Open S1ddh1 opened 4 years ago
I think that PyCrypto is not installed in your environment. You can verify it by opening python 2.x in the shell and importing pycrypto. If it does not import successfully then it's missing and you have to install it. A successful import will look something like this:
E:\volatilityPy>python2
Python 2.7.13 (v2.7.13:a06454b1afa1, Dec 17 2016, 20:42:59) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import Crypto
>>>
To check for volatility dependencies, visit here
Thanks for the reply. PyCrypto is not installed, but the FAQ states that
If you are not using lsadump, hashdump or any other registry plugin that uses PyCrypto, then you can safely ignore the error message. Otherwise, install PyCrypto and the message will disappear.
Do you think I need to install it in order to get the address space recognized?
From line #4 of the errors, I can infer that distorm3 is also not installed in your environment. Try running your plugin after installing distorm3. Hopefully it will resolve your issue.
Thanks for your advice. I've installed distorm3 and pycrypto but the error persists:
python2 vol.py --profile=LinuxGoldfish-3_4ARM -f ~/ram.dd -d -d -d linux_pslist
Volatility Foundation Volatility Framework 2.6.1
DEBUG : volatility.debug : Goldfish-3.4: Found dwarf file System.map with 460 symbols
DEBUG : volatility.debug : Goldfish-3.4: Found system file System.map with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
DEBUG : volatility.debug : Goldfish-3.4: Found dwarf file System.map with 460 symbols
DEBUG : volatility.debug : Goldfish-3.4: Found system file System.map with 1 symbols
DEBUG : volatility.debug : Applying modification from BashHashTypes
DEBUG : volatility.debug : Applying modification from BashTypes
DEBUG : volatility.debug : Applying modification from BasicObjectClasses
DEBUG : volatility.debug : Applying modification from ELF32Modification
DEBUG : volatility.debug : Applying modification from ELF64Modification
DEBUG : volatility.debug : Applying modification from ELFModification
DEBUG : volatility.debug : Applying modification from HPAKVTypes
DEBUG : volatility.debug : Applying modification from LimeTypes
DEBUG : volatility.debug : Applying modification from LinuxIDTTypes
DEBUG : volatility.debug : Applying modification from LinuxTruecryptModification
DEBUG : volatility.debug : Applying modification from MachoModification
DEBUG : volatility.debug : Applying modification from MachoTypes
DEBUG : volatility.debug : Applying modification from MbrObjectTypes
DEBUG : volatility.debug : Applying modification from VMwareVTypesModification
DEBUG : volatility.debug : Applying modification from VirtualBoxModification
DEBUG : volatility.debug : Applying modification from LinuxGate64Overlay
DEBUG : volatility.debug : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.debug : Applying modification from LinuxMountOverlay
DEBUG : volatility.debug : Applying modification from LinuxObjectClasses
DEBUG : volatility.debug : Applying modification from LinuxOverlay
Offset Name Pid PPid Uid Gid DTB Start Time
---------- -------------------- --------------- --------------- --------------- ------ ---------- ----------
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating MachOAddressSpace: mac: need base
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating LimeAddressSpace: lime: need base
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64BitMap: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareMetaAddressSpace: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating HPAKAddressSpace: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.debug : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.debug : Failed instantiating QemuCoreDumpElf: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareAddressSpace: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating SkipDuplicatesAMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating WindowsAMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating LinuxAMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating AMD64PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemoryPae: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemory: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.debug : Failed instantiating OSXPmemELF: No base Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7f6c614fcb50>
<class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.debug : None object instantiated: Invalid Address 0x7D000020, instantiating lime_header
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7f6c614fcb10>
<class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareMetaAddressSpace: VMware metadata file is not available
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.debug : Failed instantiating VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.debug : Failed instantiating QemuCoreDumpElf: ELF Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating VMWareAddressSpace: Invalid VMware signature: 0x115001
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.debug : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating SkipDuplicatesAMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating WindowsAMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating LinuxAMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.debug : Failed instantiating AMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.debug : None object instantiated: Unable to read base AS at 0xffffffe0
DEBUG1 : volatility.debug : None object instantiated: Unable to read base AS at 0xffffffe0
DEBUG1 : volatility.debug : None object instantiated: Unable to read base AS at 0xffffffe0
DEBUG1 : volatility.debug : None object instantiated: Unable to read base AS at 0xfffffff8L
DEBUG1 : volatility.debug : None object instantiated: No suggestions available
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemoryPae: Failed valid Address Space check
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.debug : None object instantiated: Unable to read_long_phys at -0x1
DEBUG1 : volatility.debug : None object instantiated: Unable to read_long_phys at -0x1
DEBUG1 : volatility.debug : None object instantiated: Unable to read_long_phys at -0x1
DEBUG1 : volatility.debug : None object instantiated: No suggestions available
DEBUG1 : volatility.debug : Failed instantiating IA32PagedMemory: Failed valid Address Space check
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.debug : Failed instantiating OSXPmemELF: ELF Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1L
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1L
DEBUG1 : volatility.debug : None object instantiated: No suggestions available
DEBUG1 : volatility.debug : Failed instantiating ArmAddressSpace: Failed valid Address Space check
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
VMWareMetaAddressSpace: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
QemuCoreDumpElf: No base Address Space
VMWareAddressSpace: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
VMWareMetaAddressSpace: VMware metadata file is not available
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF Header signature invalid
QemuCoreDumpElf: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0x115001
WindowsCrashDumpSpace32: Header signature invalid
SkipDuplicatesAMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
WindowsAMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
LinuxAMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
AMD64PagedMemory: Incompatible profile LinuxGoldfish-3_4ARM selected
IA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemory: Failed valid Address Space check
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
One thing I am unable to understand is why you have passed the -d flag three times in your command? I haven't seen this type of command before. You can also try the standalone executable of volatility to ensure that there is no issue of dependency. Best of luck 👍
The three -d flags allow printing the DEBUG1 information. It's the super-verbose mode.
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1L
DEBUG1 : volatility.debug : None object instantiated: Could not read_long_phys at offset -0x1L
DEBUG1 : volatility.debug : None object instantiated: No suggestions available
You don't have this with just the -v or -d flags.
I tried the standalone executable, same problem... Thanks for your help!
Hello,
I tried to debug the code. Perhaps I can help by giving the information I gathered.
First, we can see from the log that several address spaces try to identify the dump.
It's done in the util.py:load_as:l41 function. The function is responsible for printing the error or success message.
44 for cls in sorted(registry.get_plugin_classes(addrspace.BaseAddressSpace).values(),
45 key = lambda x: x.order if hasattr(x, 'order') else 10):
46 debug.debug("Trying {0} ".format(cls))
47 try:
48 base_as = cls(base_as, config, astype = astype, **kwargs)
49 -> debug.debug("Succeeded instantiating {0}".format(base_as))
The first address space used is the standard one from standard.py. Here a handle to the ram.dd file is obtained.
Next the lime address space is recognized. At this point, the beginning of the file is read and the signature of the lime dump is verified:
53 sig = base.read(0, 4)
54
55 ## ARM processors are bi-endian, but little is the default and currently
56 ## the only mode we support; unless it comes a common request.
57 -> if sig == '\x4c\x69\x4d\x45':
58 debug.debug("Big-endian ARM not supported, please submit a feature request")
59
60 self.as_assert(sig == '\x45\x4D\x69\x4c', "Invalid Lime header signature")
61
62 self.addr_cache = {}
(Pdb) sig.encode("hex")
'454d694c'
(Pdb) sig.encode("ascii")
'EMiL'
Then the parse_lime() function is called, which reads the lime dump to search for the header (signature 4c694d45). My guess is that lime uses several segments to store the data and each segment is identified by a header. In volatility, the segments are stored in a tuple with the beginning, the end, and the size. Then the tuples are stored in the LimeAddressSpace.runs list. The size of the header structure is 32 (0x20).
(Pdb) self
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7f57902e7250>
(Pdb) self.runs
[]
(Pdb) type(self.runs)
<type 'list'>
(Pdb) seg
(0, 32, 2097152000L)
Here, we have only one big segment with one header. It's good because the size of the file is 2097152032 (2097152000 + 32).
Now the file pointer in ram.dd points to offset 16:
(Pdb) self.base.fhandle.tell()
16
(Pdb) self.base.fhandle.read(4)
'\xff\xff\xff|'
Perhaps we should place the base address after the header at offset 0x20?
me@me:~/Documents/Android/androidKernel/android_module$ hexdump -C ~/ram.dd -n 40
00000000 45 4d 69 4c 01 00 00 00 00 00 00 00 00 00 00 00 |EMiL............|
00000010 ff ff ff 7c 00 00 00 00 00 00 00 00 00 00 00 00 |...|............|
00000020 01 50 11 00 02 50 11 00
After identifying the lime address space, the voting round is restarted from the beginning, as we can see in the log:
DEBUG : volatility.debug : Voting round
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.debug : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.debug : None object instantiated: Invalid Address 0x7D000020, instantiating lime_header
DEBUG : volatility.debug : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7ff11a25fed0>
<class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.debug : Voting round
We can print the classes used as base address spaces:
(Pdb) sorted(registry.get_plugin_classes(addrspace.BaseAddressSpace).values())
[<class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>, <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>, <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>, <class 'volatility.plugins.addrspaces.amd64.SkipDuplicatesAMD64PagedMemory'>, <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>, <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>, <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>, <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>, <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>, <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>, <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>, <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>, <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>, <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>, <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>, <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>, <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>, <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>, <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>, <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>]
Next, my guess is that the arm address space (addrspaces.arm.ArmAddressSpace) should be used.
There are 2 FIXMEs in the code of arm.py:
$ grep -ni "FIXME" arm.py -A 3 -B 3
52-
53- def page_table_present(self, entry):
54- if entry:
55: return True # TODO FIXME
56- return False
57-
58- # Page Directory Index (1st Level Index)
--
159-
160- return pte_value
161-
162: # FIXME
163- # this is supposed to return all valid physical addresses based on the current dtb
164- # this (may?) be painful to write due to ARM's different page table types and having small & large pages inside of those
165- def get_available_pages(self):
With each iteration in the while loop in util.py:load_as:l41, the function increases the file pointer of ram.dd.
(Pdb) base_as.base.fhandle.tell()
36
We step through the debug session until the arm address space and arrive in paged.py:
DEBUG : volatility.debug : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
> /home/me/Documents/Android/androidKernel/android_module/android-volatility/volatility/utils.py(47)load_as()
-> try:
(Pdb)
> /home/me/Documents/Android/androidKernel/android_module/android-volatility/volatility/utils.py(48)load_as()
-> base_as = cls(base_as, config, astype = astype, **kwargs)
(Pdb) base_as
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7f552304e8d0>
(Pdb) s
--Call--
> /home/me/Documents/Android/androidKernel/android_module/android-volatility/volatility/plugins/addrspaces/paged.py(31)__init__()
-> def __init__(self, base, config, dtb = 0, skip_as_check = False, *args, **kwargs):
(Pdb) l
26
27 Note: Pages can be of any size
28 """
29 checkname = "Intel"
30
31 -> def __init__(self, base, config, dtb = 0, skip_as_check = False, *args, **kwargs):
32 ## We must be stacked on someone else:
33 self.as_assert(base, "No base Address Space")
34
35 addrspace.AbstractVirtualAddressSpace.__init__(self, base, config, *args, **kwargs)
36
At this point, the pointer in the ram.dd file is at offset 38, which doesn't make any sense:
(Pdb) base.base.fhandle.tell()
38
$ hexdump -C -s 38 ~/ram.dd -n 40
00000026 11 00 03 50 11 00 04 50 11 00 05 50 11 00 06 50 |...P...P...P...P|
00000036 11 00 07 50 11 00 08 50 11 00 09 50 11 00 0a 50 |...P...P...P...P|
00000046 11 00 0b 50 11 00 0c 50 |...P...P|
0000004e
So back in paged.py, load_dtb() is called:
def load_dtb(self):
"""Loads the DTB as quickly as possible from the config, then the base, then searching for it"""
try:
# If the user has manually specified one, then shortcircuit to that one
if self._config.DTB:
raise AttributeError
## Try to be lazy and see if someone else found dtb for
## us:
return self.base.dtb
except AttributeError:
## Ok so we need to find our dtb ourselves:
dtb = obj.VolMagic(self.base).DTB.v()
if dtb:
## Make sure to save dtb for other AS's
## Will this have an effect on following ASes attempts if this fails?
self.base.dtb = dtb
return dtb
I don't know what a DTB is. A Device Tree Blob perhaps?
The DTB value in the _config object is 0:
(Pdb) self._config.DTB
0
(Pdb) n
> /home/me/Documents/Android/androidKernel/android_module/android-volatility/volatility/plugins/addrspaces/paged.py(43)__init__()
-> self.as_assert(self.dtb != None, "No valid DTB found")
Then the attribute is missing, so we get the error message:
(Pdb) volmag
[VOLATILITY_MAGIC VOLATILITY_MAGIC] @ 0x00000000
(Pdb) self.checkname
'ArmValidAS'
(Pdb) n
> /home/me/Documents/Android/androidKernel/android_module/android-volatility/volatility/plugins/addrspaces/paged.py(48)__init__()
-> self.as_assert(getattr(volmag, self.checkname).v(), "Failed valid Address Space check")
(Pdb) n
ASAssertionError: ASAssert... check',)
> /home/me/Documents/Android/androidKernel/android_module/android-volatility/volatility/plugins/addrspaces/paged.py(48)__init__()
-> self.as_assert(getattr(volmag, self.checkname).v(), "Failed valid Address Space check")
I don't understand this check from volatility/obj.py VolMagic():
if not skip_as_check:
volmag = obj.VolMagic(self)
if hasattr(volmag, self.checkname):
self.as_assert(getattr(volmag, self.checkname).v(), "Failed valid Address Space check")
else:
self.as_assert(False, "Profile does not have valid Address Space check")
(Pdb) self.checkname
'ArmValidAS'
Then volatility exits.
This checkname should come from arm.py, which is called at the start of volatility by the registry.py module:
grep -ni "ArmValidAS" * -A 3 -B 3
arm.py-31- order = 800
arm.py-32- pae = False
arm.py-33- paging_address_space = True
arm.py:34: checkname = 'ArmValidAS'
arm.py-35- minimum_size = 0x1000
arm.py-36- alignment_gcd = 0x1000
arm.py-37- _long_struct = struct.Struct("<I")
Binary file arm.pyc matches
There's a lot going on there, so I'm not able to understand where the problem comes from! For some reason, the lime dump is correctly recognized but the arm address space is not.
Could you please repeat the acquisition process with the following added before running Lime:
1) copy /proc/iomem to a file
2) copy /proc/kallsyms to a file
Then run lime and upload a zip with the sample + the 2 files above. This will help me debug better.
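The header walkthrough in the pdb session above (the 'EMiL' signature, the 32-byte header, the (start, offset, size) tuples in LimeAddressSpace.runs) and the maintainer's request for a copy of /proc/iomem both come down to the same question: which physical ranges did LiME actually write, and do they match the RAM the kernel reports? The following is an added example, written for this thread in Python 3; it is not Volatility's lime.py and not code from anyone in the issue. The 32 header bytes are taken from the hexdump of ram.dd posted above; the two-segment image, the /proc/iomem excerpt and all function names (parse_lime_header, lime_runs, phys_to_file_offset, parse_iomem_system_ram, uncaptured_ram) are constructed for the example and are not from the OP's dump.

```python
import struct

# Layout of one LiME segment header, little-endian, 32 bytes in total:
#   u32 magic, u32 version, u64 start (physical), u64 end (physical, inclusive),
#   8 reserved bytes.  The magic 0x4C694D45 is stored as bytes 45 4D 69 4C,
#   which is why the header shows up as 'EMiL' in hexdump and in pdb.
LIME_HEADER = struct.Struct("<IIQQ8s")
LIME_MAGIC_LE = 0x4C694D45   # little-endian dump (the only mode Volatility 2 supports)
LIME_MAGIC_BE = 0x454D694C   # bytes 4C 69 4D 45 = 'LiME': a big-endian dump

# The 32 header bytes from the hexdump of ram.dd posted in this thread.
PAGE_HEADER = bytes.fromhex(
    "45 4d 69 4c 01 00 00 00 00 00 00 00 00 00 00 00"
    "ff ff ff 7c 00 00 00 00 00 00 00 00 00 00 00 00"
)


def parse_lime_header(data, offset=0):
    """Decode the header at `offset`; return None if there is no valid header there."""
    if len(data) < offset + LIME_HEADER.size:
        return None
    magic, version, start, end, _reserved = LIME_HEADER.unpack_from(data, offset)
    if magic == LIME_MAGIC_BE:
        raise ValueError("big-endian LiME dump: not supported by Volatility 2")
    if magic != LIME_MAGIC_LE:
        return None
    size = end - start + 1  # `end` is inclusive
    return {
        "version": version,
        "start": start,
        "end": end,
        "size": size,
        "data_offset": offset + LIME_HEADER.size,          # first RAM byte of this segment
        "next_header": offset + LIME_HEADER.size + size,   # where the next header must sit
    }


def lime_runs(image):
    """Walk every segment header and return (phys_start, file_offset, size) tuples,
    the same shape as the LimeAddressSpace.runs entries shown in the pdb session."""
    runs, offset = [], 0
    while offset < len(image):
        hdr = parse_lime_header(image, offset)
        if hdr is None:
            break
        runs.append((hdr["start"], hdr["data_offset"], hdr["size"]))
        offset = hdr["next_header"]
    return runs


def phys_to_file_offset(runs, paddr):
    """Translate a physical address into an offset inside the dump file.
    Returns None when the address falls in a gap LiME never captured."""
    for start, file_off, size in runs:
        if start <= paddr < start + size:
            return file_off + (paddr - start)
    return None


def parse_iomem_system_ram(text):
    """Return (start, end) pairs for the 'System RAM' lines of a /proc/iomem copy."""
    ranges = []
    for line in text.splitlines():
        span, sep, name = line.partition(" : ")
        if sep and name.strip() == "System RAM":
            lo, hi = span.strip().split("-")
            ranges.append((int(lo, 16), int(hi, 16)))
    return ranges


def uncaptured_ram(runs, iomem_ranges):
    """System RAM ranges from /proc/iomem that no LiME segment fully covers."""
    covered = [(start, start + size - 1) for start, _, size in runs]
    return [(lo, hi) for lo, hi in iomem_ranges
            if not any(c_lo <= lo and hi <= c_hi for c_lo, c_hi in covered)]


def build_lime_image(segments):
    """Assemble a small LiME dump from (phys_start, payload) pairs (test data only)."""
    out = bytearray()
    for start, payload in segments:
        out += LIME_HEADER.pack(LIME_MAGIC_LE, 1, start, start + len(payload) - 1, b"\0" * 8)
        out += payload
    return bytes(out)


# Constructed two-segment image with a hole between 0x1100 and 0x2FFF (not the OP's dump).
SAMPLE_IMAGE = build_lime_image([(0x1000, b"A" * 256), (0x3000, b"B" * 256)])
# Constructed /proc/iomem excerpt that lists the hole as System RAM.
SAMPLE_IOMEM = (
    "00001000-000010ff : System RAM\n"
    "00002000-000020ff : System RAM\n"
    "  00002000-0000203f : Kernel code\n"
    "00003000-000030ff : System RAM\n"
)

if __name__ == "__main__":
    hdr = parse_lime_header(PAGE_HEADER)
    print("page header: start=%#x end=%#x size=%d next header at %#x"
          % (hdr["start"], hdr["end"], hdr["size"], hdr["next_header"]))
    runs = lime_runs(SAMPLE_IMAGE)
    print("sample runs:", runs)
    print("uncaptured:", uncaptured_ram(runs, parse_iomem_system_ram(SAMPLE_IOMEM)))
```

Run against the 32 header bytes from the thread, parse_lime_header gives start 0x0, end 0x7CFFFFFF, size 0x7D000000 (2097152000) and a next-header offset of 0x7D000020, which is exactly the file size 2097152032 reported above. That is the offset in the "Invalid Address 0x7D000020, instantiating lime_header" debug line: parse_lime reads one header past the last segment, hits end of file, and stops, so that message is the normal end of the segment walk rather than a parse error. Comparing runs against the System RAM lines of /proc/iomem captured on the same boot is the check the maintainer's request makes possible: any range uncaptured_ram returns is memory the ARM address space will never be able to read, whatever profile is selected.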
I am not sure if there has been a fix to this issue? The issue still persists on arm_4_15_0-1065 architecture. Can someone please help/update on recent progress?
Hello,
I'm trying to analyse a dump from an android emulator. I followed the steps described here: https://github.com/volatilityfoundation/volatility/wiki/Android
The goldfish kernel is 3.4 armv7
Lime: https://github.com/504ensicsLabs/LiME
emulator from android sdk 25.1.6
volatility 2.6
I got the following error:
We can see from the debug information that the FileAddressSpace and LimeAddressSpace are correctly found but not the ArmAddressSpace resulting in the final error : No suitable address space mapping found.
The dump made by Lime seems correct, as do the dwarfdump and the System.map.
In volatility 2.4, I have another error : Failed instantiating ArmAddressSpace: Can not stack over another paging address space: None object instantiated: Pointer next invalid
I downloaded samples from here https://www.memoryanalysis.net/amf. There is a linux ARM64 dump there but I've got similar issues with symbols.
Similar issues:
https://github.com/volatilityfoundation/volatility/issues/486
https://github.com/volatilityfoundation/volatility/issues/503
https://github.com/volatilityfoundation/volatility/issues/330
https://github.com/volatilityfoundation/volatility/issues/381
https://github.com/volatilityfoundation/volatility/issues/413
https://github.com/volatilityfoundation/volatility/issues/417
The files and the dump that I used can be downloaded here : https://www.dropbox.com/s/7edntg68eo2eoxp/goldfish_dump_and_files.zip?dl=0
It's a zip file containing:
Thanks