Hello!
I posted this question already, but I could not find it in the
archive, so I am trying again.
I am doing some research on RAM extraction and analysis in Android (6
Marshmallow). I succeeded in compiling my own Kernel with enabled
CONFIG_MODULE_LOAD and installing it onto my Nexus 5X. Creating the
LiME module to extract the RAM was also successful, I could get a
memory dump of the device on my computer. In a Hex-editor, I can see
content of the RAM (boot pictures, text messages,…).
I also asked this question on Stack Overflow, where it is more readable
because of the formatting:
https://stackoverflow.com/questions/44807171/keyerror-int128-unsigned-in-dw…
But now I have problems using Volatility 2.6. My steps so far:
• get volatility
    git clone https://github.com/volatilityfoundation/volatility.git
    cd volatility/tools/linux
• Adjust Makefile (I also had to uncomment #define RADIX_TREE_MAX_TAGS 2
  in the module.o, otherwise I got an error during make)
    obj-m += module.o
    KDIR := /root/compile/msm/
    CCPATH := /root/compile/msm/aarch64-linux-android-4.9/bin
    -include version.mk
    all: dwarf
    dwarf: module.c
        $(MAKE) ARCH=arm64 CROSS_COMPILE=$(CCPATH)/aarch64-linux-android- -C $(KDIR) \
            CONFIG_DEBUG_INFO=y M=$(PWD) modules
        dwarfdump -di module.ko > module.dwarf
    make
• Combine System.map (created during kernel compilation) and
  module.dwarf (created during make) and copy the .zip into the
  overlays directory
    zip Nexus5X.zip module.dwarf ../../../System.map
    cp Nexus5X.zip ../../volatility/plugins/overlays/linux/
• run volatility
    python vol.py --profile=LinuxNexus5Xx64 -f /root/Documents/nexus-ram.dump linux_pslist
The parameters are all correct: the profile exists, so does the file, and
linux_pslist is a valid command. But even with other commands such as
linux_cpuinfo, I get the following error:
root@kali:~/compile/msm/volatility-2.6# python vol.py --profile=LinuxNexus5Xx64 -f /root/Documents/nexus-ram.dump linux_pslist
Volatility Foundation Volatility Framework 2.6
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
    main()
  File "vol.py", line 183, in main
    command.execute()
  File "/root/compile/msm/volatility-2.6/volatility/plugins/linux/common.py", line 64, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/root/compile/msm/volatility-2.6/volatility/commands.py", line 116, in execute
    if not self.is_valid_profile(profs[self._config.PROFILE]()):
  File "/root/compile/msm/volatility-2.6/volatility/plugins/overlays/linux/linux.py", line 216, in __init__
    obj.Profile.__init__(self, *args, **kwargs)
  File "/root/compile/msm/volatility-2.6/volatility/obj.py", line 862, in __init__
    self.reset()
  File "/root/compile/msm/volatility-2.6/volatility/plugins/overlays/linux/linux.py", line 227, in reset
    self.load_vtypes()
  File "/root/compile/msm/volatility-2.6/volatility/plugins/overlays/linux/linux.py", line 264, in load_vtypes
    vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
  File "/root/compile/msm/volatility-2.6/volatility/dwarf.py", line 71, in __init__
    self.feed_line(line)
  File "/root/compile/msm/volatility-2.6/volatility/dwarf.py", line 162, in feed_line
    self.process_statement(**parsed) #pylint: disable-msg=W0142
  File "/root/compile/msm/volatility-2.6/volatility/dwarf.py", line 225, in process_statement
    self.id_to_name[statement_id] = [self.base_type_name(data)]
  File "/root/compile/msm/volatility-2.6/volatility/dwarf.py", line 125, in base_type_name
    return self.tp2vol[data['DW_AT_name'].strip('"')]
KeyError: '__int128 unsigned'
Can you help me figure out the error and how to solve it? Or point me to
any related work that did RAM extraction from Android > 5.0?
The string "__int128 unsigned" appears twice inside the module.dwarf. I
posted the module.dwarf here, as it would be too big for this mail (it
takes some time until the web page appears):
http://chopapp.com/#b27ludkk
Thanks in advance!
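The traceback above ends in a name-keyed lookup (tp2vol[...]) that has no entry for the 16-byte base type the aarch64 toolchain emitted. The following is an added illustration, not code from Volatility or from the poster: a minimal parser for dwarfdump-style DW_TAG_base_type records with two mapping strategies, the strict by-name lookup that reproduces the KeyError, and a lenient variant that falls back on DW_AT_byte_size and DW_AT_encoding so that a type no table knows about is still given a width, which is what keeps subsequent struct member offsets correct. The name table, the size table, the array form ['array', n, ['type']] and the sample dwarfdump text are all assumptions constructed for this example.

```python
import re

# Assumed name -> vtype table; modelled on the shape implied by the
# traceback (tp2vol[name]), not copied from Volatility.
BY_NAME = {
    "char": "char",
    "unsigned char": "unsigned char",
    "short int": "short",
    "short unsigned int": "unsigned short",
    "int": "int",
    "unsigned int": "unsigned int",
    "long int": "long",
    "long unsigned int": "unsigned long",
    "long long int": "long long",
    "long long unsigned int": "unsigned long long",
    "_Bool": "unsigned char",
}

# Fallback keyed on (byte size, is_unsigned) for names the table lacks.
BY_SIZE = {
    (1, False): "char", (1, True): "unsigned char",
    (2, False): "short", (2, True): "unsigned short",
    (4, False): "int", (4, True): "unsigned int",
    (8, False): "long long", (8, True): "unsigned long long",
}

# Constructed sample in the layout of `dwarfdump -di` output (not the
# poster's module.dwarf): a plain int and the 16-byte type from the error.
SAMPLE_DWARF = """\
< 1><0x0000002a>    DW_TAG_base_type
                      DW_AT_byte_size             0x00000004
                      DW_AT_encoding              DW_ATE_signed
                      DW_AT_name                  "int"
< 1><0x00000031>    DW_TAG_base_type
                      DW_AT_byte_size             0x00000010
                      DW_AT_encoding              DW_ATE_unsigned
                      DW_AT_name                  "__int128 unsigned"
"""

TAG_RE = re.compile(r"^<\s*\d+><(0x[0-9a-fA-F]+)>\s+(DW_TAG_\w+)")
ATTR_RE = re.compile(r"^\s+(DW_AT_\w+)\s+(.+?)\s*$")


def parse_base_types(text):
    """Return {die_id: {attribute: raw value}} for every DW_TAG_base_type DIE."""
    dies = {}
    current = None
    for line in text.splitlines():
        m = TAG_RE.match(line)
        if m:
            die_id, tag = m.groups()
            # Only base types are collected; any other tag ends the current DIE.
            current = {} if tag == "DW_TAG_base_type" else None
            if current is not None:
                dies[die_id] = current
            continue
        a = ATTR_RE.match(line)
        if a and current is not None:
            current[a.group(1)] = a.group(2)
    return dies


def base_type_name_strict(attrs):
    """Name-only lookup: raises KeyError for any name missing from BY_NAME."""
    return BY_NAME[attrs["DW_AT_name"].strip('"')]


def strict_lookup_fails(attrs):
    """True when the strict lookup would abort the whole profile load."""
    try:
        base_type_name_strict(attrs)
    except KeyError:
        return True
    return False


def base_type_name_lenient(attrs):
    """Name lookup first, then width/signedness from the DIE's own attributes."""
    name = attrs["DW_AT_name"].strip('"')
    if name in BY_NAME:
        return BY_NAME[name]
    size = int(attrs["DW_AT_byte_size"], 16)
    unsigned = "unsigned" in attrs.get("DW_AT_encoding", "") or "unsigned" in name
    if (size, unsigned) in BY_SIZE:
        return BY_SIZE[(size, unsigned)]
    if size % 8 != 0:
        raise ValueError("no native type of %d bytes for %r" % (size, name))
    # Wider than any native integer (e.g. 16-byte __int128): describe it as
    # an array of 8-byte words so the layout of enclosing structs stays right.
    return ["array", size // 8, [BY_SIZE[(8, unsigned)]]]


def convert(text, mapper):
    """Map every base-type DIE in `text` to a vtype using `mapper`."""
    return {die_id: mapper(attrs) for die_id, attrs in parse_base_types(text).items()}


if __name__ == "__main__":
    for die_id, attrs in parse_base_types(SAMPLE_DWARF).items():
        print(die_id, attrs["DW_AT_name"],
              "strict fails" if strict_lookup_fails(attrs) else "strict ok",
              "->", base_type_name_lenient(attrs))
```

Run against the constructed sample, the strict mapper fails on the second DIE exactly as the traceback does, while the lenient one yields a 16-byte array for it and leaves every known name unchanged. A real fix in the tool would extend the name table or add this width-based fallback; a quick check on the poster's side is grepping module.dwarf for the DW_AT_byte_size that accompanies each "__int128 unsigned" occurrence to confirm it is the 16-byte type.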