For science, I am trying to use Volatility 3 to analyze a mac memory capture file. However, I am having trouble creating a symbol table so that Volatility can read my mac memory file. I used Surge tool for capture my personal macbook. I have high confidence that the memory capture isn't the problem. I followed this Volatility 3 documentation to create the mac symbol table, but I haven't had any luck.

Here are the steps that I have done:

1. Ran strings and grep for "Darwin Kernel Version"

strings ./memory/data.lime | grep -i "Darwin Kernel Version"

Darwin Kernel Version 24.3.0: Thu Jan  2 20:22:00 PST 2025; root:xnu-11215.81.4~3/RELEASE_X86_64

Platform: macOS 15.3.1 24D70 (Sequoia) Darwin Kernel Version 24.3.0: Thu Jan  2 20:22:00 PST 2025; root:xnu-11215.81.4~3/RELEASE_X86

Platform: macOS 15.3.1 24D70 (Sequoia) Darwin Kernel Version 24.3.0: Thu Jan  2 20:22:00 PST 2025; root:xnu-11215.81.4~3/RELEASE_X86_64

2. Ran volatility banners.Banners plugin to confirm

python vol.py -f ./memory/data.lime banners.Banners

Darwin Kernel Version 24.3.0: Thu Jan  2 20:22:00 PST 2025; root:xnu-11215.81.4~3/RELEASE_X86_64

3. Downloaded Kernel Development Kit 15.3.1 build 24D70 from Apple Developer website.

4. Installed the KernelDebugKit.pkg from the downloaded dmg file.

5. Cloned dwarf2json from github to my local laptop and ran go build to create dwarf2json binary

git clone https://github.com/volatilityfoundation/dwarf2json

cd dwarf2json

go build

6. Ran dwarf2json to create .json file for the Volatility mac symbols folder

./dwarf2json mac --macho /Library/Developer/KDKs/KDK_15.3.1_24D70.kdk/System/Library/Kernels/kernel.dSYM/Contents/Resources/DWARF/kernel > Kernel_Debug_Kit_15.3.1_build_24D70.dmg.json

7. Opened the new json file in Sublime, find "constant_data" field, and switched out the default base64 value here with the string "Darwin Kernel Version 24.3.0: Thu Jan  2 20:22:00 PST 2025; root:xnu-11215.81.4~3/RELEASE_X86_64" in base64.

echo "Darwin Kernel Version 24.3.0: Thu Jan  2 20:22:00 PST 2025; root:xnu-11215.81.4~3/RELEASE_X86_64" | base64

RGFyd2luIEtlcm5lbCBWZXJzaW9uIDI0LjMuMDogVGh1IEphbiAgMiAyMDoyMjowMCBQU1QgMjAyNTsgcm9vdDp4bnUtMTEyMTUuODEuNH4zL1JFTEVBU0VfWDg2XzY0Cg=

8. I used xz to compress the Kernel_Debug_Kit_15.3.1_build_24D70.dmg.json, and then I placed it in the mac folder within the symbols parent folder.

xz -z -v Kernel_Debug_Kit_15.3.1_build_24D70.dmg.json

9. Ran volatility with mac.pslist.PsList plugin against my memory capture.

python vol.py -f ./memory/data.lime --symbol-dirs /Users/<my-user>/tools/volatility3-2.26.0/volatility3/symbols/mac mac.pslist.PsList

I am still not getting desired output, it looks like it is not recognizing the kernel.symbol_table_name and the kernel.layer_name

Volatility 3 Framework 2.26.0

Progress:  100.00 Stacking attempts finished                 

Unsatisfied requirement plugins.PsList.kernel.layer_name: 

Unsatisfied requirement plugins.PsList.kernel.symbol_table_name: 

A translation layer requirement was not fulfilled.  Please verify that:

A file was provided to create this layer (by -f, --single-location or by config)

The file exists and is readable

The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:

The associated translation layer requirement was fulfilled

You have the correct symbol file for the requirement

The symbol file is under the correct directory or zip file

The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.PsList.kernel.layer_name', 'plugins.PsList.kernel.symbol_table_name']

Has anybody have any success creating symbol tables? I found this github post, but I didn't have the same success.