.callbacks, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/automagic
Level 7 volatility3.cli: Cache directory used: /root/.cache/volatility3
INFO volatility3.framework.automagic: Detected a linux category plugin
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 6 volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
INFO volatility3.framework.automagic: Running automagic: LinuxBannerCache
Level 6 volatility3.framework.symbols.intermed: Searching for symbols in /home/find/Downloads/dwarf2json-master/volatility3/volatility3/symbols, /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/symbols
INFO volatility3.framework.automagic.symbol_cache: Building linux caches...
Level 7 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, LeechCoreHandler
INFO volatility3.framework.automagic: Running automagic: LayerStacker
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 6 volatility3.framework.layers.vmware: Metadata found: VMSS (False) or VMSN (False)
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG volatility3.framework.automagic.linux: Identified banner: b'Linux version 4.18.0-305.3.1.el8.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 8.4.1 20200928 (Red Hat 8.4.1-1) (GCC)) #1 SMP Tue Jun 1 16:14:33 UTC 2021\n\x00'
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!dma_coherent_mem
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!netns_ipvs
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!ring_buffer
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!s_pstats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_dev_rcv_lists
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!s_stats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_route
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sctp_mib
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!ebt_table
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!garp_port
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!wireless_dev
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mrp_port
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!switchdev_ops
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sfp_bus
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!tipc_bearer
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_vstats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_dev
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!udp_tunnel_nic
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!phylink
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!reset_control
DEBUG volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical 1b400000 virtual 35c00000
DEBUG volatility3.framework.automagic.linux: DTB was found at: 0x1da10000
Level 8 volatility3.framework.automagic.stacker: Stacked IntelLayer using LinuxIntelStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6 volatility3.framework: Importing from the following paths: /home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 4.18.0-305.3.1.el8.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 8.4.1 20200928 (Red Hat 8.4.1-1) (GCC)) #1 SMP Tue Jun 1 16:14:33 UTC 2021\n\x00'
DEBUG volatility3.framework.automagic.symbol_finder: Using symbol library: jar:file:/home/find/Downloads/dwarf2json-master/volatility3/volatility3/symbols/linux.zip!linux/CentOS8.4.18.0-305.3.1.el8.x86_64.json.xz
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
INFO volatility3.framework.automagic: Running automagic: KernelModule
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel

PID PPID COMM
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dma_coherent_mem
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!netns_ipvs
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ring_buffer
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!s_pstats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_dev_rcv_lists
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!s_stats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_route
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sctp_mib
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ebt_table
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!garp_port
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!wireless_dev
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mrp_port
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!switchdev_ops
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp_bus
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!tipc_bearer
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_vstats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_dev
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!udp_tunnel_nic
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!phylink
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!reset_control

DEBUG volatility3.cli: Traceback (most recent call last):
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/cli/init.py", line 333, in run
renderersargs.renderer.render(constructed.run())
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/cli/text_renderer.py", line 178, in render
grid.populate(visitor, outfd)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/renderers/init.py", line 211, in populate
for (level, item) in self._generator:
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/plugins/linux/pslist.py", line 55, in _generator
pid = task.pid
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/objects/init.py", line 760, in getattr
member = template(context = self._context, object_info = object_info)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/objects/templates.py", line 72, in call
return self.vol.object_class(context = context, object_info = object_info, **arguments)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/objects/init.py", line 121, in new
value = cls._unmarshall(context, data_format, object_info)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/objects/init.py", line 143, in _unmarshall
data = context.layers.read(object_info.layer_name, object_info.offset, data_format.length)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/interfaces/layers.py", line 553, in read
return self[layer].read(offset, length, pad)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/linear.py", line 37, in read
for (offset, _, mapped_offset, mapped_length, layer) in self.mapping(offset, length, ignore_errors = pad):
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/intel.py", line 200, in mapping
for offset, size, mapped_offset, mapped_size, map_layer in self._mapping(offset, length, ignore_errors):
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/intel.py", line 244, in _mapping
chunk_offset, page_size, layer_name = self._translate(offset)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/intel.py", line 105, in _translate
entry, position = self._translate_entry(offset)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/intel.py", line 149, in _translate_entry
table = self._get_valid_table(base_address)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/intel.py", line 170, in _get_valid_table
table = self._context.layers.read(self._base_layer, base_address, self.page_size)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/interfaces/layers.py", line 553, in read
return self[layer].read(offset, length, pad)
File "/home/find/Downloads/dwarf2json-master/volatility3/volatility3/framework/layers/physical.py", line 144, in read
"Offset outside of the buffer boundaries")
volatility3.framework.exceptions.InvalidAddressException: Offset outside of the buffer boundaries

Volatility was unable to read a requested page:
0x13b3bf000 in layer memory_layer (Offset outside of the buffer boundaries)

* The base memory file being incomplete (try re-acquiring if possible)
* Memory smear during acquisition (try re-acquiring if possible)
* An intentionally invalid page lookup (operating system protection)
* A bug in the plugin/volatility3 (re-run with -vvv and file a bug)

No further results will be produced

I think "symbol file" is still incorrect. But I don't know what went wrong.

[ikelos]

Thanks, it looks like the symbols are present now and it's detecting the right version of linux and using that JSON file, but the intel memory map seems to be pointing to somewhere outside of the bounds of the physical memory image. Unfortunately this suggests either:

• an issue with the memory image itself, which is unusual but can happen
• that the JSON file has symbols which point to the wrong locations and so is throwing off volatility's ability to determine where certain structures are in memory
• that it's misdetected the location of the kernel and/or one of the ASLR shifts required to make them all match up.

