Hi Michael,
You were right, the problem was related to the profile file (for Ubuntu,
not Fedora). I was using module.ko to generate module.dwarf (with the
command line dwarfdump -di module.ko > module.dwarf). It seems
that dwarfdump needs to be run only on module_dwarf.ko.
Everything works as expected in Ubuntu (with the padded memory dump only).
However, there is still a bug with Fedora.
Here are the commands I used to create the profile file:
1- apt-get install dwarfdump (Ubuntu) or yum install libdwarf-tools (Fedora)
2- svn checkout
http://volatility.googlecode.com/svn/branches/scudette/tools/linuxlinuxProf…
3- cd linuxProfile
4- make
5- dwarfdump -di module_dwarf.ko > module.dwarf
6- sudo zip myprofile.zip module.dwarf /boot/System.map-[…]-generic
When I run dwarfdump in Fedora 15 32-bit, I have a lot of errors like:
dwarfdump: ERROR: Attribute 56 (DW_AT_data_member_location) has form 5 (DW_FORM_data2), a form which is not appropriate
module.dwarf contains data, but when I run volatility with this debug
information, I have an error and I need to specify an address space:
H:\Volatility\Scudette>h:\Python27\python.exe vol.py
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.
IPython 0.13 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help -> Python's own help system.
object? -> Details about 'object', use 'object??' for extra details.
Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: session.filename = "N:\\Lime\\Fedora-15-32bit\\f32.padded"
In [2]: session.profile_file = "N:\\Lime\\Fedora-15-32bit\\myprofile.zip"
In [3]: session.profile = profiles.Linux64
In [4]: vol plugins.pslist
------> vol(plugins.pslist)
ERROR:root:Fatal Error: invalid literal for int() with base 10: 'Attribute'
ERROR:root:Failed running plugin pslist: kernel_address_space not specified.
In [5]: session.kernel_address_space = "standard"
In [6]: vol plugins.pslist
------> vol(plugins.pslist)
Offset Name Pid Uid
ERROR:root:Error: 'init_task'
---------------------------------------------------------------------------
KeyError Traceback (most recent call last)
<ipython-input-6-a5edbfb3c155> in <module>()
----> 1 vol(plugins.pslist)
H:\Volatility\Scudette\volatility\session.pyc in vol(self, plugin_cls, *args, **kwargs)
217 result = plugin_cls(*args, **kwargs)
218 try:
--> 219 result.render(ui_renderer)
220 except KeyboardInterrupt:
221 self.report_progress("Aborted!\r\n", force=True)
H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in render(self, outfd)
49 "Offset", "Name", "Pid", "Uid"))
50
---> 51 for task in self.pslist():
52 outfd.write("0x{0:08x} {1:20s} {2:15s} {3:15s}\n".format(
53 task.obj_offset, task.comm, str(task.pid), str(task.uid)))
H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in pslist(self)
35 def pslist(self):
36 """A generator of task_struct objects for all running tasks."""
---> 37 init_task_addr = self.profile.constants["init_task"]
38
39 init_task = self.profile.Object(theType="task_struct",
KeyError: 'init_task'
Thanks for your help!
Sebastien
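
Added example, not part of the message above and not Volatility code: a pre-flight check for a profile zip like the one built in steps 1-6, which flags dwarfdump error text inside the .dwarf member and a missing init_task symbol in the System.map member. The function names and sample data are constructed for this example, and it assumes that constants such as init_task are read from System.map.

```python
import io
import re
import zipfile

# Error wording copied from the message above. Assumption: normal records in
# module.dwarf never contain this text, so any hit means a damaged dump.
DWARFDUMP_ERROR = re.compile(
    r"dwarfdump:?\s+ERROR|Attribute \d+ \(DW_AT_\w+\) has form \d+")
# System.map line layout: "<hex address> <type letter> <symbol>".
SYSMAP_LINE = re.compile(r"^[0-9a-fA-F]+\s+\S\s+(\S+)$")

def check_profile(zip_source, required_symbols=("init_task",)):
    """Return a list of problems in a profile zip; an empty list means none found."""
    problems = []
    with zipfile.ZipFile(zip_source) as zf:
        dwarf = [n for n in zf.namelist() if n.endswith(".dwarf")]
        sysmaps = [n for n in zf.namelist() if "System.map" in n]
        if not dwarf:
            problems.append("no .dwarf member in archive")
        if not sysmaps:
            problems.append("no System.map member in archive")
        for name in dwarf:
            text = zf.read(name).decode("utf-8", "replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                if DWARFDUMP_ERROR.search(line):
                    problems.append("%s:%d: dwarfdump error text" % (name, lineno))
        for name in sysmaps:
            text = zf.read(name).decode("utf-8", "replace")
            found = {m.group(1) for m in map(SYSMAP_LINE.match, text.splitlines()) if m}
            for sym in required_symbols:
                if sym not in found:
                    problems.append("%s: symbol %s missing" % (name, sym))
    return problems

def build_sample(dwarf_text, sysmap_text):
    """Build a constructed profile zip in memory (sample data, not a real profile)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("module.dwarf", dwarf_text)
        zf.writestr("boot/System.map-sample", sysmap_text)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    bad = build_sample(  # constructed lines, only approximating dwarfdump -di output
        '<1><0x2d><DW_TAG_base_type> DW_AT_name<"int">\n'
        "dwarfdump: ERROR: Attribute 56 (DW_AT_data_member_location) has form 5\n",
        "c0a0b000 D init_uts_ns\n")
    print(check_profile(bad))
```

Running it against the zip before copying it to the analysis machine separates a bad dwarfdump run from a problem in the memory image itself.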