[Vol-users] Unable to parse memory on ARMv6.1 with linux 2.6.31.14 + grsec+pax

Hi all, I've followed the documentation to first dump the memory device cross compiling lime and then creating the profile for a linux device on arm. Unfortunately I wasn't able to use volatility on the memory dump. I'm using volatility 2.3.1, the kernel is a linux vanilla 2.6.31.14 + a custom grsecurity+pax configuration. Below some output from the commands, any suggestion on next step to troubleshoot where is the problem ? boos@vnoise:~/Downloads/volatility-2.3.1$ python vol.py --info | grep Profile | grep Linux Volatility Foundation Volatility Framework 2.3.1 LinuxTESTARM - A Profile for Linux TEST ARM $ python vol.py -f /home/boos/arm-mem-image imageinfo Determining profile based on KDBG search... Suggested Profile(s) : No suggestion (Instantiated with LinuxUbuntu1204x64) AS Layer1 : LimeAddressSpace (Unnamed AS) AS Layer2 : FileAddressSpace (/home/boos/arm-mem-image) PAE type : No PAE DTB : 0x1c0d000L Traceback (most recent call last): File "vol.py", line 184, in <module> main() File "vol.py", line 175, in main command.execute() File "/home/boos/Downloads/volatility-2.3.1/volatility/commands.py", line 122, in execute func(outfd, data) File "/home/boos/Downloads/volatility-2.3.1/volatility/plugins/imageinfo.py", line 36, in render_text for k, v in data: File "/home/boos/Downloads/volatility-2.3.1/volatility/plugins/imageinfo.py", line 93, in calculate kdbgoffset = volmagic.KDBG.v() File "/home/boos/Downloads/volatility-2.3.1/volatility/obj.py", line 737, in __getattr__ return self.m(attr) File "/home/boos/Downloads/volatility-2.3.1/volatility/obj.py", line 719, in m raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr)) AttributeError: Struct VOLATILITY_MAGIC has no member KDBG boos@vnoise:~/Downloads/volatility-2.3.1$ python vol.py --profile LinuxTESTARM -f /home/boos/arm-mem-image linux_dmesg Volatility Foundation Volatility Framework 2.3.1 No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space MachOAddressSpace: MachO Header signature invalid MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF64 Header signature invalid VMWareSnapshotFile: Invalid VMware signature: 0x0 WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Incompatible profile LinuxTESTARM selected IA32PagedMemoryPae: Failed valid Address Space check IA32PagedMemory: Failed valid Address Space check FileAddressSpace: Must be first Address Space ArmAddressSpace: Failed valid Address Space check -- Roberto Martelloni boos @ http://boos.core-dumped.info