volatilityfoundation / dwarf2json

convert ELF/DWARF symbol and type information into vol3's intermediate JSON

'go build' command fails #32

Closed ezaspy closed 3 years ago

ezaspy commented 3 years ago

Following your README.md to build dwarf2json, it says to run go build to build it, but after installing go (go version go1.6.2 linux/amd64) I get the following error:

    main.go:28:2: cannot find package "github.com/spf13/pflag" in any of:
        /usr/lib/go-1.6/src/github.com/spf13/pflag (from $GOROOT)
        ($GOPATH not set)

Can you please elaborate on your instruction on how to build dwarf2json?

ilch1 commented 3 years ago

Building dwarf2json requires go version 1.13 or later. It looks like you are using go1.6.2. Please try upgrading to a later version of go and report back any problems.

ezaspy commented 3 years ago

I have upgraded to go version go1.16.2 linux/amd64. I followed this guide: https://golangcode.com/updating-go-on-ubuntu/ and also added the environment variable export PATH=$PATH:/usr/local/go/bin

But I still get the following error:

    go: github.com/spf13/pflag@v1.0.5: missing go.sum entry; to add it:
        go mod download github.com/spf13/pflag

ilch1 commented 3 years ago

dwarf2json builds correctly with go 1.15 but fails to build with go 1.16. It looks like go 1.16 made go.sum mandatory.

Try building with go-1.16-support branch. If that works for you, I'll merge it.
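The two build failures in this thread (a too-old toolchain, then a missing go.sum under Go 1.16) are easy to trip over because "go1.6" and "go1.16" look alike. The script below is an added example written for this page, not a script from the dwarf2json repository or from either commenter: it parses the output of `go version` and compares major and minor numerically against the 1.13 minimum stated above, then runs the `go mod download` step the error message itself suggests before `go build`. It assumes the repository checkout is the current directory and that `go` is on PATH.

```shell
#!/bin/sh
# Added example (not part of the dwarf2json repository): gate the build on the
# Go version the maintainer names (1.13+) and satisfy the go.sum requirement
# that Go 1.16 made mandatory before running 'go build'.

# go_version_ok "<output of: go version>" MIN_MAJOR MIN_MINOR
# Parses "go version goX.Y[.Z] os/arch" and compares X and Y as numbers, so
# that 1.6 sorts below 1.13 (a plain string comparison gets this backwards).
go_version_ok() {
	ver=$(printf '%s\n' "$1" | sed -n 's/^go version go\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p')
	if [ -z "$ver" ]; then
		return 2 # unrecognised "go version" output (e.g. a devel build)
	fi
	major=${ver% *}
	minor=${ver#* }
	if [ "$major" -gt "$2" ]; then return 0; fi
	if [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; then return 0; fi
	return 1
}

# build_dwarf2json: run from a checkout of the repository (assumed to be the
# current directory). 'go mod download' writes the go.sum entries that Go 1.16
# insists on; 'go build' then produces ./dwarf2json in the same directory.
build_dwarf2json() {
	if ! go_version_ok "$(go version 2>/dev/null)" 1 13; then
		echo "dwarf2json needs Go 1.13 or later; found: $(go version 2>&1)" >&2
		return 1
	fi
	go mod download && go build
}
```

Source the file and call `build_dwarf2json` inside the checkout; on a Go 1.6 system it refuses to proceed with a message naming the installed version instead of failing later on an unrelated-looking `$GOPATH` error.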

ezaspy commented 3 years ago

I have rolled back to go version go1.16.2 linux/amd64. dwarf2json now builds successfully, but where do I find/create the input file required to create the JSON output file?

ilch1 commented 3 years ago

dwarf2json processes files containing DWARF symbol and type information. You will need to obtain the DWARF file matching the kernel of your memory sample and use that as input.

What is the OS and kernel of the system where the memory sample was acquired?

ezaspy commented 3 years ago

Okay. How do I obtain a DWARF file? Is that the memory file? Is it the same process as making a DWARF file for Linux profiles in volatility2.6? The host info is: Ubuntu 16.04 4.4.0-97-generic

ilch1 commented 3 years ago

The DWARF contains debug symbol information for a program and is separate from the memory file. The debug symbols for the Linux kernel can be obtained through a package manager. For the Ubuntu kernel version that you have listed, the package can be downloaded from:

Once you download the package, you need to extract it using dpkg -x <path-to-downloaded-ddeb> /tmp/.

Then the DWARF for the kernel will be found at /tmp/usr/lib/debug/boot/vmlinux-4.4.0-97-generic.
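What dwarf2json does with that vmlinux is read its DWARF type information and emit vol3's intermediate JSON. The Go program below is an added example written for this page, not code from the dwarf2json repository or from either commenter: it opens the ELF with the standard library's debug/elf and debug/dwarf packages, refuses a file with no .debug_info section (the usual symptom of feeding it /boot/vmlinuz or a non-dbgsym vmlinux), and prints struct layouts in a simplified shape loosely modelled on the "user_types" part of the intermediate JSON. The output schema is an assumption of this example (dwarf2json's real schema differs in detail), and the sampleDWARF bytes are a constructed, hand-assembled DWARF 4 fragment so the program runs without a kernel at hand.

```go
package main

import (
	"debug/dwarf"
	"debug/elf"
	"encoding/json"
	"fmt"
	"os"
)

// Simplified stand-in for vol3's "user_types" JSON; the exact schema is assumed here.
type Field struct {
	Type   string `json:"type"`
	Offset int64  `json:"offset"`
}
type UserType struct {
	Size   int64            `json:"size"`
	Fields map[string]Field `json:"fields"`
}

// OpenDWARF opens an ELF such as vmlinux-<version>, refusing files with no .debug_info.
func OpenDWARF(path string) (*dwarf.Data, error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	if f.Section(".debug_info") == nil {
		return nil, fmt.Errorf("%s: no .debug_info section; a stripped vmlinux is unusable", path)
	}
	return f.DWARF() // section contents are read into memory before return
}

// ExtractStructs records each named, complete struct or union once with member names,
// types and byte offsets; first definition wins, since kernel DWARF repeats structs per CU.
func ExtractStructs(d *dwarf.Data) (map[string]UserType, error) {
	out := make(map[string]UserType)
	r := d.Reader()
	for {
		e, err := r.Next()
		if err != nil {
			return nil, err
		}
		if e == nil {
			break // end of .debug_info
		}
		if e.Tag != dwarf.TagStructType && e.Tag != dwarf.TagUnionType {
			continue
		}
		name, _ := e.Val(dwarf.AttrName).(string)
		if _, seen := out[name]; seen || name == "" || e.Val(dwarf.AttrDeclaration) != nil {
			continue // already recorded, anonymous, or a forward declaration without layout
		}
		t, err := d.Type(e.Offset)
		if err != nil {
			return nil, err
		}
		st := t.(*dwarf.StructType) // struct/union DIEs always decode to *dwarf.StructType
		ut := UserType{Size: st.Size(), Fields: make(map[string]Field)}
		for _, f := range st.Field {
			// debug/dwarf has already decoded a constant or DW_OP_plus_uconst member location.
			ut.Fields[f.Name] = Field{Type: f.Type.String(), Offset: f.ByteOffset}
		}
		out[name] = ut
	}
	return out, nil
}

// sampleDWARF hand-assembles a constructed DWARF 4 .debug_abbrev/.debug_info pair (no vmlinux
// needed): int, long and struct task_struct { long state; int pid; int tgid; } of 32 bytes,
// with pid's location as a constant and tgid's as a DW_OP_plus_uconst expression.
func sampleDWARF() (*dwarf.Data, error) {
	abbrev := []byte{
		1, 0x11, 1, 0x03, 0x08, 0, 0, // compile_unit: name(string), has children
		2, 0x24, 0, 0x03, 0x08, 0x0b, 0x0b, 0x3e, 0x0b, 0, 0, // base_type: name, byte_size, encoding
		3, 0x13, 1, 0x03, 0x08, 0x0b, 0x0b, 0, 0, // structure_type: name, byte_size, has children
		4, 0x0d, 0, 0x03, 0x08, 0x49, 0x13, 0x38, 0x0b, 0, 0, // member: name, type(ref4), location(data1)
		5, 0x0d, 0, 0x03, 0x08, 0x49, 0x13, 0x38, 0x18, 0, 0, // member: name, type(ref4), location(exprloc)
		0,
	}
	info := []byte{
		0x53, 0, 0, 0, 4, 0, 0, 0, 0, 0, 8, // unit_length 83, DWARF 4, abbrev offset 0, address size 8
		1, 's', 'a', 'm', 'p', 'l', 'e', '.', 'c', 0, // DIE @11: compile unit "sample.c"
		2, 'i', 'n', 't', 0, 4, 5, // DIE @21: int, 4 bytes, DW_ATE_signed
		2, 'l', 'o', 'n', 'g', 0, 8, 5, // DIE @28: long, 8 bytes, DW_ATE_signed
		3, 't', 'a', 's', 'k', '_', 's', 't', 'r', 'u', 'c', 't', 0, 0x20, // DIE @36: task_struct, 32 bytes
		4, 's', 't', 'a', 't', 'e', 0, 0x1c, 0, 0, 0, 0x00, // DIE @50: long state at offset 0 (type -> @28)
		4, 'p', 'i', 'd', 0, 0x15, 0, 0, 0, 0x10, // DIE @62: int pid at offset 16 (type -> @21)
		5, 't', 'g', 'i', 'd', 0, 0x15, 0, 0, 0, 2, 0x23, 0x14, // DIE @72: int tgid, DW_OP_plus_uconst 20
		0, 0, // end of struct members, end of compile unit
	}
	return dwarf.New(abbrev, nil, nil, info, nil, nil, nil, nil)
}

func main() {
	d, err := sampleDWARF()
	if len(os.Args) > 1 { // e.g. /tmp/usr/lib/debug/boot/vmlinux-4.4.0-97-generic
		d, err = OpenDWARF(os.Args[1])
	}
	var types map[string]UserType
	if err == nil {
		types, err = ExtractStructs(d)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	json.NewEncoder(os.Stdout).Encode(map[string]interface{}{"user_types": types})
}
```

With no argument it decodes the constructed sample and prints task_struct with state at offset 0, pid at 16 and tgid at 20; pointed at the extracted vmlinux-4.4.0-97-generic it walks the real kernel types (expect this to take a while and use a lot of memory, as the full DWARF is loaded). Before trusting any output, confirm the debug vmlinux matches the imaged host: the version banner inside it (`strings vmlinux-4.4.0-97-generic | grep 'Linux version'`) must agree with `uname -r` from the system the memory sample came from, since offsets from a different build are silently wrong. The real tool is run as `dwarf2json linux --elf <vmlinux> > output.json`.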

ilch1 commented 3 years ago

I'm going to close this issue as the original go build problem has been addressed.

ezaspy commented 3 years ago

Sure, thank you for your help. One last question - where and how do I find other debug symbols for other Linux distros?

ilch1 commented 3 years ago

> where and how do I find other debug symbols for other Linux distros?

Each distro distributes debug symbols in its own way. The process typically entails adding an additional source that contains debug packages to the package manager (e.g., apt, rpm, etc.). I usually google something like:

<distro name> kernel debuginfo