volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0

Unable to analyze ARMv7 Linux memory dump with Volatility 2.6.1 #846

Closed Blue0fSky closed 1 year ago

Blue0fSky commented 1 year ago

I am trying to analyze a memory dump from an ARMv7 Linux system using Volatility 2.6.1. The system runs on kernel version 5.15.0.

I have also used qemu monitor to obtain the memory dump with the commands pmemsave or dump-guest-memory, which generated a 32-bit LSB core file, ARM, version 1 (SYSV), SVR4-style.

Since I don't have the /lib/modules/version/build directory on the machine, I have used the kernel source code to generate the module.dwarf file in the /volatility/tools/linux directory with the following commands:

make -C /path/to/kernel/source CONFIG_DEBUG_INFO=y M="$PWD" modules
dwarfdump -di module.ko >module.dwarf

I have also cross-compiled the kernel for ARM architecture in order to have the System.map file.

However, when I run Volatility to analyze the memory dump, I get the following error message:

$ python vol.py -d -f mem.img --profile=Linuxbusybox_armARM linux_pstree
No suitable address space mapping found
Tried to open image as:
....
IA32PagedMemoryPae - EXCEPTION: 'state'
IA32PagedMemory - EXCEPTION: 'state'
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace - EXCEPTION: 'state'

I have tested Volatility 3, but it doesn't support ARM architecture. I have verified that the kernel debug information is compiled with the same version of the kernel running on the embedded system.

It seems that the issue is specific to the ARM architecture.

Can anyone provide any suggestions on how to resolve this issue and analyze the memory dump successfully with Volatility 2.6.1 on an ARMv7 Linux system?

Thank you.
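A small diagnostic, added here and not part of Volatility or of the reporter's setup, that checks the two inputs a Volatility 2 Linux run depends on before the address-space probing in the error above ever starts: the ELF core dump itself (is it really a little-endian ELF32 ET_CORE for ARM, and do its PT_LOAD segments fit inside the file, i.e. was the dump not truncated) and the profile zip (Volatility 2 loads a Linux profile as a zip containing module.dwarf, as produced by dwarfdump, plus a System.map). The sample core and sample profile zip are constructed inline with made-up addresses and symbols; file names and the 5.15.0 suffix follow the issue text. It does not claim to explain the 'state' exception, only to rule out the packaging mistakes that usually precede "No suitable address space mapping found".

```python
"""Check an ELF core dump and a Volatility 2 Linux profile zip for the
usual packaging mistakes. Added diagnostic, not Volatility code."""
import io
import struct
import zipfile

ELF_MAGIC = b"\x7fELF"
ET_CORE = 4
EM_NAMES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}
PT_NAMES = {1: "PT_LOAD", 4: "PT_NOTE"}


def inspect_elf_core(data):
    """Parse the ELF header and program headers of a core-format dump.

    Returns a dict with the machine name, the segment list, the total
    PT_LOAD bytes present in the file and a list of truncated segments.
    Raises ValueError when the file is not a little-endian ELF32 core,
    which is what a 32-bit ARMv7 guest dumped by qemu should produce.
    """
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file (bad magic)")
    ei_class, ei_data = data[4], data[5]
    if ei_class != 1 or ei_data != 1:
        raise ValueError("expected ELFCLASS32 little-endian, got class=%d data=%d"
                         % (ei_class, ei_data))
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum (section-header fields are not needed)
    (e_type, e_machine, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum) = struct.unpack_from("<HHIIIIIHHH", data, 16)
    if e_type != ET_CORE:
        raise ValueError("ELF type %d is not ET_CORE" % e_type)
    segments, truncated = [], []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type, p_offset, p_vaddr, p_paddr, p_filesz,
         p_memsz, _pflags, _palign) = struct.unpack_from("<8I", data, off)
        seg = {"type": PT_NAMES.get(p_type, hex(p_type)), "offset": p_offset,
               "vaddr": p_vaddr, "paddr": p_paddr, "filesz": p_filesz, "memsz": p_memsz}
        segments.append(seg)
        # a dump cut short by the hypervisor shows up as a segment past EOF
        if p_offset + p_filesz > len(data):
            truncated.append(seg)
    load_bytes = sum(s["filesz"] for s in segments if s["type"] == "PT_LOAD")
    return {"machine": EM_NAMES.get(e_machine, hex(e_machine)),
            "segments": segments, "load_bytes": load_bytes, "truncated": truncated}


def check_profile_zip(zip_bytes):
    """Return a list of problems with a Volatility 2 Linux profile zip.

    The zip must hold module.dwarf (dwarfdump text, so DW_TAG_ entries)
    and a System.map whose lines are 'address type symbol'.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = {n.rsplit("/", 1)[-1]: n for n in zf.namelist()}
        if "module.dwarf" not in names:
            problems.append("module.dwarf missing")
        elif b"DW_TAG_" not in zf.read(names["module.dwarf"]):
            problems.append("module.dwarf has no DW_TAG_ entries (expected dwarfdump -di output)")
        sysmap = next((n for base, n in names.items() if base.startswith("System.map")), None)
        if sysmap is None:
            problems.append("System.map missing")
        else:
            lines = zf.read(sysmap).decode("ascii", "replace").splitlines()
            bad = [ln for ln in lines if ln.strip() and len(ln.split()) != 3]
            if not lines:
                problems.append("System.map is empty")
            if bad:
                problems.append("System.map has %d malformed lines" % len(bad))
    return problems


def build_sample_core():
    """Constructed ELF32 LE ARM ET_CORE: one PT_NOTE and one PT_LOAD segment."""
    phdrs = [
        (4, 0x74, 0, 0, 0x100, 0x100, 0, 1),                              # PT_NOTE
        (1, 0x1000, 0xC0000000, 0x10000000, 0x2000, 0x2000, 7, 0x1000),  # PT_LOAD
    ]
    ehdr = struct.pack("<4sBBBB8sHHIIIIIHHHHHH", ELF_MAGIC, 1, 1, 1, 0, b"\0" * 8,
                       ET_CORE, 40, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<8I", *p) for p in phdrs)
    data = ehdr + body
    return data + b"\0" * (0x3000 - len(data))  # pad so PT_LOAD fits in the file


def build_sample_profile(include_sysmap=True):
    """Constructed profile zip; the DWARF line and symbol addresses are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("module.dwarf", "<1><0x0b> DW_TAG_compile_unit\n  DW_AT_name module.c\n")
        if include_sysmap:
            zf.writestr("System.map-5.15.0", "c0008000 T stext\nc0100000 T start_kernel\n")
    return buf.getvalue()


if __name__ == "__main__":
    info = inspect_elf_core(build_sample_core())
    print("machine=%s load_bytes=%#x truncated=%d"
          % (info["machine"], info["load_bytes"], len(info["truncated"])))
    print("profile problems:", check_profile_zip(build_sample_profile()) or "none")
```

On a real case, replace the two build_* calls with open("mem.img", "rb").read() and the bytes of the profile zip; a machine other than ARM, a non-empty truncated list or any profile problem is worth fixing before looking further at the address-space layer.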