Hi Sebastien,
The dwarfdump output parser in current trunk is only compatible
with very old versions of dwarfdump (it was always a hack, really). The
correct way to build the profile now is documented here:
In a nutshell you can just embed the .ko file directly in the zip file
- volatility will parse the dwarf info by itself (provided the pyelftools
library is installed).
You can also make a json file which will load much faster:
python volatility/plugins/overlays/linux/dwarfparser.py module.ko > module.json
and embed that in the zip file.
See also issue
Michael.
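The two pitfalls in this thread (a System.map that never yields `init_task`, and a module.dwarf polluted with "dwarfdump: ERROR" lines that the text parser then trips over) can be caught before the zip is ever handed to Volatility. The script below is an added example written for this note, not code from Volatility or from either poster; it assumes only the zip layout described above (a System.map plus one of module.ko, module.json or module.dwarf) and the standard `address type symbol` format of System.map. The sample zips it builds are constructed inline and are not real kernel data.

```python
"""Sanity-check a Volatility Linux profile zip before loading it.

Added example (not part of the Volatility project). Assumes the zip layout
described in the thread: a System.map-* file plus one of module.ko,
module.json (from dwarfparser.py) or module.dwarf (dwarfdump text).
"""
import io
import re
import zipfile

# System.map lines look like "c1234560 D init_task" (address, type, name).
SYSTEM_MAP_LINE = re.compile(r"^([0-9a-fA-F]+) ([A-Za-z]) (\S+)$")


def parse_system_map(text):
    """Return {symbol: address} from System.map text; malformed lines are skipped."""
    symbols = {}
    for line in text.splitlines():
        m = SYSTEM_MAP_LINE.match(line.strip())
        if m:
            symbols[m.group(3)] = int(m.group(1), 16)
    return symbols


def classify_member(name):
    """Map a zip member name to the role it plays in the profile, or None."""
    base = name.rsplit("/", 1)[-1]
    if base.startswith("System.map"):
        return "system_map"
    for ext in ("json", "ko", "dwarf"):
        if base.endswith("." + ext):
            return ext
    return None


def check_profile_zip(zip_path_or_fileobj):
    """Inspect a profile zip and return a report dict with a list of problems."""
    report = {"debug_info": [], "system_map": None, "init_task": None, "problems": []}
    with zipfile.ZipFile(zip_path_or_fileobj) as zf:
        for name in zf.namelist():
            kind = classify_member(name)
            if kind == "system_map":
                symbols = parse_system_map(zf.read(name).decode("utf-8", "replace"))
                report["system_map"] = name
                report["init_task"] = symbols.get("init_task")
            elif kind == "dwarf":
                text = zf.read(name).decode("utf-8", "replace")
                # dwarfdump writes its own diagnostics into stdout, which is
                # exactly what breaks the old text parser ("invalid literal for int()").
                errors = [l for l in text.splitlines() if l.startswith("dwarfdump: ERROR")]
                if errors:
                    report["problems"].append(
                        "%s contains %d dwarfdump error line(s), e.g. %r" % (name, len(errors), errors[0]))
                report["debug_info"].append(name)
            elif kind in ("json", "ko"):
                report["debug_info"].append(name)
    if report["system_map"] is None:
        report["problems"].append("no System.map in zip; profile.constants will be empty")
    elif report["init_task"] is None:
        report["problems"].append("System.map has no init_task symbol; pslist will raise KeyError")
    if not report["debug_info"]:
        report["problems"].append("no module.ko / module.json / module.dwarf in zip")
    return report


def build_zip(members):
    """Build an in-memory zip from {member_name: text}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    buf.seek(0)
    return buf


# Constructed sample data (not from a real kernel): one usable profile and one
# that reproduces the dwarfdump error line quoted in the thread.
GOOD_SYSTEM_MAP = "c0000000 T startup_32\nc1234560 D init_task\nc1234570 d init_pid_ns\n"
BAD_DWARF = ("dwarfdump: ERROR: Attribute 56 (DW_AT_data_member_location) has form 5 "
             "(DW_FORM_data2), a form which is not appropriate\n"
             "(remaining dwarfdump output omitted in this constructed sample)\n")

GOOD_ZIP = build_zip({"module.json": "{}", "System.map-3.0.0-generic": GOOD_SYSTEM_MAP})
BAD_ZIP = build_zip({"module.dwarf": BAD_DWARF, "System.map-2.6.38-fedora": "c0000000 T startup_32\n"})

if __name__ == "__main__":
    for label, z in (("good", GOOD_ZIP), ("bad", BAD_ZIP)):
        r = check_profile_zip(z)
        print(label, "problems:", r["problems"] or "none")
```

Run it against your own `myprofile.zip` by calling `check_profile_zip("myprofile.zip")`; an empty `problems` list means the zip at least has a System.map with `init_task` and a debug-info member that is not contaminated with dwarfdump diagnostics. It does not validate the DWARF or JSON contents themselves; for that, follow the module.json route above and let Volatility load it.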
On 18 July 2012 00:12, Sebastien Bourdon-Richard <sebastienbr(a)gmail.com> wrote:
Hi Michael,
You were right, the problem was related to the profile file (for Ubuntu, not
Fedora). I was using module.ko to generate module.dwarf (with the command
line dwarfdump -di module.ko > module.dwarf). It seems that dwarfdump needs
to be run only on module_dwarf.ko.
Everything works as expected in Ubuntu (with the padded memory dump only).
However, there is still a bug with Fedora.
Here are the commands I used to create the profile file:
1- apt-get install dwarfdump (Ubuntu) or yum install libdwarf-tools
(Fedora)
2- svn checkout
http://volatility.googlecode.com/svn/branches/scudette/tools/linux
linuxProfile
3- cd linuxProfile
4- make
5- dwarfdump -di module_dwarf.ko > module.dwarf
6- sudo zip myprofile.zip module.dwarf /boot/System.map-[…]-generic
When I run dwarfdump in Fedora 15 32-bit, I have a lot of errors like:
dwarfdump: ERROR: Attribute 56 (DW_AT_data_member_location) has form 5
(DW_FORM_data2), a form which is not appropriate
module.dwarf contains data, but when I run volatility with this debug
information, I get an error and I need to specify an address space:
H:\Volatility\Scudette>h:\Python27\python.exe vol.py
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.
IPython 0.13 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help -> Python's own help system.
object? -> Details about 'object', use 'object??' for extra details.
Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: session.filename = "N:\\Lime\\Fedora-15-32bit\\f32.padded"
In [2]: session.profile_file = "N:\\Lime\\Fedora-15-32bit\\myprofile.zip"
In [3]: session.profile = profiles.Linux64
In [4]: vol plugins.pslist
------> vol(plugins.pslist)
ERROR:root:Fatal Error: invalid literal for int() with base 10: 'Attribute'
ERROR:root:Failed running plugin pslist: kernel_address_space not specified.
In [5]: session.kernel_address_space = "standard"
In [6]: vol plugins.pslist
------> vol(plugins.pslist)
Offset Name Pid Uid
ERROR:root:Error: 'init_task'
---------------------------------------------------------------------------
KeyError Traceback (most recent call last)
<ipython-input-6-a5edbfb3c155> in <module>()
----> 1 vol(plugins.pslist)
H:\Volatility\Scudette\volatility\session.pyc in vol(self, plugin_cls, *args, **kwargs)
    217         result = plugin_cls(*args, **kwargs)
    218         try:
--> 219             result.render(ui_renderer)
    220         except KeyboardInterrupt:
    221             self.report_progress("Aborted!\r\n", force=True)
H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in render(self, outfd)
     49                     "Offset", "Name", "Pid", "Uid"))
     50
---> 51         for task in self.pslist():
     52             outfd.write("0x{0:08x} {1:20s} {2:15s} {3:15s}\n".format(
     53                 task.obj_offset, task.comm, str(task.pid), str(task.uid)))
H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in pslist(self)
     35     def pslist(self):
     36         """A generator of task_struct objects for all running tasks."""
---> 37         init_task_addr = self.profile.constants["init_task"]
     38
     39         init_task = self.profile.Object(theType="task_struct",
KeyError: 'init_task'
Thanks for your help!
Sebastien