10:05 p.m.
Hi People, so over here i have used LiME to extract RAM information out of my Samsung
Galaxy Nexus, but I'm currently facing some issues in terms of analyzing as shown
below:
root@akicha-VirtualBox:~/majorProject/trunk# python vol.py -f
/root/majorProject/Nexus.lime --profile LinuxNexusARM linux_pslist
Volatile Systems Volatility Framework 2.3_beta
Offset Name Pid Uid Gid DTB Start
Time
---------- -------------------- --------------- --------------- ------ ----------
----------
Regardless of the volatility plugin i use (linux_pslist, linux_lsof), im always getting
empty data. I ran the same command with the -dd flag as shown below. Any advice/help in
this area would be greatly appreciated thank you :)
root@akicha-VirtualBox:~/majorProject/trunk# python vol.py -f
/root/majorProject/Nexus.lime --profile LinuxNexusARM -dd linux_pslist
Volatile Systems Volatility Framework 2.3_beta
DEBUG : volatility.plugins.overlays.linux.linux: Nexus: Found dwarf file
root/majorProject/omap/System.map with 453 symbols
DEBUG : volatility.plugins.overlays.linux.linux: Nexus: Found system file
root/majorProject/omap/System.map with 1 symbols
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found
in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
Offset Name Pid Uid Gid DTB Start
Time
---------- -------------------- --------------- --------------- ------ ----------
----------
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: mac: need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: lime: need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: No base
Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: No base
Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No base Address
Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: No base
Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: No base Address
Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: No base
Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No base Address
Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: No base Address
Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No base Address
Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x605bad0>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header
signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Invalid Address 0x2C800040,
instantiating lime_header
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x605ba90>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header
signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: Invalid Lime header
signature
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32:
PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: Header
signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: Invalid magic
found
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: ELF64 Header
signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: Invalid VMware
signature: 0x81ed
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: Header
signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: Incompatible
profile LinuxNexusARM selected
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: Failed valid
Address Space check
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Failed valid Address
Space check
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must be first
Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.arm.ArmAddressSpace object at 0x605be50>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header
signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: Invalid Lime header
signature
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32:
PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: Header
signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Invalid Address 0x00000000,
instantiating HPAK_HEADER
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: Invalid magic
found
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: ELF64 Header
signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1 : volatility.obj : None object instantiated: Invalid Address 0x00000000,
instantiating _VMWARE_HEADER
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: Invalid VMware
signature: -
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: Header
signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: Incompatible
profile LinuxNexusARM selected
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: Can not stack
over another paging address space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Can not stack over
another paging address space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must be first
Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace: Can not stack over
another paging address space
DEBUG1 : volatility.obj : None object instantiated: Pointer next invalid
11:07 p.m.
Hello,
Based on your previous email it still looks like you compiled a kernel yourself:
"#make ARCH=arm CROSS_COMPILE=$CCOMPILER EXTRA_CFLAGS=-fno-pic modules_prepare"
This will produce a different System.map than than produced by the
original kernel compilation. Can you see if the addresses of symbols
in your System.map file match those of /proc/kallsyms on the running
device?
