Need to add support for pages with PROT_NONE permissions

[gleeda]

The _PAGE_PRESENT bit is cleared when mprotect(...PROT_NONE) is called on a page, therefore it is missed.

See: https://volatility-labs.blogspot.com/2015/05/using-mprotect-protnone-on-linux.html

[ikelos]

Just to keep everything in one place, I'd recommend a LinuxMixin (that follows the same procedures as the WindowsMixin, including subclasses with Intel and the LinuxMixin) and then update the LintelStacker class to use those classes instead of the stock Intel ones...

[gleeda]

Just a note that I'm hoping we'll have a resolution to the unnamed_field issue soon. It is currently a potential blocker for verifying this issue: #151

[ikelos]

#151 has been resolved, so hopefully this can keep moving forward?

[gleeda]

I'm still having issues getting dwarf2json profiles to work with this version of Kali for some reason :-/

Volatility 3 Framework 1.0.0-beta.1
INFO     root        : Volatility plugins path: ['/Users/gleeda/Work/DEV/volatility3/volatility/plugins', '/Users/gleeda/Work/DEV/volatility3/volatility/framework/plugins']
INFO     root        : Volatility symbols path: ['/Users/gleeda/Work/DEV/volatility3/volatility/symbols', '/Users/gleeda/Work/DEV/volatility3/volatility/framework/symbols']
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'yara'
DEBUG    volatility.framework: Failed to import module volatility.plugins.yarascan based on file: yarascan
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'yara'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.svcscan based on file: windows/svcscan
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'yara'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.vadyarascan based on file: windows/vadyarascan
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'yara'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.callbacks based on file: windows/callbacks
INFO     volatility.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'pefile'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.verinfo based on file: windows/verinfo
INFO     root        : The following plugins could not be loaded (use -vv to see why): volatility.plugins.windows.callbacks, volatility.plugins.windows.svcscan, volatility.plugins.windows.vadyarascan, volatility.plugins.windows.verinfo, volatility.plugins.yarascan
INFO     volatility.framework.automagic: Detected a linux category plugin
INFO     volatility.framework.automagic: Running automagic: LinuxBannerCache
INFO     volatility.framework.automagic.symbol_cache: Building linux caches...
INFO     volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps.vmlinux
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps
INFO     volatility.framework.automagic: Running automagic: LayerStacker
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
DEBUG    volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
INFO     volatility.framework.automagic.mac: No Mac banners found - if this is a mac plugin, please check your symbol files location
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG    volatility.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO     volatility.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux

Unsatisfied requirement plugins.Maps.primary: Memory layer for the kernel
Unsatisfied requirement plugins.Maps.vmlinux: Linux kernel symbols

A symbol table requirement was not fulfilled.  Please verify that:
	You have the correct symbol file for the requirement
	The symbol file is under the correct directory or zip file
	The symbol file is named appropriately or contains the correct banner


A translation layer requirement was not fulfilled.  Please verify that:
	A file was provided to create this layer (by -f, --single-location or by config)
	The file exists and is readable
	The necessary symbols are present and identified by volatility
Unable to validate the plugin requirements: ['plugins.Maps.primary', 'plugins.Maps.vmlinux']```

[gleeda]

When running it on a different copy of memory from the same machine, I get a little bit further:

