└─# vol -f sample.mem linux.pstree.PsTree
Volatility 3 Framework 2.11.0
Progress: 100.00 Stacking attempts finished
Unsatisfied requirement plugins.PsTree.kernel.layer_name:
Unsatisfied requirement plugins.PsTree.kernel.symbol_table_name:

A translation layer requirement was not fulfilled. Please verify that:
    A file was provided to create this layer (by -f, --single-location or by config)
    The file exists and is readable
    The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled. Please verify that:
    The associated translation layer requirement was fulfilled
    You have the correct symbol file for the requirement
    The symbol file is under the correct directory or zip file
    The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.PsTree.kernel.layer_name', 'plugins.PsTree.kernel.symbol_table_name']
When you analyze Linux memory with vol3 you will almost always hit the error above: the symbol table for that system is missing. Most online articles introducing Volatility 3 simply translate the tool's command-line help into Chinese, and once you actually try to analyze a memory image with vol you find plenty of pitfalls, because memory analysis requires the symbol table of the exact system the image came from.
vol3 ships with very few Linux symbol tables, while there are a great many Linux kernel versions, so in most cases you have to manually export the symbol table on the matching machine before you can start analyzing the memory image.
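As an added example (not part of this post), a small Python script that shows what the "contains the correct banner" line in the error means in practice: it scans a raw image for the kernel's "Linux version ..." banner and looks for an ISF file in a symbol directory that carries the same banner. It assumes the dwarf2json ISF layout, where the banner is stored base64-encoded under symbols.linux_banner.constant_data; all function names and the sample banner are made up.

```python
import base64
import json
import re
import tempfile
from pathlib import Path
# The banner sits in the image as a NUL-terminated "Linux version ..." string;
# dwarf2json stores the same string base64-encoded under
# symbols.linux_banner.constant_data, which is what Volatility 3 matches on.
BANNER_RE = re.compile(rb"Linux version [ -~]{10,300}\n")

def scan_banners(image: bytes) -> list:
    """Return the distinct kernel banners found in a raw memory image."""
    found = []
    for m in BANNER_RE.finditer(image):
        banner = m.group(0).decode("ascii")
        if banner not in found:
            found.append(banner)
    return found

def isf_banner(isf: dict):
    """Return the banner an ISF file was built for, or None if it has none."""
    sym = isf.get("symbols", {}).get("linux_banner", {})
    if "constant_data" not in sym:
        return None
    return base64.b64decode(sym["constant_data"]).decode("ascii", "replace").rstrip("\x00")

def matching_isf(image: bytes, symbol_dir: Path) -> list:
    """(file name, banner) pairs for ISF files under symbol_dir that fit the image."""
    banners, hits = scan_banners(image), []
    for path in sorted(symbol_dir.rglob("*.json")):
        try:
            banner = isf_banner(json.loads(path.read_text()))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip it rather than abort the scan
        if banner in banners:
            hits.append((path.name, banner))
    return hits

# Constructed sample data: a made-up banner inside a fake image, and ISF
# documents for that kernel and for an unrelated one.
SAMPLE_BANNER = "Linux version 5.15.0-91-generic (builder@example) (gcc 11.4.0) #1 SMP Mon Jan 1 00:00:00 UTC 2024\n"
SAMPLE_IMAGE = b"\x00" * 4096 + SAMPLE_BANNER.encode() + b"\x00" * 4096

def make_isf(banner: str) -> dict:
    data = base64.b64encode(banner.encode() + b"\x00").decode()
    return {"metadata": {"format": "6.2.0"}, "symbols": {"linux_banner": {"constant_data": data}}}

def demo() -> list:
    """Write the sample ISF files to a temp dir and report which one fits the image."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "a.json").write_text(json.dumps(make_isf(SAMPLE_BANNER)))
        Path(tmp, "b.json").write_text(json.dumps(make_isf("Linux version 6.1.0-other #1\n")))
        return matching_isf(SAMPLE_IMAGE, Path(tmp))
```

If no ISF file matches, the banner printed by scan_banners tells you exactly which kernel you need to generate a symbol table for on the source machine.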