I'm trying to do some memory analysis on an embedded Linux system. Due to storage constraints there is no /lib/modules/version/build available, but I do have the kernel configuration file and system map, so what I've done is download the kernel source from kernel.org and build that using the kernel configuration file from the embedded system. Then, in tools/linux/ execute
```
make -C ${KP} CONFIG_DEBUG_INFO=y M="$PWD" modules
dwarfdump -di module.ko >module.dwarf
```
where ${KP} is the path to the kernel build directory. Then package module.dwarf and the system map from the running system into a zip archive and copy that to volatility/plugins/overlays/linux/. This seems to work OK, or at least I see my profile in the --info list. But when I try to use the profile with a LiME image and the linux_pslist command, I get errors like this:
(lots of messages about missing Crypto.Hash and distorm3 plugins)

```
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug : Overlay structure vm_area_struct not present in vtypes
WARNING : volatility.debug : Overlay structure tty_struct not present in vtypes
WARNING : volatility.debug : Overlay structure sockaddr_un not present in vtypes
WARNING : volatility.debug : Overlay structure hlist_head not present in vtypes
WARNING : volatility.debug : Overlay structure task_struct not present in vtypes
WARNING : volatility.debug : Overlay structure dentry not present in vtypes
WARNING : volatility.debug : Overlay structure net_device not present in vtypes
WARNING : volatility.debug : Overlay structure super_block not present in vtypes
WARNING : volatility.debug : Overlay structure in_ifaddr not present in vtypes
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug : Overlay structure vm_area_struct not present in vtypes
WARNING : volatility.debug : Overlay structure tty_struct not present in vtypes
WARNING : volatility.debug : Overlay structure sockaddr_un not present in vtypes
WARNING : volatility.debug : Overlay structure hlist_head not present in vtypes
WARNING : volatility.debug : Overlay structure task_struct not present in vtypes
WARNING : volatility.debug : Overlay structure dentry not present in vtypes
WARNING : volatility.debug : Overlay structure net_device not present in vtypes
WARNING : volatility.debug : Overlay structure super_block not present in vtypes
WARNING : volatility.debug : Overlay structure in_ifaddr not present in vtypes
Offset             Name                 Pid             PPid            Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
```
and all the other address space modules also report no base address. Originally I thought the problem might be my LiME module (the embedded system has no build tools, so I had to follow a similar process to build the LiME kernel module), but the WARNING messages about being unable to find this or that kernel data structure make me wonder if the problem is in my profile? I wondered if anyone had some ideas/hints?
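One way to check the module.dwarf half of the profile before zipping it, as an added example that is not part of this issue or of Volatility's own code: it parses `dwarfdump -di` output and reports which of the structures named in the warnings above are absent or only forward-declared. It assumes the dwarfdump layout shown in the constructed excerpt (one `<level><offset> DW_TAG_...` line per DIE, followed by indented `DW_AT_...` attribute lines); the exact layout varies between dwarfdump versions, so the two regexes may need adjusting for yours.

```python
import re
# Structures named in the "Overlay structure ... not present in vtypes" warnings.
EXPECTED_STRUCTS = ["cpuinfo_x86", "vm_area_struct", "tty_struct", "sockaddr_un", "hlist_head",
                    "task_struct", "dentry", "net_device", "super_block", "in_ifaddr"]
# Assumed dwarfdump -di layout: "<level><offset> DW_TAG_x", then indented "DW_AT_x value" lines.
TAG_RE = re.compile(r"^<\s*\d+><[^>]*>\s*(DW_TAG_\w+)")
ATTR_RE = re.compile(r"(DW_AT_\w+)\s+(.+)$")
def parse_dies(dwarf_text):
    """Yield (tag, {attribute: raw value}) for each DIE in the dump."""
    tag, attrs = None, {}
    for line in dwarf_text.splitlines():
        m = TAG_RE.match(line)
        if m:
            if tag:
                yield tag, attrs
            tag, attrs = m.group(1), {}
        elif tag and (a := ATTR_RE.search(line)):
            attrs[a.group(1)] = a.group(2).strip("<> ")
    if tag:
        yield tag, attrs

def defined_structs(dwarf_text):
    """Map struct name -> byte size for every fully defined structure. A forward
    declaration (DW_AT_declaration, no byte size) has no member layout, so skip it."""
    structs = {}
    for tag, attrs in parse_dies(dwarf_text):
        if (tag == "DW_TAG_structure_type" and "DW_AT_name" in attrs
                and "DW_AT_byte_size" in attrs and "DW_AT_declaration" not in attrs):
            structs[attrs["DW_AT_name"]] = int(attrs["DW_AT_byte_size"], 0)
    return structs

def missing_structs(dwarf_text, expected=EXPECTED_STRUCTS):
    """Expected structures the dump does not fully define (should come back empty)."""
    have = defined_structs(dwarf_text)
    return [name for name in expected if name not in have]

# Constructed excerpt: task_struct and hlist_head defined, dentry forward-declared only, rest absent.
SAMPLE_DWARF = """\
< 1><0x0000002a>    DW_TAG_structure_type
                      DW_AT_name                  task_struct
                      DW_AT_byte_size             1728
< 2><0x00000034>      DW_TAG_member
                        DW_AT_name                  state
< 1><0x00000040>    DW_TAG_structure_type
                      DW_AT_name                  dentry
                      DW_AT_declaration           yes(1)
< 1><0x00000048>    DW_TAG_structure_type
                      DW_AT_name                  hlist_head
                      DW_AT_byte_size             0x8
"""
```

Run `missing_structs(open("module.dwarf").read())` on the real dump: an empty dump makes every structure come back missing, which points at CONFIG_DEBUG_INFO not having taken effect in the module build, while a partial list points at the kernel source or .config used for the build not matching the running kernel.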