Re: [Vol-users] Creating profile for android

wrote:

Sorry guys... somehow I manage to push the keyboard shortcut and send the email before finishing. I'm sending it again compleet now. Hi Andrew, A summary hopefully useful also for others (especially mac users) 1) Thanks for the link related to dwarfdump, it worked indeed. It requires some dependancies, particularly for Mac OS X users libelf and elf.h (you can find it attached). This are the steps I followed: - install libelf (you can download it from here http://freecode.com/projects/libelf) - copy the file elf.h (attached) to /usr/include - compile dwarfdump (http://reality.sgiweb.org/davea/dwarf.html) - There is no make install, the make will compile the different tools. The developer suggest to use the new version .../dwarfdump2/dwarfdump. I'm also attaching the makefile sample updated to this. 2) Thanks. As I wrote in my previous email, I had find out that if exporting from the phone, on android you could find it under /proc/kallsyms :) So, dwarfdump created a valid module.dwarf file and I did zip both it and kallsyms in HTCOneX.zip, and placed it inside the overlays/linux folder as follow (I've been trying using both volatility versions, the latest you can get from git and the 2.3_alpha from DFWRS): hydra:linux paco$ zip /Users/paco/Documents/Projects/HTCOneX-vol-profile.zip module.dwarf /Users/paco/Documents/Tools/HTC-OneX/endeavoru-2.6.39-6b459dc/kallsyms adding: module.dwarf (deflated 90%) adding: Users/paco/Documents/Tools/HTC-OneX/endeavoru-2.6.39-6b459dc/kallsyms (deflated 75%) hydra:linux paco$ cp /Users/paco/Documents/Projects/HTCOneX-vol-profile.zip /Users/paco/Documents/Projects/sample-Rodeo2012/Volatility\ 2.3-devel/volatility/plugins/overlays/linux/HTCOneX.zip hydra:linux paco$ cp /Users/paco/Documents/Projects/HTCOneX-vol-profile.zip /Users/paco/Documents/Tools/volatility/volatility-read-only/volatility/plugins/overlays/linux/HTCOneX.zip But when I run it I get still the error: # python vol.py --profile=HTCOneX -f /Users/paco/Documents/Projects/memdump/20130213-2-htconex.lime linux_pslist ... ERROR : volatility.addrspace: Invalid profile HTCOneX selected So chatting on the IRC channel with udgover, he suggested to have a look at volatility/plugins/overlays/linux.py file. In this file there is LinuxProfileFactory where it checks for "system.map" file. So I've tried to add the same routine for kallsyms. But it didn't work. I even tried to rename kallsyms to System.map and then zip it with module.dwarf. Still the same error. I'll keep trying, if you have any clue in the meantime of the reason of the above error... here I am :) Thanks guys P. On Wed, Feb 20, 2013 at 3:42 AM, Andrew Case &lt;atcuno(a)gmail.com&gt; wrote: > Hello, > > Sorry for taking so long to respond... > > There are a couple issues: > > 1) You need to use dwarfump from > http://reality.sgiweb.org/davea/dwarf.html , not the os x supplied > dwarfdump for Linux support. > > 2) You can get System.map values from a few places. First, check if > the source distributed for your kernel has it. Second, see if the > phone exports /proc/kallsyms. If neither of those work then we will > have to find another solution. > > Thanks, > Andrew > > On Sat, Feb 16, 2013 at 7:46 AM, Pasquale Stirparo < > pstirparo(a)gmail.com&gt; wrote: > > Thanks again Andrew for the assistance and for the Makefile. So here > a brief > > summary for creating the Android profile, following the linux > example here > > (https://code.google.com/p/volatility/wiki/LinuxMemoryForensics) > > > > DISCLAIMER: I'm using a Mac OS X system. > > > > - I modified the Makefile sent by Andrew, placed under > > volatility/tools/linux/Makefile, adding the options for > cross-compiling as > > from the LiME kernel module. Basically the modifications are the > following: > > > > CCPATH := > > > /path/to/android-ndk/toolchains/arm-linux-androideabi-4.4.3/prebuilt/darwin-x86/bin > > > > dwarf: module.c > > $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- -C > $(KDIR) > > CONFIG_DEBUG_INFO=y M=$(PWD) modules > > > > > > - The last instruction of the makefile "dwarfdump -di module.ko > > > module.dwarf" was originally with -di option. But -d appears to be > not a > > valid option anymore. Checking the man page, the alternatives for > debugging > > options are the following > > --debug-abbrev, --debug-aranges, --debug-frame[=OFFSET], > > --debug-info[=OFFSET], --debug-inlined, --debug-line[=OFFSET], > > --debug-macinfo[=OFFSET], --debug-pubnames[=PATTERN], > > --debug-pubtypes[=PATTERN], --debug-str > > debug-info is the default (which looking at the output of "head > > module.dwarf" seems to be the correct one), so i tried just to > remove the -d > > and also to put --debug-info without any offset