Hi Andrew,

 

Thanks again for your reply.

I have manage to build the kernel, retrieve the System.map file and build a  profile with it.

However, volatility does not give any output nor error as can be seen below:

 

$ python vol.py --profile=LinuxprofileHtcOneV-IcsARM -f /dump.lime linux_pslist

Volatile Systems Volatility Framework 2.3_beta

WARNING : volatility.obj      : Overlay structure tty_struct not present in vtypes

Offset     Name                 Pid             Uid             Gid    DTB        Start Time

---------- -------------------- --------------- --------------- ------ ---------- ----------

( empty )

 

As indicated in your last mail, the build System.map and the device Kallsyms  are not equal.

However, besides not having the same symbols as System.map the memory addresses also differ.

Is this expected or is this because I have done something wrong?

I.e.:

 

System.map (builded kernel):

c0008200 t set_reset_devices

c0008224 t debug_kernel

c000824c t quiet_kernel

 

Kallsyms (from device):

                c0008200 t set_reset_devices

c0008218 t debug_kernel

c0008230 t quiet_kernel

 

 

Moreover, is it known which symbols are exactly missing in the Kallsyms file that are noted in the System.map and can I implement a work around for this?

Furthermore,  in another post (http://lists.volatilesystems.com/pipermail/vol-users/2013-February/000770.html)  Michael Hale Ligh indicated:  

“Only as a last resort use /proc/kallsyms and even in that case, delete the lines related to lime so

it doesn't raise ValueError”. Thus if I delete all lime related lines in the kallsyms then it would work?

 

 

Best regards,

 

Winston

 

 

 

 

From: Andrew Case [mailto:atcuno@gmail.com]
Sent: Wednesday, August 14, 2013 7:58 PM
To: Winston Siauw (DT)
Cc: vol-users@volatilityfoundation.org
Subject: Re: [Vol-users] custom Android profile: No suitable address space

 

Hello,

We are working on new documentation for this issue and actually hope to develop a workaround if at all possible. The issue is that kallsyms, while having a different file format as you noticed, does not contain all of the same symbols as System.map and because of this Volatility cannot use a profile that has kallsyms output. There are symbols in System.map that are currently required for Volatility to operate and these symbols are not contained in kallsyms.

If you can obtain the System.map file for the kernel you wish to analyze then please use that and incorporate it into the profile.

Thanks,
Andrew

 

On Wed, Aug 14, 2013 at 3:28 AM, Winston Siauw (DT) <winston@holmes.nl> wrote:

Hi All,

 

Currently, I am using Volatility to analyze  a lime dump of an Android device and I have the same error message as the post of  the ”no suitable address space mapping found” (http://lists.volatilesystems.com/pipermail/vol-users/2013-July/000942.html).

 

I have followed the steps as indicated in the Volatility Android memory forensic instructions (https://code.google.com/p/volatility/wiki/AndroidMemoryForensics) and listed them below the dotted line in this mail.

However,  the error “No suitable address space mapping found ” is showing.

 

Anybody have any idea what is going / I am doing  wrong ? (please see the steps I have performed below)

 

 

Winston

 

*****************************************

Steps I followed:

 

Memory research of Device : HTC One V

kernel device primou-ics-crc-3.0.16-133e482

Android : 4.0.3

Host system for Volatility: Ubuntu 13.04

Python 2.7.4 (default, Apr 19 2013, 18:32:33)

[GCC 4.7.3] on linux2

 

 

Steps as followed from https://code.google.com/p/volatility/wiki/AndroidMemoryForensics except for the emulator steps:

 

1.       Downloaded lime, cross compiled lime and build a *.ko file and created a lime.dump (format=lime) file

2.       Downloaded Volatility, created a zip profile

a.       System.map retrieved from the device at /proc/kallsyms

b.      Module.dwarf  

$ head module.dwarf

 

.debug_info

 

