Intermittent errors with linux plugins (~50% of memory acquisitions from the same machine have errors) #1534

Brian-Guenther · 2025-01-08T00:03:17Z

Describe the bug

Intermittent errors from volatility3 linux plugins on memory dumps taken on same system a few minutes apart
We are generating symbol files with Dwarf2json, acquiring memory with AVML, and running volatility3 against the acquired .lime file
About half of our memory acquisitions are causing volatility3 linux plugins to crash and the other half work fine (Seemingly random)
All of this is running on a t3.xlarge AWS EC2 server running RHEL8.10

Started with post in community slack and was told to open issue here.

Example Errors (Full -vvv stacktraces included in comment)

Error Message from python3.8 volatility3/vol.py -f output.lime linux.pslist

Volatility was unable to read a requested page:

Page error 0x7f9aa14b62e0 in layer layer_name (Page Fault at entry 0x0 in table page directory pointer)


        * Memory smear during acquisition (try re-acquiring if possible)

        * An intentionally invalid page lookup (operating system protection)

        * A bug in the plugin/volatility3 (re-run with -vvv and file a bug)
 

No further results will be produced

Error Message from python3.8 volatility3/vol.py -f output.lime linux.psaux

  File "/ir/volatility3-develop/vol.py", line 11, in <module>
    volatility3.cli.main()
  File "/ir/volatility3-develop/volatility3/cli/__init__.py", line 909, in main
    CommandLine().run()
  File "/ir/volatility3-develop/volatility3/cli/__init__.py", line 501, in run
    renderer.render(grid)
  File "/ir/volatility3-develop/volatility3/cli/text_renderer.py", line 232, in render
    grid.populate(visitor, outfd)
  File "/ir/volatility3-develop/volatility3/framework/renderers/__init__.py", line 240, in populate
    for level, item in self._generator:
  File "/ir/volatility3-develop/volatility3/framework/plugins/linux/psaux.py", line 103, in _generator
    args = self._get_command_line_args(task, name)
  File "/ir/volatility3-develop/volatility3/framework/plugins/linux/psaux.py", line 81, in _get_command_line_args
    s = argv.decode().split("\x00")
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 0: invalid start byte

Context

AVML Version 0.14.0
Volatility3 Version: Same behavior on latest stable release 2.8.0 and 2.15.0 (latest from develop branch)
Python Version: 3.8.17
Dwarf2Json Version: 0.9.0
RHEL8 Version: 8.10
- 4.18.0-553.33.1.el8_10.x86_64
Hardware Version: AWS EC2 Server, t3.xlarge

To Reproduce

./avml output.lime
python3.8 volatility3/vol.py -f output.lime linux.pslist

Note on Reproducing

Memory dump that works and memory dump that causes errors are exact same size, which makes me think its not a corrupted file from AVML, but some format in the dump that vol3 is not expecting?
Was able to reproduce this on new EC2 servers created from the same AMI
I stood up a bare-bones server with the exact same kernel version, and was unable to reproduce this
- This makes me think that its some system or process writing to memory in a format that either AVML or Volatility3 can't translate?

Expected behavior

Would expect two memory acquisitions from the same server taken minutes apart to both be able to be analyzed by volatility3 with no errors.

Additional information

A memory dump that causes errors in linux.ps_aux and linux.pslist doesn't cause errors in linux.check_syscall
Can't provide full memory dump files, but am interested in suggested next steps for troubleshooting, what tools/options do we have to validate a dump before running vol3 linux plugins against it?

The text was updated successfully, but these errors were encountered:

atcuno · 2025-01-08T05:43:47Z

Hello,

Thank you for filing thia report! To start the feedback:

Yes, you can have substantial changes in memory within minutes, so the results of one acquisition will not necessarily reflect the other, depending on machine activity.
Can you paste the full run of pslist and reproduce the crash with -vvvvvv set? Paste the full backtrace so we can be sure to track it.
I have put the psaux crash in our list for parity release. Thank you for reporting this.

Brian-Guenther · 2025-01-08T15:26:44Z

Passing pslist with -vvv

$ python3.8 volatility3-develop/vol.py -vvv -f output1.lime linux.pslist

Volatility 3 Framework 2.15.0

INFO     volatility3.cli: Volatility plugins path: ['/ir/volatility3-develop/volatility3/plugins', '/ir/volatility3-develop/volatility3/framework/plugins']

INFO     volatility3.cli: Volatility symbols path: ['/ir/volatility3-develop/volatility3/symbols', '/ir/volatility3-develop/volatility3/framework/symbols']

DEBUG    volatility3.plugins.yarascan: Using yara-python module

INFO     volatility3.framework.automagic: Detected a linux category plugin

INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList

INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic

INFO     volatility3.framework.automagic: Running automagic: LayerStacker

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DEBUG    volatility3.framework.automagic.linux: Identified banner: b'Linux version 4.18.0-553.33.1.el8_10.x86_64 ([email protected]) (gcc version 8.5.0 20210514 (Red Hat 8.5.0-22) (GCC)) #1 SMP Fri Dec 6 15:07:20 EST 2024\n\x00'

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mmu_notifier_mm

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!dma_coherent_mem

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!netns_ipvs

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!ring_buffer

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!s_pstats

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_dev_rcv_lists

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!s_stats

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_route

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!sctp_mib

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!ebt_table

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!garp_port

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!wireless_dev

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mrp_port

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!switchdev_ops

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!sfp_bus

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!tipc_bearer

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_vstats

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_dev

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!udp_tunnel_nic

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!phylink

DEBUG    volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical 416600000 virtual a400000

DEBUG    volatility3.framework.automagic.linux: DTB was found at: 0x419010000

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer.base_layer

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList

DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 16961638555

DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'LimeLayer', 'FileLayer']

INFO     volatility3.framework.automagic: Running automagic: SymbolFinder

INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DEBUG    volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 4.18.0-553.33.1.el8_10.x86_64 ([email protected]) (gcc version 8.5.0 20210514 (Red Hat 8.5.0-22) (GCC)) #1 SMP Fri Dec 6 15:07:20 EST 2024\n\x00'

DEBUG    volatility3.framework.automagic.symbol_finder: Using symbol library: file:///ir/volatility3-develop/volatility3/symbols/linux/rhel8_4.18.0-553.33.1.el8_10.x86_64.json

DEBUG    volatility3.framework.automagic.symbol_finder: producer_name: dwarf2json, producer_version: 0.9.0

DEBUG    volatility3.framework.automagic.symbol_finder: Types:

DEBUG    volatility3.framework.automagic.symbol_finder:      {'kind': 'dwarf', 'name': 'vmlinux', 'hash_type': 'sha256', 'hash_value': '3c9ff09f335f37270fe291576fd892340a2357462a65ed5db5237501e221b78f'}

DEBUG    volatility3.framework.automagic.symbol_finder: Symbols:

DEBUG    volatility3.framework.automagic.symbol_finder:      {'kind': 'dwarf', 'name': 'vmlinux', 'hash_type': 'sha256', 'hash_value': '3c9ff09f335f37270fe291576fd892340a2357462a65ed5db5237501e221b78f'}

DEBUG    volatility3.framework.automagic.symbol_finder:      {'kind': 'symtab', 'name': 'vmlinux', 'hash_type': 'sha256', 'hash_value': '3c9ff09f335f37270fe291576fd892340a2357462a65ed5db5237501e221b78f'}

DEBUG    volatility3.framework.automagic.symbol_finder:      {'kind': 'system-map', 'name': 'System.map-4.18.0-553.33.1.el8_10.x86_64', 'hash_type': 'sha256', 'hash_value': 'a15bf22809f5d65b5bb25f4788866a066e91df8defbf15b2b3719f512903157f'}

INFO     volatility3.framework.automagic: Running automagic: KernelModule

 

OFFSET (V)     PID     TID     PPID    COMM    UID     GID     EUID    EGID    CREATION TIME    File output

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mmu_notifier_mm

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dma_coherent_mem

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!netns_ipvs

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ring_buffer

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!s_pstats

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_dev_rcv_lists

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!s_stats

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_route

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sctp_mib

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ebt_table

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!garp_port

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!wireless_dev

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mrp_port

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!switchdev_ops

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp_bus

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!tipc_bearer

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_vstats

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_dev

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!udp_tunnel_nic

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!phylink

 

0x8cdf81e3c000 1       1       0       systemd -       -       -       -       2025-01-06 18:31:30.000000 UTC    Disabled

0x8cdf81e44000 2       2       0       kthreadd       -       -       -       -        2025-01-06 18:31:30.000000 UTC Disabled

0x8cdf81e5c000 3       3       2       rcu_gp  -       -       -       -       2025-01-06 18:31:30.001000 UTC    Disabled

0x8cdf81e68000 4       4       2       rcu_par_gp     -       -       -       -        2025-01-06 18:31:30.001000 UTC Disabled

0x8cdf81e70000 5       5       2       slub_flushwq   -       -       -       -        2025-01-06 18:31:30.001000 UTC Disabled

0x8cdf81e7c000 7       7       2       kworker/0:0H   -       -       -       -        2025-01-06 18:31:30.001000 UTC Disabled

0x8cdf81e98000 10      10      2       mm_percpu_wq   -       -       -       -        2025-01-06 18:31:30.001000 UTC Disabled

0x8cdf81ea4000 11      11      2       rcu_tasks_rude_ -       -       -       -        2025-01-06 18:31:30.001000 UTC Disabled

0x8cdf81ea8000 12      12      2       rcu_tasks_trace -       -       -       -        2025-01-06 18:31:30.001000 UTC Disabled

0x8cdf81eb0000 13      13      2       ksoftirqd/0    -       -       -       -        2025-01-06 18:31:30.002000 UTC Disabled

0x8cdf81ebc000 14      14      2       rcu_sched      -       -       -       -        2025-01-06 18:31:30.002000 UTC Disabled

