Linux - DwarfParse in linux.py does not work with newer dwarfdump versions

[GoogleCodeExporter]

I am testing linux-trunk on the latest ubuntu (12.04) and our DwarfParse class 
(based on brendan's code) does not work with any recent versions of dwarfdump. 
The release that our code was developed against was from late 2009 and Ubuntu 
now packages a release from late 2011.  It seems that part of the DWARF 
standard was updated or at the very least, dwarfdump's output has definitely 
changed in an incompatible way.

I am currently getting it to work by downloading this old version:

http://reality.sgiweb.org/davea/libdwarf-20091012.tar.gz

-----

As far as a fix, keeping two versions of our dwarfdump class around doesn't 
seem like the best solution... maybe we should just force profiles to include 
.vtype files, and then we would just need to code something to handle the new 
dwarfdump output. In the meantime, we can keep using the old versions, and I 
have had no issues with it.

Original issue reported on code.google.com by atc...@gmail.com on 18 May 2012 at 12:08

[GoogleCodeExporter]

Mostly this issue appears to be accepting <0x0000abcd> in places where we 
accepted <43981> (or in slightly older versions <abcd> in place of <43981>).  
The version where this first manifests is 20110605, and I'm hoping that the fix 
will be relatively simple.  I'll look into it more when I've got more time, 
meanwhile the last working version you can use for volatility is 
libdwarf-20110113...

Original comment by mike.auty@gmail.com on 18 May 2012 at 4:46

[GoogleCodeExporter]

Updating the milestone to coincide with official linux support.

Original comment by mike.auty@gmail.com on 6 Jun 2012 at 8:30

• Added labels: Milestone-2.2.x

[GoogleCodeExporter]

The fix to this is in scudette's branch: 

http://code.google.com/p/volatility/source/browse/branches/scudette/volatility/p
lugins/overlays/linux/dwarfparser.py

Basically his code parses the dwarf info within volatlity and then is not 
dependent on particular versions of dwarfdump. I would like to integrate this 
dwarfparser into linux-trunk before 2.2, but he uses an library for parsing and 
I don't think its native to python so it would be another requirement to 
install. Not sure if that is an issue.

Original comment by atc...@gmail.com on 9 Jul 2012 at 6:10

[GoogleCodeExporter]

Subscribing to get notifications

Original comment by larytet@gmail.com on 9 Aug 2012 at 7:13

[GoogleCodeExporter]

This was fixed in http://code.google.com/p/volatility/source/detail?r=2220

I tested against the latest dwarfdump as of today ( dwarf-20120410 )

and its the same output as I saw going back a few other versions.

Original comment by atc...@gmail.com on 25 Aug 2012 at 6:51

• Changed state: Fixed