When scanning linux lime memory file, use the config file created by --save-config, can not skip the scan LimeLayer step. Is this normal behavior? #1119

Open
typeryougishiki opened this issue Mar 25, 2024 · 4 comments

typeryougishiki commented Mar 25, 2024

When scanning a 24G Windows lime memory file, I can use the --save-config option to create a config file. The next time I scan this memory file, I can use the -c option to set the saved config and skip the Scanning memory_layer step.

But when scanning a 16G Linux lime memory file, I followed the same steps and could not skip the Scanning LimeLayer step.

Save config command:
python C:\Users\typer\work\volatility3-develop\vol.py -vvvv --save-config C:\Users\typer\temp\66.conf -f D:\66.raw linux.iomem

-c set config file command:
python C:\Users\typer\work\volatility3-develop\vol.py -vvvv -c C:\Users\typer\temp\66.conf -f D:\66.raw linux.iomem

output before start Scanning LimeLayer:

Volatility 3 Framework 2.7.0
INFO     volatility3.cli: Volatility plugins path: ['C:\\Users\\typer\\work\\volatility3-develop\\volatility3\\plugins', 'C:\\Users\\typer\\work\\volatility3-develop\\volatility3\\framework\\plugins']
INFO     volatility3.cli: Volatility symbols path: ['C:\\Users\\typer\\work\\volatility3-develop\\volatility3\\symbols', 'C:\\Users\\typer\\work\\volatility3-develop\\volatility3\\framework\\symbols']
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "C:\Users\typer\miniconda3\lib\importlib\__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\yarascan.py", line 17, in <module>
    import yara
ModuleNotFoundError: No module named 'yara'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\yarascan.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "C:\Users\typer\miniconda3\lib\importlib\__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\linux\vmayarascan.py", line 10, in <module>
    from volatility3.plugins import yarascan
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\yarascan.py", line 17, in <module>
    import yara
ModuleNotFoundError: No module named 'yara'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.linux.vmayarascan based on file: C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\linux\vmayarascan.py
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "C:\Users\typer\miniconda3\lib\importlib\__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\cachedump.py", line 8, in <module>
    from Crypto.Cipher import ARC4, AES
ModuleNotFoundError: No module named 'Crypto'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\cachedump.py
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "C:\Users\typer\miniconda3\lib\importlib\__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\hashdump.py", line 10, in <module>
    from Crypto.Cipher import AES, ARC4, DES
ModuleNotFoundError: No module named 'Crypto'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\hashdump.py
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "C:\Users\typer\miniconda3\lib\importlib\__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\iat.py", line 4, in <module>
    import logging, io, pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.iat based on file: C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\iat.py
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "C:\Users\typer\miniconda3\lib\importlib\__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\lsadump.py", line 8, in <module>
    from Crypto.Cipher import ARC4, DES, AES
ModuleNotFoundError: No module named 'Crypto'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\lsadump.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "C:\Users\typer\miniconda3\lib\importlib\__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\mftscan.py", line 13, in <module>
    from volatility3.plugins import timeliner, yarascan
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\yarascan.py", line 17, in <module>
    import yara
ModuleNotFoundError: No module named 'yara'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.mftscan based on file: C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\mftscan.py
INFO     volatility3.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "C:\Users\typer\miniconda3\lib\importlib\__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\netscan.py", line 17, in <module>
    from volatility3.plugins.windows import info, poolscanner, verinfo
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\verinfo.py", line 21, in <module>
    import pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.netscan based on file: C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\netscan.py
INFO     volatility3.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "C:\Users\typer\miniconda3\lib\importlib\__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\netstat.py", line 15, in <module>
    from volatility3.plugins.windows import netscan, modules, info, verinfo
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\netscan.py", line 17, in <module>
    from volatility3.plugins.windows import info, poolscanner, verinfo
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\verinfo.py", line 21, in <module>
    import pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.netstat based on file: C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\netstat.py
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "C:\Users\typer\miniconda3\lib\importlib\__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\skeleton_key_check.py", line 18, in <module>
    import pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.skeleton_key_check based on file: C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\skeleton_key_check.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "C:\Users\typer\miniconda3\lib\importlib\__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\svcscan.py", line 23, in <module>
    from volatility3.plugins.windows import poolscanner, pslist, vadyarascan
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\vadyarascan.py", line 11, in <module>
    from volatility3.plugins import yarascan
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\yarascan.py", line 17, in <module>
    import yara
ModuleNotFoundError: No module named 'yara'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\svcscan.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "C:\Users\typer\miniconda3\lib\importlib\__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\vadyarascan.py", line 11, in <module>
    from volatility3.plugins import yarascan
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\yarascan.py", line 17, in <module>
    import yara
ModuleNotFoundError: No module named 'yara'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\vadyarascan.py
INFO     volatility3.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "C:\Users\typer\miniconda3\lib\importlib\__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\verinfo.py", line 21, in <module>
    import pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.verinfo based on file: C:\Users\typer\work\volatility3-develop\volatility3\framework\plugins\windows\verinfo.py
INFO     volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.linux.vmayarascan, volatility3.plugins.windows.cachedump, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.iat, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.mftscan, volatility3.plugins.windows.netscan, volatility3.plugins.windows.netstat, volatility3.plugins.windows.skeleton_key_check, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.windows.verinfo, volatility3.plugins.yarascan
INFO     volatility3.framework.automagic: Detected a linux category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.IOMem.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.IOMem.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.IOMem.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.IOMem.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.IOMem.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.IOMem.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.IOMem.kernel.layer_name.memory_layer
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.IOMem.kernel.layer_name.memory_layer.base_layer
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.IOMem.kernel.symbol_table_name
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.IOMem
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Stacked LimeLayer using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
Progress:   45.86               Scanning LimeLayer using MultiStringScanner

Is this the normal behavior of volatility3? Or did I do something wrong?

@ikelos
Member

ikelos commented Apr 9, 2024

Unfortunately it depends on the requirements of the plugin (whether it has a ModuleRequirement or just a TranslationLayerRequirement and a SymbolTableRequirement) and what plugin you used to generate the saved config. If it was the same plugin then the same config should have worked appropriately. Please could you attach the config file you used so we can check if there's anything unusual in there?

The config supplements volatility's automagic, so that if the additional information doesn't help, it'll fall back to doing the scans itself. As far as I was aware, this had all been working, but it's possible a recent change broke this or there's some other reason why it can't skip past the scan...

@typeryougishiki
Author

When I use linux.iomem to analyze 66.local.lime, the content of the generated config file is as follows:
```json
{
  "kernel.layer_name.class": "volatility3.framework.layers.intel.Intel32e",
  "kernel.layer_name.kernel_banner": "Linux version 3.10.0-1160.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP Mon Oct 19 16:18:59 UTC 2020\n\u0000",
  "kernel.layer_name.kernel_virtual_offset": 763363328,
  "kernel.layer_name.memory_layer.base_layer.class": "volatility3.framework.layers.physical.FileLayer",
  "kernel.layer_name.memory_layer.base_layer.location": "file:///D:/66.local.lime",
  "kernel.layer_name.memory_layer.class": "volatility3.framework.layers.lime.LimeLayer",
  "kernel.layer_name.page_map_offset": 9663741952,
  "kernel.offset": 763363328,
  "kernel.symbol_table_name.class": "volatility3.framework.symbols.linux.LinuxKernelIntermedSymbols",
  "kernel.symbol_table_name.isf_url": "file:///C:/Users/typer/work/volatility3-2.5.2/volatility3/symbols/linux/kernel-3.10.0-1160.el7.x86_64.json",
  "kernel.symbol_table_name.symbol_mask": 281474976710655
}
```
@ikelos
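Added example (not part of the thread and not Volatility's own code): a pre-flight check for a config written by `--save-config`, run against a trimmed copy of the config posted above. It lists the layer stack the config describes and compares the recorded image location with the path given to `-f`. The `EXPECTED_KEYS` list and the function names are assumptions drawn from the posted config, not from Volatility's requirement definitions.

```python
import json
from pathlib import PureWindowsPath
from urllib.parse import quote

# Constructed sample: the config posted in the thread, trimmed to the keys used here.
SAVED_CONFIG = json.loads("""
{
  "kernel.layer_name.class": "volatility3.framework.layers.intel.Intel32e",
  "kernel.layer_name.kernel_virtual_offset": 763363328,
  "kernel.layer_name.memory_layer.base_layer.class": "volatility3.framework.layers.physical.FileLayer",
  "kernel.layer_name.memory_layer.base_layer.location": "file:///D:/66.local.lime",
  "kernel.layer_name.memory_layer.class": "volatility3.framework.layers.lime.LimeLayer",
  "kernel.layer_name.page_map_offset": 9663741952,
  "kernel.offset": 763363328,
  "kernel.symbol_table_name.class": "volatility3.framework.symbols.linux.LinuxKernelIntermedSymbols",
  "kernel.symbol_table_name.isf_url": "file:///C:/Users/typer/work/volatility3-2.5.2/volatility3/symbols/linux/kernel-3.10.0-1160.el7.x86_64.json"
}
""")

# Assumption: keys that describe a complete Linux kernel module, taken from the
# posted config rather than from Volatility's own requirement classes.
EXPECTED_KEYS = (
    "kernel.offset",
    "kernel.layer_name.class",
    "kernel.layer_name.page_map_offset",
    "kernel.layer_name.kernel_virtual_offset",
    "kernel.symbol_table_name.class",
    "kernel.symbol_table_name.isf_url",
)


def layer_chain(config, root="kernel.layer_name"):
    """Layer class names from the translation layer down to the file layer."""
    classes = {key[: -len(".class")]: value for key, value in config.items()
               if key.startswith(root) and key.endswith(".class")}
    ordered = sorted(classes, key=lambda path: path.count("."))
    return [classes[path].rsplit(".", 1)[-1] for path in ordered]


def dump_uri(path):
    """file:// URI for a Windows path as it would be passed to -f."""
    return "file:///" + quote(PureWindowsPath(path).as_posix(), safe="/:")


def check_saved_config(config, dump_path, root="kernel.layer_name"):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = [f"missing key: {key}" for key in EXPECTED_KEYS if key not in config]
    locations = [value for key, value in config.items()
                 if key.startswith(root + ".") and key.endswith(".location")]
    if not locations:
        findings.append("no file location recorded under " + root)
    wanted = dump_uri(dump_path)
    for recorded in locations:
        # Windows paths are case-insensitive, so compare case-folded.
        if recorded.lower() != wanted.lower():
            findings.append(f"location {recorded} does not match -f {wanted}")
    return findings


if __name__ == "__main__":
    print(" -> ".join(layer_chain(SAVED_CONFIG)))
    # The two image paths that appear in the thread.
    for candidate in (r"D:\66.local.lime", r"D:\66.raw"):
        print(candidate, check_saved_config(SAVED_CONFIG, candidate))
```
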

@typeryougishiki
Author

@ikelos Are you still following this issue?

@ikelos
Member

ikelos commented May 8, 2024

Sorry, I haven't had much time to devote to volatility recently, but I am still following it yes. That configuration is using the ModuleRequirement so should be picking everything up and rebuilding it properly. I'll check the LinuxIntelStacker to make sure it's trying to get the value from the config rather than scanning it all the time. It may take me a little while I'm afraid. Do feel free to keep prodding here if it takes me too long though....