0x8cdf81ec0000 15      15      2       migration/0    -       -       -       -        2025-01-06 18:31:30.002000 UTC Disabled

0x8cdf81ecc000 16      16      2       watchdog/0     -       -       -       -        2025-01-06 18:31:30.004000 UTC Disabled

0x8cdf81f04000 17      17      2       cpuhp/0 -       -       -       -       2025-01-06 18:31:30.004000 UTC    Disabled

0x8cdf81f0c000 18      18      2       cpuhp/1 -       -       -       -       2025-01-06 18:31:30.004000 UTC    Disabled

0x8cdf81f14000 19      19      2       watchdog/1     -       -       -       -        2025-01-06 18:31:30.004000 UTC Disabled

0x8cdf81f20000 20      20      2       migration/1    -       -       -       -        2025-01-06 18:31:30.004000 UTC Disabled

0x8cdf81f24000 21      21      2       ksoftirqd/1    -       -       -       -        2025-01-06 18:31:30.004000 UTC Disabled

0x8cdf81f3c000 23      23      2       kworker/1:0H   -       -       -       -        2025-01-06 18:31:30.004000 UTC Disabled

0x8cdf81f4c000 24      24      2       cpuhp/2 -       -       -       -       2025-01-06 18:31:30.006000 UTC    Disabled

0x8cdf81f58000 25      25      2       watchdog/2     -       -       -       -        2025-01-06 18:31:30.006000 UTC Disabled

0x8cdf81f64000 26      26      2       migration/2    -       -       -       -        2025-01-06 18:31:30.006000 UTC Disabled

0x8cdf81f68000 27      27      2       ksoftirqd/2    -       -       -       -        2025-01-06 18:31:30.006000 UTC Disabled

0x8cdf81f80000 29      29      2       kworker/2:0H   -       -       -       -        2025-01-06 18:31:30.006000 UTC Disabled

0x8cdf81f98000 30      30      2       cpuhp/3 -       -       -       -       2025-01-06 18:31:30.009000 UTC    Disabled

0x8cdf81fa4000 31      31      2       watchdog/3     -       -       -       -        2025-01-06 18:31:30.009000 UTC Disabled

0x8cdf81fa8000 32      32      2       migration/3    -       -       -       -        2025-01-06 18:31:30.009000 UTC Disabled

0x8cdf81fb4000 33      33      2       ksoftirqd/3    -       -       -       -        2025-01-06 18:31:30.009000 UTC Disabled

0x8cdf81fc8000 35      35      2       kworker/3:0H   -       -       -       -        2025-01-06 18:31:30.009000 UTC Disabled

0x8cdf8202c000 40      40      2       kdevtmpfs      -       -       -       -        2025-01-06 18:31:30.045000 UTC Disabled

0x8cdf81fe4000 41      41      2       netns   -       -       -       -       2025-01-06 18:31:30.048000 UTC    Disabled

0x8ce2a3278000 42      42      2       kauditd -       -       -       -       2025-01-06 18:31:30.056000 UTC    Disabled

0x8ce2a335c000 44      44      2       khungtaskd     -       -       -       -        2025-01-06 18:31:30.062000 UTC Disabled

0x8ce2a3368000 45      45      2       oom_reaper     -       -       -       -        2025-01-06 18:31:30.063000 UTC Disabled

0x8ce2a336c000 46      46      2       writeback      -       -       -       -        2025-01-06 18:31:30.063000 UTC Disabled

0x8ce2a3378000 47      47      2       kcompactd0     -       -       -       -        2025-01-06 18:31:30.063000 UTC Disabled

0x8ce2a337c000 48      48      2       ksmd    -       -       -       -       2025-01-06 18:31:30.065000 UTC    Disabled

0x8ce2a33c4000 49      49      2       khugepaged     -       -       -       -        2025-01-06 18:31:30.065000 UTC Disabled

0x8ce2a33d0000 50      50      2       crypto  -       -       -       -       2025-01-06 18:31:30.065000 UTC    Disabled

0x8ce2a33d4000 51      51      2       kintegrityd    -       -       -       -        2025-01-06 18:31:30.066000 UTC Disabled

0x8ce2a33f0000 52      52      2       kblockd -       -       -       -       2025-01-06 18:31:30.066000 UTC    Disabled

0x8ce2a33fc000 53      53      2       blkcg_punt_bio -       -       -       -        2025-01-06 18:31:30.066000 UTC Disabled

0x8ce29aabc000 56      56      2       tpm_dev_wq     -       -       -       -        2025-01-06 18:31:30.173000 UTC Disabled

0x8ce29aad0000 57      57      2       md      -       -       -       -       2025-01-06 18:31:30.180000 UTC    Disabled

0x8ce29aadc000 58      58      2       md_bitmap      -       -       -       -        2025-01-06 18:31:30.180000 UTC Disabled

0x8ce29aaf0000 59      59      2       edac-poller    -       -       -       -        2025-01-06 18:31:30.181000 UTC Disabled

0x8cdf82110000 60      60      2       watchdogd      -       -       -       -        2025-01-06 18:31:30.196000 UTC Disabled

0x8cdf82edc000 61      61      2       kworker/3:1H   -       -       -       -        2025-01-06 18:31:30.246086 UTC Disabled

0x8cdf8a2ec000 78      78      2       kswapd0 -       -       -       -       2025-01-06 18:31:30.984374 UTC    Disabled

0x8cdf8a3b4000 138     138     2       kthrotld       -       -       -       -        2025-01-06 18:31:31.020388 UTC Disabled

0x8ce00855c000 140     140     2       acpi_thermal_pm -       -       -       -        2025-01-06 18:31:31.035197 UTC Disabled

0x8cdf8a27c000 141     141     2       kmpath_rdacd   -       -       -       -        2025-01-06 18:31:31.065134 UTC Disabled

0x8cdf83fec000 142     142     2       kaluad  -       -       -       -       2025-01-06 18:31:31.067082 UTC    Disabled

0x8cdf8a268000 144     144     2       kstrp   -       -       -       -       2025-01-06 18:31:31.099617 UTC    Disabled

0x8ce008564000 183     183     2       zswap-shrink   -       -       -       -        2025-01-06 18:31:31.141745 UTC Disabled

0x8cdf8a278000 197     197     2       kworker/0:1H   -       -       -       -        2025-01-06 18:31:31.240567 UTC Disabled

0x8cdf8a3e0000 231     231     2       kworker/2:1H   -       -       -       -        2025-01-06 18:31:31.303549 UTC Disabled

0x8ce008448000 233     233     2       kworker/1:1H   -       -       -       -        2025-01-06 18:31:31.314672 UTC Disabled

0x8ce008504000 439     439     2       nvme-wq -       -       -       -       2025-01-06 18:31:32.303530 UTC    Disabled

0x8ce29a99c000 441     441     2       ena     -       -       -       -       2025-01-06 18:31:32.313206 UTC    Disabled

0x8ce008714000 442     442     2       nvme-reset-wq  -       -       -       -        2025-01-06 18:31:32.317581 UTC Disabled

0x8ce298f4c000 445     445     2       nvme-delete-wq -       -       -       -        2025-01-06 18:31:32.317741 UTC Disabled

0x8cdf99cc8000 475     475     2       xfsalloc       -       -       -       -        2025-01-06 18:31:33.096706 UTC Disabled

0x8cdf99d54000 476     476     2       xfs_mru_cache  -       -       -       -        2025-01-06 18:31:33.097270 UTC Disabled

0x8ce0086b4000 477     477     2       xfs-buf/nvme0n1 -       -       -       -        2025-01-06 18:31:33.097916 UTC Disabled

0x8ce0084a8000 478     478     2       xfs-conv/nvme0n -       -       -       -        2025-01-06 18:31:33.097974 UTC Disabled

0x8ce299c10000 479     479     2       xfs-cil/nvme0n1 -       -       -       -        2025-01-06 18:31:33.098031 UTC Disabled

0x8cdf8a248000 480     480     2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:31:33.098077 UTC Disabled

0x8ce299a80000 481     481     2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:31:33.098126 UTC Disabled

0x8cdf99c9c000 482     482     2       xfs-log/nvme0n1 -       -       -       -        2025-01-06 18:31:33.100179 UTC Disabled

0x8ce298498000 483     483     2       xfsaild/nvme0n1 -       -       -       -        2025-01-06 18:31:33.100231 UTC Disabled

0x8cdf88d48000 586     586     1       systemd-journal -       -       -       -        2025-01-06 18:31:37.733935 UTC Disabled

0x8ce008604000 612     612     1       systemd-udevd  -       -       -       -        2025-01-06 18:31:37.944817 UTC Disabled

0x8cdf84a54000 642     642     2       nfit    -       -       -       -       2025-01-06 18:31:38.575579 UTC    Disabled

0x8ce29a900000 664     664     2       xfs-buf/nvme1n1 -       -       -       -        2025-01-06 18:31:38.822118 UTC Disabled

0x8cdf981b4000 665     665     2       xfs-buf/nvme1n1 -       -       -       -        2025-01-06 18:31:38.822132 UTC Disabled

0x8ce008c48000 666     666     2       xfs-conv/nvme1n -       -       -       -        2025-01-06 18:31:38.822170 UTC Disabled

0x8cdf84004000 667     667     2       xfs-cil/nvme1n1 -       -       -       -        2025-01-06 18:31:38.822197 UTC Disabled

0x8cdf87a50000 668     668     2       xfs-conv/nvme1n -       -       -       -        2025-01-06 18:31:38.822406 UTC Disabled

0x8cdf988dc000 669     669     2       xfs-cil/nvme1n1 -       -       -       -        2025-01-06 18:31:38.822439 UTC Disabled

0x8cdf98588000 670     670     2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:31:38.822470 UTC Disabled

0x8ce008c30000 671     671     2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:31:38.822497 UTC Disabled

0x8cdf87a68000 674     674     2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:31:38.825135 UTC Disabled

0x8cdf84a24000 675     675     2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:31:38.825174 UTC Disabled

