Hello,

We are working on new documentation for this issue and actually hope to develop a workaround if at all possible. The issue is that kallsyms, while having a different file format as you noticed, does not contain all of the same symbols as System.map and because of this Volatility cannot use a profile that has kallsyms output. There are symbols in System.map that are currently required for Volatility to operate and these symbols are not contained in kallsyms.

If you can obtain the System.map file for the kernel you wish to analyze then please use that and incorporate it into the profile.

Thanks,
Andrew


On Wed, Aug 14, 2013 at 3:28 AM, Winston Siauw (DT) <winston@holmes.nl> wrote:

Hi All,

 

Currently, I am using Volatility to analyze  a lime dump of an Android device and I have the same error message as the post of  the ”no suitable address space mapping found” (http://lists.volatilityfoundation.org/pipermail/vol-users/2013-July/000942.html).

 

I have followed the steps as indicated in the Volatility Android memory forensic instructions (https://code.google.com/p/volatility/wiki/AndroidMemoryForensics) and listed them below the dotted line in this mail.

However,  the error “No suitable address space mapping found ” is showing.

 

Anybody have any idea what is going / I am doing  wrong ? (please see the steps I have performed below)

 

 

Winston

 

*****************************************

Steps I followed:

 

Memory research of Device : HTC One V

kernel device primou-ics-crc-3.0.16-133e482

Android : 4.0.3

Host system for Volatility: Ubuntu 13.04

Python 2.7.4 (default, Apr 19 2013, 18:32:33)

[GCC 4.7.3] on linux2

 

 

Steps as followed from https://code.google.com/p/volatility/wiki/AndroidMemoryForensics except for the emulator steps:

 

1.       Downloaded lime, cross compiled lime and build a *.ko file and created a lime.dump (format=lime) file

2.       Downloaded Volatility, created a zip profile

a.       System.map retrieved from the device at /proc/kallsyms

b.      Module.dwarf  

$ head module.dwarf

 

.debug_info

 

<0><0x0+0xb><DW_TAG_compile_unit> DW_AT_producer<"GNU C 4.7"> DW_AT_language<DW_LANG_C89> DW_AT_name<"/android/volatility-2.2/tools/linux/module.c"> DW_AT_comp_dir<"/home/winston/htc/primou-ics-crc-3.0.16-133e482"> DW_AT_stmt_list<0x00000000>

<1><0x1d><DW_TAG_typedef> DW_AT_name<"__s8"> DW_AT_decl_file<0x00000001 include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000013> DW_AT_type<<0x00000028>>

<1><0x28><DW_TAG_base_type> DW_AT_byte_size<0x00000001> DW_AT_encoding<DW_ATE_signed_char> DW_AT_name<"signed char">

<1><0x2f><DW_TAG_typedef> DW_AT_name<"__u8"> DW_AT_decl_file<0x00000001 include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000014> DW_AT_type<<0x0000003a>>

<1><0x3a><DW_TAG_base_type> DW_AT_byte_size<0x00000001> DW_AT_encoding<DW_ATE_unsigned_char> DW_AT_name<"unsigned char">

<1><0x41><DW_TAG_typedef> DW_AT_name<"__s16"> DW_AT_decl_file<0x00000001 include/asm-generic/int-ll64.h> DW_AT_decl_line<0x00000016> DW_AT_type<<0x0000004c>>

<1><0x4c><DW_TAG_base_type> DW_AT_byte_size<0x00000002> DW_AT_encoding<DW_ATE_signed> DW_AT_name<"short int">

 

3.       Using Volatility 2.2 and I have tried  volatility 2.3-development and the latest volatility from svn co  https://volatility.googlecode.com/svn/trunk (latest check out at 9th of august 2013)

a.       $ python vol.py –info

LinuxprofileHTCOneV2x86 - A Profile for Linux profileHTCOneV2 x86

b.      Note, I implemented a work around since my system.map / proc/kallsyms  sometimes contained four columns instead of 3.

Part of my system.map file:

                c0682d70 A _etext

bf005000 t dhd_sleep_pm_callback         [bcmdhd]

Error:

 File "/android/volatility-2.2/volatility/plugins/overlays/linux/linux.py", line 86, in parse_system_map

    (str_addr, symbol_type, symbol) = line.strip().split()

ValueError: too many values to unpack

                                                Work around :

Added in /android/volatility-2.2/volatility/plugins/overlays/linux/linux.py, line 87:

        (str_addr, symbol_type, symbol) = line.strip().split()[0:3]     //added work around

     #(str_addr, symbol_type, symbol) = line.strip().split()               // original

c.       $ python vol.py --profile=LinuxprofileHTCOneV2x86 -f /android/resultfiles/HTVOneV/lime7-31-13_1317.lime linux_pslist

Volatile Systems Volatility Framework 2.3_alpha

WARNING : volatility.obj      : Overlay structure cpuinfo_x86 not present in vtypes

Offset     Name                 Pid             Uid             Start Time

---------- -------------------- --------------- --------------- ----------

No suitable address space mapping found

Tried to open image as:

MachOAddressSpace: mac: need base

LimeAddressSpace: lime: need base

WindowsHiberFileSpace32: No base Address Space

WindowsCrashDumpSpace64: No base Address Space

WindowsCrashDumpSpace32: No base Address Space

JKIA32PagedMemoryPae: No base Address Space

AMD64PagedMemory: No base Address Space

JKIA32PagedMemory: No base Address Space

IA32PagedMemoryPae: Module disabled

IA32PagedMemory: Module disabled

MachOAddressSpace: MachO Header signature invalid

MachOAddressSpace: MachO Header signature invalid

LimeAddressSpace: Invalid Lime header signature

WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile

WindowsCrashDumpSpace64: Header signature invalid

WindowsCrashDumpSpace32: Header signature invalid

JKIA32PagedMemoryPae - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'long'

AMD64PagedMemory: Incompatible profile LinuxprofileHTCOneV2x86 selected

JKIA32PagedMemory - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'long'

IA32PagedMemoryPae: Module disabled

IA32PagedMemory: Module disabled

FileAddressSpace: Must be first Address Space

ArmAddressSpace - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'long'

 

 

 

 

 

 

 

 

 

 

 

 

 


_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users