Unable to validate the plugin requirements: ['plugins.PsList.kernel']

[dilzor28]

I have been trying to test out volatility3 in an EC2 instance, however it doesn't seem to recognize the custom built profile I have made. I used ./dwarf2json linux --system-map [path_to]/System.Map-xxx.x86_64 > LinuxVersion.json and added it to both volatility3/volatility3/symbols and volatility3/volatility3/framework/symbols/linux. Here is the output for banners as well as isfinfo. It should be noted that the same host that took the lime memory dump is the one doing the analysis, so they are the exact same version of Linux.

I am fairly new to building custom linux profiles so it is possible that I ran into an error somewhere in the creation process. I tried grepping the json output of dwarf2json for the profile listed in banners and it shows the following:

"metadata": {
    "linux": {
      "symbols": [
        {
          "kind": "system-map",
          "name": "System.map-4.14.256-197.484.amzn2.x86_64",
          "hash_type": "sha256",
          "hash_value": "a2ab538f52ba173598e13501fe92f9ddef154bf549b768489fe3f77d0f9da2f8"
        }
      ]
    }

banners

isfinfo

output of command python3 vol.py -f Linux64.mem -vvvv linux.pslist.PsList:

Volatility 3 Framework 2.0.0
INFO     volatility3.cli: Volatility plugins path: ['/root/volatility3/volatility3/plugins', '/root/volatility3/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/root/volatility3/volatility3/symbols', '/root/volatility3/volatility3/framework/symbols']
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: /root/volatility3/volatility3/framework/plugins/yarascan.py
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: /root/volatility3/volatility3/framework/plugins/windows/cachedump.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.callbacks based on file: /root/volatility3/volatility3/framework/plugins/windows/callbacks.py
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: /root/volatility3/volatility3/framework/plugins/windows/hashdump.py
DEBUG    volatility3.framework: No module named 'Crypto'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: /root/volatility3/volatility3/framework/plugins/windows/lsadump.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.mftscan based on file: /root/volatility3/volatility3/framework/plugins/windows/mftscan.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: /root/volatility3/volatility3/framework/plugins/windows/svcscan.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: No module named 'yara'
DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: /root/volatility3/volatility3/framework/plugins/windows/vadyarascan.py
INFO     volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.callbacks, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.mftscan, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
INFO     volatility3.framework.automagic: Detected a linux category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
INFO     volatility3.framework.automagic: Running automagic: SymbolBannerCache
INFO     volatility3.framework.automagic: Running automagic: LinuxBannerCache
INFO     volatility3.framework.automagic.symbol_cache: Building linux caches...
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Stacked LimeLayer using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.linux: No suitable linux banner could be matched
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: LimeLayer
Level 9  volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['LimeLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
INFO     volatility3.framework.automagic: Running automagic: KernelModule
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel

Unsatisfied requirement plugins.PsList.kernel: Linux kernel
Unable to validate the plugin requirements: ['plugins.PsList.kernel']

[ikelos]

Thanks for the report, your screenshots show that the banner listed under the output from the banners plugin, doesn't match the banner from the isfinfo plugin. The JSON file you created suggests there are 0 base_types and 0 types, but 75376 symbols and that there is no banner present. Further the metadata section of the file you sent suggests that only System.map was used to create the JSON file (which fits, since that only contains symbols, not types, and does not contain the banner, which is why no banner is listed).

You'll need to get the exact debug kernel (not the normal kernel, the debug one, which is usually in a separate package, for red hat I believe it's called kernel-debug). There should be a 500-700 mb kernel file, which you can pass to dwarf2json with the --elf parameter (rather than --symbol-map, although you can provide that also if you'd like). Once you've done this the JSON file should contain the necessary information (and the isfinfo plugin should give different values).

I'm going to mark this as closed, since it's not really a bug in volatility, however if you need more support this kind of question is probably better handled interactively on our slack channels.