0x8cdfd0694000 676     676     2       xfs-buf/nvme1n1 -       -       -       -        2025-01-06 18:31:38.825597 UTC Disabled

0x8cdf9830c000 677     677     2       xfs-conv/nvme1n -       -       -       -        2025-01-06 18:31:38.825626 UTC Disabled

0x8cdf88a70000 678     678     2       xfs-cil/nvme1n1 -       -       -       -        2025-01-06 18:31:38.825651 UTC Disabled

0x8cdf84a2c000 679     679     2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:31:38.826033 UTC Disabled

0x8ce008114000 680     680     2       xfs-buf/nvme1n1 -       -       -       -        2025-01-06 18:31:38.826072 UTC Disabled

0x8cdf87a4c000 681     681     2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:31:38.826118 UTC Disabled

0x8cdf84a1c000 682     682     2       xfs-conv/nvme1n -       -       -       -        2025-01-06 18:31:38.828756 UTC Disabled

0x8cdfd06b4000 683     683     2       xfs-cil/nvme1n1 -       -       -       -        2025-01-06 18:31:38.828788 UTC Disabled

0x8cdf981ac000 684     684     2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:31:38.828813 UTC Disabled

0x8cdf981a4000 685     685     2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:31:38.828837 UTC Disabled

0x8cdf98180000 686     686     2       xfs-log/nvme1n1 -       -       -       -        2025-01-06 18:31:38.874103 UTC Disabled

0x8cdf8a234000 687     687     2       xfsaild/nvme1n1 -       -       -       -        2025-01-06 18:31:38.874300 UTC Disabled

0x8cdf98390000 688     688     2       xfs-log/nvme1n1 -       -       -       -        2025-01-06 18:31:38.875033 UTC Disabled

0x8cdf98394000 689     689     2       xfsaild/nvme1n1 -       -       -       -        2025-01-06 18:31:38.876054 UTC Disabled

0x8cdf8a214000 690     690     2       xfs-log/nvme1n1 -       -       -       -        2025-01-06 18:31:38.876482 UTC Disabled

0x8cdf98888000 691     691     2       xfsaild/nvme1n1 -       -       -       -        2025-01-06 18:31:38.876536 UTC Disabled

0x8cdf88c44000 692     692     2       xfs-log/nvme1n1 -       -       -       -        2025-01-06 18:31:38.879139 UTC Disabled

0x8cdf88c7c000 693     693     2       xfsaild/nvme1n1 -       -       -       -        2025-01-06 18:31:38.879197 UTC Disabled

0x8cdf8837c000 701     701     2       xfs-buf/nvme1n1 -       -       -       -        2025-01-06 18:31:39.613707 UTC Disabled

0x8ce008718000 702     702     2       xfs-conv/nvme1n -       -       -       -        2025-01-06 18:31:39.613757 UTC Disabled

0x8cdf83fbc000 703     703     2       xfs-cil/nvme1n1 -       -       -       -        2025-01-06 18:31:39.613797 UTC Disabled

0x8cdf8873c000 704     704     2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:31:39.613832 UTC Disabled

0x8cdfd04f8000 705     705     2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:31:39.613897 UTC Disabled

0x8cdfd04e8000 707     707     2       xfs-log/nvme1n1 -       -       -       -        2025-01-06 18:31:39.616715 UTC Disabled

0x8ce299b70000 708     708     2       xfs-buf/nvme1n1 -       -       -       -        2025-01-06 18:31:39.616736 UTC Disabled

0x8cdf880c0000 709     709     2       xfsaild/nvme1n1 -       -       -       -        2025-01-06 18:31:39.616772 UTC Disabled

0x8cdf880c4000 710     710     2       xfs-conv/nvme1n -       -       -       -        2025-01-06 18:31:39.616800 UTC Disabled

0x8ce00871c000 711     711     2       xfs-cil/nvme1n1 -       -       -       -        2025-01-06 18:31:39.616839 UTC Disabled

0x8cdf880c8000 712     712     2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:31:39.616897 UTC Disabled

0x8cdf880cc000 713     713     2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:31:39.616941 UTC Disabled

0x8cdf8901c000 715     715     2       xfs-log/nvme1n1 -       -       -       -        2025-01-06 18:31:39.619973 UTC Disabled

0x8ce008d88000 716     716     2       xfsaild/nvme1n1 -       -       -       -        2025-01-06 18:31:39.620078 UTC Disabled

0x8cdf988e4000 717     717     2       xfs-buf/nvme1n1 -       -       -       -        2025-01-06 18:31:39.620704 UTC Disabled

0x8cdf98874000 718     718     2       xfs-conv/nvme1n -       -       -       -        2025-01-06 18:31:39.620761 UTC Disabled

0x8cdf882a4000 719     719     2       xfs-cil/nvme1n1 -       -       -       -        2025-01-06 18:31:39.620806 UTC Disabled

0x8cdf88914000 720     720     2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:31:39.620850 UTC Disabled

0x8ce008054000 721     721     2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:31:39.620893 UTC Disabled

0x8cdf8896c000 722     722     2       xfs-log/nvme1n1 -       -       -       -        2025-01-06 18:31:39.624161 UTC Disabled

0x8cdf89040000 723     723     2       xfsaild/nvme1n1 -       -       -       -        2025-01-06 18:31:39.624215 UTC Disabled

0x8cdf98084000 731     731     2       xfs-buf/nvme1n1 -       -       -       -        2025-01-06 18:31:40.244080 UTC Disabled

0x8cdf88338000 732     732     2       xfs-conv/nvme1n -       -       -       -        2025-01-06 18:31:40.245222 UTC Disabled

0x8cdf8a200000 733     733     2       xfs-cil/nvme1n1 -       -       -       -        2025-01-06 18:31:40.245298 UTC Disabled

0x8ce008d90000 734     734     2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:31:40.245364 UTC Disabled

0x8cdf8416c000 735     735     2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:31:40.245435 UTC Disabled

0x8cdf84050000 736     736     2       xfs-log/nvme1n1 -       -       -       -        2025-01-06 18:31:40.248805 UTC Disabled

0x8cdf8a26c000 737     737     2       xfsaild/nvme1n1 -       -       -       -        2025-01-06 18:31:40.248891 UTC Disabled

0x8cdf9864c000 764     764     1       rpcbind 32      32      32      32      2025-01-06 18:31:41.187765 UTC    Disabled

0x8ce00807c000 767     767     1       auditd  -       -       -       -       2025-01-06 18:31:41.215368 UTC    Disabled

0x8cdf98674000 770     770     767     audisp-syslog  -       -       -       -        2025-01-06 18:31:41.252618 UTC Disabled

0x8cdf98328000 772     772     2       rpciod  -       -       -       -       2025-01-06 18:31:41.258220 UTC    Disabled

0x8ce0081cc000 773     773     2       xprtiod -       -       -       -       2025-01-06 18:31:41.258299 UTC    Disabled

0x8ce008070000 808     808     2       audit_prune_tre -       -       -       -        2025-01-06 18:31:41.433991 UTC Disabled

0x8cdf880d0000 816     816     1       dbus-daemon    81      81      81      81        2025-01-06 18:31:42.272531 UTC Disabled

0x8cdf87a10000 818     818     1       irqbalance     -       -       -       -        2025-01-06 18:31:42.316181 UTC Disabled

0x8cdf84040000 819     819     1       firewalld      -       -       -       -        2025-01-06 18:31:42.319532 UTC Disabled

0x8cdf88348000 820     820     1       systemd-logind -       -       -       -        2025-01-06 18:31:42.324752 UTC Disabled

0x8cdf99c50000 834     834     1       chronyd 995     992     995     992     2025-01-06 18:31:42.464656 UTC    Disabled

0x8cdf98978000 1371    1371    1       NetworkManager -       -       -       -        2025-01-06 18:31:47.027864 UTC Disabled

0x8cdf83290000 1377    1377    1       wdavdaemon     -       -       -       -        2025-01-06 18:31:47.457023 UTC Disabled

0x8cdf989f0000 1380    1380    1       system-probe   -       -       -       -        2025-01-06 18:31:47.477766 UTC Disabled

0x8cdf98730000 1381    1381    1       agent   7845    7845    7845    7845    2025-01-06 18:31:47.480684 UTC    Disabled

0x8cdfd04ac000 1382    1382    1       process-agent  7845    7845    7845    7845        2025-01-06 18:31:47.482949 UTC Disabled

0x8cdf9871c000 1383    1383    1       amazon-cloudwat -       -       -       -        2025-01-06 18:31:47.485878 UTC Disabled

0x8cdf891c0000 1384    1384    1       tuned   -       -       -       -       2025-01-06 18:31:47.488133 UTC    Disabled

0x8cdf891e4000 1385    1385    1       trace-agent    7845    7845    7845    7845        2025-01-06 18:31:47.490697 UTC Disabled

0x8cdf84888000 1397    1397    1       polkitd 998     996     998     996     2025-01-06 18:31:47.551321 UTC    Disabled

0x8cdf989a0000 1399    1399    1       rhsmcertd      -       -       -       -        2025-01-06 18:31:47.566135 UTC Disabled

0x8cdf8a018000 1418    1418    1       gssproxy       -       -       -       -        2025-01-06 18:31:47.641493 UTC Disabled

0x8ce008fbc000 1802    1802    1       master  -       -       -       -       2025-01-06 18:31:49.553584 UTC    Disabled

0x8cdf89608000 1804    1804    1802    pickup  89      89      89      89      2025-01-06 18:31:49.583993 UTC    Disabled

0x8cdf8a008000 1805    1805    1802    qmgr    89      89      89      89      2025-01-06 18:31:49.584502 UTC    Disabled

0x8cdf89564000 1840    1840    1377    wdavdaemon     -       -       -       -        2025-01-06 18:31:49.964917 UTC Disabled

0x8ce008fb8000 1881    1881    1       amazon-ssm-agen -       -       -       -        2025-01-06 18:31:50.779650 UTC Disabled

