volatilityfoundation / profiles

Volatility profiles for Linux and Mac OS X

Volatility fails with traceback on Linux (possible profile issue) #82

Open MureDanta opened 4 years ago

MureDanta commented 4 years ago

In order to eliminate some of the unknowns (see the previous issue), I built a LiME module and a volatility profile on an up-to-date laptop installation of Fedora 32 that does have /lib/modules/$(uname -r)/build available. Both built without error; however, when I try to run volatility on the image and use Linux commands like linux_pslist, or even linux_cpuinfo, I get this traceback:

Volatility Foundation Volatility Framework 2.6
(_a bunch of messages about failing to load things that depend on Crypto.Hash or distorm3_)
Traceback (most recent call last):
  File "/home/volatility/volatility-master/vol.py", line 192, in <module>
    main()
  File "/home/volatility/volatility-master/vol.py", line 183, in main
    command.execute()
  File "/home/volatility/volatility-master/volatility/plugins/linux/common.py", line 64, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/volatility/volatility-master/volatility/commands.py", line 116, in execute
    if not self.is_valid_profile(profs[self._config.PROFILE]()):
  File "/home/volatility/volatility-master/volatility/plugins/overlays/linux/linux.py", line 216, in __init__
    obj.Profile.__init__(self, *args, **kwargs)
  File "/home/volatility/volatility-master/volatility/obj.py", line 862, in __init__
    self.reset()
  File "/home/volatility/volatility-master/volatility/plugins/overlays/linux/linux.py", line 227, in reset
    self.load_vtypes()
  File "/home/volatility/volatility-master/volatility/plugins/overlays/linux/linux.py", line 264, in load_vtypes
    vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
  File "/home/volatility/volatility-master/volatility/dwarf.py", line 71, in __init__
    self.feed_line(line)
  File "/home/volatility/volatility-master/volatility/dwarf.py", line 162, in feed_line
    self.process_statement(**parsed) #pylint: disable-msg=W0142
  File "/home/volatility/volatility-master/volatility/dwarf.py", line 204, in process_statement
    self.vtypes[name] = [ int(data['DW_AT_byte_size'], self.base), {} ]
KeyError: 'DW_AT_byte_size'

Notable is that I do not get the WARNING messages about unknown structure definitions that were seen in the previous issue, so this is at least a step forward. But I'm stuck here, apparently because the size of a DW is not defined? I'm using Volatility 2.6, Python 2.7.18, and both the subject system and the analysis system are running Fedora 32. In case it matters, the subject system is running kernel 5.7.15-200.fc32.x86_64 and the analysis system is one step behind with 5.7.14-200.fc32.x86_64. It's the fact that it seems to be missing a definition for a fundamental system attribute that makes me wonder if this is a profile issue.

The steps to create the profile were:

1. Copy the volatility-master tree to the subject system
2. `cd volatility-master/tools/linux`
3. `make -C /lib/modules/$(uname -r)/build CONFIG_DEBUG_INFO=y M="$PWD" modules`
4. `dwarfdump -di module.ko >module.dwarf`
5. Then package up module.dwarf and /boot/System.map-$(uname -r) into a zip archive
6. Copy the zip archive to volatility-master/volatility/plugins/overlays/linux/

My volatility command was just:

volatility --profile=Linuxtest-5_7_15-200_fc32_x86_64x64 -f test.lime linux_cpuinfo

So... any hints about what I could try to fix this? I figure if I can get this working it may help with the other issue, or in any case, one step at a time. Thanks!

vincentroberge commented 2 years ago

I get a similar error with an Ubuntu 22.04 image and I would like to solve the problem. Any help would be appreciated.

$ vol.py -f alice.vmem --profile=Linuxubuntu-22.04-desktop-amd64_5.15.0-33-genericx64 linux_pslist
Volatility Foundation Volatility Framework 2.6.1
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 192, in <module>
    main()
  File "/usr/local/bin/vol.py", line 183, in main
    command.execute()
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/linux/common.py", line 67, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/volatility/commands.py", line 116, in execute
    if not self.is_valid_profile(profs[self._config.PROFILE]()):
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/linux.py", line 218, in __init__
    obj.Profile.__init__(self, *args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/volatility/obj.py", line 862, in __init__
    self.reset()
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/linux.py", line 232, in reset
    self.load_vtypes()
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/linux.py", line 269, in load_vtypes
    vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
  File "/usr/local/lib/python2.7/dist-packages/volatility/dwarf.py", line 72, in __init__
    self.feed_line(line)
  File "/usr/local/lib/python2.7/dist-packages/volatility/dwarf.py", line 163, in feed_line
    self.process_statement(**parsed) #pylint: disable-msg=W0142
  File "/usr/local/lib/python2.7/dist-packages/volatility/dwarf.py", line 267, in process_statement
    d = data['DW_AT_data_member_location']
KeyError: 'DW_AT_data_member_location'

field-one commented 2 years ago

I'm getting a similar error. I'm on a Kali Linux VM and I can't work out this problem:

┌──(kali㉿kali)-[~/Downloads/volatility2]
└─$ uname -a                                                                           
Linux kali 5.18.0-kali5-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.18.5-1kali6 (2022-07-07) x86_64 GNU/Linux

┌──(kali㉿kali)-[~/Downloads/volatility2]
└─$ python2 vol.py -f memory.raw --profile=Linuxkali_5_18_0-kali5-amd64x64 linux_pslist
Volatility Foundation Volatility Framework 2.6.1
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
    main()
  File "vol.py", line 183, in main
    command.execute()
  File "/home/kali/Downloads/volatility2/volatility/plugins/linux/common.py", line 67, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/kali/Downloads/volatility2/volatility/commands.py", line 116, in execute
    if not self.is_valid_profile(profs[self._config.PROFILE]()):
  File "/home/kali/Downloads/volatility2/volatility/plugins/overlays/linux/linux.py", line 218, in __init__
    obj.Profile.__init__(self, *args, **kwargs)
  File "/home/kali/Downloads/volatility2/volatility/obj.py", line 862, in __init__
    self.reset()
  File "/home/kali/Downloads/volatility2/volatility/plugins/overlays/linux/linux.py", line 232, in reset
    self.load_vtypes()
  File "/home/kali/Downloads/volatility2/volatility/plugins/overlays/linux/linux.py", line 269, in load_vtypes
    vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
  File "/home/kali/Downloads/volatility2/volatility/dwarf.py", line 72, in __init__
    self.feed_line(line)
  File "/home/kali/Downloads/volatility2/volatility/dwarf.py", line 163, in feed_line
    self.process_statement(**parsed) #pylint: disable-msg=W0142
  File "/home/kali/Downloads/volatility2/volatility/dwarf.py", line 267, in process_statement
    d = data['DW_AT_data_member_location']
KeyError: 'DW_AT_data_member_location'
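All three tracebacks in this thread die inside Volatility 2's `dwarf.py` while it indexes `module.dwarf` by attribute name: the first on a structure type with no `DW_AT_byte_size`, the other two on a structure member with no `DW_AT_data_member_location`. The following pre-flight checker is an added example (not code from Volatility or from this repository): it parses text in the style of `dwarfdump -di module.ko` and lists every DIE that would hit one of those two lookups, so the offending entries can be found before the profile is zipped. The line format assumed here (the `<level><0xoffset> DW_TAG_...` header and indented `DW_AT_...` lines), the treatment of union types, and the embedded sample excerpt are my assumptions, not taken from the thread; the sample's offsets and sizes are constructed, and the script runs under Python 3 rather than the Python 2.7 Volatility 2 needs.

```python
"""Pre-flight check for a Volatility 2 Linux profile's module.dwarf.

Added diagnostic, not part of Volatility or the profiles repository.
It reports DIEs lacking the two attributes that the KeyErrors in this
thread show dwarf.py reading unconditionally. Usage:

    python3 check_dwarf.py module.dwarf      # or no argument for the sample
"""
import re
import sys
from collections import namedtuple

DIE = namedtuple("DIE", "level offset tag attrs parent")
Finding = namedtuple("Finding", "offset tag name missing hint")

# Assumed dwarfdump -di layout: "<depth><0xoffset>   DW_TAG_xxx" opens a DIE,
# and the indented "DW_AT_xxx   value" lines that follow belong to it.
HEADER_RE = re.compile(r"^<(\d+)><(0x[0-9a-fA-F]+)>\s+(DW_TAG_\w+)")
ATTR_RE = re.compile(r"^\s+(DW_AT_\w+)\s*(.*)$")

# Tags whose byte size dwarf.py indexes directly (union handling is my assumption).
SIZED_TAGS = ("DW_TAG_structure_type", "DW_TAG_union_type")

# Constructed excerpt in dwarfdump -di style; offsets, sizes and names are made up
# to exercise both failure modes seen in the thread.
SAMPLE_DWARF = """\
<1><0x0000002d>    DW_TAG_structure_type
                     DW_AT_name                  task_struct
                     DW_AT_byte_size             0x00002300
<2><0x00000038>      DW_TAG_member
                       DW_AT_name                  pid
                       DW_AT_type                  <0x00000101>
                       DW_AT_data_member_location  DW_OP_plus_uconst 1192
<2><0x00000044>      DW_TAG_member
                       DW_AT_name                  in_execve
                       DW_AT_type                  <0x00000102>
                       DW_AT_bit_size              0x00000001
                       DW_AT_data_bit_offset       0x00002a40
<1><0x00000060>    DW_TAG_structure_type
                     DW_AT_name                  mm_struct
                     DW_AT_declaration           yes(1)
<1><0x00000070>    DW_TAG_base_type
                     DW_AT_name                  int
                     DW_AT_byte_size             0x00000004
"""


def parse_dwarfdump(text):
    """Turn dwarfdump text into a flat list of DIEs with parent indices."""
    dies = []
    stack = []  # stack[level] == index of the DIE currently open at that depth
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            level, offset, tag = int(m.group(1)), m.group(2), m.group(3)
            del stack[level:]  # close DIEs at this depth or deeper
            parent = stack[level - 1] if level > 0 and len(stack) >= level else None
            stack.extend([None] * (level - len(stack)))  # pad absent shallower levels
            dies.append(DIE(level, offset, tag, {}, parent))
            stack.append(len(dies) - 1)
            continue
        m = ATTR_RE.match(line)
        if m and dies:
            dies[-1].attrs[m.group(1)] = m.group(2).strip()
    return dies


def check_profile(dies):
    """List DIEs that would raise the KeyErrors seen in this thread."""
    findings = []
    for die in dies:
        name = die.attrs.get("DW_AT_name", "<anonymous>")
        if die.tag in SIZED_TAGS and "DW_AT_byte_size" not in die.attrs:
            # A forward declaration legitimately carries no size in DWARF.
            hint = ("forward declaration (DW_AT_declaration), sized elsewhere"
                    if "DW_AT_declaration" in die.attrs else "no size recorded")
            findings.append(Finding(die.offset, die.tag, name, "DW_AT_byte_size", hint))
        elif (die.tag == "DW_TAG_member" and die.parent is not None
              and dies[die.parent].tag == "DW_TAG_structure_type"
              and "DW_AT_data_member_location" not in die.attrs):
            # DWARF 4+ may place bitfields with DW_AT_data_bit_offset instead.
            hint = ("bitfield placed with DW_AT_data_bit_offset"
                    if "DW_AT_data_bit_offset" in die.attrs else "no offset recorded")
            findings.append(Finding(die.offset, die.tag, name,
                                    "DW_AT_data_member_location", hint))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DWARF
    for f in check_profile(parse_dwarfdump(text)):
        print("%s %-22s %-20s missing %-27s %s" % (f.offset, f.tag, f.name, f.missing, f.hint))
```

On the sample the checker flags the `in_execve` bitfield (placed by `DW_AT_data_bit_offset`, so no `DW_AT_data_member_location`) and the `mm_struct` forward declaration (no `DW_AT_byte_size`); a clean `module.dwarf` should produce no output. Comparing the flagged offsets against `dwarfdump -di module.ko` shows whether the toolchain emitted attributes the parser does not expect, which is the question all three reports leave open.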