<0><0x0+0xb><DW_TAG_compile_unit> DW_AT_producer<"GNU C 4.7"> DW_AT_language<DW_LANG_C89> DW_AT_name<"/android/volatility-2.2/tools/linux/module.c"> DW_AT_comp_dir<"/home/winston/htc/primou-ics-crc-3.0.16-133e482"> DW_AT_stmt_list<0x00000000>

<1><0x1d><DW_TAG_typedef> DW_AT_name<"__s8"> DW_AT_decl_file<0x00000001 include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000013> DW_AT_type<<0x00000028>>

<1><0x28><DW_TAG_base_type> DW_AT_byte_size<0x00000001> DW_AT_encoding<DW_ATE_signed_char> DW_AT_name<"signed char">

<1><0x2f><DW_TAG_typedef> DW_AT_name<"__u8"> DW_AT_decl_file<0x00000001 include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000014> DW_AT_type<<0x0000003a>>

<1><0x3a><DW_TAG_base_type> DW_AT_byte_size<0x00000001> DW_AT_encoding<DW_ATE_unsigned_char> DW_AT_name<"unsigned char">

<1><0x41><DW_TAG_typedef> DW_AT_name<"__s16"> DW_AT_decl_file<0x00000001 include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000016> DW_AT_type<<0x0000004c>>

<1><0x4c><DW_TAG_base_type> DW_AT_byte_size<0x00000002> DW_AT_encoding<DW_ATE_signed> DW_AT_name<"short int">

 

3.       Using Volatility 2.2 and I have tried  volatility 2.3-development and the latest volatility from svn co  https://volatility.googlecode.com/svn/trunk (latest check out at 9th of august 2013)

a.       $ python vol.py –info

LinuxprofileHTCOneV2x86 - A Profile for Linux profileHTCOneV2 x86

b.      Note, I implemented a work around since my system.map / proc/kallsyms  sometimes contained four columns instead of 3.

Part of my system.map file:

                c0682d70 A _etext

bf005000 t dhd_sleep_pm_callback         [bcmdhd]

Error:

 File "/android/volatility-2.2/volatility/plugins/overlays/linux/linux.py", line 86, in parse_system_map

    (str_addr, symbol_type, symbol) = line.strip().split()

ValueError: too many values to unpack

                                                Work around :

Added in /android/volatility-2.2/volatility/plugins/overlays/linux/linux.py, line 87:

        (str_addr, symbol_type, symbol) = line.strip().split()[0:3]     //added work around

     #(str_addr, symbol_type, symbol) = line.strip().split()               // original

c.       $ python vol.py --profile=LinuxprofileHTCOneV2x86 -f /android/resultfiles/HTVOneV/lime7-31-13_1317.lime linux_pslist

Volatile Systems Volatility Framework 2.3_alpha

WARNING : volatility.obj      : Overlay structure cpuinfo_x86 not present in vtypes

Offset     Name                 Pid             Uid             Start Time

---------- -------------------- --------------- --------------- ----------

No suitable address space mapping found

Tried to open image as:

MachOAddressSpace: mac: need base

LimeAddressSpace: lime: need base

WindowsHiberFileSpace32: No base Address Space

WindowsCrashDumpSpace64: No base Address Space

WindowsCrashDumpSpace32: No base Address Space

JKIA32PagedMemoryPae: No base Address Space

AMD64PagedMemory: No base Address Space

JKIA32PagedMemory: No base Address Space

IA32PagedMemoryPae: Module disabled

IA32PagedMemory: Module disabled

MachOAddressSpace: MachO Header signature invalid

MachOAddressSpace: MachO Header signature invalid

LimeAddressSpace: Invalid Lime header signature

WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile

WindowsCrashDumpSpace64: Header signature invalid

WindowsCrashDumpSpace32: Header signature invalid

JKIA32PagedMemoryPae - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'long'

AMD64PagedMemory: Incompatible profile LinuxprofileHTCOneV2x86 selected

JKIA32PagedMemory - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'long'

IA32PagedMemoryPae: Module disabled

IA32PagedMemory: Module disabled

FileAddressSpace: Must be first Address Space

ArmAddressSpace - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'long'

 

 

 

 

 

 

 

 

 

 

 

 

 


_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users