INFO     root        : Volatility symbols path: ['/Users/gleeda/Work/DEV/volatility3/volatility/symbols', '/Users/gleeda/Work/DEV/volatility3/volatility/framework/symbols']
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/plugins, /Users/gleeda/Work/DEV/volatility3/volatility/framework/plugins
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'yara'
DEBUG    volatility.framework: Failed to import module volatility.plugins.yarascan based on file: yarascan
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'yara'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.svcscan based on file: windows/svcscan
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'yara'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.vadyarascan based on file: windows/vadyarascan
INFO     volatility.plugins.yarascan: Python Yara module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'yara'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.callbacks based on file: windows/callbacks
INFO     volatility.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available
DEBUG    volatility.framework: No module named 'pefile'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.verinfo based on file: windows/verinfo
INFO     root        : The following plugins could not be loaded (use -vv to see why): volatility.plugins.windows.callbacks, volatility.plugins.windows.svcscan, volatility.plugins.windows.vadyarascan, volatility.plugins.windows.verinfo, volatility.plugins.yarascan
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/automagic
Level 7  root        : Cache directory used: /Users/gleeda/.cache/volatility3
INFO     volatility.framework.automagic: Detected a linux category plugin
INFO     volatility.framework.automagic: Running automagic: LinuxBannerCache
Level 6  volatility.framework.symbols.intermed: Searching for symbols in /Users/gleeda/Work/DEV/volatility3/volatility/symbols, /Users/gleeda/Work/DEV/volatility3/volatility/framework/symbols
INFO     volatility.framework.automagic.symbol_cache: Building linux caches...
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
INFO     volatility.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps.vmlinux
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
INFO     volatility.framework.automagic: Running automagic: LayerStacker
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 8  volatility.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility.framework.layers.elf: Exception: Bad magic 0xf000ff53 at file offset 0x0
Level 8  volatility.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using WindowsCrashDump32Stacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using WintelStacker
DEBUG    volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
Level 8  volatility.framework.automagic.stacker: Attempting to stack using MacintelStacker
INFO     volatility.framework.automagic.mac: No Mac banners found - if this is a mac plugin, please check your symbol files location
Level 8  volatility.framework.automagic.stacker: Attempting to stack using LintelStacker
DEBUG    volatility.framework.automagic.linux: Identified banner: b'Linux version 5.3.0-kali2-amd64 (devel@kali.org) (gcc version 9.2.1 20191102 (Debian 9.2.1-17)) #1 SMP Debian 5.3.9-1kali1 (2019-11-11)\n\x00'
INFO     volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility.schemas: All validations will report success, even with malformed input
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!netns_ipvs
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!mtd_info
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!s_pstats
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!can_dev_rcv_lists
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!s_stats
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!mpls_route
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!sctp_mib
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!ebt_table
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!dn_dev
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!garp_port
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!mpls_dev
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!mrp_port
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!sfp_bus
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!tipc_bearer
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_conn
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cached_keys
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cqm_config
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_internal_bss
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!phy_led_trigger
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!phylink
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!libipw_device
DEBUG    volatility.framework.symbols: Unresolved reference: LintelStacker1!reset_control
DEBUG    volatility.framework.automagic.linux: Linux ASLR shift values determined: physical 77a00000 virtual 35e00000
DEBUG    volatility.framework.automagic.linux: DTB was found at: 0x79a0a000
Level 8  volatility.framework.automagic.stacker: Stacked IntelLayer using LintelStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8  volatility.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using WindowsCrashDump32Stacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using WintelStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using MacintelStacker
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Maps.primary.memory_layer
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps.vmlinux
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Maps
Level 6  volatility.framework: Importing from the following paths: /Users/gleeda/Work/DEV/volatility3/volatility/framework/layers
DEBUG    volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO     volatility.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Maps.vmlinux
DEBUG    volatility.framework.automagic.symbol_finder: Identified banner: b'Linux version 5.3.0-kali2-amd64 (devel@kali.org) (gcc version 9.2.1 20191102 (Debian 9.2.1-17)) #1 SMP Debian 5.3.9-1kali1 (2019-11-11)\n\x00'
DEBUG    volatility.framework.automagic.symbol_finder: Using symbol library: file:///Users/gleeda/Work/DEV/volatility3/volatility/framework/symbols/linux/kali.json
INFO     volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility.schemas: All validations will report success, even with malformed input

PID	Process	Start	End	Flags	PgOff	Major	Minor	Inode	File Path
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!netns_ipvs
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!mtd_info
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!s_pstats
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!can_dev_rcv_lists
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!s_stats
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!mpls_route
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!sctp_mib
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!ebt_table
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!dn_dev
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!garp_port
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!mpls_dev
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!mrp_port
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!sfp_bus
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!tipc_bearer
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!assoc_array_ptr
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!pcpu_dstats
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!cfg80211_conn
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!cfg80211_cached_keys
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!cfg80211_cqm_config
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!cfg80211_internal_bss
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!phy_led_trigger
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!phylink
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!libipw_device
DEBUG    volatility.framework.symbols: Unresolved reference: vmlinux1!reset_control


DEBUG    root        : Traceback (most recent call last):
  File "/Users/gleeda/Work/DEV/volatility3/volatility/cli/__init__.py", line 292, in run
    renderers[args.renderer]().render(constructed.run())
  File "/Users/gleeda/Work/DEV/volatility3/volatility/cli/text_renderer.py", line 163, in render
    grid.populate(visitor, outfd)
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/renderers/__init__.py", line 196, in populate
    for (level, item) in self._generator:
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/plugins/linux/proc.py", line 30, in _generator
    for task in tasks:
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/plugins/linux/pslist.py", line 82, in list_tasks
    for task in init_task.tasks:
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/symbols/linux/extensions/__init__.py", line 293, in to_list
    link = getattr(self, direction).dereference()
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/objects/__init__.py", line 707, in __getattr__
    member = template(context = self._context, object_info = object_info)
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/objects/templates.py", line 72, in __call__
    return self.vol.object_class(context = context, object_info = object_info, **arguments)
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/objects/__init__.py", line 120, in __new__
    value = cls._unmarshall(context, data_format, object_info)
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/objects/__init__.py", line 304, in _unmarshall
    data = context.layers.read(object_info.layer_name, object_info.offset, length)
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/interfaces/layers.py", line 540, in read
    return self[layer].read(offset, length, pad)
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/layers/linear.py", line 38, in read
    for (offset, _, mapped_offset, mapped_length, layer) in self.mapping(offset, length, ignore_errors = pad):
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/layers/intel.py", line 197, in mapping
    chunk_offset, page_size, layer_name = self._translate(offset)
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/layers/intel.py", line 99, in _translate
    entry, position = self._translate_entry(offset)
  File "/Users/gleeda/Work/DEV/volatility3/volatility/framework/layers/intel.py", line 125, in _translate_entry
    "Page Fault at entry " + hex(entry) + " in table " + name)
volatility.framework.exceptions.PagedInvalidAddressException: Page Fault at entry 0x0 in table page table