0x8ce008f48000 1884    1884    1       rsyslogd       -       -       -       -        2025-01-06 18:31:50.787866 UTC Disabled

0x8cdf866f8000 1897    1897    1       sshd    -       -       -       -       2025-01-06 18:31:50.877285 UTC    Disabled

0x8cdf87100000 2054    2054    1       ndtask  -       -       -       -       2025-01-06 18:31:51.642127 UTC    Disabled

0x8cdf87398000 2055    2055    1       mgsusageag     -       -       -       -        2025-01-06 18:31:51.647579 UTC Disabled

0x8cdf87320000 2119    2119    1       agetty  -       -       -       -       2025-01-06 18:31:51.849396 UTC    Disabled

0x8cdf8442c000 2121    2121    1       agetty  -       -       -       -       2025-01-06 18:31:51.853010 UTC    Disabled

0x8cdf871c0000 2124    2124    1       crond   -       -       -       -       2025-01-06 18:31:51.858122 UTC    Disabled

0x8cdf87554000 2506    2506    1881    ssm-agent-worke -       -       -       -        2025-01-06 18:31:52.972018 UTC Disabled

0x8cdfc9014000 13916   13916   1       agentid-service -       -       -       -        2025-01-06 18:39:57.994046 UTC Disabled

0x8ce0675c0000 17821   17821   2506    ssm-session-wor -       -       -       -        2025-01-06 18:53:56.853692 UTC Disabled

0x8ce01ebd8000 17907   17907   17821   sh      7846    7846    7846    7846    2025-01-06 18:53:58.655962 UTC    Disabled

0x8ce0338b4000 17908   17908   17907   bash    7846    7846    7846    7846    2025-01-06 18:53:58.661100 UTC    Disabled

0x8cdf892c4000 17909   17909   17908   bash    7846    7846    7846    7846    2025-01-06 18:53:58.663527 UTC    Disabled

0x8ce067564000 17983   17983   17909   sudo    7846    -       -       -       2025-01-06 18:54:14.150493 UTC    Disabled

0x8ce02321c000 17987   17987   1       systemd -       -       -       -       2025-01-06 18:54:14.215331 UTC    Disabled

0x8cdfc2cd4000 17990   17990   17987   (sd-pam)       -       -       -       -        2025-01-06 18:54:14.233150 UTC Disabled

0x8ce03bf84000 17997   17997   17983   sudo    7846    -       -       -       2025-01-06 18:54:14.353491 UTC    Disabled

0x8cdf83c5c000 17998   17998   17997   su      -       -       -       -       2025-01-06 18:54:14.354395 UTC    Disabled

0x8cdf8a288000 17999   17999   17998   bash    -       -       -       -       2025-01-06 18:54:14.368019 UTC    Disabled

0x8cdffdb90000 18031   18031   2       xfs-buf/nvme2n1 -       -       -       -        2025-01-06 18:54:15.498038 UTC Disabled

0x8ce0232fc000 18032   18032   2       xfs-conv/nvme2n -       -       -       -        2025-01-06 18:54:15.498094 UTC Disabled

0x8ce0677dc000 18033   18033   2       xfs-cil/nvme2n1 -       -       -       -        2025-01-06 18:54:15.498145 UTC Disabled

0x8ce03bdb8000 18034   18034   2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:54:15.498210 UTC Disabled

0x8ce008350000 18035   18035   2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:54:15.498254 UTC Disabled

0x8ce03bfe4000 18036   18036   2       xfs-log/nvme2n1 -       -       -       -        2025-01-06 18:54:15.500968 UTC Disabled

0x8cdfebeec000 18037   18037   2       xfsaild/nvme2n1 -       -       -       -        2025-01-06 18:54:15.501111 UTC Disabled

0x8ce07ef9c000 18658   18658   1       rhcd    -       -       -       -       2025-01-06 18:55:37.895128 UTC    Disabled

0x8ce024c78000 18667   18667   18658   rhc-package-man -       -       -       -        2025-01-06 18:55:38.090402 UTC Disabled

0x8ce0d5190000 22904   22904   1       anacron -       -       -       -       2025-01-06 19:01:01.185589 UTC    Disabled

0x8cdfc66f8000 25459   25459   2       kworker/1:3    -       -       -       -        2025-01-06 19:04:42.822941 UTC Disabled

0x8cde8c4f8000 47504   47504   2       kworker/2:2    -       -       -       -        2025-01-06 19:10:00.658314 UTC Disabled

0x8ce03be5c000 49357   49357   2506    ssm-session-wor -       -       -       -        2025-01-06 19:11:40.884744 UTC Disabled

0x8cdfebcb0000 49463   49463   49357   sh      7846    7846    7846    7846    2025-01-06 19:11:42.104285 UTC    Disabled

0x8cdf88864000 49464   49464   49463   bash    7846    7846    7846    7846    2025-01-06 19:11:42.109971 UTC    Disabled

0x8ce03bf2c000 49465   49465   49464   bash    7846    7846    7846    7846    2025-01-06 19:11:42.111946 UTC    Disabled

0x8ce060ca0000 51840   51840   49465   sudo    7846    -       -       -       2025-01-06 19:13:10.120453 UTC    Disabled

0x8ce067624000 51842   51842   51840   sudo    7846    -       -       -       2025-01-06 19:13:10.208844 UTC    Disabled

0x8ce033944000 51843   51843   51842   su      -       -       -       -       2025-01-06 19:13:10.210587 UTC    Disabled

0x8ce0a4568000 51844   51844   51843   bash    -       -       -       -       2025-01-06 19:13:10.242240 UTC    Disabled

0x8cde812f0000 53747   53747   2       kworker/u8:2   -       -       -       -        2025-01-06 19:15:48.785238 UTC Disabled

0x8cdfc93f4000 54138   54138   2       kworker/3:5    -       -       -       -        2025-01-06 19:16:25.390332 UTC Disabled

0x8cdf989cc000 61900   61900   2       kworker/1:1    -       -       -       -        2025-01-06 19:27:29.552234 UTC Disabled

0x8cdf996a4000 64374   64374   2       kworker/1:5    -       -       -       -        2025-01-06 19:30:27.994783 UTC Disabled

0x8ce07e8fc000 68280   68280   2       kworker/u8:1   -       -       -       -        2025-01-06 19:36:17.521061 UTC Disabled

0x8ce070678000 69856   69856   2       kworker/3:2    -       -       -       -        2025-01-06 19:38:35.374434 UTC Disabled

0x8ce0c6874000 70313   70313   2       kworker/2:0    -       -       -       -        2025-01-06 19:39:14.867280 UTC Disabled

0x8ce0d539c000 71106   71106   2       kworker/2:1    -       -       -       -        2025-01-06 19:40:27.568214 UTC Disabled

0x8cdf84234000 72530   72530   2       kworker/u8:0   -       -       -       -        2025-01-06 19:42:35.440117 UTC Disabled

0x8ce0c8224000 72789   72789   2       kworker/0:13   -       -       -       -        2025-01-06 19:42:57.660553 UTC Disabled

0x8cdf98100000 72790   72790   2       kworker/0:14   -       -       -       -        2025-01-06 19:42:57.660743 UTC Disabled

0x8ce12cbd8000 72791   72791   2       kworker/0:15   -       -       -       -        2025-01-06 19:42:57.660790 UTC Disabled

0x8ce0d2d2c000 73438   73438   2       kworker/3:0    -       -       -       -        2025-01-06 19:43:54.626992 UTC Disabled

0x8ce01e9dc000 75149   75149   2       kworker/2:3    -       -       -       -        2025-01-06 19:46:18.823280 UTC Disabled

0x8cde81308000 76667   76667   2       kworker/0:0    -       -       -       -        2025-01-06 19:48:28.725110 UTC Disabled

0x8ce064814000 76698   76698   2       kworker/1:0    -       -       -       -        2025-01-06 19:48:29.083118 UTC Disabled

0x8cdff3e94000 76747   76747   2       kworker/u8:3   -       -       -       -        2025-01-06 19:48:37.603052 UTC Disabled

0x8cdf84224000 77737   77737   2       kworker/0:1    -       -       -       -        2025-01-06 19:49:59.897029 UTC Disabled

0x8ce062cd4000 78163   78163   2       kworker/1:2    -       -       -       -        2025-01-06 19:50:36.984094 UTC Disabled

0x8cdf99570000 78360   78360   2       kworker/2:4    -       -       -       -        2025-01-06 19:50:55.091290 UTC Disabled

0x8ce0616ac000 78558   78558   2       kworker/3:1    -       -       -       -        2025-01-06 19:51:12.951333 UTC Disabled

0x8ce12cb20000 78709   78709   17999   irtest.sh      -       -       -       -        2025-01-06 19:51:23.755930 UTC Disabled

0x8cdf9979c000 78710   78710   78709   avml    -       -       -       -       2025-01-06 19:51:23.762480 UTC    Disabled

Brian-Guenther · 2025-01-08T15:27:43Z

Failing pslist with -vvv

$ python3.8 volatility3-develop/vol.py -vvv -f output7.lime linux.pslist

Volatility 3 Framework 2.15.0

INFO     volatility3.cli: Volatility plugins path: ['/ir/volatility3-develop/volatility3/plugins', '/ir/volatility3-develop/volatility3/framework/plugins']

INFO     volatility3.cli: Volatility symbols path: ['/ir/volatility3-develop/volatility3/symbols', '/ir/volatility3-develop/volatility3/framework/symbols']

DEBUG    volatility3.plugins.yarascan: Using yara-python module

INFO     volatility3.framework.automagic: Detected a linux category plugin

INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList

INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic

INFO     volatility3.framework.automagic: Running automagic: LayerStacker

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DEBUG    volatility3.framework.automagic.linux: Identified banner: b'Linux version 4.18.0-553.33.1.el8_10.x86_64 ([email protected]) (gcc version 8.5.0 20210514 (Red Hat 8.5.0-22) (GCC)) #1 SMP Fri Dec 6 15:07:20 EST 2024\n\x00'

DEBUG    volatility3.schemas: Validating JSON against schema...