On Wed, Sep 25, 2013 at 9:05 PM, Quentin Chaki Cha
<quenberry(a)hotmail.com> wrote:
Hi People, so over here i have used LiME to extract
RAM information out of
my Samsung Galaxy Nexus, but I'm currently facing some issues in terms of
analyzing as shown below:
root@akicha-VirtualBox:~/majorProject/trunk# python vol.py -f
/root/majorProject/Nexus.lime --profile LinuxNexusARM linux_pslist
Volatile Systems Volatility Framework 2.3_beta
Offset Name Pid Uid Gid DTB
Start Time
---------- -------------------- --------------- --------------- ------
---------- ----------
Regardless of the volatility plugin i use (linux_pslist, linux_lsof), im
always getting empty data. I ran the same command with the -dd flag as shown
below. Any advice/help in this area would be greatly appreciated thank you
:)
root@akicha-VirtualBox:~/majorProject/trunk# python vol.py -f
/root/majorProject/Nexus.lime --profile LinuxNexusARM -dd linux_pslist
Volatile Systems Volatility Framework 2.3_beta
DEBUG : volatility.plugins.overlays.linux.linux: Nexus: Found dwarf file
root/majorProject/omap/System.map with 453 symbols
DEBUG : volatility.plugins.overlays.linux.linux: Nexus: Found system file
root/majorProject/omap/System.map with 1 symbols
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from
VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from
VirtualBoxModification
DEBUG : volatility.obj : Applying modification from
LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from
LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
Offset Name Pid Uid Gid DTB
Start Time
---------- -------------------- --------------- --------------- ------
---------- ----------
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: mac:
need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: lime:
need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsHiberFileSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating
VirtualBoxCoreDumpElf64: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0x605bad0>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
MachO Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Invalid Address
0x2C800040, instantiating lime_header
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x605ba90>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
MachO Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace:
Invalid Lime header signature
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace:
Invalid magic found
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile:
Invalid VMware signature: 0x81ed
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory:
Incompatible profile LinuxNexusARM selected
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae:
Failed valid Address Space check
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Failed
valid Address Space check
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must
be first Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.arm.ArmAddressSpace object at 0x605be50>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
MachO Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace:
Invalid Lime header signature
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Invalid Address
0x00000000, instantiating HPAK_HEADER
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace:
Invalid magic found
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1 : volatility.obj : None object instantiated: Invalid Address
0x00000000, instantiating _VMWARE_HEADER
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile:
Invalid VMware signature: -
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory:
Incompatible profile LinuxNexusARM selected
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: Can
not stack over another paging address space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Can
not stack over another paging address space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must
be first Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace: Can
not stack over another paging address space
DEBUG1 : volatility.obj : None object instantiated: Pointer next
invalid
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
3:38 a.m.
Omg yes i see what you mean, when i extracted out the /proc/kallsyms from my phone and
compared it with the System.map file i made, the addresses are different, as shown
below:
00000024 A cpu_v7_suspend_size | c0008000 T stext
c0004000 A swapper_pg_dir <
c0008000 T __init_begin <
c0008000 T _sinittext c0008000 T _sinittext
c0008000 T _stext c0008000 T _stext
c0008000 T stext | c0008000 T __init_begin
c0008050 t __create_page_tables c0008050 t __create_page_tables
c0008104 t __enable_mmu_loc c0008104 t __enable_mmu_loc
c0008110 t __vet_atags c0008110 t __vet_atags
c0008148 t __fixup_smp c0008148 t __fixup_smp
c0008180 t __fixup_smp_on_up c0008180 t __fixup_smp_on_up
c00081a4 t __mmap_switched c00081a4 t __mmap_switched
c00081ec t __mmap_switched_data c00081ec t __mmap_switched_data
c0008210 T lookup_processor_type c0008210 T lookup_processor_type
c0008224 t set_reset_devices c0008224 t set_reset_devices
c000824c t debug_kernel | c0008248 t debug_kernel
c0008274 t quiet_kernel | c000826c t quiet_kernel
c000829c t init_setup | c0008290 t init_setup
c00082e0 t rdinit_setup | c00082cc t rdinit_setup
c0008324 W smp_setup_processor_id | c0008308 W
smp_setup_processor_id
c0008334 W thread_info_cache_init | c0008318 W
thread_info_cache_init
c0008344 t loglevel | c0008328 t loglevel
c000837c T parse_early_options | c000835c T parse_early_options
c00083c0 t kernel_init | c0008398 t kernel_init
c0008534 t unknown_bootoption | c00084d0 t unknown_bootoption
c00087b4 T parse_early_param | c00086dc T parse_early_param
c0008808 T start_kernel | c0008724 T start_kernel
c0008b80 t do_early_param | c0008a24 t do_early_param
c0008c5c t readonly | c0008ad4 t readonly
c0008c98 t readwrite | c0008b08 t readwrite
c0008cd4 t rootwait_setup | c0008b3c t rootwait_setup
c0008d0c t root_data_setup | c0008b6c t root_data_setup
c0008d30 t fs_names_setup | c0008b8c t fs_names_setup
c0008d54 t load_ramdisk | c0008bac t load_ramdisk
c0008d88 t root_dev_setup | c0008bdc t root_dev_setup
c0008db8 t root_delay_setup | c0008c04 t root_delay_setup
c0008de8 T change_floppy | c0008c30 T change_floppy
c0008ee4 T mount_block_root | c0008d20 T mount_block_root
c00091ec T mount_root | c0008fdc T mount_root
c0009260 T prepare_namespace | c0009044 T prepare_namespace
c0009498 t prompt_ramdisk | c0009208 t prompt_ramdisk
c00094cc t ramdisk_start_setup | c0009238 t ramdisk_start_setup
c00094fc t error | c0009264 t error
c0009538 t compr_fill | c0009298 t compr_fill
c0009598 t compr_flush | c00092ec t compr_flush
c000960c T rd_load_image | c0009350 T rd_load_image
c0009c64 T rd_load_disk | c0009900 T rd_load_disk
c0009d34 t no_initrd | c00099b4 t no_initrd
c0009d5c T initrd_load | c00099d8 T initrd_load
c000a170 t do_linuxrc | c0009d10 t do_linuxrc
c000a1c4 t error | c0009d58 t error
For example from the above:
c000829c t init_setup | c0008290 t init_setup
The kallsyms file point the init_setup to c0000829c but the System.map file i compiled
myself points it to a different address.
