volatilityfoundation / dwarf2json

convert ELF/DWARF symbol and type information into vol3's intermediate JSON

dwarf2json feature request for vol2 profiles #36

Open jdlovato opened 3 years ago

jdlovato commented 3 years ago

I would like to submit a feature request for when you have access only to the vol2 profile which includes the systemmap and the module.dwarf. Is that enough to create the profile for Vol3? That would be very helpful in converting vol2 profiles to vol3 if it is possible.

ilch1 commented 3 years ago

Hi @jdlovato,

Thank you for the feature request! Being able to generate a profile without a full debug kernel is a useful feature. In addition to system.map and module.dwarf, a couple of other pieces of information are required by volatility3 that would need to be provided to dwarf2json to generate a usable ISF.

There's a working implementation that you could try (see https://github.com/volatilityfoundation/dwarf2json/blob/linux-module-method/README.md#generating-isf-without-debug-information). Any feedback would be helpful.

Thanks!

vincentroberge commented 2 years ago

I am also interested in generating a Vol3 profile for a linux system for which I do not have access to the debug version of the kernel. I do have the Vol2 profile that I generated a few years ago and I also have access to the system. However, the system is too old to get the kernel debug (Metasploitable2, which is Ubuntu server 8.04). I followed the instructions you gave (https://github.com/volatilityfoundation/dwarf2json/blob/linux-module-method/README.md#generating-isf-without-debug-information), but the Makefile is used to build a module.c file. What is that module.c file? This would be useful to me. Thank you.

ilch1 commented 2 years ago

Hi @vincentroberge,

Thanks for your question. The Makefile uses module.c to build a dwarf file. The module.c file is located in the same directory as Makefile: https://github.com/volatilityfoundation/dwarf2json/blob/linux-module-method/linux_build_module/

Could you try copying module.c and Makefile to your target system and report any errors when issuing the make command?

Thanks

vincentroberge commented 2 years ago

Hi @ilch1, thank you for your reply. Sorry for not seeing the module.c file. I was using the link to the Makefile from the wiki page and missed that the files were in the github repo. I downloaded both files. I had to change line 231 from `struct module_sections module_sect_attrs;` to `struct module_sect_attrs module_sect_attrs;` for the file to compile successfully. My kernel version is "Linux version 2.6.24-16-server (buildd@palmer) (gcc version 4.2.3 (Ubuntu 4.2.3-2ubuntu7)", which is Ubuntu 8.04. I was following the steps until I got to step 4, where it says that I need an ISF file from a kernel that is as close as possible to the one I am using. I think this is the show stopper for me. It will be hard to find a kernel compiled with the debug symbols that is that old. The closest one that I can find would be Ubuntu 12.04, which is 4 years newer. Do you think it would work? Thanks for your advice.

AkechiShiro commented 2 years ago

Hi @ilch1, for some reason the dwarf2json binary compiled from this repo's git source no longer has the --linux-banner flag; it is treated as an unknown flag. As such, this information should either be deprecated, or a commit may have broken some flags of dwarf2json.

Let me know also if I should open an issue about this, I've been very confused.

AkechiShiro commented 2 years ago

I found out why: the code lived inside the linux-module-method branch and not the master one. I wish you had specified this information, as I believe it's crucial; maybe next time I'll pay extra attention to the URL being shared.