Hi Roberto,

I'm sure Andrew will help you here in a bit with the profile, but I just wanted to note that imageinfo is a Windows-only plugin, so that wouldn't work on a Linux sample.

All the best,

-gleeda



On 4/1/2014 6:28 AM, Roberto Martelloni wrote:
Hi all, 

I've followed the documentation to first dump the memory of the device by cross-compiling LiME and then to create the profile for a Linux device on ARM.

Unfortunately I wasn't able to use volatility on the memory dump. 
I'm using volatility 2.3.1; the kernel is a vanilla Linux 2.6.31.14 + a custom grsecurity+PaX configuration.

Below is some output from the commands. Any suggestion on the next step to troubleshoot where the problem is?

boos@vnoise:~/Downloads/volatility-2.3.1$ python vol.py --info | grep Profile | grep Linux
Volatility Foundation Volatility Framework 2.3.1
LinuxTESTARM       - A Profile for Linux TEST ARM


$ python vol.py -f /home/boos/arm-mem-image imageinfo
Determining profile based on KDBG search...

          Suggested Profile(s) : No suggestion (Instantiated with LinuxUbuntu1204x64)
                     AS Layer1 : LimeAddressSpace (Unnamed AS)
                     AS Layer2 : FileAddressSpace (/home/boos/arm-mem-image)
                      PAE type : No PAE
                           DTB : 0x1c0d000L

Traceback (most recent call last):
  File "vol.py", line 184, in <module>
    main()
  File "vol.py", line 175, in main
    command.execute()
  File "/home/boos/Downloads/volatility-2.3.1/volatility/commands.py", line 122, in execute
    func(outfd, data)
  File "/home/boos/Downloads/volatility-2.3.1/volatility/plugins/imageinfo.py", line 36, in render_text
    for k, v in data:
  File "/home/boos/Downloads/volatility-2.3.1/volatility/plugins/imageinfo.py", line 93, in calculate
    kdbgoffset = volmagic.KDBG.v()
  File "/home/boos/Downloads/volatility-2.3.1/volatility/obj.py", line 737, in __getattr__
    return self.m(attr)
  File "/home/boos/Downloads/volatility-2.3.1/volatility/obj.py", line 719, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBG

boos@vnoise:~/Downloads/volatility-2.3.1$ python vol.py --profile LinuxTESTARM -f /home/boos/arm-mem-image linux_dmesg
Volatility Foundation Volatility Framework 2.3.1
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareSnapshotFile: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
 VMWareSnapshotFile: Invalid VMware signature: 0x0
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Incompatible profile LinuxTESTARM selected
 IA32PagedMemoryPae: Failed valid Address Space check
 IA32PagedMemory: Failed valid Address Space check
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check


--
Roberto Martelloni
boos @ http://boos.core-dumped.info




_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

-- 
Jamie Levy (@gleeda)
Blog: http://volatility-labs.blogspot.com/
GPG:  http://pgp.mit.edu/pks/lookup?op=get&search=0x196B2AB527A4AC92
Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
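The second run above fails with "LimeAddressSpace: Invalid Lime header signature", so a useful first check is whether the file actually carries LiME segment headers at all (a raw or padded dump will fail exactly this way). The script below is an added example, not code from this thread, from Volatility or from LiME; it walks the documented 32-byte LiME segment header (magic 0x4C694D45, version 1, inclusive start/end physical addresses, 8 reserved bytes) and runs on constructed sample data rather than a real image.

```python
import struct

LIME_MAGIC = 0x4C694D45      # appears as the bytes 'EMiL' at the start of each segment
LIME_VERSION = 1
# magic, version, start address, end address (inclusive), 8 reserved bytes = 32 bytes
LIME_HEADER = struct.Struct("<IIQQ8s")


def parse_lime_segments(blob):
    """Walk the dump segment by segment and return a list of (start, end) physical
    address ranges.  Raises ValueError at the first header that is not a LiME header,
    which is the condition Volatility reports as 'Invalid Lime header signature'."""
    segments = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < LIME_HEADER.size:
            raise ValueError("truncated LiME header at offset %#x" % offset)
        magic, version, start, end, _reserved = LIME_HEADER.unpack_from(blob, offset)
        if magic != LIME_MAGIC:
            raise ValueError("bad LiME magic %#x at offset %#x (raw dump?)" % (magic, offset))
        if version != LIME_VERSION or end < start:
            raise ValueError("malformed LiME header at offset %#x" % offset)
        segments.append((start, end))
        offset += LIME_HEADER.size + (end - start + 1)   # end address is inclusive
    if offset != len(blob):
        raise ValueError("last segment claims more bytes than the file holds")
    return segments


def is_lime_dump(blob):
    """True when every segment header in the dump checks out, False otherwise."""
    try:
        parse_lime_segments(blob)
        return True
    except ValueError:
        return False


def _segment(start, end):
    """Build one LiME segment with zero-filled contents (constructed sample data)."""
    header = LIME_HEADER.pack(LIME_MAGIC, LIME_VERSION, start, end, b"\0" * 8)
    return header + bytes(end - start + 1)


# Constructed samples: a well-formed two-segment dump and a raw dump with no header.
SAMPLE_LIME = _segment(0x80000000, 0x8000000F) + _segment(0x90000000, 0x9000001F)
SAMPLE_RAW = bytes(64)

if __name__ == "__main__":
    for name, blob in (("lime sample", SAMPLE_LIME), ("raw sample", SAMPLE_RAW)):
        if is_lime_dump(blob):
            print(name, [(hex(s), hex(e)) for s, e in parse_lime_segments(blob)])
        else:
            print(name, "is not a LiME dump")
```

On a real image, pass an mmap of the file rather than reading it all into memory; a dump that passes this check but still fails in Volatility points at the profile or the ARM address space rather than the file format.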