Volatility3 symbols

19/07/24

Repository is in standby, waiting for a fix regarding an issue in the ISF generator tool : volatilityfoundation/dwarf2json#63

Related work

A similar project for Volatility2 profiles is available here : https://github.com/Abyss-W4tcher/volatility2-profiles

EZ Volatility install script : https://github.com/Abyss-W4tcher/volatility-scripts/tree/master/vol_ez_install

Format

Distribution	Path	Symbols	Example
Ubuntu	Ubuntu/<architecture>/<base-kernel-version>/<ABI>/<kernel-flavour>/	Ubuntu_<kernel-version>_<package-revision>_<architecture>.json.xz	Ubuntu/amd64/4.4.0/22/generic/Ubuntu_4.4.0-22-generic_4.4.0-22.40~14.04.1_amd64.json.xz
Debian	Debian/<architecture>/<base-kernel-version>/<ABI>/<kernel-flavour>/	Debian_<kernel-version>_<package-revision>_<architecture>.json.xz	Debian/amd64/3.1.0/1/Debian_3.1.0-1-amd64_3.1.1-1_amd64.json.xz
KaliLinux	KaliLinux/<architecture>/<base-kernel-version>/<kernel-flavour>/	KaliLinux_<kernel-version>_<package-revision>_<architecture>.json.xz	KaliLinux/amd64/5.2.0/KaliLinux_5.2.0-kali2-amd64_5.2.9-2kali1_amd64.json.xz
AlmaLinux	AlmaLinux/<architecture>/<base-kernel-version>/<kernel-flavour>/	AlmaLinux_<kernel-version>_<architecture>.json.xz	AlmaLinux/x86_64/4.18.0/AlmaLinux_4.18.0-477.13.1.el8_8_x86_64.json.xz
RockyLinux	RockyLinux/<architecture>/<base-kernel-version>/<kernel-flavour>/	RockyLinux_<kernel-version>_<architecture>.json.xz	RockyLinux/x86_64/4.18.0/RockyLinux_4.18.0-477.10.1.el8_8_x86_64.json.xz
macOS	macOS/<version-prefixed>/	macOS_KDK_<macOS-version>_build-<build>_<arch-if-mach-kernel>.json.xz	macOS/14.0/macOS_KDK_14.0_build-23A5257q.json.xz

Usage

Place every compressed symbol file you plan to use inside your [volatility3_installation]/volatility3/symbols/linux/ directory (create it if needed).

Explore the "banners/banners_plain.json" file to match banners and symbols quickly.

FAQ

Some distributions are missing, do you plan to add them anytime soon ?

Adding a new distribution is not particularly an issue, and I'd like to include as much as I can. However, I do not want to push the repository size too far, to avoid a potential removal by GitHub.

Why can't I locate symbols for a particular subversion of a listed distribution ?
- Ubuntu : It appears that debug symbols for pre-release and test kernels aren't automatically generated along the kernel source code, in Ubuntu ddebs mirror. You might want to take a look at the Canonical Kernel Team PPA, for non-stable kernels. Check out issue #27 for an example.

Due to missing dependencies, some kernels specific versions may not be available here.

macOS

Kernel debug symbols for macOS are fetched from : https://developer.apple.com/download/all. However, as Apple does not provide every build, some versions aren't available in this repository. Here are some discussions about it :

Fetching symbols automatically

Volatility3 provides a new feature allowing users to specify a remote symbols source to be queried when analyzing a memory dump. To test this feature in your local installation, run the following commands :

VOLATILITY3_PATH=/path/to/volatility3_install/ # Edit accordingly
sed -i 's@REMOTE_ISF_URL = None@REMOTE_ISF_URL = "https://github.com/Abyss-W4tcher/volatility3-symbols/raw/master/banners/banners.json"@g' "$VOLATILITY3_PATH/volatility3/framework/constants/__init__.py"

[Consult] How to extract the symbols of macOS 12.7.5_21H1222

I installed KDK on a macOS computer and tried to extract the symbols, but the banner in the resulting JSON file is garbled. No useful information was found on the Internet. Do you have any suggestion?

This is the command I used:

dwarf2json mac --macho /Library/Developer/KDKs/KDK_12.7.5_21H1222.kdk/System/Library/Kernels/kernel.dSYM/Contents/Resources/DWARF/kernel

Here is the banner(version) information the command outputs:

    "version": {
      "type": {
        "count": 104,
        "kind": "array",
        "subtype": {
          "kind": "base",
          "name": "char"
        }
      },
      "address": 18446743523965599488,
      "constant_data": "6/0FAA4UAACoUewAgP///wv+BQAOFAAA+FHsAID///8q/gUADhQAAEhS7ACA////Sf4FAA4UAACYUuwAgP///2j+BQAOFAAA6FLsAID///98/gUADhQAADhT7ACA////jv4FAA4UAAA="
    },

The value of 'constant_data' is expected to be the base64-encoded string of 'Darwin Kernel Version ...' but it turns out to be some kind of binary string.

More information:

fun@FundeMacBook-Pro ~ % sw_vers 
ProductName:	macOS
ProductVersion:	12.7.5
BuildVersion:	21H1222

fun@FundeMacBook-Pro ~ % system_profiler SPHardwareDataType
Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro13,2
      Processor Name: Dual-Core Intel Core i5
      Processor Speed: 2.9 GHz
      Number of Processors: 1
      Total Number of Cores: 2
      L2 Cache (per Core): 256 KB
      L3 Cache: 4 MB
      Hyper-Threading Technology: Enabled
      Memory: 8 GB
      System Firmware Version: 529.120.1.0.0
      OS Loader Version: 540.120.3~37
      SMC Version (system): 2.37f25
      Serial Number (system): C02T913XGTFJ
      Hardware UUID: B767BD55-CC06-56BD-B0F4-FD6878AD9D04
      Provisioning UDID: B767BD55-CC06-56BD-B0F4-FD6878AD9D04

fun@FundeMacBook-Pro ~ % file /Library/Developer/KDKs/KDK_12.7.5_21H1222.kdk/System/Library/Kernels/kernel.dSYM/Contents/Resources/DWARF/kernel
/Library/Developer/KDKs/KDK_12.7.5_21H1222.kdk/System/Library/Kernels/kernel.dSYM/Contents/Resources/DWARF/kernel: Mach-O 64-bit dSYM companion file x86_64

fun@FundeMacBook-Pro ~ % go version 
go version go1.22.4 darwin/amd64

Thanks in advance.

abyss-w4tcher / volatility3-symbols Goto Github PK