tking2 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Fedora 15 dwarf problem #355

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hey guys,

Seems there's a problem with dwarf and Fedora 15. 

F:\Volatility2.3SVN>python vol.py -f H:\Fedora-15-32bit\Fedora-15-32bit.lime --profile=LinuxFedora-15-32-bitx86 linux_pslist

Volatile Systems Volatility Framework 2.3_alpha
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File "F:\Volatility2.3SVN\volatility\plugins\linux\common.py", line 57, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "F:\Volatility2.3SVN\volatility\commands.py", line 111, in execute
    func(outfd, data)
  File "F:\Volatility2.3SVN\volatility\plugins\linux\pslist.py", line 60, in render_text
    ("Start Time", "")])
  File "F:\Volatility2.3SVN\volatility\commands.py", line 172, in table_header
    profile = addrspace.BufferAddressSpace(self._config).profile
  File "F:\Volatility2.3SVN\volatility\addrspace.py", line 169, in __init__
    BaseAddressSpace.__init__(self, None, config, **kwargs)
  File "F:\Volatility2.3SVN\volatility\addrspace.py", line 71, in __init__
    self.profile = self._set_profile(config.PROFILE)
  File "F:\Volatility2.3SVN\volatility\addrspace.py", line 94, in _set_profile
    ret = profs[profile_name]()
  File "F:\Volatility2.3SVN\volatility\plugins\overlays\linux\linux.py", line 148, in __init__
    obj.Profile.__init__(self, *args, **kwargs)
  File "F:\Volatility2.3SVN\volatility\obj.py", line 857, in __init__
    self.reset()
  File "F:\Volatility2.3SVN\volatility\plugins\overlays\linux\linux.py", line 158, in reset
    self.load_vtypes()
  File "F:\Volatility2.3SVN\volatility\plugins\overlays\linux\linux.py", line 195, in load_vtypes
    vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
  File "F:\Volatility2.3SVN\volatility\dwarf.py", line 70, in __init__
    self.feed_line(line)
  File "F:\Volatility2.3SVN\volatility\dwarf.py", line 161, in feed_line
    self.process_statement(**parsed) #pylint: disable-msg=W0142
  File "F:\Volatility2.3SVN\volatility\dwarf.py", line 260, in process_statement
    off = int(d)
ValueError: invalid literal for int() with base 10: 'ERROR: Attribute 56 '

Debug mode:

F:\Volatility2.3SVN>python vol.py --debug -f H:\Fedora-15-32bit\Fedora-15-32bit.lime --profile=LinuxFedora-15-32-bitx86 linux_pslist
Volatile Systems Volatility Framework 2.3_alpha
> f:\volatility2.3svn\volatility\dwarf.py(260)process_statement()
-> off = int(d)
(Pdb) p d
'ERROR: Attribute 56 '

When I generate the profile under Fedora, I have a lot of errors like:

dwarfdump:  ERROR: Attribute 56 (DW_AT_data_member_location)  has form 11 (DW_FORM_data1), a form which is not appropriate

I also had a similar issue with scudette branch last summer. The solution 
provided by Michael was:

"The dwarfdump output parser in current trunk is only compatible with very old 
versions of dwarfdump (It was always a hack really). The
correct way to build the profile now is documented here:

http://code.google.com/p/volatility/source/browse/branches/scudette/tools/linux/README

In a nutshell you can just embed the .ko file directly in the zip file - 
volatility will parse dwarf info by itself (providing pyelftools
library is installed)."

Is there a way to do something similar with the current volatility branch?

Also, here's my configuration:

- Windows 7 SP1 x64
- Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)] on 
win32
- Volatility r2769
- Fedora 15: 2.6.38.8-35.fc15.i686.PAE
- The version of libdwarf-tools used under Fedora 15 is 0.20100629-2.fc15

Thanks in advance,

Sebastien

Original issue reported on code.google.com by sebastie...@gmail.com on 29 Oct 2012 at 2:06

GoogleCodeExporter commented 9 years ago

Original comment by jamie.l...@gmail.com on 29 Oct 2012 at 2:13

GoogleCodeExporter commented 9 years ago
Andrew did you say that someone else had this problem and they just needed to 
upgrade/update the dwarfdump version? 

Sorry for the delay Sebastien....

Original comment by michael.hale@gmail.com on 6 Nov 2012 at 8:33

GoogleCodeExporter commented 9 years ago
Hello,

We have had a number of people report problems with the dwarfdump packaged with 
fedora. Could you try downloading dwarfdump from the distribution site and 
building the profile with that or could you compile on another distro (and just 
point to the fedora headers)?

Original comment by atc...@gmail.com on 14 Nov 2012 at 12:51

GoogleCodeExporter commented 9 years ago
Hello Andrew,

Thanks for the reply.

> Could you try downloading dwarfdump from the distribution site and building 
the profile

Here's new tests on Fedora 15. Not very user friendly, but it works ;)

$ sudo yum install elfutils-libelf-devel
$ sudo git clone http://git.code.sf.net/p/libdwarf/code libdwarf-code
$ cd libdwarf-code/libdwarf
$ sudo ./configure 
$ sudo make
$ cd ..
$ cd dwarfdump2
$ sudo ./configure
$ sudo make
$ sudo make install
$ svn checkout http://volatility.googlecode.com/svn/trunk/ volatility
$ cd volatility/tools/linux/

$ sudo make
make -C //lib/modules/2.6.38.8-35.fc15.i686.PAE/build CONFIG_DEBUG_INFO=y M= modules
make[1]: Entering directory `/usr/src/kernels/2.6.38.8-35.fc15.i686.PAE'
  CHK     include/linux/version.h
  CHK     include/generated/utsrelease.h
make[2]: *** No rule to make target `missing-syscalls'.  Stop.
make[1]: *** [prepare0] Error 2
make[1]: Leaving directory `/usr/src/kernels/2.6.38.8-35.fc15.i686.PAE'
make: *** [dwarf] Error 2

There's a problem with M=$(PWD) ???

So I need to make the module without the makefile:

$ sudo make -C /lib/modules/2.6.38.8-35.fc15.i686.PAE/build CONFIG_DEBUG_INFO=y M=$PWD modules
$ dwarfdump -di ./module.o > module.dwarf
$ sudo zip Fedora15-32bit.zip module.dwarf /boot/System.map-2.6.38.8-35.fc15.i686.PAE

This profile works with Volatility 2.3_alpha!

> We have had a number of people report problems with the dwarfdump packaged 
with fedora.

Have you found only problems with Fedora? 

It may be complicated for users to have multiple procedures for multiple 
kernels...

Maybe dwarfdump2 (http://sourceforge.net/projects/libdwarf/) could be a good 
way to "standardize" profile creation?

Or using dwarfparser.py like in scudette branch can be easier?

My 2 cents.

Thanks again for your help!

Sebastien

Original comment by sebastie...@gmail.com on 14 Nov 2012 at 9:51
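
The traceback in the first post and the working procedure in the comment above both come down to one failure mode: `volatility/dwarf.py` runs `int()` over the operand of every `DW_AT_data_member_location` line, so a dwarfdump that writes `ERROR: Attribute 56 ...` text into `module.dwarf` makes every plugin die at profile load. The script below is an added example, not Volatility's own tooling and not code from anyone in this thread. It checks the dwarfdump output for that error text before packaging, and passes `M=$(pwd)` to make explicitly. The `build_module` default and the reading that the empty `M= ` in the failing make output comes from `$(PWD)` being absent from make's environment are assumptions; `zip -j` (Info-ZIP) stores both files at the top level of the archive.

```shell
#!/bin/sh
# Added example (not part of Volatility or this thread): build a Linux
# profile only after confirming the dwarfdump output is clean.
#
# Why: volatility/dwarf.py converts the operand of every
# DW_AT_data_member_location line with int(). If dwarfdump writes
# "ERROR: Attribute 56 ..." into the same stream, profile load fails with
# the ValueError shown in the issue. Catch that at build time instead.

# dwarf_check FILE
#   0: no dwarfdump error text   1: problems found (listed on stderr)
#   2: file unreadable
dwarf_check() {
    f=$1
    [ -r "$f" ] || { echo "dwarf_check: cannot read $f" >&2; return 2; }
    # Deliberately broad match: any "ERROR:" text in the dump is fatal to
    # the parser, whichever attribute it complains about.
    if grep -n 'ERROR:' "$f" >&2; then
        echo "dwarf_check: $f contains dwarfdump error text; rebuild dwarfdump from libdwarf source and regenerate" >&2
        return 1
    fi
    # Real kernel-module output always carries member offsets; without
    # them the vtypes would have no struct layouts.
    if ! grep -q 'DW_AT_data_member_location' "$f"; then
        echo "dwarf_check: $f has no DW_AT_data_member_location entries" >&2
        return 1
    fi
    return 0
}

# build_module [KERNEL_BUILD_DIR]
#   Builds module.o from the Makefile in the current directory with debug
#   info. Assumption: the empty "M= " in the failing make output came from
#   $(PWD) not being set in make's environment, so the shell's own pwd is
#   passed explicitly.
build_module() {
    kdir=${1:-/lib/modules/$(uname -r)/build}
    make -C "$kdir" CONFIG_DEBUG_INFO=y M="$(pwd)" modules
}

# build_profile OUT.zip module.dwarf System.map
#   Writes the zip only when dwarf_check passes and System.map exists.
#   0: written   1: dwarf check failed   2: System.map missing
build_profile() {
    out=$1; dwarf=$2; sysmap=$3
    dwarf_check "$dwarf" || return 1
    [ -r "$sysmap" ] || { echo "build_profile: missing $sysmap" >&2; return 2; }
    zip -j "$out" "$dwarf" "$sysmap"
}

# Typical use from volatility/tools/linux on the target kernel:
#   build_module
#   dwarfdump -di ./module.o > module.dwarf
#   build_profile Fedora15-32bit.zip module.dwarf /boot/System.map-$(uname -r)
```

Run it with `. ./profile-check.sh` and call the functions, or paste them into the existing `tools/linux` Makefile flow; a non-zero exit from `dwarf_check` means the dwarfdump in use is one Volatility's parser cannot consume and the profile should not be shipped.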

GoogleCodeExporter commented 9 years ago
I updated the LinuxForensics wiki page to tell people not to use Fedora and 
pointed to this issue.

Original comment by atc...@gmail.com on 29 Jan 2013 at 12:58