Thanks again Andrew for the assistance and for the Makefile. So here is a
brief summary for creating the Android profile, following the Linux
example here (https://code.google.com/p/volatility/wiki/LinuxMemoryForensics):
DISCLAIMER: I'm using a Mac OS X system.
- I modified the Makefile sent by Andrew, placed under
volatility/tools/linux/Makefile, adding the options for cross-compiling as
in the LiME kernel module. Basically the modifications are the following:

CCPATH := /path/to/android-ndk/toolchains/arm-linux-androideabi-4.4.3/prebuilt/darwin-x86/bin

dwarf: module.c
	$(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- -C $(KDIR) CONFIG_DEBUG_INFO=y M=$(PWD) modules
- The last instruction of the Makefile, "dwarfdump -di module.ko >
module.dwarf", originally used the -di option. But -d appears not to be a
valid option anymore. Checking the man page, the alternatives for debugging
options are the following:
--debug-abbrev, --debug-aranges, --debug-frame[=OFFSET],
--debug-info[=OFFSET], --debug-inlined, --debug-line[=OFFSET],
--debug-macinfo[=OFFSET], --debug-pubnames[=PATTERN],
--debug-pubtypes[=PATTERN], --debug-str
debug-info is the default (which, looking at the output of "head
module.dwarf", seems to be the correct one), so I tried just removing the
-d and also putting --debug-info without any offset value, but this is what
I get as content of the module.dwarf file:
hydra:linux paco$ cat module.dwarf
----------------------------------------------------------------------
File: module.ko (arm)
----------------------------------------------------------------------
.debug_info contents:
< EMPTY >
- The last step to make the profile is to zip the module.dwarf file and the
System.map of the kernel. After searching around, I found that the System.map
file for Android is /proc/kallsyms (probably you all already knew it, but I
didn't know this :) ).
Attached is the Makefile I used. If all the rest of the steps I did are
right, it's missing the right debug option for the dwarfdump command. I've
tried the others too, but none of them seem to give the right output. Any tips
on this?
Thanks
P.
On Fri, Feb 15, 2013 at 5:41 PM, Andrew Case <atcuno(a)gmail.com> wrote:
Hello,
We are currently testing a stripped-down Makefile to help people
compile for different kernels than the one of the system they are
on (which includes Android). Can you please try the attached Makefile?
You will need to change the KDIR variable to point to your kernel
headers or source.
On Fri, Feb 15, 2013 at 5:55 AM, Pasquale Stirparo <pstirparo(a)gmail.com>
wrote:
Hi All,
I'm trying to make a profile for an Android device.
I did a memory dump with LiME of an HTC One X (Android 4.0.3, HTC Sense 4.0,
kernel 2.6.39.4-g6b459dc).
Now, following the instructions here
https://code.google.com/p/volatility/wiki/LinuxMemoryForensics , I was
trying to understand how to modify the Makefile under
volatility/tools/linux/ in order to point to my kernel source. The thing
is that from my kernel source folder I couldn't find a proper value for
KDIR and KVER (although they should be pretty straightforward according
to their names) that would fit with the path for the make command as in
the following source code:

pmem: pmem.c
	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) modules

dwarf: module.c
	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build CONFIG_DEBUG_INFO=y M=$(PWD) modules
	dwarfdump -di module.ko > module.dwarf
	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) clean
Has anyone ever created an Android profile? Any hint?
I've seen in the mailing list archive a thread "Profile (ZIP) for Android
4.0.3" from Mike (in Cc); any news about that?
Thank you
P.
--
Pasquale Stirparo, MEng
GCFA, OPST, OWSE, ECCE
European Commission - JRC Joint Research Centre
Institute for the Protection and Security of the Citizen (IPSC)
Digital Citizen Security Unit
Via E. Fermi, 2749 - TP 361
21027 Ispra (VA) - Italy
PGP Key: 0x4C589FB2
Fingerprint: 776D F072 3F43 D5DE CB55 86D2 55FF 14A7 4C58 9FB2
Disclaimer: The views expressed are purely those of the writer and may not
in any circumstance be regarded as stating an official position of the
European Commission.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
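The packaging step discussed above (zip module.dwarf together with the kernel's System.map, which on the device is taken from /proc/kallsyms), as an added example that is not part of this thread and is not code from the Volatility project. It validates both inputs before zipping: a dwarfdump output that still carries the "< EMPTY >" marker or has no DW_TAG_ records is rejected, and a kallsyms copy whose addresses are all zero (what an unprivileged reader gets when kptr_restrict is in effect) is rejected, because a profile built from either would be useless. The file names inside the zip, the sample file contents, the demo zip name and the zip command line are assumptions; the samples are constructed here, not real device output.

```shell
#!/bin/sh
# Added example (not from the thread, not Volatility's own tooling): check a
# dwarfdump output file and a /proc/kallsyms copy, then zip them as a
# Linux/Android profile. Names and sample contents below are assumptions.

# dwarf_ok FILE: succeed only if FILE contains real DWARF records.
dwarf_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    # The failing run in the thread printed "< EMPTY >" under
    # ".debug_info contents:", so treat that marker as a hard failure.
    if grep -q '< EMPTY >' "$f"; then
        return 1
    fi
    # A usable dump carries DW_TAG_ records (structure_type, member, ...).
    grep -q 'DW_TAG_' "$f"
}

# sysmap_ok FILE: succeed only if at least one symbol has a non-zero address.
sysmap_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    # /proc/kallsyms lines look like "c0008000 T stext". When kptr_restrict
    # hides kernel pointers from the reader, every address is 00000000 and
    # the resulting System.map cannot resolve anything.
    awk 'NF >= 3 && $1 !~ /^0+$/ { found = 1 } END { exit(found ? 0 : 1) }' "$f"
}

# build_profile DWARF KALLSYMS OUT.zip: validate, then package the two files
# under the names module.dwarf and System.map (the layout the wiki describes).
build_profile() {
    dwarf="$1"; kallsyms="$2"; out="$3"
    dwarf_ok "$dwarf" || { echo "$dwarf: no DWARF info; rebuild with CONFIG_DEBUG_INFO=y" >&2; return 1; }
    sysmap_ok "$kallsyms" || { echo "$kallsyms: no usable symbol addresses" >&2; return 1; }
    tmp=$(mktemp -d) || return 1
    cp "$dwarf" "$tmp/module.dwarf"
    cp "$kallsyms" "$tmp/System.map"
    # -j stores the files without their directory prefix
    zip -q -j "$out" "$tmp/module.dwarf" "$tmp/System.map"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Constructed sample inputs (not real device output) so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good.dwarf" <<'EOF'
.debug_info
<0><0x0+0xb><DW_TAG_compile_unit> DW_AT_producer<"GNU C 4.4.3"> DW_AT_name<"module.c">
<1><0x2d><DW_TAG_structure_type> DW_AT_name<"task_struct"> DW_AT_byte_size<0x5c0>
<2><0x34><DW_TAG_member> DW_AT_name<"pid"> DW_AT_data_member_location<0xc8>
EOF
cat > "$SAMPLE_DIR/empty.dwarf" <<'EOF'
----------------------------------------------------------------------
File: module.ko (arm)
----------------------------------------------------------------------
.debug_info contents:
< EMPTY >
EOF
cat > "$SAMPLE_DIR/good.kallsyms" <<'EOF'
c0008000 T stext
c0008040 t __create_page_tables
c03a1e80 D init_task
EOF
cat > "$SAMPLE_DIR/zero.kallsyms" <<'EOF'
00000000 T stext
00000000 t __create_page_tables
00000000 D init_task
EOF

# ./profile.sh --demo writes a zip (assumed name) from the good samples.
if [ "${1:-}" = "--demo" ]; then
    build_profile "$SAMPLE_DIR/good.dwarf" "$SAMPLE_DIR/good.kallsyms" HTCOneX-2.6.39.4.zip && echo "profile written"
fi
```

The two checks only establish that the inputs are non-empty. Volatility's Linux profile loader parses the line format of libdwarf's dwarfdump (records of the form <1><0x2d><DW_TAG_structure_type> ...), so a module.dwarf produced by a different dwarfdump implementation can pass dwarf_ok and still fail to load; if the profile does not load, compare the first lines of module.dwarf against that format before suspecting the System.map.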