DEBUG    volatility3.schemas: JSON validated against schema (result cached)

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mmu_notifier_mm

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!dma_coherent_mem

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!netns_ipvs

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!ring_buffer

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!s_pstats

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_dev_rcv_lists

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!s_stats

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_route

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!sctp_mib

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!ebt_table

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!garp_port

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!wireless_dev

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mrp_port

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!switchdev_ops

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!sfp_bus

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!tipc_bearer

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_vstats

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_dev

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!udp_tunnel_nic

DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!phylink

DEBUG    volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical 416600000 virtual a400000

DEBUG    volatility3.framework.automagic.linux: DTB was found at: 0x419010000

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer

DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer.base_layer

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList

DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 16961638555

DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'LimeLayer', 'FileLayer']

INFO     volatility3.framework.automagic: Running automagic: SymbolFinder

INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder

DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name

DEBUG    volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 4.18.0-553.33.1.el8_10.x86_64 ([email protected]) (gcc version 8.5.0 20210514 (Red Hat 8.5.0-22) (GCC)) #1 SMP Fri Dec 6 15:07:20 EST 2024\n\x00'

DEBUG    volatility3.framework.automagic.symbol_finder: Using symbol library: file:///ir/volatility3-develop/volatility3/symbols/linux/rhel8_4.18.0-553.33.1.el8_10.x86_64.json

DEBUG    volatility3.framework.automagic.symbol_finder: producer_name: dwarf2json, producer_version: 0.9.0

DEBUG    volatility3.framework.automagic.symbol_finder: Types:

DEBUG    volatility3.framework.automagic.symbol_finder:      {'kind': 'dwarf', 'name': 'vmlinux', 'hash_type': 'sha256', 'hash_value': '3c9ff09f335f37270fe291576fd892340a2357462a65ed5db5237501e221b78f'}

DEBUG    volatility3.framework.automagic.symbol_finder: Symbols:

DEBUG    volatility3.framework.automagic.symbol_finder:      {'kind': 'dwarf', 'name': 'vmlinux', 'hash_type': 'sha256', 'hash_value': '3c9ff09f335f37270fe291576fd892340a2357462a65ed5db5237501e221b78f'}

DEBUG    volatility3.framework.automagic.symbol_finder:      {'kind': 'symtab', 'name': 'vmlinux', 'hash_type': 'sha256', 'hash_value': '3c9ff09f335f37270fe291576fd892340a2357462a65ed5db5237501e221b78f'}

DEBUG    volatility3.framework.automagic.symbol_finder:      {'kind': 'system-map', 'name': 'System.map-4.18.0-553.33.1.el8_10.x86_64', 'hash_type': 'sha256', 'hash_value': 'a15bf22809f5d65b5bb25f4788866a066e91df8defbf15b2b3719f512903157f'}

INFO     volatility3.framework.automagic: Running automagic: KernelModule

 

OFFSET (V)     PID     TID     PPID    COMM    UID     GID     EUID    EGID    CREATION TIME    File output

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mmu_notifier_mm

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dma_coherent_mem

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!netns_ipvs

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ring_buffer

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!s_pstats

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_dev_rcv_lists

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!s_stats

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_route

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sctp_mib

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ebt_table

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!garp_port

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!wireless_dev

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mrp_port

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!switchdev_ops

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp_bus

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!tipc_bearer

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_vstats

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_dev

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!udp_tunnel_nic

DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!phylink

 

0x8cdf81e3c000 1       1       0       systemd -       -       -       -       2025-01-06 18:31:30.000000 UTC    Disabled

0x8cdf81e44000 2       2       0       kthreadd       -       -       -       -        2025-01-06 18:31:30.000000 UTC Disabled

0x8cdf81e5c000 3       3       2       rcu_gp  -       -       -       -       2025-01-06 18:31:30.001000 UTC    Disabled

0x8cdf81e68000 4       4       2       rcu_par_gp     -       -       -       -        2025-01-06 18:31:30.001000 UTC Disabled

0x8cdf81e70000 5       5       2       slub_flushwq   -       -       -       -        2025-01-06 18:31:30.001000 UTC Disabled

0x8cdf81e7c000 7       7       2       kworker/0:0H   -       -       -       -        2025-01-06 18:31:30.001000 UTC Disabled

0x8cdf81e98000 10      10      2       mm_percpu_wq   -       -       -       -        2025-01-06 18:31:30.001000 UTC Disabled

0x8cdf81ea4000 11      11      2       rcu_tasks_rude_ -       -       -       -        2025-01-06 18:31:30.001000 UTC Disabled

0x8cdf81ea8000 12      12      2       rcu_tasks_trace -       -       -       -        2025-01-06 18:31:30.001000 UTC Disabled

0x8cdf81eb0000 13      13      2       ksoftirqd/0    -       -       -       -        2025-01-06 18:31:30.002000 UTC Disabled

0x8cdf81ebc000 14      14      2       rcu_sched      -       -       -       -        2025-01-06 18:31:30.002000 UTC Disabled

0x8cdf81ec0000 15      15      2       migration/0    -       -       -       -        2025-01-06 18:31:30.002000 UTC Disabled

0x8cdf81ecc000 16      16      2       watchdog/0     -       -       -       -        2025-01-06 18:31:30.004000 UTC Disabled

0x8cdf81f04000 17      17      2       cpuhp/0 -       -       -       -       2025-01-06 18:31:30.004000 UTC    Disabled

0x8cdf81f0c000 18      18      2       cpuhp/1 -       -       -       -       2025-01-06 18:31:30.004000 UTC    Disabled

0x8cdf81f14000 19      19      2       watchdog/1     -       -       -       -        2025-01-06 18:31:30.004000 UTC Disabled

0x8cdf81f20000 20      20      2       migration/1    -       -       -       -        2025-01-06 18:31:30.004000 UTC Disabled

0x8cdf81f24000 21      21      2       ksoftirqd/1    -       -       -       -        2025-01-06 18:31:30.004000 UTC Disabled

0x8cdf81f3c000 23      23      2       kworker/1:0H   -       -       -       -        2025-01-06 18:31:30.004000 UTC Disabled

0x8cdf81f4c000 24      24      2       cpuhp/2 -       -       -       -       2025-01-06 18:31:30.006000 UTC    Disabled

0x8cdf81f58000 25      25      2       watchdog/2     -       -       -       -        2025-01-06 18:31:30.006000 UTC Disabled

0x8cdf81f64000 26      26      2       migration/2    -       -       -       -        2025-01-06 18:31:30.006000 UTC Disabled

0x8cdf81f68000 27      27      2       ksoftirqd/2    -       -       -       -        2025-01-06 18:31:30.006000 UTC Disabled

0x8cdf81f80000 29      29      2       kworker/2:0H   -       -       -       -        2025-01-06 18:31:30.006000 UTC Disabled

0x8cdf81f98000 30      30      2       cpuhp/3 -       -       -       -       2025-01-06 18:31:30.009000 UTC    Disabled

0x8cdf81fa4000 31      31      2       watchdog/3     -       -       -       -        2025-01-06 18:31:30.009000 UTC Disabled

0x8cdf81fa8000 32      32      2       migration/3    -       -       -       -        2025-01-06 18:31:30.009000 UTC Disabled

0x8cdf81fb4000 33      33      2       ksoftirqd/3    -       -       -       -        2025-01-06 18:31:30.009000 UTC Disabled

0x8cdf81fc8000 35      35      2       kworker/3:0H   -       -       -       -        2025-01-06 18:31:30.009000 UTC Disabled

0x8cdf8202c000 40      40      2       kdevtmpfs      -       -       -       -        2025-01-06 18:31:30.045000 UTC Disabled

0x8cdf81fe4000 41      41      2       netns   -       -       -       -       2025-01-06 18:31:30.048000 UTC    Disabled

0x8ce2a3278000 42      42      2       kauditd -       -       -       -       2025-01-06 18:31:30.056000 UTC    Disabled

0x8ce2a335c000 44      44      2       khungtaskd     -       -       -       -        2025-01-06 18:31:30.062000 UTC Disabled

0x8ce2a3368000 45      45      2       oom_reaper     -       -       -       -        2025-01-06 18:31:30.063000 UTC Disabled

0x8ce2a336c000 46      46      2       writeback      -       -       -       -        2025-01-06 18:31:30.063000 UTC Disabled

0x8ce2a3378000 47      47      2       kcompactd0     -       -       -       -        2025-01-06 18:31:30.063000 UTC Disabled

0x8ce2a337c000 48      48      2       ksmd    -       -       -       -       2025-01-06 18:31:30.065000 UTC    Disabled

0x8ce2a33c4000 49      49      2       khugepaged     -       -       -       -        2025-01-06 18:31:30.065000 UTC Disabled

0x8ce2a33d0000 50      50      2       crypto  -       -       -       -       2025-01-06 18:31:30.065000 UTC    Disabled

0x8ce2a33d4000 51      51      2       kintegrityd    -       -       -       -        2025-01-06 18:31:30.066000 UTC Disabled

0x8ce2a33f0000 52      52      2       kblockd -       -       -       -       2025-01-06 18:31:30.066000 UTC    Disabled

0x8ce2a33fc000 53      53      2       blkcg_punt_bio -       -       -       -        2025-01-06 18:31:30.066000 UTC Disabled

0x8ce29aabc000 56      56      2       tpm_dev_wq     -       -       -       -        2025-01-06 18:31:30.173000 UTC Disabled

0x8ce29aad0000 57      57      2       md      -       -       -       -       2025-01-06 18:31:30.180000 UTC    Disabled

0x8ce29aadc000 58      58      2       md_bitmap      -       -       -       -        2025-01-06 18:31:30.180000 UTC Disabled

