A similar project for Volatility2 profiles is available here : https://github.com/Abyss-W4tcher/volatility2-profiles
EZ Volatility install script : https://github.com/Abyss-W4tcher/volatility-scripts/tree/master/vol_ez_install
| Distribution | Path | Symbols | Example |
|---|---|---|---|
| Ubuntu | Ubuntu/<architecture>/<base-kernel-version>/<ABI>/<kernel-flavour>/ | Ubuntu_<kernel-version>_<package-revision>_<architecture>.json.xz | Ubuntu/amd64/4.4.0/22/generic/Ubuntu_4.4.0-22-generic_4.4.0-22.40~14.04.1_amd64.json.xz |
| Debian | Debian/<architecture>/<base-kernel-version>/<ABI>/<kernel-flavour>/ | Debian_<kernel-version>_<package-revision>_<architecture>.json.xz | Debian/amd64/3.1.0/1/Debian_3.1.0-1-amd64_3.1.1-1_amd64.json.xz |
| KaliLinux | KaliLinux/<architecture>/<base-kernel-version>/<kernel-flavour>/ | KaliLinux_<kernel-version>_<package-revision>_<architecture>.json.xz | KaliLinux/amd64/5.2.0/KaliLinux_5.2.0-kali2-amd64_5.2.9-2kali1_amd64.json.xz |
| AlmaLinux | AlmaLinux/<architecture>/<base-kernel-version>/<kernel-flavour>/ | AlmaLinux_<kernel-version>_<architecture>.json.xz | AlmaLinux/x86_64/4.18.0/AlmaLinux_4.18.0-477.13.1.el8_8_x86_64.json.xz |
| RockyLinux | RockyLinux/<architecture>/<base-kernel-version>/<kernel-flavour>/ | RockyLinux_<kernel-version>_<architecture>.json.xz | RockyLinux/x86_64/4.18.0/RockyLinux_4.18.0-477.10.1.el8_8_x86_64.json.xz |
| macOS | macOS/<version-prefixed>/ | macOS_KDK_<macOS-version>_build-<build>_<arch-if-mach-kernel>.json.xz | macOS/14.0/macOS_KDK_14.0_build-23A5257q.json.xz |
Place every compressed symbol file you plan to use inside your [volatility3_installation]/volatility3/symbols/linux/ directory (create it if needed).
Explore the "banners/banners_plain.json" file to match banners and symbols quickly.
- Some distributions are missing, do you plan to add them anytime soon ?
Adding a new distribution is not particularly an issue, and I'd like to include as much as I can. However, I do not want to push the repository size too far, to avoid a potential removal by GitHub.
-
Why can't I locate symbols for a particular subversion of a listed distribution ?
- Ubuntu : It appears that debug symbols for pre-release and test kernels aren't automatically generated along the kernel source code, in Ubuntu ddebs mirror. You might want to take a look at the Canonical Kernel Team PPA, for non-stable kernels. Check out issue #27 for an example.
Due to missing dependencies, some kernels specific versions may not be available here.
Kernel debug symbols for macOS are fetched from : https://developer.apple.com/download/all. However, as Apple does not provide every build, some versions aren't available in this repository. Here are some discussions about it :
Volatility3 provides a new feature allowing users to specify a remote symbols source to be queried when analyzing a memory dump. To test this feature in your local installation, run the following commands :
VOLATILITY3_PATH=/path/to/volatility3_install/ # Edit accordingly
sed -i 's@REMOTE_ISF_URL = None@REMOTE_ISF_URL = "https://github.com/Abyss-W4tcher/volatility3-symbols/raw/master/banners/banners.json"@g' "$VOLATILITY3_PATH/volatility3/framework/constants/__init__.py"