value, but this is > what I > > get as content of the module.dwarf file > > hydra:linux paco$ cat module.dwarf > > > ---------------------------------------------------------------------- > > File: module.ko (arm) > > > ---------------------------------------------------------------------- > > .debug_info contents: > > < EMPTY > > > > > - The last step to make the profile is to zip the module.dwarf file > and the > > System.map of the kernel. After searching around, I found that > System.map > > file for android is /proc/kallsyms (probably you all already knew > it, but I > > didn't know this :) ). > > > > > > Attached the make file I used, if all the rest of the steps I did > are right, > > it's missing the right debug option for the dwarfdump command. I've > tried > > also the others but no one seems to give the right output. Any tips > on this? > > Thanks > > > > P. > > > > > > > > On Fri, Feb 15, 2013 at 5:41 PM, Andrew Case &lt;atcuno(a)gmail.com&gt; > wrote: > >> > >> Hello, > >> > >> We are currently testing a stripped down Makefile to help people > >> compiling for different kernels than the one for the system they are > >> on (which includes Android). Can you please try the attached > makefile? > >> You will need to change the KDIR varabile to point to your kernel > >> headers or source. > >> > >> On Fri, Feb 15, 2013 at 5:55 AM, Pasquale Stirparo < > pstirparo(a)gmail.com&gt; > >> wrote: > >> > Hi All, > >> > > >> > I'm trying to make a profile for android device. > >> > I did a memory dump with LiME of an HTC One X (Android 4.0.3, HTC > Sense > >> > 4.0, > >> > kernel 2.6.39.4-g6b459dc). > >> > > >> > Now, following the instruction here > >> > https://code.google.com/p/volatility/wiki/LinuxMemoryForensics , > I was > >> > trying to understand how to modify the makefile under > >> > volatility/tools/linux/ , in order to point to my kernel source. > The > >> > thing > >> > is that in from my kernel source folder I couldn't find a proper > value > >> > for > >> > KDIR and KVER (although they should be pretty straightforward > according > >> > to > >> > their name) that would fit with the path for make command as from > the > >> > following source code: > >> > > >> > pmem: pmem.c > >> > $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) > modules > >> > > >> > dwarf: module.c > >> > $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build > CONFIG_DEBUG_INFO=y > >> > M=$(PWD) modules > >> > dwarfdump -di module.ko > module.dwarf > >> > $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) > clean > >> > > >> > > >> > Did anyone ever created an android profile? Any hint? > >> > I've seen in the mailing list archive a thread "Profile (ZIP) for > >> > Android > >> > 4.0.3" from Mike (in Cc), any news about that? > >> > > >> > Thank you > >> > > >> > P. > >> > > >> > -- > >> > Pasquale Stirparo, MEng > >> > GCFA, OPST, OWSE, ECCE > >> > > >> > European Commission - JRC Joint Research Centre > >> > Institute for the Protection and Security of the Citizen (IPSC) > >> > Digital Citizen Security Unit > >> > Via E. Fermi, 2749 - TP 361 > >> > 21027 Ispra (VA) - Italy > >> > > >> > PGP Key: 0x4C589FB2 > >> > Fingerprint: 776D F072 3F43 D5DE CB55 86D2 55FF 14A7 4C58 9FB2 > >> > > >> > Disclaimer: The views expressed are purely those of the writer > and may > >> > not > >> > in any circumstance be regarded as stating an official position > of the > >> > European Commission. > >> > > >> > _______________________________________________ > >> > Vol-users mailing list > >> > Vol-users(a)volatilityfoundation.org > >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > >> > > > > > > > > > > > -- > > Pasquale Stirparo, MEng > > GCFA, OPST, OWSE, ECCE > > > > European Commission - JRC Joint Research Centre > > Institute for the Protection and Security of the Citizen (IPSC) > > Digital Citizen Security Unit > > Via E. Fermi, 2749 - TP 361 > > 21027 Ispra (VA) - Italy > > > > PGP Key: 0x4C589FB2 > > Fingerprint: 776D F072 3F43 D5DE CB55 86D2 55FF 14A7 4C58 9FB2 > > > > Disclaimer: The views expressed are purely those of the writer and > may not > > in any circumstance be regarded as stating an official position of > the > > European Commission. > -- Pasquale Stirparo, MEng GCFA, OPST, OWSE, ECCE European Commission - JRC Joint Research Centre Institute for the Protection and Security of the Citizen (IPSC) Digital Citizen Security Unit Via E. Fermi, 2749 - TP 361 21027 Ispra (VA) - Italy PGP Key: 0x4C589FB2 Fingerprint: 776D F072 3F43 D5DE CB55 86D2 55FF 14A7 4C58 9FB2 Disclaimer: The views expressed are purely those of the writer and may not in any circumstance be regarded as stating an official position of the European Commission. _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users