0x8ce29aaf0000 59      59      2       edac-poller    -       -       -       -        2025-01-06 18:31:30.181000 UTC Disabled

0x8cdf82110000 60      60      2       watchdogd      -       -       -       -        2025-01-06 18:31:30.196000 UTC Disabled

0x8cdf82edc000 61      61      2       kworker/3:1H   -       -       -       -        2025-01-06 18:31:30.246086 UTC Disabled

0x8cdf8a2ec000 78      78      2       kswapd0 -       -       -       -       2025-01-06 18:31:30.984374 UTC    Disabled

0x8cdf8a3b4000 138     138     2       kthrotld       -       -       -       -        2025-01-06 18:31:31.020388 UTC Disabled

0x8ce00855c000 140     140     2       acpi_thermal_pm -       -       -       -        2025-01-06 18:31:31.035197 UTC Disabled

0x8cdf8a27c000 141     141     2       kmpath_rdacd   -       -       -       -        2025-01-06 18:31:31.065134 UTC Disabled

0x8cdf83fec000 142     142     2       kaluad  -       -       -       -       2025-01-06 18:31:31.067082 UTC    Disabled

0x8cdf8a268000 144     144     2       kstrp   -       -       -       -       2025-01-06 18:31:31.099617 UTC    Disabled

0x8ce008564000 183     183     2       zswap-shrink   -       -       -       -        2025-01-06 18:31:31.141745 UTC Disabled

0x8cdf8a278000 197     197     2       kworker/0:1H   -       -       -       -        2025-01-06 18:31:31.240567 UTC Disabled

0x8cdf8a3e0000 231     231     2       kworker/2:1H   -       -       -       -        2025-01-06 18:31:31.303549 UTC Disabled

0x8ce008448000 233     233     2       kworker/1:1H   -       -       -       -        2025-01-06 18:31:31.314672 UTC Disabled

0x8ce008504000 439     439     2       nvme-wq -       -       -       -       2025-01-06 18:31:32.303530 UTC    Disabled

0x8ce29a99c000 441     441     2       ena     -       -       -       -       2025-01-06 18:31:32.313206 UTC    Disabled

0x8ce008714000 442     442     2       nvme-reset-wq  -       -       -       -        2025-01-06 18:31:32.317581 UTC Disabled

0x8ce298f4c000 445     445     2       nvme-delete-wq -       -       -       -        2025-01-06 18:31:32.317741 UTC Disabled

0x8cdf99cc8000 475     475     2       xfsalloc       -       -       -       -        2025-01-06 18:31:33.096706 UTC Disabled

0x8cdf99d54000 476     476     2       xfs_mru_cache  -       -       -       -        2025-01-06 18:31:33.097270 UTC Disabled

0x8ce0086b4000 477     477     2       xfs-buf/nvme0n1 -       -       -       -        2025-01-06 18:31:33.097916 UTC Disabled

0x8ce0084a8000 478     478     2       xfs-conv/nvme0n -       -       -       -        2025-01-06 18:31:33.097974 UTC Disabled

0x8ce299c10000 479     479     2       xfs-cil/nvme0n1 -       -       -       -        2025-01-06 18:31:33.098031 UTC Disabled

0x8cdf8a248000 480     480     2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:31:33.098077 UTC Disabled

0x8ce299a80000 481     481     2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:31:33.098126 UTC Disabled

0x8cdf99c9c000 482     482     2       xfs-log/nvme0n1 -       -       -       -        2025-01-06 18:31:33.100179 UTC Disabled

0x8ce298498000 483     483     2       xfsaild/nvme0n1 -       -       -       -        2025-01-06 18:31:33.100231 UTC Disabled

0x8cdf88d48000 586     586     1       systemd-journal -       -       -       -        2025-01-06 18:31:37.733935 UTC Disabled

0x8ce008604000 612     612     1       systemd-udevd  -       -       -       -        2025-01-06 18:31:37.944817 UTC Disabled

0x8cdf84a54000 642     642     2       nfit    -       -       -       -       2025-01-06 18:31:38.575579 UTC    Disabled

0x8ce29a900000 664     664     2       xfs-buf/nvme1n1 -       -       -       -        2025-01-06 18:31:38.822118 UTC Disabled

0x8cdf981b4000 665     665     2       xfs-buf/nvme1n1 -       -       -       -        2025-01-06 18:31:38.822132 UTC Disabled

0x8ce008c48000 666     666     2       xfs-conv/nvme1n -       -       -       -        2025-01-06 18:31:38.822170 UTC Disabled

0x8cdf84004000 667     667     2       xfs-cil/nvme1n1 -       -       -       -        2025-01-06 18:31:38.822197 UTC Disabled

0x8cdf87a50000 668     668     2       xfs-conv/nvme1n -       -       -       -        2025-01-06 18:31:38.822406 UTC Disabled

0x8cdf988dc000 669     669     2       xfs-cil/nvme1n1 -       -       -       -        2025-01-06 18:31:38.822439 UTC Disabled

0x8cdf98588000 670     670     2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:31:38.822470 UTC Disabled

0x8ce008c30000 671     671     2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:31:38.822497 UTC Disabled

0x8cdf87a68000 674     674     2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:31:38.825135 UTC Disabled

0x8cdf84a24000 675     675     2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:31:38.825174 UTC Disabled

0x8cdfd0694000 676     676     2       xfs-buf/nvme1n1 -       -       -       -        2025-01-06 18:31:38.825597 UTC Disabled

0x8cdf9830c000 677     677     2       xfs-conv/nvme1n -       -       -       -        2025-01-06 18:31:38.825626 UTC Disabled

0x8cdf88a70000 678     678     2       xfs-cil/nvme1n1 -       -       -       -        2025-01-06 18:31:38.825651 UTC Disabled

0x8cdf84a2c000 679     679     2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:31:38.826033 UTC Disabled

0x8ce008114000 680     680     2       xfs-buf/nvme1n1 -       -       -       -        2025-01-06 18:31:38.826072 UTC Disabled

0x8cdf87a4c000 681     681     2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:31:38.826118 UTC Disabled

0x8cdf84a1c000 682     682     2       xfs-conv/nvme1n -       -       -       -        2025-01-06 18:31:38.828756 UTC Disabled

0x8cdfd06b4000 683     683     2       xfs-cil/nvme1n1 -       -       -       -        2025-01-06 18:31:38.828788 UTC Disabled

0x8cdf981ac000 684     684     2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:31:38.828813 UTC Disabled

0x8cdf981a4000 685     685     2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:31:38.828837 UTC Disabled

0x8cdf98180000 686     686     2       xfs-log/nvme1n1 -       -       -       -        2025-01-06 18:31:38.874103 UTC Disabled

0x8cdf8a234000 687     687     2       xfsaild/nvme1n1 -       -       -       -        2025-01-06 18:31:38.874300 UTC Disabled

0x8cdf98390000 688     688     2       xfs-log/nvme1n1 -       -       -       -        2025-01-06 18:31:38.875033 UTC Disabled

0x8cdf98394000 689     689     2       xfsaild/nvme1n1 -       -       -       -        2025-01-06 18:31:38.876054 UTC Disabled

0x8cdf8a214000 690     690     2       xfs-log/nvme1n1 -       -       -       -        2025-01-06 18:31:38.876482 UTC Disabled

0x8cdf98888000 691     691     2       xfsaild/nvme1n1 -       -       -       -        2025-01-06 18:31:38.876536 UTC Disabled

0x8cdf88c44000 692     692     2       xfs-log/nvme1n1 -       -       -       -        2025-01-06 18:31:38.879139 UTC Disabled

0x8cdf88c7c000 693     693     2       xfsaild/nvme1n1 -       -       -       -        2025-01-06 18:31:38.879197 UTC Disabled

0x8cdf8837c000 701     701     2       xfs-buf/nvme1n1 -       -       -       -        2025-01-06 18:31:39.613707 UTC Disabled

0x8ce008718000 702     702     2       xfs-conv/nvme1n -       -       -       -        2025-01-06 18:31:39.613757 UTC Disabled

0x8cdf83fbc000 703     703     2       xfs-cil/nvme1n1 -       -       -       -        2025-01-06 18:31:39.613797 UTC Disabled

0x8cdf8873c000 704     704     2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:31:39.613832 UTC Disabled

0x8cdfd04f8000 705     705     2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:31:39.613897 UTC Disabled

0x8cdfd04e8000 707     707     2       xfs-log/nvme1n1 -       -       -       -        2025-01-06 18:31:39.616715 UTC Disabled

0x8ce299b70000 708     708     2       xfs-buf/nvme1n1 -       -       -       -        2025-01-06 18:31:39.616736 UTC Disabled

0x8cdf880c0000 709     709     2       xfsaild/nvme1n1 -       -       -       -        2025-01-06 18:31:39.616772 UTC Disabled

0x8cdf880c4000 710     710     2       xfs-conv/nvme1n -       -       -       -        2025-01-06 18:31:39.616800 UTC Disabled

0x8ce00871c000 711     711     2       xfs-cil/nvme1n1 -       -       -       -        2025-01-06 18:31:39.616839 UTC Disabled

0x8cdf880c8000 712     712     2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:31:39.616897 UTC Disabled

0x8cdf880cc000 713     713     2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:31:39.616941 UTC Disabled

0x8cdf8901c000 715     715     2       xfs-log/nvme1n1 -       -       -       -        2025-01-06 18:31:39.619973 UTC Disabled

0x8ce008d88000 716     716     2       xfsaild/nvme1n1 -       -       -       -        2025-01-06 18:31:39.620078 UTC Disabled

0x8cdf988e4000 717     717     2       xfs-buf/nvme1n1 -       -       -       -        2025-01-06 18:31:39.620704 UTC Disabled

0x8cdf98874000 718     718     2       xfs-conv/nvme1n -       -       -       -        2025-01-06 18:31:39.620761 UTC Disabled

0x8cdf882a4000 719     719     2       xfs-cil/nvme1n1 -       -       -       -        2025-01-06 18:31:39.620806 UTC Disabled

