Hi Andrew, 

apologies for the late reply. 

I've first compiled the module changing some paths in the Makefile for using as a root linux directory the path of my cross compiled kernel. 

Then I've created the profile as described in the documentation. Using the system.map in the cross compiled kernel 

For lime I've used: insmod lime.ko path=/filepath.dump format=lime 





On 6 April 2014 20:24, Andrew Case <atcuno@gmail.com> wrote:
Can you please send the command line input/output from when you created
the profile and when you used LiME to acquire memory? This will greatly
help us debug the issue.

Thanks,
Andrew (@attrc)

On 4/2/2014 5:49 AM, Roberto Martelloni wrote:
> off course. here in the attachment.
>
>
>
> On Wed, Apr 2, 2014 at 3:42 AM, Joe Sylve <joe.sylve@gmail.com
> <mailto:joe.sylve@gmail.com>> wrote:
>
>     Can you give us the debug output?
>
>
>     On Tue, Apr 1, 2014 at 5:28 AM, Roberto Martelloni
>     <rmartelloni@gmail.com <mailto:rmartelloni@gmail.com>> wrote:
>
>         Hi all,
>
>         I've followed the documentation to first dump the memory device
>         cross compiling lime and then creating the profile for a linux
>         device on arm.
>
>         Unfortunately I wasn't able to use volatility on the memory dump.
>         I'm using volatility 2.3.1, the kernel is a linux vanilla
>         2.6.31.14 + a custom grsecurity+pax configuration.
>
>         Below some output from the commands, any suggestion on next step
>         to troubleshoot where is the problem ?
>
>         boos@vnoise:~/Downloads/volatility-2.3.1$ python vol.py --info |
>         grep Profile | grep Linux
>         Volatility Foundation Volatility Framework 2.3.1
>         LinuxTESTARM       - A Profile for Linux TEST ARM
>
>
>         $ python vol.py -f /home/boos/arm-mem-image imageinfo
>         Determining profile based on KDBG search...
>
>                   Suggested Profile(s) : No suggestion (Instantiated
>         with LinuxUbuntu1204x64)
>                              AS Layer1 : LimeAddressSpace (Unnamed AS)
>                              AS Layer2 : FileAddressSpace
>         (/home/boos/arm-mem-image)
>                               PAE type : No PAE
>                                    DTB : 0x1c0d000L
>
>         Traceback (most recent call last):
>           File "vol.py", line 184, in <module>
>             main()
>           File "vol.py", line 175, in main
>             command.execute()
>           File
>         "/home/boos/Downloads/volatility-2.3.1/volatility/commands.py",
>         line 122, in execute
>             func(outfd, data)
>           File
>         "/home/boos/Downloads/volatility-2.3.1/volatility/plugins/imageinfo.py",
>         line 36, in render_text
>             for k, v in data:
>           File
>         "/home/boos/Downloads/volatility-2.3.1/volatility/plugins/imageinfo.py",
>         line 93, in calculate
>             kdbgoffset = volmagic.KDBG.v()
>           File
>         "/home/boos/Downloads/volatility-2.3.1/volatility/obj.py", line
>         737, in __getattr__
>             return self.m(attr)
>           File
>         "/home/boos/Downloads/volatility-2.3.1/volatility/obj.py", line
>         719, in m
>             raise AttributeError("Struct {0} has no member
>         {1}".format(self.obj_name, attr))
>         AttributeError: Struct VOLATILITY_MAGIC has no member KDBG
>
>         boos@vnoise:~/Downloads/volatility-2.3.1$ python vol.py
>         --profile LinuxTESTARM -f /home/boos/arm-mem-image linux_dmesg
>         Volatility Foundation Volatility Framework 2.3.1
>         No suitable address space mapping found
>         Tried to open image as:
>          MachOAddressSpace: mac: need base
>          LimeAddressSpace: lime: need base
>          WindowsHiberFileSpace32: No base Address Space
>          WindowsCrashDumpSpace64: No base Address Space
>          HPAKAddressSpace: No base Address Space
>          VirtualBoxCoreDumpElf64: No base Address Space
>          VMWareSnapshotFile: No base Address Space
>          WindowsCrashDumpSpace32: No base Address Space
>          AMD64PagedMemory: No base Address Space
>          IA32PagedMemoryPae: No base Address Space
>          IA32PagedMemory: No base Address Space
>          MachOAddressSpace: MachO Header signature invalid
>          MachOAddressSpace: MachO Header signature invalid
>          LimeAddressSpace: Invalid Lime header signature
>          WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in
>         profile
>          WindowsCrashDumpSpace64: Header signature invalid
>          HPAKAddressSpace: Invalid magic found
>          VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
>          VMWareSnapshotFile: Invalid VMware signature: 0x0
>          WindowsCrashDumpSpace32: Header signature invalid
>          AMD64PagedMemory: Incompatible profile LinuxTESTARM selected
>          IA32PagedMemoryPae: Failed valid Address Space check
>          IA32PagedMemory: Failed valid Address Space check
>          FileAddressSpace: Must be first Address Space
>          ArmAddressSpace: Failed valid Address Space check
>
>
>         --
>         Roberto Martelloni
>         boos @ http://boos.core-dumped.info <http://boos.core-dumped.info/>
>
>
>
>         _______________________________________________
>         Vol-users mailing list
>         Vol-users@volatilityfoundation.org <mailto:Vol-users@volatilityfoundation.org>
>         http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
>
>
>
> --
> Roberto Martelloni
> boos @ http://boos.core-dumped.info <http://boos.core-dumped.info/>
>
>
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users@volatilesystems.com
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>



--
Roberto Martelloni
boos @ http://boos.core-dumped.info