volatilityfoundation / dwarf2json

convert ELF/DWARF symbol and type information into vol3's intermediate JSON

Process Killed and empty output file #38

Closed TaihouKai closed 2 years ago

TaihouKai commented 2 years ago

I am trying to make an isf json file using this command:

./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-5.4.0-1070-azure --system-map /boot/System.map-5.4.0-1070-azure > ubuntu18.04.6.json

... and the process always ends with "Killed" and the output file is empty.

I tried

./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-5.4.0-1070-azure --system-map /boot/System.map-5.4.0-1070-azure | xz -c > ubuntu18.04.6.json.xz

as well, and it did not fail, but the output .json.xz file was flagged with "invalid isf file" when I checked it with isfinfo.IsfInfo of Volatility3.

Is there anything wrong with my command?

drkmrin78 commented 2 years ago

I was running into the same issue, which was running out of memory with no error message.

For reference I was using vmlinux-5.4.0-105-generic from kernel-image-5.4.0-105-dbgsym. wiki.ubuntu

4GB Ubuntu VM failed with (dmesg):

[  148.333415] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/user.slice/user-1000.slice/session-1.scope,task=dwarf2json,pid=1063,uid=1000
[  148.333429] Out of memory: Killed process 1063 (dwarf2json) total-vm:4740112kB, anon-rss:3763916kB, file-rss:0kB, shmem-rss:0kB, UID:1000 pgtables:7488kB oom_score_adj:0
[  148.563516] oom_reaper: reaped process 1063 (dwarf2json), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB

Worked on an 8GB VM, though.
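Added example (not part of the thread or of dwarf2json): a small parser that confirms from kernel log text that a bare "Killed" was the OOM killer and reports how much memory the process held. It assumes the "Out of memory: Killed process" line format shown in the dmesg lines quoted above, which are embedded as the sample input; the function names are hypothetical.

```python
import re

# Kernel log lines quoted in the comment above (4GB VM run).
SAMPLE_DMESG = """\
[  148.333415] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/user.slice/user-1000.slice/session-1.scope,task=dwarf2json,pid=1063,uid=1000
[  148.333429] Out of memory: Killed process 1063 (dwarf2json) total-vm:4740112kB, anon-rss:3763916kB, file-rss:0kB, shmem-rss:0kB, UID:1000 pgtables:7488kB oom_score_adj:0
[  148.563516] oom_reaper: reaped process 1063 (dwarf2json), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
"""

# Assumed format: "[ ts] Out of memory: Killed process PID (COMM) key:NNNkB, ..."
KILL_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+Out of memory: Killed process (?P<pid>\d+) "
    r"\((?P<comm>[^)]*)\)\s+(?P<rest>.*)$"
)
# Only fields carrying a kB suffix are sizes; UID and oom_score_adj are skipped.
FIELD_RE = re.compile(r"([\w-]+):(\d+)kB")


def find_oom_kills(log_text, comm=None):
    """Return one dict per OOM kill, optionally filtered by process name."""
    kills = []
    for line in log_text.splitlines():
        m = KILL_RE.match(line)
        if not m or (comm is not None and m["comm"] != comm):
            continue
        sizes = {k: int(v) for k, v in FIELD_RE.findall(m["rest"])}
        kills.append({
            "time": float(m["ts"]),
            "pid": int(m["pid"]),
            "comm": m["comm"],
            "total_vm_kb": sizes.get("total-vm"),
            "anon_rss_kb": sizes.get("anon-rss"),
        })
    return kills


def summarize(kill):
    """One-line summary with resident anonymous memory converted to GiB."""
    gib = kill["anon_rss_kb"] / (1024 * 1024)
    return (f'{kill["comm"]} (pid {kill["pid"]}) was OOM-killed '
            f'holding {gib:.2f} GiB of anonymous memory')


if __name__ == "__main__":
    for k in find_oom_kills(SAMPLE_DMESG, comm="dwarf2json"):
        print(summarize(k))
```

On a live system the same functions can be fed the output of `dmesg` instead of the embedded sample.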

TaihouKai commented 2 years ago

You're right. It seems like for large DWARF, 8 GB is the minimum requirement.

Note: processing large DWARF files requires a minimum of 8GB RAM.

ilch1 commented 2 years ago

I'm going to close this issue, as it looks like you were able to generate the desired ISF file. Please reopen if you have further questions.

Abyss-W4tcher commented 1 year ago

Hello, for anyone having trouble running this tool on a machine without 8GB of RAM, just set up a swap partition (4GB did the trick): https://www.digitalocean.com/community/tutorials/how-to-add-swap-space-on-ubuntu-20-04