0x8cdf88914000 720     720     2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:31:39.620850 UTC Disabled

0x8ce008054000 721     721     2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:31:39.620893 UTC Disabled

0x8cdf8896c000 722     722     2       xfs-log/nvme1n1 -       -       -       -        2025-01-06 18:31:39.624161 UTC Disabled

0x8cdf89040000 723     723     2       xfsaild/nvme1n1 -       -       -       -        2025-01-06 18:31:39.624215 UTC Disabled

0x8cdf98084000 731     731     2       xfs-buf/nvme1n1 -       -       -       -        2025-01-06 18:31:40.244080 UTC Disabled

0x8cdf88338000 732     732     2       xfs-conv/nvme1n -       -       -       -        2025-01-06 18:31:40.245222 UTC Disabled

0x8cdf8a200000 733     733     2       xfs-cil/nvme1n1 -       -       -       -        2025-01-06 18:31:40.245298 UTC Disabled

0x8ce008d90000 734     734     2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:31:40.245364 UTC Disabled

0x8cdf8416c000 735     735     2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:31:40.245435 UTC Disabled

0x8cdf84050000 736     736     2       xfs-log/nvme1n1 -       -       -       -        2025-01-06 18:31:40.248805 UTC Disabled

0x8cdf8a26c000 737     737     2       xfsaild/nvme1n1 -       -       -       -        2025-01-06 18:31:40.248891 UTC Disabled

0x8cdf9864c000 764     764     1       rpcbind 32      32      32      32      2025-01-06 18:31:41.187765 UTC    Disabled

0x8ce00807c000 767     767     1       auditd  -       -       -       -       2025-01-06 18:31:41.215368 UTC    Disabled

0x8cdf98674000 770     770     767     audisp-syslog  -       -       -       -        2025-01-06 18:31:41.252618 UTC Disabled

0x8cdf98328000 772     772     2       rpciod  -       -       -       -       2025-01-06 18:31:41.258220 UTC    Disabled

0x8ce0081cc000 773     773     2       xprtiod -       -       -       -       2025-01-06 18:31:41.258299 UTC    Disabled

0x8ce008070000 808     808     2       audit_prune_tre -       -       -       -        2025-01-06 18:31:41.433991 UTC Disabled

0x8cdf880d0000 816     816     1       dbus-daemon    81      81      81      81        2025-01-06 18:31:42.272531 UTC Disabled

0x8cdf87a10000 818     818     1       irqbalance     -       -       -       -        2025-01-06 18:31:42.316181 UTC Disabled

0x8cdf84040000 819     819     1       firewalld      -       -       -       -        2025-01-06 18:31:42.319532 UTC Disabled

0x8cdf88348000 820     820     1       systemd-logind -       -       -       -        2025-01-06 18:31:42.324752 UTC Disabled

0x8cdf99c50000 834     834     1       chronyd 995     992     995     992     2025-01-06 18:31:42.464656 UTC    Disabled

0x8cdf98978000 1371    1371    1       NetworkManager -       -       -       -        2025-01-06 18:31:47.027864 UTC Disabled

0x8cdf83290000 1377    1377    1       wdavdaemon     -       -       -       -        2025-01-06 18:31:47.457023 UTC Disabled

0x8cdf989f0000 1380    1380    1       system-probe   -       -       -       -        2025-01-06 18:31:47.477766 UTC Disabled

0x8cdf98730000 1381    1381    1       agent   7845    7845    7845    7845    2025-01-06 18:31:47.480684 UTC    Disabled

0x8cdfd04ac000 1382    1382    1       process-agent  7845    7845    7845    7845        2025-01-06 18:31:47.482949 UTC Disabled

0x8cdf9871c000 1383    1383    1       amazon-cloudwat -       -       -       -        2025-01-06 18:31:47.485878 UTC Disabled

0x8cdf891c0000 1384    1384    1       tuned   -       -       -       -       2025-01-06 18:31:47.488133 UTC    Disabled

0x8cdf891e4000 1385    1385    1       trace-agent    7845    7845    7845    7845        2025-01-06 18:31:47.490697 UTC Disabled

0x8cdf84888000 1397    1397    1       polkitd 998     996     998     996     2025-01-06 18:31:47.551321 UTC    Disabled

0x8cdf989a0000 1399    1399    1       rhsmcertd      -       -       -       -        2025-01-06 18:31:47.566135 UTC Disabled

0x8cdf8a018000 1418    1418    1       gssproxy       -       -       -       -        2025-01-06 18:31:47.641493 UTC Disabled

0x8ce008fbc000 1802    1802    1       master  -       -       -       -       2025-01-06 18:31:49.553584 UTC    Disabled

0x8cdf8a008000 1805    1805    1802    qmgr    89      89      89      89      2025-01-06 18:31:49.584502 UTC    Disabled

0x8cdf89564000 1840    1840    1377    wdavdaemon     -       -       -       -        2025-01-06 18:31:49.964917 UTC Disabled

0x8ce008fb8000 1881    1881    1       amazon-ssm-agen -       -       -       -        2025-01-06 18:31:50.779650 UTC Disabled

0x8ce008f48000 1884    1884    1       rsyslogd       -       -       -       -        2025-01-06 18:31:50.787866 UTC Disabled

0x8cdf866f8000 1897    1897    1       sshd    -       -       -       -       2025-01-06 18:31:50.877285 UTC    Disabled

0x8cdf87100000 2054    2054    1       ndtask  -       -       -       -       2025-01-06 18:31:51.642127 UTC    Disabled

0x8cdf87398000 2055    2055    1       mgsusageag     -       -       -       -        2025-01-06 18:31:51.647579 UTC Disabled

0x8cdf87320000 2119    2119    1       agetty  -       -       -       -       2025-01-06 18:31:51.849396 UTC    Disabled

0x8cdf8442c000 2121    2121    1       agetty  -       -       -       -       2025-01-06 18:31:51.853010 UTC    Disabled

0x8cdf871c0000 2124    2124    1       crond   -       -       -       -       2025-01-06 18:31:51.858122 UTC    Disabled

0x8cdf87554000 2506    2506    1881    ssm-agent-worke -       -       -       -        2025-01-06 18:31:52.972018 UTC Disabled

0x8cdfc9014000 13916   13916   1       agentid-service -       -       -       -        2025-01-06 18:39:57.994046 UTC Disabled

0x8ce02321c000 17987   17987   1       systemd -       -       -       -       2025-01-06 18:54:14.215331 UTC    Disabled

0x8cdfc2cd4000 17990   17990   17987   (sd-pam)       -       -       -       -        2025-01-06 18:54:14.233150 UTC Disabled

0x8cdffdb90000 18031   18031   2       xfs-buf/nvme2n1 -       -       -       -        2025-01-06 18:54:15.498038 UTC Disabled

0x8ce0232fc000 18032   18032   2       xfs-conv/nvme2n -       -       -       -        2025-01-06 18:54:15.498094 UTC Disabled

0x8ce0677dc000 18033   18033   2       xfs-cil/nvme2n1 -       -       -       -        2025-01-06 18:54:15.498145 UTC Disabled

0x8ce03bdb8000 18034   18034   2       xfs-reclaim/nvm -       -       -       -        2025-01-06 18:54:15.498210 UTC Disabled

0x8ce008350000 18035   18035   2       xfs-blockgc/nvm -       -       -       -        2025-01-06 18:54:15.498254 UTC Disabled

0x8ce03bfe4000 18036   18036   2       xfs-log/nvme2n1 -       -       -       -        2025-01-06 18:54:15.500968 UTC Disabled

0x8cdfebeec000 18037   18037   2       xfsaild/nvme2n1 -       -       -       -        2025-01-06 18:54:15.501111 UTC Disabled

0x8ce07ef9c000 18658   18658   1       rhcd    -       -       -       -       2025-01-06 18:55:37.895128 UTC    Disabled

0x8ce024c78000 18667   18667   18658   rhc-package-man -       -       -       -        2025-01-06 18:55:38.090402 UTC Disabled

0x8ce12cb20000 78709   78709   1       irtest.sh      -       -       -       -        2025-01-06 19:51:23.755930 UTC Disabled

0x8ce023308000 199347  199347  1802    pickup  89      89      89      89      2025-01-06 21:51:00.748263 UTC    Disabled

0x8ce0d2d70000 237929  237929  2       kworker/u8:0   -       -       -       -        2025-01-06 22:25:31.035089 UTC Disabled

0x8cdf84794000 262467  262467  2       kworker/1:7    -       -       -       -        2025-01-06 22:45:40.034260 UTC Disabled

0x8cdfb14fc000 262469  262469  2       kworker/1:9    -       -       -       -        2025-01-06 22:45:40.045083 UTC Disabled

0x8ce0674c4000 264766  264766  2       kworker/2:3    -       -       -       -        2025-01-06 22:47:27.286901 UTC Disabled

0x8cdf879ec000 277395  277395  2       kworker/2:12   -       -       -       -        2025-01-06 22:57:05.761563 UTC Disabled

0x8ce0d539c000 280907  280907  2       kworker/3:11   -       -       -       -        2025-01-06 23:00:42.229374 UTC Disabled

0x8cdf893d8000 282445  282445  2       kworker/u8:2   -       -       -       -        2025-01-06 23:01:17.929145 UTC Disabled

0x8cdf84844000 288026  288026  2       kworker/0:12   -       -       -       -        2025-01-06 23:05:46.778254 UTC Disabled

0x8ce008210000 289205  289205  2       kworker/0:13   -       -       -       -        2025-01-06 23:07:00.555337 UTC Disabled

0x8cdf83d8c000 289533  289533  2       kworker/3:0    -       -       -       -        2025-01-06 23:07:16.299211 UTC Disabled

0x8ce1ef0c0000 303323  303323  2       kworker/0:15   -       -       -       -        2025-01-06 23:10:06.945403 UTC Disabled