That was just a small extract of the differences when i ran sdiff between the kallsyms
file (on the left) and the System.map file i compiled myself (on the right). Okay i
understand now, what should i do? The original kernel source code/headers didn't come
with a System.map file for me. Any help/suggestion would be deeply appreciated thank
you.
Date: Wed, 25 Sep 2013 22:07:34 -0500
Subject: Re: [Vol-users] Samsung Galaxy Nexus RAM Analysis Issue
From: atcuno(a)gmail.com
To: quenberry(a)hotmail.com
CC: vol-users(a)volatilesystems.com
Hello,
Based on your previous email it still looks like you compiled a kernel yourself:
"#make ARCH=arm CROSS_COMPILE=$CCOMPILER EXTRA_CFLAGS=-fno-pic
modules_prepare"
This will produce a different System.map than than produced by the
original kernel compilation. Can you see if the addresses of symbols
in your System.map file match those of /proc/kallsyms on the running
device?
On Wed, Sep 25, 2013 at 9:05 PM, Quentin Chaki Cha
<quenberry(a)hotmail.com> wrote:
> Hi People, so over here i have used LiME to extract RAM information out of
> my Samsung Galaxy Nexus, but I'm currently facing some issues in terms of
> analyzing as shown below:
>
> root@akicha-VirtualBox:~/majorProject/trunk# python vol.py -f
> /root/majorProject/Nexus.lime --profile LinuxNexusARM linux_pslist
> Volatile Systems Volatility Framework 2.3_beta
> Offset Name Pid Uid Gid DTB
> Start Time
> ---------- -------------------- --------------- --------------- ------
> ---------- ----------
>
> Regardless of the volatility plugin i use (linux_pslist, linux_lsof), im
> always getting empty data. I ran the same command with the -dd flag as shown
> below. Any advice/help in this area would be greatly appreciated thank you
> :)
>
>
> root@akicha-VirtualBox:~/majorProject/trunk# python vol.py -f
> /root/majorProject/Nexus.lime --profile LinuxNexusARM -dd linux_pslist
> Volatile Systems Volatility Framework 2.3_beta
> DEBUG : volatility.plugins.overlays.linux.linux: Nexus: Found dwarf file
> root/majorProject/omap/System.map with 453 symbols
> DEBUG : volatility.plugins.overlays.linux.linux: Nexus: Found system file
> root/majorProject/omap/System.map with 1 symbols
> DEBUG : volatility.obj : Applying modification from BashTypes
> DEBUG : volatility.obj : Applying modification from
> BasicObjectClasses
> DEBUG : volatility.obj : Applying modification from ELF64Modification
> DEBUG : volatility.obj : Applying modification from HPAKVTypes
> DEBUG : volatility.obj : Applying modification from LimeTypes
> DEBUG : volatility.obj : Applying modification from MachoTypes
> DEBUG : volatility.obj : Applying modification from MbrObjectTypes
> DEBUG : volatility.obj : Applying modification from
> VMwareVTypesModification
> DEBUG : volatility.obj : Applying modification from
> VirtualBoxModification
> DEBUG : volatility.obj : Applying modification from
> LinuxKmemCacheOverlay
> DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol
> cache_chain not found in module kernel
>
> DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
> DEBUG : volatility.obj : Applying modification from
> LinuxObjectClasses
> DEBUG : volatility.obj : Applying modification from LinuxOverlay
> Offset Name Pid Uid Gid DTB
> Start Time
> ---------- -------------------- --------------- --------------- ------
> ---------- ----------
> DEBUG : volatility.utils : Voting round
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: mac:
> need base
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
> DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: lime:
> need base
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
> DEBUG1 : volatility.utils : Failed instantiating
> WindowsHiberFileSpace32: No base Address Space
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
> DEBUG1 : volatility.utils : Failed instantiating
> WindowsCrashDumpSpace64: No base Address Space
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
> DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No
> base Address Space
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
> DEBUG1 : volatility.utils : Failed instantiating
> VirtualBoxCoreDumpElf64: No base Address Space
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
> DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: No
> base Address Space
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
> DEBUG1 : volatility.utils : Failed instantiating
> WindowsCrashDumpSpace32: No base Address Space
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
> DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No
> base Address Space
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: No
> base Address Space
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No
