volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0

Profile creation failed (MacOS Monterey 12.6 build 21G115) #832

Open Lowengrube opened 1 year ago

Lowengrube commented 1 year ago

Hey there, so currently I'm facing a problem using Volatility to analyse the RAM dump file from macOS Monterey 12.6 build 21G115. I haven’t successfully created the profile for that OS version:

I successfully created dwarfdump and symbol.dsymutil files:

sudo dwarfdump -arch x86_64 /Library/Developer/KDKs/KDK_12.6_21G115.kdk/System/Library/Kernels/kernel.dSYM > 12.6_x64.dwarfdump
sudo dsymutil -s -arch x86_64 /Library/Developer/KDKs/KDK_12.6_21G115.kdk/System/Library/Kernels/kernel > 126.64bit.symbol.dsymutil

After that I was trying to convert the 12.6_x64.dwarfdump:

python tools/mac/convert.py ./12.6_x64.dwarfdump ./converted-10.12.3_x64.dwarfdump

converting file
State machine broken! level 0! /Library/Developer/KDKs/KDK_12.6_21G115.kdk/System/Library/Kernels/kernel.dSYM/Contents/Resources/DWARF/kernel:  file format Mach-O 64-bit x86-64

Could you please help me?