Unfortunately, it's not clear how to figure out which of those issues is the problem. Might be one for @atcuno to help diagnose?

Volatility was unable to read a requested page:
0x13b3bf000 in layer memory_layer (Offset outside of the buffer boundaries)

I used the same method for centos7 and found the following error

Level 8 volatility3.framework.automagic.symbol_cache: Caching file jar:file:/root/dwarf2json/volatility3/volatility3/symbols/linux.zip!linux/centos7.3.10.json.xz failed due to JSON error
Level 8 volatility3.framework.automagic.symbol_cache: Caching file jar:file:/root/dwarf2json/volatility3/volatility3/symbols/linux.zip!linux/centos7-3.10.json.xz failed due to JSON error
INFO volatility3.framework.automagic: Running automagic: LayerStacker
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility3.framework.layers.elf: Exception: Bad magic 0x4c694d45 at file offset 0x0

[ikelos]

Thanks, would you be able to attach either of centos7.3.10.json.xz or centos7-3.10.json.xz so we can take a look at what's going on. That looks like a separate issue, rather than something related this one...

I found that I didn't have enough memory, so I didn't complete "Symbols". But there are still problems with centos7.
(base) [root@localhost volatility3]# python vol.py -vvvvvv -f CentOS7-1160.vmem linux.pslist.PsList
Volatility 3 Framework 2.0.0
INFO volatility3.cli: Volatility plugins path: ['/root/dwarf2json/volatility3/volatility3/plugins', '/root/dwarf2json/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/root/dwarf2json/volatility3/volatility3/symbols', '/root/dwarf2json/volatility3/volatility3/framework/symbols']
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/plugins, /root/dwarf2json/volatility3/volatility3/framework/plugins
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/automagic
Level 7 volatility3.cli: Cache directory used: /root/.cache/volatility3
INFO volatility3.framework.automagic: Detected a linux category plugin
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 6 volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
INFO volatility3.framework.automagic: Running automagic: LinuxBannerCache
Level 6 volatility3.framework.symbols.intermed: Searching for symbols in /root/dwarf2json/volatility3/volatility3/symbols, /root/dwarf2json/volatility3/volatility3/framework/symbols
INFO volatility3.framework.automagic.symbol_cache: Building linux caches...
Level 7 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, LeechCoreHandler
INFO volatility3.framework.automagic: Running automagic: LayerStacker
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility3.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 6 volatility3.framework.layers.vmware: Metadata found: VMSS (False) or VMSN (False)
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG volatility3.framework.automagic.linux: Identified banner: b'Linux version 3.10.0-1160.31.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP Thu Jun 10 13:32:12 UTC 2021\n\x00'
DEBUG volatility3.schemas: Validating JSON against schema...
DEBUG volatility3.schemas: JSON validated against schema (result cached)
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!slab
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!dma_coherent_mem
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!css_id
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sock_fprog_kern
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!nf_ct_event_notifier
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!nf_exp_event_notifier
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!nft_af_info
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sctp_mib
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!ebt_table
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!dn_dev
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!garp_port
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mrp_port
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_vstats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!forwarding_accel_ops
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!wpan_dev
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sysfs_dirent
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!dn_route
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!ip_vs_sync_buff
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!tcp_states_t
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_tstats
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_conn
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cached_keys
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cqm_config
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_internal_bss
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!libipw_device
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!res_counter
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!nfs4_lock_state
DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!nlm_lockowner
DEBUG volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical 4777f000 virtual 0
DEBUG volatility3.framework.automagic.linux: DTB was found at: 0x4938f000
Level 8 volatility3.framework.automagic.stacker: Stacked IntelLayer using LinuxIntelStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6 volatility3.framework: Importing from the following paths: /root/dwarf2json/volatility3/volatility3/framework/layers
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 3.10.0-1160.31.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP Thu Jun 10 13:32:12 UTC 2021\n\x00'
DEBUG volatility3.framework.automagic.symbol_finder: Using symbol library: jar:file:/root/dwarf2json/volatility3/volatility3/symbols/linux.zip!linux/Centos7.1061.json.xz
INFO volatility3.framework.automagic: Running automagic: KernelModule
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel

PID PPID COMM
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!slab
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dma_coherent_mem
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!css_id
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sock_fprog_kern
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!nf_ct_event_notifier
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!nf_exp_event_notifier
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!nft_af_info
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sctp_mib
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ebt_table
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dn_dev
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!garp_port
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mrp_port
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_vstats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!forwarding_accel_ops
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!wpan_dev
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sysfs_dirent
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dn_route
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ip_vs_sync_buff
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!tcp_states_t
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_tstats
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_conn
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cached_keys
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cqm_config
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_internal_bss
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!libipw_device
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!res_counter
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!nfs4_lock_state
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!nlm_lockowner

Symbols.zip

[ikelos]

Well, it's correctly identifying the symbols, so it could be that the ASLR shift is coming out wrong, but again, I think this is into territory best covered by @atcuno at this point...

[atcuno]

@ninja2017 can you share the memory samples from this issue? Also, I see that you have a .vmem extension. Is this from a VMware snapshot or suspended state? If so, is the accompanying .vmss file in the directory?

[ikelos]

@atcuno We now log whether a VMSS/VMSN was present, neither was there with this image:

Level 6 volatility3.framework.layers.vmware: Metadata found: VMSS (False) or VMSN (False)