0x8ce1ed798000 305087  305087  2       kworker/1:0    -       -       -       -        2025-01-06 23:11:14.387107 UTC Disabled

0x8cdf89608000 305837  305837  2       kworker/u8:3   -       -       -       -        2025-01-06 23:11:57.518051 UTC Disabled

0x8ce0c1b84000 307972  307972  2       kworker/2:2    -       -       -       -        2025-01-06 23:13:54.773159 UTC Disabled

0x8ce1ed628000 310723  310723  2       kworker/1:1    -       -       -       -        2025-01-06 23:16:46.084097 UTC Disabled

0x8ce1ef00c000 313525  313525  2       kworker/3:2    -       -       -       -        2025-01-06 23:19:09.501107 UTC Disabled

0x8ce0c1a54000 313744  313744  2       kworker/1:2    -       -       -       -        2025-01-06 23:19:25.053070 UTC Disabled

0x8cdf84414000 314403  314403  2       kworker/u8:1   -       -       -       -        2025-01-06 23:19:53.134065 UTC Disabled

0x8ce1ef094000 314870  314870  2       kworker/1:3    -       -       -       -        2025-01-06 23:20:18.974955 UTC Disabled

0x8ce0c1bf8000 315659  315659  2       kworker/2:0    -       -       -       -        2025-01-06 23:21:12.570267 UTC Disabled

0x8ce1ed788000 315660  315660  2       kworker/2:1    -       -       -       -        2025-01-06 23:21:12.579123 UTC Disabled

0x8ce0c1b40000 318890  318890  2       kworker/2:4    -       -       -       -        2025-01-06 23:24:25.272087 UTC Disabled

0x8ce040894000 319010  319010  2       kworker/3:1    -       -       -       -        2025-01-06 23:24:26.561364 UTC Disabled

0x8ce0c1aac000 319201  319201  2       kworker/1:4    -       -       -       -        2025-01-06 23:24:42.614881 UTC Disabled

0x8ce0c1ac8000 319406  319406  2       kworker/2:5    -       -       -       -        2025-01-06 23:24:44.286116 UTC Disabled

0x8ce0c1b80000 319659  319659  2       kworker/2:6    -       -       -       -        2025-01-06 23:25:01.478366 UTC Disabled

0x8ce1ed794000 320078  320078  2       kworker/2:7    -       -       -       -        2025-01-06 23:25:19.602502 UTC Disabled

0x8ce0c1a5c000 321906  321906  2       kworker/3:3    -       -       -       -        2025-01-06 23:26:47.804082 UTC Disabled

0x8ce1ed6ec000 322138  322138  2       kworker/1:5    -       -       -       -        2025-01-06 23:26:50.454574 UTC Disabled

0x8ce0c1a70000 322168  322168  2       kworker/2:8    -       -       -       -        2025-01-06 23:26:50.774333 UTC Disabled

0x8ce1ed7ac000 323018  323018  2       kworker/0:0    -       -       -       -        2025-01-06 23:27:55.803061 UTC Disabled

0x8ce0c1ba4000 323476  323476  2       kworker/2:9    -       -       -       -        2025-01-06 23:28:15.676303 UTC Disabled

0x8cdf8764c000 324283  324283  2       kworker/3:4    -       -       -       -        2025-01-06 23:28:36.982720 UTC Disabled

0x8ce1ed6b0000 324332  324332  78709   avml    -       -       -       -       2025-01-06 23:28:39.059453 UTC    Disabled

0x8ce1ed790000 324480  324480  2       kworker/1:6    -       -       -       -        2025-01-06 23:28:49.676052 UTC Disabled

0x8ce1ed6a0000 324481  324481  2       kworker/1:8    -       -       -       -        2025-01-06 23:28:49.688066 UTC Disabled

0x8ce067478000 324511  324511  2       kworker/u8:4   -       -       -       -        2025-01-06 23:28:55.832057 UTC Disabled

0x8ce1ef1e4000 -29473  -2016868776    0       ũ�O#�i  -       -       -       -        2025-01-06 18:31:30.000000 UTC Disabled

0x8cdf86bb41f8 -29473  -2034548040    0       �=·ߌ���C��ߌ��   3506438028     3750148940        16777100       -       2025-01-06 18:31:30.000000 UTC Disabled

 

DEBUG    volatility3.cli: Traceback (most recent call last):

  File "/ir/volatility3-develop/volatility3/cli/__init__.py", line 501, in run

    renderer.render(grid)

  File "/ir/volatility3-develop/volatility3/cli/text_renderer.py", line 232, in render

    grid.populate(visitor, outfd)

  File "/ir/volatility3-develop/volatility3/framework/renderers/__init__.py", line 240, in populate

    for level, item in self._generator:

  File "/ir/volatility3-develop/volatility3/framework/plugins/linux/pslist.py", line 213, in _generator

    task_fields = self.get_task_fields(task, decorate_comm)

  File "/ir/volatility3-develop/volatility3/framework/plugins/linux/pslist.py", line 114, in get_task_fields

    name = utility.array_to_string(task.comm)

  File "/ir/volatility3-develop/volatility3/framework/objects/utility.py", line 41, in array_to_string

    return array.cast("string", max_length=count, errors=errors)

  File "/ir/volatility3-develop/volatility3/framework/interfaces/objects.py", line 189, in cast

    return object_template(context=self._context, object_info=object_info)

  File "/ir/volatility3-develop/volatility3/framework/objects/templates.py", line 96, in __call__

    return self.vol.object_class(

  File "/ir/volatility3-develop/volatility3/framework/objects/__init__.py", line 352, in __new__

    cls._unmarshall(

  File "/ir/volatility3-develop/volatility3/framework/objects/__init__.py", line 202, in _unmarshall

    data = context.layers.read(

  File "/ir/volatility3-develop/volatility3/framework/interfaces/layers.py", line 635, in read

    return self[layer].read(offset, length, pad)

  File "/ir/volatility3-develop/volatility3/framework/layers/linear.py", line 45, in read

    for offset, _, mapped_offset, mapped_length, layer in self.mapping(

  File "/ir/volatility3-develop/volatility3/framework/layers/intel.py", line 302, in mapping

    for offset, size, mapped_offset, mapped_size, map_layer in self._mapping(

  File "/ir/volatility3-develop/volatility3/framework/layers/intel.py", line 358, in _mapping

    chunk_offset, page_size, layer_name = self._translate(offset)

  File "/ir/volatility3-develop/volatility3/framework/layers/intel.py", line 162, in _translate

    entry, position = self._translate_entry(offset)

  File "/ir/volatility3-develop/volatility3/framework/layers/intel.py", line 210, in _translate_entry

    raise exceptions.PagedInvalidAddressException(

volatility3.framework.exceptions.PagedInvalidAddressException: Page Fault at entry 0x0 in table page directory pointer

 

Volatility was unable to read a requested page:

Page error 0x7f9aa14b62e0 in layer layer_name (Page Fault at entry 0x0 in table page directory pointer)

 

        * Memory smear during acquisition (try re-acquiring if possible)

        * An intentionally invalid page lookup (operating system protection)

        * A bug in the plugin/volatility3 (re-run with -vvv and file a bug)

 

No further results will be produced

atcuno · 2025-01-08T15:54:55Z

Thank you for the updated information. The pslist crash will be fixed by #1518

psaux will get its own pull request this week to fix it. I will close this ticket once both fixes are merged

ikelos · 2025-01-19T16:16:23Z

So the #1518 equivalent #1542 was merged, does that mean this is fixed @atcuno ?

atcuno · 2025-01-19T17:07:07Z

The second issue reported here with the UnicodeDecodeError still needs to be fixed. A ticket hasn't been made yet as we are working on a way to auto-find other lines of code in all plugins where it could happen and without exception handling present.

Brian-Guenther · 2025-01-22T18:26:00Z

Hello,

We have validated with the latest dev branch and found that the pslist plugin is no longer crashing! Appreciate the updates that resolved this.

However, now we are seeing some memory acquisitions that show ~75% less processes than a memory acquisition taken a minute earlier.

We understand that the number of processes shown will fluctuate, but are curious: How can we validate that a memory capture is "complete" from a volatility3 perspective.

We are running AVML and volatility3 as a part of automation, and would like to be able to evaluate memory acquisition completeness.

For example, if a memory sample has 50% of the total processes in a smeared state that is unreadable by volatility3 plugins, we would want the automation to take a new capture.

Is there a way to validate the amount of smearing or unreadable tasks detected in a pslist run?

atcuno · 2025-01-22T21:19:08Z

Are you comfortable with changing to previous commits instead of just branches? If so, for the samples losing that many processes (from pslist I assume), can you checkout the code base before this commit:

6817d2c

And 1) see how many processes come back 2) if they actually look valid.

atcuno added the parity-release label Jan 8, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Intermittent errors with linux plugins (~50% of memory acquisitions from the same machine have errors) #1534

Intermittent errors with linux plugins (~50% of memory acquisitions from the same machine have errors) #1534

Brian-Guenther commented Jan 8, 2025

atcuno commented Jan 8, 2025

Brian-Guenther commented Jan 8, 2025

Brian-Guenther commented Jan 8, 2025

atcuno commented Jan 8, 2025

ikelos commented Jan 19, 2025

atcuno commented Jan 19, 2025

Brian-Guenther commented Jan 22, 2025

atcuno commented Jan 22, 2025

Intermittent errors with linux plugins (~50% of memory acquisitions from the same machine have errors) #1534

Intermittent errors with linux plugins (~50% of memory acquisitions from the same machine have errors) #1534

Comments

Brian-Guenther commented Jan 8, 2025

atcuno commented Jan 8, 2025

Brian-Guenther commented Jan 8, 2025

Brian-Guenther commented Jan 8, 2025

atcuno commented Jan 8, 2025

ikelos commented Jan 19, 2025

atcuno commented Jan 19, 2025

Brian-Guenther commented Jan 22, 2025

atcuno commented Jan 22, 2025