Underflow when processing module.ko file generated from an Android kernel (goldfish)

[Alexander1609]

Hey, im having trouble generating the ISF from an Android kernel:

• Goldfish 3.18
• Arch: x86_64
• dwarf2json: linux-module-method branch

I've tried 2 different ways (linux_build_module & vol2/tools/linux folders) to retrieve the module.ko from this kernel. But when trying to generate the ISF using dwarf2json im always getting the following error:

dwarf2json linux --elf linux_build_module/module.ko 
Failed linux processing: error processing DWARF: decoding dwarf section str at offset 0x0: underflow

The Makefile im using to retrieve the module.ko looks as follows:

obj-m += module.o
KDIR := ~/goldfish/
CCPATH := ~/x86_64-linux-android-4.8/bin/

-include version.mk

all: dwarf 

dwarf: module.c
    $(MAKE) ARCH=x86_64 CROSS_COMPILE=$(CCPATH)/x86_64-linux-android- -C $(KDIR) CONFIG_DEBUG_INFO=y M="$(PWD)" modules

Am I doing something wrong here or is this a problem with dwarf2json? Any help would be greatly appreciated!

[Alexander1609]

I solved this error using the patch mentioned at https://github.com/volatilityfoundation/dwarf2json/pull/12#issuecomment-998926419.

Unfortunately the resulting ISF didnt work with Volatility 3 but in the end i managed to get it working with the following steps:

1. Build the kernel with CONFIG_DEBUG_INFO=y
2. Create the ISF on the goldfish/vmlinux
3. Start the Android VD with the newly compiled kernel
4. Dump the memory using LiME