> base Address Space
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
> DEBUG : volatility.utils : Succeeded instantiating
> <volatility.plugins.addrspaces.standard.FileAddressSpace object at
> 0x605bad0>
> DEBUG : volatility.utils : Voting round
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
> MachO Header signature invalid
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
> DEBUG1 : volatility.obj : None object instantiated: Invalid Address
> 0x2C800040, instantiating lime_header
> DEBUG : volatility.utils : Succeeded instantiating
> <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x605ba90>
> DEBUG : volatility.utils : Voting round
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
> MachO Header signature invalid
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
> DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace:
> Invalid Lime header signature
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
> DEBUG1 : volatility.utils : Failed instantiating
> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
> DEBUG1 : volatility.utils : Failed instantiating
> WindowsCrashDumpSpace64: Header signature invalid
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
> DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace:
> Invalid magic found
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
> DEBUG1 : volatility.utils : Failed instantiating
> VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
> DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile:
> Invalid VMware signature: 0x81ed
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
> DEBUG1 : volatility.utils : Failed instantiating
> WindowsCrashDumpSpace32: Header signature invalid
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
> DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory:
> Incompatible profile LinuxNexusARM selected
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae:
> Failed valid Address Space check
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Failed
> valid Address Space check
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
> DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must
> be first Address Space
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
> DEBUG : volatility.utils : Succeeded instantiating
> <volatility.plugins.addrspaces.arm.ArmAddressSpace object at 0x605be50>
> DEBUG : volatility.utils : Voting round
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
> MachO Header signature invalid
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
> DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace:
> Invalid Lime header signature
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
> DEBUG1 : volatility.utils : Failed instantiating
> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
> DEBUG1 : volatility.utils : Failed instantiating
> WindowsCrashDumpSpace64: Header signature invalid
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
> DEBUG1 : volatility.obj : None object instantiated: Invalid Address
> 0x00000000, instantiating HPAK_HEADER
> DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace:
> Invalid magic found
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
> DEBUG1 : volatility.utils : Failed instantiating
> VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
> DEBUG1 : volatility.obj : None object instantiated: Invalid Address
> 0x00000000, instantiating _VMWARE_HEADER
> DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile:
> Invalid VMware signature: -
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
> DEBUG1 : volatility.utils : Failed instantiating
> WindowsCrashDumpSpace32: Header signature invalid
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
> DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory:
> Incompatible profile LinuxNexusARM selected
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: Can
> not stack over another paging address space
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Can
> not stack over another paging address space
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
> DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must
> be first Address Space
> DEBUG : volatility.utils : Trying <class
> 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
> DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace: Can
> not stack over another paging address space
> DEBUG1 : volatility.obj : None object instantiated: Pointer next
> invalid
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilesystems.com
> http://lists.volatilesystems.com/mailman/listinfo/vol-users
>
4067
days inactive
4067
days old
vol-users@lists.volatilityfoundation.org
2 comments
2 participants
participants (2)
-
Andrew Case -
Quentin Chaki Cha