Volatility was unable to read a requested page:
Page error 0xffff82013b50 in layer primary (Page Fault at entry 0x0 in table page table)

	* Memory smear during acquisition (try re-acquiring if possible)
	* An intentionally invalid page lookup (operating system protection)
	* A bug in the plugin/volatility (re-run with -vvv and file a bug)

No further results will be produced```

[cstation]

Encountering the same errors as @gleeda is doing here. I've created an Ubuntu 20.04 VM (using VMware). Installed linux-image-$(uname -r)-dbgsym and generated a profile with dwarf2json. Created a snapshot of the VM and ran volatility3 on the .vmem-file of this snapshot.

Is there any progress on this issue?

[ikelos]

So given the #151 is complete, this still needs code writing for the LinuxMixin that will accept bit 0 as unset when bit 9 is set, which I think @gleeda offered to do since this is assigned to her. Happy to provide support and help with this, but if it needs the dwarf2json guys to help then let's bring them in...

[gleeda]

@gleeda Yes, sorry! I'll get it in here in a bit.

[gleeda]

Encountering the same errors as @gleeda is doing here. I've created an Ubuntu 20.04 VM (using VMware). Installed linux-image-$(uname -r)-dbgsym and generated a profile with dwarf2json. Created a snapshot of the VM and ran volatility3 on the .vmem-file of this snapshot.

Is there any progress on this issue?

I think the issue was due to #151 . If so, then maybe we need to have another look at it? @ikelos @cstation

[cstation]

@gleeda @ikelos I'm sorry if I caused any misunderstandings. I commented not because of the initial topic of the issue (The _PAGE_PRESENT bit is cleared when mprotect(...PROT_NONE) is called on a page), but because I encounter the same issues with getting the dwarf2json profiles to work, just like @gleeda encountered Page errors in her comments on 12 Jun 2020..

The issue of page errors is popping up more frequent, for example down in #215 or in #356. I do not know what exactly causes these errors, but since this issue is even encountered by Volatility Core Developers 😉, it is likely that it is not merely due to wrong usage of dwarf2json or volatility3.

Maybe it is due to an issue with dwarf2json (something like their Issue #25), but I'm missing the expertise to say anything meaningful about that.

[ikelos]

Ah, thanks for the clarification @cstation . Page errors occur when the page table (which modern systems use to make memory more manoeuvrable and easier to manage) maps to an address that doesn't exist. The error message tells you where in the table it failed, but unfortunately this kind of error can either be because volatility asks for something that doesn't exist, or asks for something that should exist but due to the memory image and how it was acquired, it does not.

The memory image can cause page errors for two reasons, either the format it's written in doesn't have all the information it needs (for instance, modern vmem files require a vmsn or vmss file with the same name to be in the same directory as them) or because whilst the memory was being acquired (which takes time) it changed (and the memory that had been mapped in one place changed where it lived.

In most cases, the underlying memory image isn't perfect, and there's not a great deal we can do about those, but in certain circumstances we do the wrong thing (either because we've never encountered it before, or we just made a mistake). In cases like that we'd need to dig into what was being done at the time, but a separate issue helps us keep track of everything that's going on.

In short, page errors are indicative that something went wrong, but the occurrence of a page error doesn't give us any clues as to exactly what went wrong. 5:S

[ikelos]

@gleeda did you regenerate the symbols after #151 (and its related changes in dwarf2json) were made? Without more information it's difficult to tell whether #151 is still an issue or not. I'm also not sure why the JSON affects how page mapping happens? I thought it was a modification to the IntelLayer?

[ikelos]

Sorry, just trying to keep on top of this. Any progress here @gleeda? Is this still a problem @cstation ?

[cstation]

This specific issue is not a problem for me anymore, since my problem was in the end related to how vmem-files were read. Nevertheless, the original issue posed by @gleeda could still be an unsolved bug.