volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Volatility 3 shows no results on my android Memory dump #1117

Closed yassine955 closed 3 months ago

yassine955 commented 4 months ago

Thank you for taking your time to read this!

I am using an Android emulator to create a memory dump, in order for me to create a profile in Volatility and then analyze the memory dump. Device: Pixel 7, API: 31, Android: 12, ARCH=x86_64

So the first step in the Android emulator is to create a snapshot of the device. Then in the snapshot folder you will see a file called ram.bin. Then I looked at /proc/version, and this is the output:

Linux version 5.10.66-android12-9-00041-gfa9c9074531e-ab7914766 (build-user@build-host) (Android (7284624, based on r416183b) clang version 12.0.5 (https://android.googlesource.com/toolchain/llvm-project c935d99d7cf2016289302412d708641d52d2f7ee), LLD 12.0.5 (/buildbot/src/android/llvm-toolchain/out/llvm-project/lld c935d99d7cf2016289302412d708641d52d2f7ee)) #1 SMP PREEMPT Fri Nov 12 11:36:25 UTC 2021

The next step is to get the kernel source code by checking out commit fa9c9074531e. I then looked up the Clang compiler, which is r416183b.

Kernel source code: https://android.googlesource.com/kernel/common/+/fa9c9074531e
Android/Clang compiler: https://android.googlesource.com/platform//prebuilts/clang/host/linux-x86/+/b669748458572622ed716407611633c5415da25c/clang-r416183b/

From this point on, I created a bash script, with the following content:

#!/bin/bash
# Clean the previous build
make mrproper
make clean

# Source the build configuration
source build.config.allmodconfig.x86_64

# Apply the defconfig
make O=out defconfig ARCH=x86_64

cp ~/Desktop/.config out/.config # I retrieved this config file from /proc/config.gz (to be extra sure that the right config file is used. I saved it local on Desktop not to lose it)

# Set the build user and host and then build the kernel
make O=out CONFIG_DEBUG_INFO=y CC=clang AR=llvm-ar NM=llvm-nm LD=ld.lld OBJCOPY=llvm-objcopy \
OBJDUMP=llvm-objdump READELF=llvm-readelf OBJSIZE=llvm-size STRIP=llvm-strip HOSTCC=clang \
HOSTCXX=clang++ -j$(nproc --all) ARCH=x86_64 CLANG_TRIPLE=x86-64-linux-gnu-

I know that clang, llvm-ar, ld.lld, etc. are present in the compiler's bin folder, and I have already placed it in my PATH.

It starts compiling and doesn't crash or anything; it results in the following files I need: vmlinux, System.map and arch/x86/boot/bzImage.

When I check the Linux version present in the vmlinux file by using strings out/vmlinux | grep "Linux version", the result is:

Linux version 5.10.66-android12-9-00041-gfa9c9074531e-ab7914766 (build-user@build-host) (Android (7284624, based on r416183b) clang version 12.0.5 (https://android.googlesource.com/toolchain/llvm-project c935d99d7cf2016289302412d708641d52d2f7ee), LLD 12.0.5 (/buildbot/src/android/llvm-toolchain/out/llvm-project/lld c935d99d7cf2016289302412d708641d52d2f7ee)) #1 SMP PREEMPT Fri Nov 12 11:36:25 UTC 2021

As you can see, the same values and information as the /proc/version.

After this, I create an ISF file with dwarf2json by doing ./dwarf2json linux --elf [path to vmlinux] --system-map [path to System.map] > [export_name].json. I then place it inside the Volatility 3 symbols/linux folder. I then run vol.py isfinfo, and it lists the profile, with the exact name of the /proc/version.

Then I scan the ram.bin file with linux.pslist, and this is the result:

Volatility 3 Framework 2.6.1
INFO     volatility3.cli: Volatility plugins path: ['/home/yassine/volatility3/volatility3/plugins', '/home/yassine/volatility3/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/yassine/volatility3/volatility3/symbols', '/home/yassine/volatility3/volatility3/framework/symbols']
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/volatility3/volatility3/framework/plugins/yarascan.py", line 20, in <module>
    raise ImportError
ImportError

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: /home/yassine/volatility3/volatility3/framework/plugins/yarascan.py
INFO     volatility3.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/volatility3/volatility3/framework/plugins/windows/verinfo.py", line 21, in <module>
    import pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.verinfo based on file: /home/yassine/volatility3/volatility3/framework/plugins/windows/verinfo.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/volatility3/volatility3/framework/plugins/windows/vadyarascan.py", line 11, in <module>
    from volatility3.plugins import yarascan
  File "/home/yassine/volatility3/volatility3/framework/plugins/yarascan.py", line 20, in <module>
    raise ImportError
ImportError

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: /home/yassine/volatility3/volatility3/framework/plugins/windows/vadyarascan.py
INFO     volatility3.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/volatility3/volatility3/framework/plugins/windows/netscan.py", line 17, in <module>
    from volatility3.plugins.windows import info, poolscanner, verinfo
  File "/home/yassine/volatility3/volatility3/framework/plugins/windows/verinfo.py", line 21, in <module>
    import pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.netscan based on file: /home/yassine/volatility3/volatility3/framework/plugins/windows/netscan.py
INFO     volatility3.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/volatility3/volatility3/framework/plugins/windows/netstat.py", line 15, in <module>
    from volatility3.plugins.windows import netscan, modules, info, verinfo
  File "/home/yassine/volatility3/volatility3/framework/plugins/windows/netscan.py", line 17, in <module>
    from volatility3.plugins.windows import info, poolscanner, verinfo
  File "/home/yassine/volatility3/volatility3/framework/plugins/windows/verinfo.py", line 21, in <module>
    import pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.netstat based on file: /home/yassine/volatility3/volatility3/framework/plugins/windows/netstat.py
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/volatility3/volatility3/framework/plugins/windows/skeleton_key_check.py", line 18, in <module>
    import pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.skeleton_key_check based on file: /home/yassine/volatility3/volatility3/framework/plugins/windows/skeleton_key_check.py
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/volatility3/volatility3/framework/plugins/windows/iat.py", line 4, in <module>
    import logging, io, pefile
ModuleNotFoundError: No module named 'pefile'

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.iat based on file: /home/yassine/volatility3/volatility3/framework/plugins/windows/iat.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/volatility3/volatility3/framework/plugins/windows/svcscan.py", line 23, in <module>
    from volatility3.plugins.windows import poolscanner, pslist, vadyarascan
  File "/home/yassine/volatility3/volatility3/framework/plugins/windows/vadyarascan.py", line 11, in <module>
    from volatility3.plugins import yarascan
  File "/home/yassine/volatility3/volatility3/framework/plugins/yarascan.py", line 20, in <module>
    raise ImportError
ImportError

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: /home/yassine/volatility3/volatility3/framework/plugins/windows/svcscan.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/volatility3/volatility3/framework/plugins/windows/mftscan.py", line 13, in <module>
    from volatility3.plugins import timeliner, yarascan
  File "/home/yassine/volatility3/volatility3/framework/plugins/yarascan.py", line 20, in <module>
    raise ImportError
ImportError

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.mftscan based on file: /home/yassine/volatility3/volatility3/framework/plugins/windows/mftscan.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/volatility3/volatility3/framework/plugins/linux/vmayarascan.py", line 10, in <module>
    from volatility3.plugins import yarascan
  File "/home/yassine/volatility3/volatility3/framework/plugins/yarascan.py", line 20, in <module>
    raise ImportError
ImportError

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.linux.vmayarascan based on file: /home/yassine/volatility3/volatility3/framework/plugins/linux/vmayarascan.py
INFO     volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.linux.vmayarascan, volatility3.plugins.windows.iat, volatility3.plugins.windows.mftscan, volatility3.plugins.windows.netscan, volatility3.plugins.windows.netstat, volatility3.plugins.windows.skeleton_key_check, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.windows.verinfo, volatility3.plugins.yarascan
INFO     volatility3.framework.automagic: Detected a linux category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.linux: Identified banner: b'Linux version 5.10.66-android12-9-00041-gfa9c9074531e-ab7914766 (build-user@build-host) (Android (7284624, based on r416183b) clang version 12.0.5 (https://android.googlesource.com/toolchain/llvm-project c935d99d7cf2016289302412d708641d52d2f7ee), LLD 12.0.5 (/buildbot/src/android/llvm-toolchain/out/llvm-project/lld c935d99d7cf2016289302412d708641d52d2f7ee)) #1 SMP PREEMPT Fri Nov 12 11:36:25 UTC 2021\n\x00'
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!nf_ct_event_notifier
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!nf_exp_event_notifier
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mem_cgroup
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!sfp_bus
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!udp_tunnel_nic
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!xdp_dev_bulk_queue
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!btf
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!phylink
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!bpf_offload_dev
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!bpf_cgroup_storage
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_hashinfo
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!reset_control
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!gpio_desc
DEBUG    volatility3.framework.automagic.linux: Scanners could not determine any ASLR shifts, using 0 for both
DEBUG    volatility3.framework.automagic.linux: DTB was found at: 0x38e0c000
Level 8  volatility3.framework.automagic.stacker: Stacked IntelLayer using LinuxIntelStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 1930867319
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder  
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 5.10.66-android12-9-00041-gfa9c9074531e-ab7914766 (build-user@build-host) (Android (7284624, based on r416183b) clang version 12.0.5 (https://android.googlesource.com/toolchain/llvm-project c935d99d7cf2016289302412d708641d52d2f7ee), LLD 12.0.5 (/buildbot/src/android/llvm-toolchain/out/llvm-project/lld c935d99d7cf2016289302412d708641d52d2f7ee)) #1 SMP PREEMPT Fri Nov 12 11:36:25 UTC 2021\n\x00'
DEBUG    volatility3.framework.automagic.symbol_finder: Using symbol library: file:///home/yassine/volatility3/volatility3/symbols/linux/new-version.json
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
INFO     volatility3.framework.automagic: Running automagic: KernelModule

OFFSET (V)  PID TID PPID    COMM    File output
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!nf_ct_event_notifier
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!nf_exp_event_notifier
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mem_cgroup
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp_bus
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!udp_tunnel_nic
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!xdp_dev_bulk_queue
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!btf
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!phylink
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!bpf_offload_dev
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!bpf_cgroup_storage
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_hashinfo
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!reset_control
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!gpio_desc

I already checked the differences between System.map and the cat /proc/kallsyms. They are different, and I really have no clue what to do at this point.
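The workflow in the post above (build vmlinux and System.map, feed them to dwarf2json, drop the JSON into symbols/linux, let the automagic pick it by banner) can be checked before any plugin runs. Volatility's LinuxSymbolFinder chooses an ISF by comparing the `Linux version ...` string it finds in the image with the bytes dwarf2json stored in the ISF's `linux_banner` symbol (`constant_data`, base64). The script below, an added example that is not part of this issue or of the Volatility project, performs that comparison explicitly and also reports when an image contains more than one distinct banner, which is when "it picked a profile" and "it picked the right profile" stop being the same thing. The sample image and the abbreviated banner text in it are constructed for the example; the function `check_files` applies the same check to a real ram.bin and ISF.

```python
# Added example (not part of the issue or of the Volatility project): cross-check
# a raw memory image against a dwarf2json ISF before running Volatility 3.
import base64
import json
import re
from collections import Counter

# A kernel banner is "Linux version ..." terminated by NUL or newline. The
# lookahead rejects a banner cut off by the end of a scan window, so a partial
# string is never reported.
BANNER_RE = re.compile(rb"Linux version [^\x00\n]{10,1024}(?=[\x00\n])")

# A window overlap longer than any banner guarantees that a banner straddling
# two windows is seen whole in the first of them.
OVERLAP = 4096


def scan_banners(image: bytes, chunk: int = 4 * 1024 * 1024) -> Counter:
    """Count every distinct 'Linux version ...' string in a raw image.

    More than one distinct banner usually means the image holds a stale kernel
    (an earlier boot, or a kernel file sitting in the page cache) next to the
    running one, and the ISF must match the one that is actually running.
    """
    found: Counter = Counter()
    seen = set()
    pos = 0
    while pos < len(image):
        window = image[pos:pos + chunk + OVERLAP]
        for m in BANNER_RE.finditer(window):
            off = pos + m.start()
            if off not in seen:          # the same hit can appear in two overlapping windows
                seen.add(off)
                found[m.group(0)] += 1
        pos += chunk
    return found


def isf_banner(isf: dict) -> bytes:
    """Return the banner dwarf2json embedded in the ISF's linux_banner symbol.

    dwarf2json stores the bytes of the kernel's linux_banner[] as base64 in the
    symbol's constant_data; LinuxSymbolFinder matches on exactly these bytes.
    """
    sym = isf["symbols"]["linux_banner"]
    return base64.b64decode(sym["constant_data"]).rstrip(b"\x00\n")


def make_isf(banner: bytes) -> dict:
    """Build the minimal ISF fragment this check needs (constructed, for demos)."""
    data = base64.b64encode(banner + b"\n\x00").decode("ascii")
    return {"symbols": {"linux_banner": {"constant_data": data}}}


def check_isf_against_image(image: bytes, isf: dict) -> dict:
    """Report whether the ISF's banner is present in the image, and what else is."""
    want = isf_banner(isf)
    in_image = scan_banners(image)
    return {
        "isf_banner": want,
        "image_banners": sorted(in_image),
        "match": want in in_image,
        "ambiguous": len(in_image) > 1,   # more than one kernel banner in the image
    }


def check_files(image_path: str, isf_path: str) -> dict:
    """Same check on real files: the emulator's ram.bin and the dwarf2json output."""
    with open(image_path, "rb") as f, open(isf_path) as g:
        return check_isf_against_image(f.read(), json.load(g))


# Constructed sample data: a tiny fake image holding an abbreviated form of the
# banner from this issue plus an unrelated stale banner, and an ISF for the first.
SAMPLE_BANNER = (
    b"Linux version 5.10.66-android12-9-00041-gfa9c9074531e-ab7914766 "
    b"(build-user@build-host) (Android (7284624, based on r416183b) clang version 12.0.5) "
    b"#1 SMP PREEMPT Fri Nov 12 11:36:25 UTC 2021"
)
STALE_BANNER = b"Linux version 5.4.0-constructed (nobody@nowhere) #1 SMP Mon Jan 1 00:00:00 UTC 2020"
SAMPLE_IMAGE = (
    b"\x00" * 512 + SAMPLE_BANNER + b"\n\x00" + b"\xff" * 300
    + STALE_BANNER + b"\x00" + b"\x00" * 128
)
SAMPLE_ISF = make_isf(SAMPLE_BANNER)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        report = check_files(sys.argv[1], sys.argv[2])
    else:
        report = check_isf_against_image(SAMPLE_IMAGE, SAMPLE_ISF)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as `python3 check_isf.py ram.bin symbols/linux/new-version.json`. A `match` of False means the automagic will never select that ISF; `ambiguous` True means the banner-based choice is only as good as the order in which the scanner happens to hit the strings, which is the situation to rule out before reading anything into an empty pslist.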

ikelos commented 4 months ago

Hiya, Volatility uses the System.map to locate certain landmarks within memory; if the /proc/kallsyms off the system you're trying to investigate differs from the System.map, that suggests Volatility will get the wrong landmarks. Bear in mind that /proc/kallsyms will return a) nothing if you're not root and b) the addresses as loaded by KASLR, so they may well not match the System.map values. The fact that they came out different suggests ASLR may have been in use, but Volatility couldn't find it ("Scanners could not determine any ASLR shifts, using 0 for both"). You could try using volshell to see whether you can map through to pages you expect, find the initial process and see whether the structure is where it's supposed to be? It sounds like it won't be, but the data being read wasn't far enough wrong to make Volatility throw an exception. It's difficult to diagnose the issue more, I'm afraid...
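The reply above makes two points that can be checked numerically: kallsyms read without root privileges (or with kptr_restrict set) prints zeros rather than addresses, and kallsyms read properly shows link-time addresses moved by a constant KASLR offset. The script below is an added example, not part of this thread or of Volatility: it parses a /proc/kallsyms capture and a System.map, votes on the offset between the live and link-time addresses of every built-in, section-backed symbol, and reports how consistently the symbols agree with that offset. A clean KASLR shift gives near-total agreement and, on x86_64, a value aligned to 2 MiB (an assumption based on the default CONFIG_PHYSICAL_ALIGN); a near-even split means the System.map is from a different build than the running kernel. Note that the "using 0 for both" message refers to a virtual and a physical shift; kallsyms only reveals the virtual one, which is what this estimates. The sample System.map and kallsyms excerpts are constructed for the example.

```python
# Added example (not part of the issue or of Volatility): estimate a running
# kernel's KASLR shift from /proc/kallsyms and the matching System.map, and
# tell a real shift apart from the all-zero output of a restricted kallsyms.
import re
from collections import Counter

# "ffffffff81000000 T _stext", with an optional trailing "[module]" in kallsyms.
SYM_RE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z?])\s+(\S+)(?:\s+\[(\S+)\])?\s*$")

# Section-backed symbol types whose address moves with the kernel image;
# absolute ('A') and undefined symbols are skipped.
RELOCATED_TYPES = set("TtDdRrBb")


def parse_symbols(text: str) -> dict:
    """Map symbol name -> (address, type) for built-in (non-module) symbols."""
    out = {}
    for line in text.splitlines():
        m = SYM_RE.match(line)
        if not m or m.group(4):             # skip malformed lines and module symbols
            continue
        addr, typ, name = int(m.group(1), 16), m.group(2), m.group(3)
        out.setdefault(name, (addr, typ))   # first definition wins for duplicate names
    return out


def kaslr_shift(kallsyms_text: str, system_map_text: str) -> dict:
    """Vote on the offset between live and link-time addresses of shared symbols.

    Returns the winning shift, the fraction of compared symbols that agree with
    it, and whether it has the 2 MiB alignment an x86_64 KASLR text shift is
    expected to have (assumption: CONFIG_PHYSICAL_ALIGN at its default).
    Raises ValueError when kallsyms was read with hidden (zeroed) pointers.
    """
    live = parse_symbols(kallsyms_text)
    static = parse_symbols(system_map_text)
    if live and all(addr == 0 for addr, _ in live.values()):
        raise ValueError("kallsyms shows only zeros: read it as root or with kptr_restrict=0")
    votes = Counter()
    for name, (addr, typ) in static.items():
        if typ not in RELOCATED_TYPES or name not in live:
            continue
        votes[(live[name][0] - addr) & 0xFFFFFFFFFFFFFFFF] += 1
    if not votes:
        raise ValueError("no relocatable symbols in common; is this the right System.map?")
    shift, count = votes.most_common(1)[0]
    compared = sum(votes.values())
    return {
        "shift": shift,
        "agreement": count / compared,
        "compared": compared,
        "aligned_2m": shift % 0x200000 == 0,
    }


def hidden_pointers(kallsyms_text: str) -> str:
    """What kallsyms looks like to a reader who is not allowed to see pointers."""
    lines = (re.sub(r"^[0-9a-fA-F]+", "0" * 16, l) for l in kallsyms_text.splitlines())
    return "\n".join(lines) + "\n"


# Constructed sample: a System.map excerpt and the kallsyms lines the same kernel
# would show when loaded 0x1a000000 above its link address. One symbol is given a
# deliberately inconsistent live address and one module symbol must be ignored.
SAMPLE_SYSTEM_MAP = """\
ffffffff81000000 T _stext
ffffffff81000100 T do_one_initcall
ffffffff81000200 t constructed_static_fn
ffffffff82a0c000 D init_task
ffffffff82e00000 B __bss_start
0000000000000000 A constructed_absolute_sym
"""
SAMPLE_KALLSYMS = """\
ffffffff9b000000 T _stext
ffffffff9b000100 T do_one_initcall
ffffffff9b000300 t constructed_static_fn
ffffffff9ca0c000 D init_task
ffffffff9ce00000 B __bss_start
0000000000000000 A constructed_absolute_sym
ffffffffc0000000 t constructed_module_fn\t[constructed_mod]
"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as ks, open(sys.argv[2]) as sm:
            print(kaslr_shift(ks.read(), sm.read()))
    else:
        print(kaslr_shift(SAMPLE_KALLSYMS, SAMPLE_SYSTEM_MAP))
        try:
            kaslr_shift(hidden_pointers(SAMPLE_KALLSYMS), SAMPLE_SYSTEM_MAP)
        except ValueError as err:
            print("restricted kallsyms:", err)
```

Usage is `python3 kaslr_shift.py kallsyms.txt System.map`, where kallsyms.txt is `/proc/kallsyms` read as root on the emulator and System.map is the one produced by the build that is actually booted. An agreement close to 1.0 with a non-zero, aligned shift is the case the reply describes (KASLR in use, image and symbols consistent); a low agreement is the case where the symbols do not belong to the running kernel at all.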

yassine955 commented 4 months ago

True, kallsyms returns 000000000000, so I turned off kptr_restrict by doing echo 0 > /proc/sys/kernel/kptr_restrict.

Could it be the case that my ram.bin file is not correct, or that LiME should be used? And if so, how would you do it?

eve-mem commented 4 months ago

Small note re reading kallsyms, you'll need to run as root. A normal user gets 0s like that.

yassine955 commented 3 months ago

I took a prebuilt vmlinux file and System.map, generated the profile, and loaded the emulator with the bzImage kernel.

Still no results. @eve-mem I saw that you spoke about raw memory dumps, and that there is an issue, could this maybe apply to the ram.bin file I am using?

yassine955 commented 3 months ago

@eve-mem I made a dump with Task Manager on Windows; it created a DMP file.

└─>>> python3 vol.py -vvvvvvv -f ~/Downloads/qmu.DMP linux.lsof
Volatility 3 Framework 2.7.0
INFO     volatility3.cli: Volatility plugins path: ['/home/yassine/Desktop/volatility3/volatility3/plugins', '/home/yassine/Desktop/volatility3/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/yassine/Desktop/volatility3/volatility3/symbols', '/home/yassine/Desktop/volatility3/volatility3/framework/symbols']
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/plugins, /home/yassine/Desktop/volatility3/volatility3/framework/plugins
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/Desktop/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/Desktop/volatility3/volatility3/framework/plugins/yarascan.py", line 20, in <module>
    raise ImportError
ImportError

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: /home/yassine/Desktop/volatility3/volatility3/framework/plugins/yarascan.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/Desktop/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/Desktop/volatility3/volatility3/framework/plugins/windows/svcscan.py", line 23, in <module>
    from volatility3.plugins.windows import poolscanner, pslist, vadyarascan
  File "/home/yassine/Desktop/volatility3/volatility3/framework/plugins/windows/vadyarascan.py", line 11, in <module>
    from volatility3.plugins import yarascan
  File "/home/yassine/Desktop/volatility3/volatility3/framework/plugins/yarascan.py", line 20, in <module>
    raise ImportError
ImportError

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: /home/yassine/Desktop/volatility3/volatility3/framework/plugins/windows/svcscan.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/Desktop/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/Desktop/volatility3/volatility3/framework/plugins/windows/vadyarascan.py", line 11, in <module>
    from volatility3.plugins import yarascan
  File "/home/yassine/Desktop/volatility3/volatility3/framework/plugins/yarascan.py", line 20, in <module>
    raise ImportError
ImportError

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: /home/yassine/Desktop/volatility3/volatility3/framework/plugins/windows/vadyarascan.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/Desktop/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/Desktop/volatility3/volatility3/framework/plugins/windows/mftscan.py", line 13, in <module>
    from volatility3.plugins import timeliner, yarascan
  File "/home/yassine/Desktop/volatility3/volatility3/framework/plugins/yarascan.py", line 20, in <module>
    raise ImportError
ImportError

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.mftscan based on file: /home/yassine/Desktop/volatility3/volatility3/framework/plugins/windows/mftscan.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/Desktop/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/Desktop/volatility3/volatility3/framework/plugins/linux/vmayarascan.py", line 10, in <module>
    from volatility3.plugins import yarascan
  File "/home/yassine/Desktop/volatility3/volatility3/framework/plugins/yarascan.py", line 20, in <module>
    raise ImportError
ImportError

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.linux.vmayarascan based on file: /home/yassine/Desktop/volatility3/volatility3/framework/plugins/linux/vmayarascan.py
INFO     volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.linux.vmayarascan, volatility3.plugins.windows.mftscan, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/automagic
DETAIL 3 volatility3.cli: Cache directory used: /home/yassine/.cache/volatility3
INFO     volatility3.framework.automagic: Detected a linux category plugin
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
DETAIL 4 volatility3.framework.symbols.intermed: Searching for symbols in /home/yassine/Desktop/volatility3/volatility3/symbols, /home/yassine/Desktop/volatility3/volatility3/framework/symbols
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name
DETAIL 3 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, S3FileSystemHandler, GSFileSystemHandler, LeechCoreHandler
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 4 volatility3.framework.layers.elf: Exception: Bad magic 0x504d444d at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 4 volatility3.framework.layers.xen: Exception: Bad magic 0x504d444d at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Bad signature 0x504d444d at file offset 0x0
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Bad signature 0x504d444d at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.linux: Identified banner: b'Linux version 5.10.66-android12-9-00223-gfa9c9074531e-ab7914766 (build-user@build-host) (Android (7284624, based on r416183b) clang version 12.0.5 (https://android.googlesource.com/toolchain/llvm-project c935d99d7cf2016289302412d708641d52d2f7ee), LLD 12.0.5 (/buildbot/src/android/llvm-toolchain/out/llvm-project/lld c935d99d7cf2016289302412d708641d52d2f7ee)) #1 SMP PREEMPT Fri Nov 12 11:36:25 UTC 2021\n\x00'
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!dev_iommu
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!sfp_bus
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_conn
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cached_keys
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cqm_config
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_internal_bss
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!libipw_device
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_hashinfo
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!reset_control
DEBUG    volatility3.framework.automagic.linux: Scanners could not determine any ASLR shifts, using 0 for both
DEBUG    volatility3.framework.automagic.linux: DTB was found at: 0x3a0c000
DETAIL 2 volatility3.framework.automagic.stacker: Stacked IntelLayer using LinuxIntelStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 4 volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 4 volatility3.framework.layers.xen: Exception: Offset 0x0 does not exist within the base layer
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Crashdump header not found at offset 0
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Crashdump header not found at offset 0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsof.kernel.layer_name.memory_layer
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsof
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DETAIL 4 volatility3.framework: Importing from the following paths: /home/yassine/Desktop/volatility3/volatility3/framework/layers
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 4395016033
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder  
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsof.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 5.10.66-android12-9-00223-gfa9c9074531e-ab7914766 (build-user@build-host) (Android (7284624, based on r416183b) clang version 12.0.5 (https://android.googlesource.com/toolchain/llvm-project c935d99d7cf2016289302412d708641d52d2f7ee), LLD 12.0.5 (/buildbot/src/android/llvm-toolchain/out/llvm-project/lld c935d99d7cf2016289302412d708641d52d2f7ee)) #1 SMP PREEMPT Fri Nov 12 11:36:25 UTC 2021\n\x00'
DEBUG    volatility3.framework.automagic.symbol_finder: Using symbol library: file:///home/yassine/Desktop/volatility3/volatility3/symbols/linux/export.json
INFO     volatility3.framework.automagic: Running automagic: KernelModule
DETAIL 3 volatility3.cli.text_filter: Filters:
[]

PID Process FD  Path
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dev_iommu
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp_bus
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_conn
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cached_keys
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cqm_config
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_internal_bss
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!libipw_device
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_hashinfo
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!reset_control

Could it be: DEBUG volatility3.framework.automagic.linux: Scanners could not determine any ASLR shifts, using 0 for both ?

eve-mem commented 3 months ago

If the dump was created with lime, and the raw format was used, then yes this will affect the results. It does have a similar effect like you're seeing here.

yassine955 commented 3 months ago

This dump was not created with LiME, but with the built-in snapshot function of Android Studio. Inside the snapshot folder, you will find a ram.bin file.

eve-mem commented 3 months ago

Sorry - I somehow missed that even though you've clearly said that in the first post. I'm not sure how Android Studio works - it's not something I've used before. How exactly did you make the snapshot? Could you point us to the command in an online manual perhaps?

The logs show the sample is 4395016033 bytes - which is in the region of 4GB. Does this sound correct for your sample? e.g. around 4GB of RAM for the VM? (assuming that it works by making VMs?)

If you're able to run sudo cat /proc/iomem we'd be able to see the physical mappings of memory and compare that to the sample you have.

(Also calling @Abyss-W4tcher - I know you've done some emulation bits for the ARM work, maybe this is more familiar to you?)
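
The /proc/iomem versus sample-size comparison asked for above, as an added example that is not part of the thread or of volatility3: the iomem listing is constructed for a 4 GB x86_64 guest, and the sample size is the physical_layer maximum_address from the log above.

```python
"""Check whether a raw memory sample can be a flat image of guest physical
memory by comparing its size with the 'System RAM' ranges from /proc/iomem
(added example for this thread, not volatility3 code; the iomem text is
constructed, the sample size is the one volatility logged above)."""
from typing import Dict, List, Tuple

# Constructed /proc/iomem as read by root inside a 4 GB x86_64 guest.
# Child resources are indented; only top-level 'System RAM' lines matter here.
IOMEM_ROOT = """\
00000000-00000fff : Reserved
00001000-0009fbff : System RAM
000a0000-000bffff : PCI Bus 0000:00
00100000-bffdffff : System RAM
  01000000-02a00000 : Kernel code
  02a00001-0332ffff : Kernel data
c0000000-febfffff : PCI Bus 0000:00
fec00000-fec003ff : IOAPIC 0
100000000-13fffffff : System RAM
"""

# Constructed unprivileged read: the kernel masks every address to zero.
IOMEM_UNPRIV = """\
00000000-00000000 : Reserved
00000000-00000000 : System RAM
00000000-00000000 : System RAM
"""

# physical_layer maximum_address reported by volatility in the log above.
SAMPLE_BYTES = 4395016033


def parse_system_ram(iomem_text: str) -> List[Tuple[int, int]]:
    """Return (start, end_inclusive) for each top-level 'System RAM' resource."""
    ranges: List[Tuple[int, int]] = []
    for line in iomem_text.splitlines():
        if not line or line[0].isspace() or ":" not in line:
            continue  # nested children and malformed lines
        span, name = line.split(":", 1)
        if name.strip() != "System RAM":
            continue
        start, end = (int(x, 16) for x in span.strip().split("-"))
        ranges.append((start, end))
    return ranges


def check_coverage(ranges: List[Tuple[int, int]], sample_bytes: int) -> Dict[str, object]:
    """Compare a raw sample against the guest's physical layout.

    A headerless raw image (ram.bin, or LiME in raw mode) is read by
    volatility as file offset == physical address, so it must extend to the
    highest System RAM address with the holes (PCI, IOAPIC, ...) left in.
    A dump that only concatenates the populated ranges is shorter, and every
    address past the first hole is read from the wrong offset, which shows up
    as empty plugin output rather than as an exception.
    """
    if not ranges or all(s == 0 and e == 0 for s, e in ranges):
        return {"status": "unprivileged-or-empty"}
    highest_end = max(e for _, e in ranges) + 1
    populated = sum(e - s + 1 for s, e in ranges)
    return {
        "status": "ok",
        "highest_ram_end": highest_end,
        "system_ram_bytes": populated,
        "sample_bytes": sample_bytes,
        "covers_highest_ram": sample_bytes >= highest_end,
        # heuristic only: a size nearer the populated sum than the flat
        # layout hints that holes were dropped when the sample was written
        "closer_to_populated_sum": abs(sample_bytes - populated)
        < abs(sample_bytes - highest_end),
    }


if __name__ == "__main__":
    result = check_coverage(parse_system_ram(IOMEM_ROOT), SAMPLE_BYTES)
    for key, value in result.items():
        print(f"{key}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key}: {value}")
    print(check_coverage(parse_system_ram(IOMEM_UNPRIV), SAMPLE_BYTES))
```

Run the real comparison with the root-read /proc/iomem of the guest and the byte size of ram.bin; a sample that does not reach highest_ram_end cannot be a flat physical image.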

Abyss-W4tcher commented 3 months ago

Hello,

Using the following method: adb emu avd snapshot save ram.bin resulted in erroneous memory samples on my end too. I think this is what happens here...

Here is how I was able to dump memory consistently:

https://github.com/microsoft/avml/issues/28#issuecomment-1907653765

As this is x86_64, the author should directly try to fetch a release version of avml and run it through adb.

yassine955 commented 3 months ago

@eve I never used the terminal to create a memory dump. When starting up the emulator, you can open the GUI, see the snapshots tab, and then make a snapshot. This will create a folder in your avd with the ram.bin file.

yassine955 commented 3 months ago

@Abyss-W4tcher I do not understand your post; can you elaborate in detail?

yassine955 commented 3 months ago

@Abyss-W4tcher I opened my emulator, and then typed adb emu avd snapshot save latest_snapshot. Before I opened my emulator I started the emulator with -kernel xxx -no-snapshot-load -show-kernel.

I already made a profile for volatility 3, and did vol.py -f xxx banners on the ram dump, and it gave me this.

Linux version 5.10.66-android12-9-00223-gfa9c9074531e-ab7914766 (build-user@build-host) (Android (7284624, based on r416183b) clang version 12.0.5 (https://android.googlesource.com/toolchain/llvm-project c935d99d7cf2016289302412d708641d52d2f7ee), LLD 12.0.5 (/buildbot/src/android/llvm-toolchain/out/llvm-project/lld c935d99d7cf2016289302412d708641d52d2f7ee)) #1 SMP PREEMPT Fri Nov 12 11:36:25 UTC 2021

My volatility 3 profile is:

Linux version 5.10.66-android12-9-00223-gfa9c9074531e-ab7914766 (build-user@build-host) (Android (7284624, based on r416183b) clang version 12.0.5 (https://android.googlesource.com/toolchain/llvm-project c935d99d7cf2016289302412d708641d52d2f7ee), LLD 12.0.5 (/buildbot/src/android/llvm-toolchain/out/llvm-project/lld c935d99d7cf2016289302412d708641d52d2f7ee)) #1 SMP PREEMPT Fri Nov 12 11:36:25 UTC 2021\n\x00

I then do python3 vol.py -f ~/.android/avd/mobile12.avd/snapshots/latest_snapshot/ram.bin linux.pslist.

And nothing happens.

└─>>> python3 vol.py -vvvvvvv -f ~/.android/avd/mobile12.avd/snapshots/latest_snapshot/ram.bin linux.pslist
Volatility 3 Framework 2.5.2
INFO     volatility3.cli: Volatility plugins path: ['/home/yassine/volatility3/volatility3/plugins', '/home/yassine/volatility3/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/home/yassine/volatility3/volatility3/symbols', '/home/yassine/volatility3/volatility3/framework/symbols']
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/plugins, /home/yassine/volatility3/volatility3/framework/plugins
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/volatility3/volatility3/framework/plugins/yarascan.py", line 20, in <module>
    raise ImportError
ImportError

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.yarascan based on file: /home/yassine/volatility3/volatility3/framework/plugins/yarascan.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/volatility3/volatility3/framework/plugins/windows/svcscan.py", line 23, in <module>
    from volatility3.plugins.windows import poolscanner, pslist, vadyarascan
  File "/home/yassine/volatility3/volatility3/framework/plugins/windows/vadyarascan.py", line 11, in <module>
    from volatility3.plugins import yarascan
  File "/home/yassine/volatility3/volatility3/framework/plugins/yarascan.py", line 20, in <module>
    raise ImportError
ImportError

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.svcscan based on file: /home/yassine/volatility3/volatility3/framework/plugins/windows/svcscan.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/volatility3/volatility3/framework/plugins/windows/vadyarascan.py", line 11, in <module>
    from volatility3.plugins import yarascan
  File "/home/yassine/volatility3/volatility3/framework/plugins/yarascan.py", line 20, in <module>
    raise ImportError
ImportError

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.vadyarascan based on file: /home/yassine/volatility3/volatility3/framework/plugins/windows/vadyarascan.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/volatility3/volatility3/framework/plugins/windows/mftscan.py", line 13, in <module>
    from volatility3.plugins import timeliner, yarascan
  File "/home/yassine/volatility3/volatility3/framework/plugins/yarascan.py", line 20, in <module>
    raise ImportError
ImportError

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.windows.mftscan based on file: /home/yassine/volatility3/volatility3/framework/plugins/windows/mftscan.py
INFO     volatility3.plugins.yarascan: Python Yara (>3.8.0) module not found, plugin (and dependent plugins) not available
DEBUG    volatility3.framework: Traceback (most recent call last):
  File "/home/yassine/volatility3/volatility3/framework/__init__.py", line 185, in import_file
    importlib.import_module(module)
  File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1050, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1027, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 688, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 883, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/home/yassine/volatility3/volatility3/framework/plugins/linux/vmayarascan.py", line 10, in <module>
    from volatility3.plugins import yarascan
  File "/home/yassine/volatility3/volatility3/framework/plugins/yarascan.py", line 20, in <module>
    raise ImportError
ImportError

DEBUG    volatility3.framework: Failed to import module volatility3.plugins.linux.vmayarascan based on file: /home/yassine/volatility3/volatility3/framework/plugins/linux/vmayarascan.py
INFO     volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.linux.vmayarascan, volatility3.plugins.windows.mftscan, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/automagic
Level 7  volatility3.cli: Cache directory used: /home/yassine/.cache/volatility3
INFO     volatility3.framework.automagic: Detected a linux category plugin
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 6  volatility3.framework.automagic.construct_layers: Construction Exception occurred: Unexpected config value found: None
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
INFO     volatility3.framework.automagic: Running automagic: SymbolCacheMagic
Level 6  volatility3.framework.symbols.intermed: Searching for symbols in /home/yassine/volatility3/volatility3/symbols, /home/yassine/volatility3/volatility3/framework/symbols
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 7  volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, S3FileSystemHandler, GSFileSystemHandler, LeechCoreHandler
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Bad magic 0x0 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Bad magic 0x0 at file offset 0x0
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LinuxIntelStacker
DEBUG    volatility3.framework.automagic.linux: Identified banner: b'Linux version 5.10.66-android12-9-00223-gfa9c9074531e-ab7914766 (build-user@build-host) (Android (7284624, based on r416183b) clang version 12.0.5 (https://android.googlesource.com/toolchain/llvm-project c935d99d7cf2016289302412d708641d52d2f7ee), LLD 12.0.5 (/buildbot/src/android/llvm-toolchain/out/llvm-project/lld c935d99d7cf2016289302412d708641d52d2f7ee)) #1 SMP PREEMPT Fri Nov 12 11:36:25 UTC 2021\n\x00'
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!dev_iommu
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!assoc_array_ptr
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!sfp_bus
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_conn
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cached_keys
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cqm_config
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_internal_bss
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!libipw_device
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_hashinfo
DEBUG    volatility3.framework.symbols: Unresolved reference: LintelStacker1!reset_control
DEBUG    volatility3.framework.automagic.linux: Scanners could not determine any ASLR shifts, using 0 for both
DEBUG    volatility3.framework.automagic.linux: DTB was found at: 0x3a0c000
Level 8  volatility3.framework.automagic.stacker: Stacked IntelLayer using LinuxIntelStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
Level 6  volatility3.framework.layers.xen: Exception: Offset 0x0 does not exist within the base layer
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8  volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.PsList.kernel.layer_name.memory_layer
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.PsList
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
Level 6  volatility3.framework: Importing from the following paths: /home/yassine/volatility3/volatility3/framework/layers
DEBUG    volatility3.framework.automagic.stacker: physical_layer maximum_address: 2047051537
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder  
INFO     volatility3.framework.automagic: Running automagic: LinuxSymbolFinder
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.PsList.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 5.10.66-android12-9-00223-gfa9c9074531e-ab7914766 (build-user@build-host) (Android (7284624, based on r416183b) clang version 12.0.5 (https://android.googlesource.com/toolchain/llvm-project c935d99d7cf2016289302412d708641d52d2f7ee), LLD 12.0.5 (/buildbot/src/android/llvm-toolchain/out/llvm-project/lld c935d99d7cf2016289302412d708641d52d2f7ee)) #1 SMP PREEMPT Fri Nov 12 11:36:25 UTC 2021\n\x00'
DEBUG    volatility3.framework.automagic.symbol_finder: Using symbol library: file:///home/yassine/volatility3/volatility3/symbols/linux/export.json
INFO     volatility3.framework.automagic: Running automagic: KernelModule

OFFSET (V)  PID TID PPID    COMM    File output
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dev_iommu
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp_bus
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_conn
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cached_keys
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cqm_config
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_internal_bss
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!libipw_device
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_hashinfo
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!reset_control

The new RAM dump is 2 GB.

@eve-mem

This is the output of iomem:

└─>>> adb shell
emulator64_x86_64_arm64:/ $ su
emulator64_x86_64_arm64:/ # cat /proc/iomem
00000000-00000fff : Reserved
00001000-0009fbff : System RAM
0009fc00-0009ffff : Reserved
000a0000-000bffff : PCI Bus 0000:00
000c0000-000c0dff : Video ROM
000f0000-000fffff : Reserved
  000f0000-000fffff : System ROM
00100000-7ffd3fff : System RAM
  75200000-76e04bb9 : Kernel code
  77000000-77a56fff : Kernel rodata
  77c00000-77debabf : Kernel data
  77fc2000-781fffff : Kernel bss
7ffd4000-7fffffff : Reserved
80000000-febfffff : PCI Bus 0000:00
  feb80000-febbffff : 0000:00:09.0
  febc0000-febc3fff : 0000:00:02.0
    febc0000-febc3fff : ICH HD audio
  febc4000-febc4fff : 0000:00:03.0
  febc5000-febc5fff : 0000:00:04.0
  febc6000-febc6fff : 0000:00:05.0
  febc7000-febc7fff : 0000:00:06.0
  febc8000-febc8fff : 0000:00:07.0
  febc9000-febc9fff : 0000:00:08.0
  febca000-febcafff : 0000:00:09.0
  febcb000-febcbfff : 0000:00:0a.0
  febcc000-febccfff : 0000:00:0b.0
    febcc000-febccfff : Address space control
  febcd000-febcdfff : 0000:00:0c.0
  febce000-febcefff : 0000:00:0e.0
  febcf000-febcffff : 0000:00:0f.0
  febd0000-febd0fff : 0000:00:10.0
  febd1000-febd1fff : 0000:00:11.0
  febd2000-febd2fff : 0000:00:12.0
  febd3000-febd3fff : 0000:00:13.0
  febd4000-febd4fff : 0000:00:14.0
  febd5000-febd5fff : 0000:00:15.0
  febd6000-febd6fff : 0000:00:16.0
  febd7000-febd7fff : 0000:00:17.0
  febd8000-febd8fff : 0000:00:18.0
  febd9000-febd9fff : 0000:00:19.0
  febda000-febdafff : 0000:00:1a.0
  febdb000-febdbfff : 0000:00:1b.0
fec00000-fec003ff : IOAPIC 0
fed00000-fed003ff : HPET 0
  fed00000-fed003ff : PNP0103:00
fee00000-fee00fff : Local APIC
feffc000-feffffff : Reserved
ff001000-ff002fff : GFSH0003:00
ff010000-ff010fff : GFSH0001:00
ff011000-ff011fff : GFSH0002:00
ff012000-ff0120ff : GFSH0004:00
ff013000-ff0130ff : GFSH0005:00
ff014000-ff015fff : GFSH0006:00
ff016000-ff016fff : GFSH0007:00
ff017000-ff017fff : GFSH0008:00
ff018000-ff027fff : Reserved
  ff018000-ff018fff : ramoops:dmesg(0/12)
  ff019000-ff019fff : ramoops:dmesg(1/12)
  ff01a000-ff01afff : ramoops:dmesg(2/12)
  ff01b000-ff01bfff : ramoops:dmesg(3/12)
  ff01c000-ff01cfff : ramoops:dmesg(4/12)
  ff01d000-ff01dfff : ramoops:dmesg(5/12)
  ff01e000-ff01efff : ramoops:dmesg(6/12)
  ff01f000-ff01ffff : ramoops:dmesg(7/12)
  ff020000-ff020fff : ramoops:dmesg(8/12)
  ff021000-ff021fff : ramoops:dmesg(9/12)
  ff022000-ff022fff : ramoops:dmesg(10/12)
  ff023000-ff023fff : ramoops:dmesg(11/12)
  ff024000-ff024fff : ramoops:dmesg(12/12)
  ff025000-ff025fff : ramoops:console
  ff026000-ff0263ff : ramoops:ftrace(0/3)
  ff026400-ff0267ff : ramoops:ftrace(1/3)
  ff026800-ff026bff : ramoops:ftrace(2/3)
  ff026c00-ff026fff : ramoops:ftrace(3/3)
  ff027000-ff027fff : ramoops:pmsg
fffc0000-ffffffff : Reserved
400000000-80005bfff : PCI Bus 0000:00
  400000000-7ffffffff : 0000:00:0b.0
    400000000-7ffffffff : Address space area
  800000000-800003fff : 0000:00:03.0
    800000000-800003fff : virtio-pci-modern
  800004000-800007fff : 0000:00:04.0
    800004000-800007fff : virtio-pci-modern
  800008000-80000bfff : 0000:00:05.0
    800008000-80000bfff : virtio-pci-modern
  80000c000-80000ffff : 0000:00:06.0
    80000c000-80000ffff : virtio-pci-modern
  800010000-800013fff : 0000:00:07.0
    800010000-800013fff : virtio-pci-modern
  800014000-800017fff : 0000:00:08.0
    800014000-800017fff : virtio-pci-modern
  800018000-80001bfff : 0000:00:09.0
    800018000-80001bfff : virtio-pci-modern
  80001c000-80001ffff : 0000:00:0a.0
    80001c000-80001ffff : virtio-pci-modern
  800020000-800023fff : 0000:00:0c.0
    800020000-800023fff : virtio-pci-modern
  800024000-800027fff : 0000:00:0d.0
    800024000-800027fff : virtio-pci-modern
  800028000-80002bfff : 0000:00:0e.0
    800028000-80002bfff : virtio-pci-modern
  80002c000-80002ffff : 0000:00:0f.0
    80002c000-80002ffff : virtio-pci-modern
  800030000-800033fff : 0000:00:10.0
    800030000-800033fff : virtio-pci-modern
  800034000-800037fff : 0000:00:11.0
    800034000-800037fff : virtio-pci-modern
  800038000-80003bfff : 0000:00:12.0
    800038000-80003bfff : virtio-pci-modern
  80003c000-80003ffff : 0000:00:13.0
    80003c000-80003ffff : virtio-pci-modern
  800040000-800043fff : 0000:00:14.0
    800040000-800043fff : virtio-pci-modern
  800044000-800047fff : 0000:00:15.0
    800044000-800047fff : virtio-pci-modern
  800048000-80004bfff : 0000:00:16.0
    800048000-80004bfff : virtio-pci-modern
  80004c000-80004ffff : 0000:00:17.0
    80004c000-80004ffff : virtio-pci-modern
  800050000-800053fff : 0000:00:18.0
    800050000-800053fff : virtio-pci-modern
  800054000-800057fff : 0000:00:19.0
    800054000-800057fff : virtio-pci-modern
  800058000-80005bfff : 0000:00:1b.0
    800058000-80005bfff : virtio-pci-modern
emulator64_x86_64_arm64:/ # 
Abyss-W4tcher commented 3 months ago

@Abyss-W4tcher I do not understand your post, can you elaborate in detail?

The snapshot function you are using, either through the graphical tool or via terminal, is giving incorrect memory samples, which cannot be correctly processed with Volatility3.

I suggest you try a tool named avml, available here: https://github.com/microsoft/avml. Here is how you can do it:

# Download the avml tool
wget https://github.com/microsoft/avml/releases/download/v0.13.0/avml
# Set adb to root
adb root 
# Transfer avml to the x86_64 android emulator, do the memory capture and extract it back to your host
adb push avml /data/local/tmp/
adb shell 'chmod +x /data/local/tmp/avml'
adb shell '/data/local/tmp/avml /data/local/tmp/avml_dump.lime'
adb pull /data/local/tmp/avml_dump.lime .

I cannot guarantee this is going to work with a finger snap, and if you need more details feel free to ask.
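
Once avml has written a .lime file, one check worth doing before handing it to Volatility is to parse the LiME segment headers and compare them with the top-level "System RAM" ranges of /proc/iomem (the two ranges in the iomem output above). This is an added example, not code from avml, LiME or Volatility 3; Volatility's LimeStacker reads the same 32-byte headers (magic 0x4C694D45, version 1, inclusive start and end address), and a headerless raw file such as the emulator's ram.bin fails the magic check the same way the "Bad magic 0x0 at file offset 0x0" lines from the ELF and Xen stackers show in the debug log. The iomem excerpt and image bytes in the script are constructed, scaled-down samples.

```python
"""Check a LiME-format memory image (the format avml writes by default) against
the top-level 'System RAM' ranges of /proc/iomem.

Added example for this thread, not code from avml, LiME or Volatility 3.
The iomem text and the image bytes below are constructed, scaled-down samples;
the emulator's real System RAM ranges are 0x1000-0x9fbff and 0x100000-0x7ffd3fff.
"""
import re
import struct

LIME_MAGIC = 0x4C694D45                 # on disk as b"EMiL" (little-endian)
LIME_VERSION = 1
LIME_HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved


def parse_iomem_system_ram(iomem_text):
    """(start, end_inclusive) for each top-level 'System RAM' line.
    Indented children (Kernel code, rodata, ...) are skipped on purpose."""
    ranges = []
    for line in iomem_text.splitlines():
        m = re.match(r"^([0-9a-f]+)-([0-9a-f]+) : System RAM\s*$", line)
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
    return ranges


def parse_lime(data):
    """Walk the 32-byte LiME segment headers; return [(s_addr, e_addr, data_offset)].
    A headerless raw snapshot such as the emulator's ram.bin fails the magic check."""
    segments, off = [], 0
    while off < len(data):
        if len(data) - off < LIME_HEADER.size:
            raise ValueError(f"truncated LiME header at file offset 0x{off:x}")
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic 0x{magic:x} at file offset 0x{off:x}: not a LiME image")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported LiME version {version}")
        if e_addr < s_addr:
            raise ValueError(f"segment end 0x{e_addr:x} precedes start 0x{s_addr:x}")
        body, length = off + LIME_HEADER.size, e_addr - s_addr + 1  # e_addr is inclusive
        if body + length > len(data):
            raise ValueError(f"segment 0x{s_addr:x}-0x{e_addr:x} is truncated")
        segments.append((s_addr, e_addr, body))
        off = body + length
    if not segments:
        raise ValueError("no LiME segments found")
    return segments


def compare_with_iomem(segments, ram_ranges):
    """(missing, unexpected): System RAM ranges with no matching segment, and
    segments that match no System RAM range. Both empty means a full capture."""
    captured, expected = {(s, e) for s, e, _ in segments}, set(ram_ranges)
    return sorted(expected - captured), sorted(captured - expected)


def check_image(data, ram_ranges):
    """One-call verdict: (ok, message)."""
    try:
        segments = parse_lime(data)
    except ValueError as exc:
        return False, str(exc)
    missing, unexpected = compare_with_iomem(segments, ram_ranges)
    if missing or unexpected:
        return False, f"missing {missing}, unexpected {unexpected}"
    return True, f"{len(segments)} segments cover all System RAM"


def build_sample_image(ranges, fill=b"\x41"):
    """Constructed LiME image: one header per range followed by filler bytes."""
    out = bytearray()
    for s, e in ranges:
        out += LIME_HEADER.pack(LIME_MAGIC, LIME_VERSION, s, e, b"\x00" * 8)
        out += fill * (e - s + 1)
    return bytes(out)


# Constructed /proc/iomem excerpt, same layout as the real output above.
SAMPLE_IOMEM = """\
00000000-00000fff : Reserved
00001000-00001fff : System RAM
00002000-00002fff : Reserved
00003000-00005fff : System RAM
  00004000-00004fff : Kernel code
00006000-00006fff : PCI Bus 0000:00
"""
SAMPLE_RAM = parse_iomem_system_ram(SAMPLE_IOMEM)  # [(0x1000, 0x1fff), (0x3000, 0x5fff)]

if __name__ == "__main__":
    full = build_sample_image(SAMPLE_RAM)
    partial = build_sample_image(SAMPLE_RAM[:1])  # capture that stopped after one range
    raw = b"\x00" * 4096                           # stands in for a headerless ram.bin
    for name, image in (("full", full), ("partial", partial), ("raw", raw)):
        print(name, check_image(image, SAMPLE_RAM))
```

For a real capture, pass the bytes of the pulled avml_dump.lime and the saved `cat /proc/iomem` output to `check_image`. It only handles avml's default uncompressed LiME output; the `--compress` option writes a different segment encoding that this parser does not understand.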

yassine955 commented 3 months ago

I tried this, but adb shell '/data/local/tmp/avml /data/local/tmp/avml_dump.lime' gives me this:

Error: error: unable to read memory
caused by:
    0: unable to create memory snapshot:     
        error: unable to create memory snapshot from source: /dev/crash
        caused by:
            0: unable to create memory snapshot
            1: unable to read memory
            2: No such file or directory (os error 2)

        error: unable to create memory snapshot from source: /proc/kcore
        caused by:
            0: locked down /proc/kcore

        error: unable to create memory snapshot from source: /dev/mem
        caused by:
            0: unable to create memory snapshot
            1: unable to read memory
            2: No such file or directory (os error 2)
yassine955 commented 3 months ago

/dev/crash file is not found
/proc/kcore: No such file or directory
/dev/mem: No such file or directory

I am using android 12, maybe use older version?

yassine955 commented 3 months ago

I also saw that AVML doesn't like kernel_lockdown, I have to disable that first

Abyss-W4tcher commented 3 months ago

locked down /proc/kcore

I saw that too, it might not be straightforward/safe to disable...

There is another tool called LiME, but I am not sure that it will compile with latest Android CLANG toolchains.

yassine955 commented 3 months ago

@Abyss-W4tcher I am using bazel to compile the android kernel. I am going to change the .config to disable kernel_lockdown

Abyss-W4tcher commented 3 months ago

FYI, another alternative, maybe safer, is to activate https://cateee.net/lkddb/web-lkddb/DEVMEM.html and disable https://cateee.net/lkddb/web-lkddb/HARDENED_USERCOPY.html in the kernel config.

This way, the "/dev/mem" device will be accessible to AVML.

yassine955 commented 3 months ago

@Abyss-W4tcher I will try that! But is it a condition that all of them need to be available?

Abyss-W4tcher commented 3 months ago

You only need one device to be available. "/dev/mem" was proven to work well.

However, kernel_lockdown seems to lock it as well:

       When lockdown is in effect, a number of features are disabled or
       have their use restricted.  This includes special device files
       and kernel services that allow direct access of the kernel image:

              /dev/mem
              /dev/kmem
              /dev/kcore
              /dev/ioports
              BPF
              kprobes

So, I think you can just go with /dev/kcore by disabling kernel_lockdown.
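
A pre-flight check for the three sources avml tried above (/dev/crash, /proc/kcore, /dev/mem), as an added example that is not code from avml, the kernel or Volatility 3: it reads a pulled kernel config and the lockdown state, says which source can work, and lists the config changes that would help. The rules it encodes are the kernel's own as I read the lockdown LSM and the Kconfig help: lockdown in "integrity" mode already blocks /dev/mem, "confidentiality" additionally blocks /proc/kcore; /dev/mem exists only with CONFIG_DEVMEM=y and, with CONFIG_STRICT_DEVMEM=y, refuses to read System RAM, which is exactly what a capture needs; /proc/kcore exists only with CONFIG_PROC_KCORE=y; /dev/crash exists only when the out-of-tree crash driver is loaded. The HARDENED_USERCOPY line only repeats the suggestion made above in this thread. The sample config, lockdown line and device list are constructed to mirror the avml error output.

```python
"""Pre-flight check for avml on a Linux/Android guest: which of its sources
(/dev/crash, /proc/kcore, /dev/mem) can work, from kernel config + lockdown state.

Added example for this thread, not code from avml, the kernel or Volatility 3.
Rules as read from the kernel's lockdown LSM and Kconfig help:
  lockdown 'integrity' blocks /dev/mem; 'confidentiality' also blocks /proc/kcore
  /dev/mem needs CONFIG_DEVMEM=y; CONFIG_STRICT_DEVMEM=y refuses reads of System RAM
  /proc/kcore needs CONFIG_PROC_KCORE=y; /dev/crash needs the crash driver loaded
The config, lockdown text and device list below are constructed samples.
"""
import gzip
import re


def parse_kconfig(text):
    """Map CONFIG_* names to 'y'/'m'/value, or 'n' for '# CONFIG_X is not set'."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg


def parse_lockdown(text):
    """Active mode from /sys/kernel/security/lockdown, e.g. 'none [integrity] confidentiality'.
    A missing or empty file (lockdown LSM not built in) counts as 'none'."""
    m = re.search(r"\[(\w+)\]", text or "")
    return m.group(1) if m else "none"


def assess(cfg, mode, present):
    """{source: (usable, reason)} for each source avml tries, in avml's order."""
    out = {}
    have_crash = "/dev/crash" in present
    out["/dev/crash"] = (have_crash, "crash driver loaded" if have_crash else "crash driver not loaded")
    if cfg.get("CONFIG_PROC_KCORE") != "y" or "/proc/kcore" not in present:
        out["/proc/kcore"] = (False, "CONFIG_PROC_KCORE not enabled")
    elif mode == "confidentiality":
        out["/proc/kcore"] = (False, "lockdown confidentiality blocks /proc/kcore")
    else:
        out["/proc/kcore"] = (True, "readable")  # kernel permits kcore in integrity mode
    if cfg.get("CONFIG_DEVMEM") != "y" or "/dev/mem" not in present:
        out["/dev/mem"] = (False, "CONFIG_DEVMEM not enabled")
    elif mode in ("integrity", "confidentiality"):
        out["/dev/mem"] = (False, f"lockdown {mode} blocks /dev/mem")
    elif cfg.get("CONFIG_STRICT_DEVMEM") == "y":
        out["/dev/mem"] = (False, "CONFIG_STRICT_DEVMEM refuses reads of System RAM")
    else:
        out["/dev/mem"] = (True, "readable")
    return out


def suggest(cfg, mode):
    """Kernel config changes that would give avml a usable source."""
    changes = []
    if mode != "none":
        changes.append("set CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y or drop CONFIG_SECURITY_LOCKDOWN_LSM")
    if cfg.get("CONFIG_DEVMEM") != "y":
        changes.append("set CONFIG_DEVMEM=y")
    if cfg.get("CONFIG_STRICT_DEVMEM") == "y":
        changes.append("set CONFIG_STRICT_DEVMEM=n so /dev/mem can read System RAM")
    if cfg.get("CONFIG_HARDENED_USERCOPY") == "y":
        changes.append("this thread also suggests CONFIG_HARDENED_USERCOPY=n for /dev/mem captures")
    return changes


def from_host_files(config_gz, lockdown_file, present):
    """Run the check on files pulled from the guest (see usage note); `present` is
    the set of source paths that exist there. Not exercised by the samples."""
    with gzip.open(config_gz, "rt") as fh:
        cfg = parse_kconfig(fh.read())
    try:
        with open(lockdown_file) as fh:
            mode = parse_lockdown(fh.read())
    except FileNotFoundError:
        mode = "none"
    return assess(cfg, mode, set(present)), suggest(cfg, mode)


# Constructed samples mirroring the avml error above: kcore present but locked
# down, no /dev/crash, no /dev/mem.
SAMPLE_CONFIG = """\
CONFIG_PROC_KCORE=y
# CONFIG_DEVMEM is not set
CONFIG_HARDENED_USERCOPY=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
"""
SAMPLE_LOCKDOWN = "none integrity [confidentiality]\n"
SAMPLE_PRESENT = {"/proc/kcore"}

if __name__ == "__main__":
    cfg, mode = parse_kconfig(SAMPLE_CONFIG), parse_lockdown(SAMPLE_LOCKDOWN)
    for src, (ok, why) in assess(cfg, mode, SAMPLE_PRESENT).items():
        print(f"{src:12} {'usable' if ok else 'blocked':8} {why}")
    for change in suggest(cfg, mode):
        print("fix:", change)
```

To run it against the emulator, pull the inputs from the guest first, for example `adb exec-out su -c 'cat /proc/config.gz' > config.gz`, `adb exec-out su -c 'cat /sys/kernel/security/lockdown' > lockdown`, and `adb shell su -c 'ls /dev/crash /proc/kcore /dev/mem'` for the present set, then call `from_host_files("config.gz", "lockdown", present)`.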

yassine955 commented 3 months ago

@Abyss-W4tcher The problem with LiME is the following. I am compiling the kernel with repo. I'm specifically using bazel, and it's hard or maybe impossible to combine that with LiME.

Abyss-W4tcher commented 3 months ago

I managed to edit the Makefile, to compile with other toolchains, but it wasn't stable, and with avml it's way simpler (assuming you have the devices accessible). LiME isn't maintained anymore unfortunately...

yassine955 commented 3 months ago

@Abyss-W4tcher I have a question. If I build the kernel, how can I then start the emulator? I tried -kernel bzImage, but it doesn't boot. I heard that I also need the ramdisk.img, or else the kernel won't work?

Abyss-W4tcher commented 3 months ago

-kernel arch/x86_64/boot/Image should work yes

yassine955 commented 3 months ago

The problem is that I only have bzImage. The kernel is not corresponding with the current emulator. So the ramdisk needs to be updated.

Abyss-W4tcher commented 3 months ago

I also had issues when compiling recent Android kernels, and the documentation is outdated (even 4 years back: https://stackoverflow.com/questions/59799980/compile-avd-kernel-for-memory-forensics-with-lime).

Abyss-W4tcher commented 3 months ago

Do you have more debug output of the emulator? Running with -show-kernel and -verbose?

yassine955 commented 3 months ago

So I tried emulator @mobile13 -kernel bzImage -show-kernel -no-snapshot-load -verbose

  1. The emulator starts up (and shows grey-screen)
  2. Then in the terminal it is looping this part:
[   10.911797] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014
[   10.914885] Call Trace:
[   10.915869]  <TASK>
[   10.916419]  panic+0x13f/0x34b
[   10.917220]  do_exit+0xbf9/0xd70
[   10.918039]  do_group_exit+0xbf/0xd0
[   10.918949]  __x64_sys_exit_group+0x12/0x20
[   10.919711]  do_syscall_64+0x43/0x90
[   10.920335]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[   10.921191] RIP: 0033:0x490997
[   10.921725] Code: 1f 40 00 b8 22 01 00 00 0f 05 48 3d 01 f0 ff ff 72 09 f7 d8 89 c7 e8 28 e8 ff ff c3 0f 1f 80 00 00 00 00 b8 e7 00 00 00 0f 05 <48> 3d 01 f0 ff ff 72 09 f7 d8 89 c7 e8 08 e8 ff ff c3 0f 1f 80 00
[   10.924881] RSP: 002b:00007ffedc7d7798 EFLAGS: 00000217 ORIG_RAX: 00000000000000e7
[   10.926154] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000490997
[   10.927354] RDX: 0000000000000006 RSI: 0000000000000001 RDI: 000000000000007f
[   10.928550] RBP: 00007ffedc7d79d0 R08: 00000000004b10c0 R09: 00000000004b10c0
[   10.929740] R10: 00007ffedc7d77b0 R11: 0000000000000217 R12: 00007f5147553190
[   10.930565] R13: 000000000020c900 R14: 0000000000000001 R15: 0000000000000001
[   10.931406]  </TASK>
[   10.931796] Kernel Offset: 0x14e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
DEBUG   | VirtIO WiFi: unexpected full virtqueue (10x)
DEBUG   | No acpi ini file provided, using default
[    0.000000] Linux version 5.15.144-maybe-dirty (build-user@build-host) (Android (8508608, based on r450784e) clang version 14.0.7 (https://android.googlesource.com/toolchain/llvm-project 4c603efb0cca074e9238af8b4106c30add4418f6), LLD 14.0.7) #1 SMP PREEMPT Thu Jan 1 00:00:00 UTC 1970
[    0.000000] Command line: no_timer_check 8250.nr_uarts=1 clocksource=pit console=ttyS0,38400 cma=296M@0-4G loop.max_part=7 ramoops.mem_address=0xff018000 ramoops.mem_size=0x10000 memmap=0x10000$0xff018000 printk.devkmsg=on bootconfig mac80211_hwsim.radios=0
[    0.000000] BIOS-provided physical RAM map:
[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
[    0.000000] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
[    0.000000] BIOS-e820: [mem 0x0000000000100000-0x000000007ffd3fff] usable
[    0.000000] BIOS-e820: [mem 0x000000007ffd4000-0x000000007fffffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000feffc000-0x00000000feffffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved
[    0.000000] Stack Depot is disabled
[    0.000000] NX (Execute Disable) protection: active
[    0.000000] user-defined physical RAM map:
[    0.000000] user: [mem 0x0000000000000000-0x000000000009fbff] usable
[    0.000000] user: [mem 0x000000000009fc00-0x000000000009ffff] reserved
[    0.000000] user: [mem 0x00000000000f0000-0x00000000000fffff] reserved
[    0.000000] user: [mem 0x0000000000100000-0x000000007ffd3fff] usable
[    0.000000] user: [mem 0x000000007ffd4000-0x000000007fffffff] reserved
[    0.000000] user: [mem 0x00000000feffc000-0x00000000feffffff] reserved
[    0.000000] user: [mem 0x00000000ff018000-0x00000000ff027fff] reserved
[    0.000000] user: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved
[    0.000000] SMBIOS 2.8 present.
[    0.000000] DMI: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014
[    0.000000] Hypervisor detected: KVM
[    0.000000] kvm-clock: Using msrs 4b564d01 and 4b564d00
[    0.000000] kvm-clock: cpu 0, msr 5afce001, primary cpu clock
[    0.000035] kvm-clock: using sched offset of 23420388770 cycles
[    0.000039] clocksource: kvm-clock: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns
[    0.000043] tsc: Detected 3791.998 MHz processor
[    0.000216] last_pfn = 0x7ffd4 max_arch_pfn = 0x400000000
[    0.000242] x86/PAT: PAT not supported by the CPU.
[    0.000249] x86/PAT: Configuration [0-7]: WB  WT  UC- UC  WB  WT  UC- UC  
[    0.005217] found SMP MP-table at [mem 0x000f5ab0-0x000f5abf]
[    0.005292] RAMDISK: [mem 0x7fc31000-0x7ffcffff]
[    0.005297] ACPI: Early table checksum verification disabled
[    0.005308] ACPI: RSDP 0x00000000000F58B0 000014 (v00 BOCHS )
[    0.005316] ACPI: RSDT 0x000000007FFE1C02 000030 (v01 BOCHS  BXPCRSDT 00000001 BXPC 00000001)
[    0.005321] ACPI: FACP 0x000000007FFE1AC6 000074 (v01 BOCHS  BXPCFACP 00000001 BXPC 00000001)
[    0.005330] ACPI: DSDT 0x000000007FFE0040 001A86 (v01 BOCHS  BXPCDSDT 00000001 BXPC 00000001)
[    0.005332] ACPI: FACS 0x000000007FFE0000 000040
[    0.005337] ACPI: APIC 0x000000007FFE1B3A 000090 (v01 BOCHS  BXPCAPIC 00000001 BXPC 00000001)
[    0.005339] ACPI: HPET 0x000000007FFE1BCA 000038 (v01 BOCHS  BXPCHPET 00000001 BXPC 00000001)
[    0.005342] ACPI: Reserving FACP table memory at [mem 0x7ffe1ac6-0x7ffe1b39]
[    0.005345] ACPI: Reserving DSDT table memory at [mem 0x7ffe0040-0x7ffe1ac5]
[    0.005346] ACPI: Reserving FACS table memory at [mem 0x7ffe0000-0x7ffe003f]
[    0.005347] ACPI: Reserving APIC table memory at [mem 0x7ffe1b3a-0x7ffe1bc9]
[    0.005347] ACPI: Reserving HPET table memory at [mem 0x7ffe1bca-0x7ffe1c01]
[    0.005383] cma: Reserved 296 MiB at 0x000000006d400000
[    0.005424] Zone ranges:
[    0.005428]   DMA32    [mem 0x0000000000001000-0x000000007ffd3fff]
[    0.005430]   Normal   empty
[    0.005432] Movable zone start for each node
[    0.005433] Early memory node ranges
[    0.005435]   node   0: [mem 0x0000000000001000-0x000000000009efff]
[    0.005438]   node   0: [mem 0x0000000000100000-0x000000007ffd3fff]
[    0.005441] Initmem setup node 0 [mem 0x0000000000001000-0x000000007ffd3fff]
[    0.005451] On node 0, zone DMA32: 1 pages in unavailable ranges
[    0.016091] On node 0, zone DMA32: 97 pages in unavailable ranges
[    0.016095] On node 0, zone DMA32: 44 pages in unavailable ranges
[    0.016615] ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1])
[    0.016642] IOAPIC[0]: apic_id 0, version 17, address 0xfec00000, GSI 0-23
[    0.016644] ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)
[    0.016646] ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)
[    0.016649] ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
[    0.016650] ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
[    0.016653] ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
[    0.016655] ACPI: Using ACPI (MADT) for SMP configuration information
[    0.016657] ACPI: HPET id: 0x8086a201 base: 0xfed00000
[    0.016661] TSC deadline timer available
[    0.016662] smpboot: Allowing 4 CPUs, 0 hotplug CPUs
[    0.016678] PM: hibernation: Registered nosave memory: [mem 0x00000000-0x00000fff]
[    0.016679] PM: hibernation: Registered nosave memory: [mem 0x0009f000-0x0009ffff]
[    0.016682] PM: hibernation: Registered nosave memory: [mem 0x000a0000-0x000effff]
[    0.016683] PM: hibernation: Registered nosave memory: [mem 0x000f0000-0x000fffff]
[    0.016684] [mem 0x80000000-0xfeffbfff] available for PCI devices
[    0.016685] Booting paravirtualized kernel on KVM
[    0.016689] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645519600211568 ns
[    0.016745] Load bootconfig: 1729 bytes 63 nodes
[    0.016748] setup_percpu: NR_CPUS:32 nr_cpumask_bits:32 nr_cpu_ids:4 nr_node_ids:1
[    0.017526] percpu: Embedded 55 pages/cpu s187264 r8192 d29824 u524288
[    0.017555] kvm-guest: stealtime: cpu 0, msr 6b21c340
[    0.017558] Built 1 zonelists, mobility grouping on.  Total pages: 515796
[    0.017559] Kernel command line: stack_depot_disable=on cgroup_disable=pressure no_timer_check 8250.nr_uarts=1 clocksource=pit console=ttyS0,38400 cma=296M@0-4G loop.max_part=7 ramoops.mem_address=0xff018000 ramoops.mem_size=0x10000 memmap=0x10000$0xff018000 printk.devkmsg=on bootconfig mac80211_hwsim.radios=0
[    0.017710] cgroup: Disabling pressure control group feature
[    0.018371] Dentry cache hash table entries: 262144 (order: 9, 2097152 bytes, linear)
[    0.018706] Inode-cache hash table entries: 131072 (order: 8, 1048576 bytes, linear)
[    0.018921] mem auto-init: stack:all(zero), heap alloc:on, heap free:off
[    0.022645] Memory: 1704356K/2096584K available (24595K kernel code, 2032K rwdata, 12856K rodata, 1368K init, 2328K bss, 88864K reserved, 303104K cma-reserved)
[    0.022797] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
[    0.022810] Kernel/User page tables isolation: enabled
[    0.023005] rcu: Preemptible hierarchical RCU implementation.
[    0.023006] rcu:     RCU event tracing is enabled.
[    0.023006] rcu:     RCU dyntick-idle grace-period acceleration is enabled.
[    0.023007] rcu:     RCU restricting CPUs from NR_CPUS=32 to nr_cpu_ids=4.
[    0.023008] rcu:     RCU priority boosting: priority 1 delay 500 ms.
[    0.023009]  Trampoline variant of Tasks RCU enabled.
[    0.023009]  Tracing variant of Tasks RCU enabled.
[    0.023010] rcu: RCU calculated value of scheduler-enlistment delay is 25 jiffies.
[    0.023011] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=4
[    0.023830] NR_IRQS: 4352, nr_irqs: 456, preallocated irqs: 16
[    0.023973] rcu:     Offload RCU callbacks from CPUs: (none).
[    0.024004] kfence: initialized - using 524288 bytes for 63 objects at 0x(____ptrval____)-0x(____ptrval____)
[    0.074542] printk: console [ttyS0] enabled
[    0.074858] ACPI: Core revision 20210730
[    0.075282] clocksource: hpet: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604467 ns
[    0.076010] APIC: Switch to symmetric I/O mode setup
[    0.076524] x2apic enabled
[    0.076876] Switched APIC routing to physical x2apic.
[    0.077924] ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1
[    0.078365] clocksource: tsc-early: mask: 0xffffffffffffffff max_cycles: 0x6d51a1f9672, max_idle_ns: 881590864124 ns
[    0.079122] Calibrating delay loop (skipped) preset value.. 7583.99 BogoMIPS (lpj=15167992)
[    0.079763] Last level iTLB entries: 4KB 0, 2MB 0, 4MB 0
[    0.083121] Last level dTLB entries: 4KB 0, 2MB 0, 4MB 0, 1GB 0
[    0.083570] Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
[    0.084209] Spectre V2 : Mitigation: Retpolines
[    0.084514] Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
[    0.085029] Spectre V2 : Spectre v2 / SpectreRSB : Filling RSB on VMEXIT
[    0.085441] Speculative Store Bypass: Vulnerable
[    0.085738] MDS: Vulnerable: Clear CPU buffers attempted, no microcode
[    0.086156] MMIO Stale Data: Unknown: No mitigations
[    0.086477] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
[    0.087120] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
[    0.087604] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
[    0.088085] x86/fpu: xstate_offset[2]:  576, xstate_sizes[2]:  256
[    0.088548] x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' format.
[    0.092315] Freeing SMP alternatives memory: 124K
[    0.092691] pid_max: default: 32768 minimum: 301
[    0.093074] LSM: Security Framework initializing
[    0.093429] SELinux:  Initializing.
[    0.093772] Mount-cache hash table entries: 4096 (order: 3, 32768 bytes, linear)
[    0.094323] Mountpoint-cache hash table entries: 4096 (order: 3, 32768 bytes, linear)
[    0.095366] smpboot: CPU0: Intel Android virtual processor (family: 0x6, model: 0x6, stepping: 0x3)
[    0.096251] Performance Events: generic architected perfmon, Intel PMU driver.
[    0.096819] ... version:                2
[    0.097111] ... bit width:              48
[    0.097404] ... generic registers:      4
[    0.097701] ... value mask:             0000ffffffffffff
[    0.098057] ... max period:             000000007fffffff
[    0.098438] ... fixed-purpose events:   3
[    0.098740] ... event mask:             000000070000000f
[    0.099119] signal: max sigframe size: 1776
[    0.099158] rcu: Hierarchical SRCU implementation.
[    0.100153] dyndbg: Ignore empty _ddebug table in a CONFIG_DYNAMIC_DEBUG_CORE build
[    0.100847] smp: Bringing up secondary CPUs ...
[    0.101363] x86: Booting SMP configuration:
[    0.101703] .... node  #0, CPUs:      #1
[    0.055141] kvm-clock: cpu 1, msr 5afce041, secondary cpu clock
[    0.103168] kvm-guest: stealtime: cpu 1, msr 6b29c340
[    0.105585]  #2
[    0.055141] kvm-clock: cpu 2, msr 5afce081, secondary cpu clock
[    0.107153] kvm-guest: stealtime: cpu 2, msr 6b31c340
[    0.109553]  #3
[    0.055141] kvm-clock: cpu 3, msr 5afce0c1, secondary cpu clock
[    0.111134] kvm-guest: stealtime: cpu 3, msr 6b39c340
[    0.112177] smp: Brought up 1 node, 4 CPUs
[    0.112177] smpboot: Max logical packages: 1
[    0.112177] smpboot: Total of 4 processors activated (30335.98 BogoMIPS)
[    0.112502] x86/mm: Memory block size: 128MB
[    0.113029] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[    0.115155] futex hash table entries: 1024 (order: 4, 65536 bytes, linear)
[    0.116984] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[    0.117528] audit: initializing netlink subsys (disabled)
[    0.117946] audit: type=2000 audit(1712056881.566:1): state=initialized audit_enabled=0 res=1
[    0.117946] ramoops: using module parameters
[    0.119599] printk: console [ramoops-1] enabled
[    0.119962] pstore: Registered ramoops as persistent store backend
[    0.120441] ramoops: using 0x10000@0xff018000, ecc: 0
[    0.120926] thermal_sys: Registered thermal governor 'step_wise'
[    0.120927] thermal_sys: Registered thermal governor 'user_space'
[    0.121399] cpuidle: using governor menu
[    0.122302] ACPI: bus type PCI registered
[    0.122696] PCI: Using configuration type 1 for base access
[    0.124647] kprobes: kprobe jump-optimization is enabled. All kprobes are optimized if possible.
[    0.125305] cryptd: max_cpu_qlen set to 1000
[    0.125305] ACPI: Added _OSI(Module Device)
[    0.127124] ACPI: Added _OSI(Processor Device)
[    0.127127] ACPI: Added _OSI(3.0 _SCP Extensions)
[    0.128165] ACPI: Added _OSI(Processor Aggregator Device)
[    0.129371] ACPI: Added _OSI(Linux-Dell-Video)
[    0.130349] ACPI: Added _OSI(Linux-Lenovo-NV-HDMI-Audio)
[    0.131128] ACPI: Added _OSI(Linux-HPI-Hybrid-Graphics)
[    0.133891] ACPI: 1 ACPI AML tables successfully acquired and loaded
[    0.135732] ACPI: Interpreter enabled
[    0.135732] ACPI: PM: (supports S0 S3 S4 S5)
[    0.139147] ACPI: Using IOAPIC for interrupt routing
[    0.139601] PCI: Using host bridge windows from ACPI; if necessary, use "pci=nocrs" and report a bug
[    0.140486] ACPI: Enabled 2 GPEs in block 00 to 0F
[    0.142869] ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff])
[    0.143128] acpi PNP0A03:00: _OSC: OS supports [ASPM ClockPM Segments MSI HPX-Type3]
[    0.143973] acpi PNP0A03:00: fail to add MMCONFIG information, can't access extended PCI configuration space under this bridge.
[    0.145297] PCI host bridge to bus 0000:00
[    0.145751] pci_bus 0000:00: root bus resource [io  0x0000-0x0cf7 window]
[    0.146520] pci_bus 0000:00: root bus resource [io  0x0d00-0xffff window]
[    0.147123] pci_bus 0000:00: root bus resource [mem 0x000a0000-0x000bffff window]
[    0.147968] pci_bus 0000:00: root bus resource [mem 0x80000000-0xfebfffff window]
[    0.148821] pci_bus 0000:00: root bus resource [mem 0x400000000-0x80005ffff window]
[    0.149707] pci_bus 0000:00: root bus resource [bus 00-ff]
[    0.150448] pci 0000:00:00.0: [8086:1237] type 00 class 0x060000
[    0.151580] pci 0000:00:01.0: [8086:7000] type 00 class 0x060100
[    0.152821] pci 0000:00:01.1: [8086:7010] type 00 class 0x010180
[    0.156799] pci 0000:00:01.1: reg 0x20: [io  0xc2a0-0xc2af]
[    0.158552] pci 0000:00:01.1: legacy IDE quirk: reg 0x10: [io  0x01f0-0x01f7]
[    0.159123] pci 0000:00:01.1: legacy IDE quirk: reg 0x14: [io  0x03f6]
[    0.159645] pci 0000:00:01.1: legacy IDE quirk: reg 0x18: [io  0x0170-0x0177]
[    0.160216] pci 0000:00:01.1: legacy IDE quirk: reg 0x1c: [io  0x0376]
[    0.160915] pci 0000:00:01.3: [8086:7113] type 00 class 0x068000
[    0.161660] pci 0000:00:01.3: quirk: [io  0x0600-0x063f] claimed by PIIX4 ACPI
[    0.162235] pci 0000:00:01.3: quirk: [io  0x0700-0x070f] claimed by PIIX4 SMB
[    0.163017] pci 0000:00:02.0: [1af4:1019] type 00 class 0x040100
[    0.167731] pci 0000:00:02.0: reg 0x10: [io  0xc200-0xc21f]
[    0.173199] pci 0000:00:02.0: reg 0x20: [mem 0x800000000-0x800003fff 64bit pref]
[    0.175668] pci 0000:00:03.0: [1af4:1001] type 00 class 0x010000
[    0.179124] pci 0000:00:03.0: reg 0x10: [io  0xc000-0xc03f]
[    0.185402] pci 0000:00:03.0: reg 0x14: [mem 0xfebc0000-0xfebc0fff]
[    0.187123] pci 0000:00:03.0: reg 0x18: [io  0xc2b0-0xc2b3]
[    0.191124] pci 0000:00:03.0: reg 0x20: [mem 0x800004000-0x800007fff 64bit pref]
[    0.200085] pci 0000:00:04.0: [1af4:1001] type 00 class 0x010000
[    0.203125] pci 0000:00:04.0: reg 0x10: [io  0xc040-0xc07f]
[    0.210883] pci 0000:00:04.0: reg 0x14: [mem 0xfebc1000-0xfebc1fff]
[    0.214865] pci 0000:00:04.0: reg 0x18: [io  0xc2b4-0xc2b7]
[    0.224948] pci 0000:00:04.0: reg 0x20: [mem 0x800008000-0x80000bfff 64bit pref]
[    0.230478] pci 0000:00:05.0: [1af4:1001] type 00 class 0x010000
[    0.235125] pci 0000:00:05.0: reg 0x10: [io  0xc080-0xc0bf]
[    0.243129] pci 0000:00:05.0: reg 0x14: [mem 0xfebc2000-0xfebc2fff]
[    0.247127] pci 0000:00:05.0: reg 0x18: [io  0xc2b8-0xc2bb]
[    0.257094] pci 0000:00:05.0: reg 0x20: [mem 0x80000c000-0x80000ffff 64bit pref]
[    0.266456] pci 0000:00:06.0: [1af4:1001] type 00 class 0x010000
[    0.271129] pci 0000:00:06.0: reg 0x10: [io  0xc0c0-0xc0ff]
[    0.279129] pci 0000:00:06.0: reg 0x14: [mem 0xfebc3000-0xfebc3fff]
[    0.283126] pci 0000:00:06.0: reg 0x18: [io  0xc2bc-0xc2bf]
[    0.294100] pci 0000:00:06.0: reg 0x20: [mem 0x800010000-0x800013fff 64bit pref]
[    0.300186] pci 0000:00:07.0: [1af4:1001] type 00 class 0x010000
[    0.305494] pci 0000:00:07.0: reg 0x10: [io  0xc100-0xc13f]
[    0.311132] pci 0000:00:07.0: reg 0x14: [mem 0xfebc4000-0xfebc4fff]
[    0.317445] pci 0000:00:07.0: reg 0x18: [io  0xc2c0-0xc2c3]
[    0.329494] pci 0000:00:07.0: reg 0x20: [mem 0x800014000-0x800017fff 64bit pref]
[    0.334238] pci 0000:00:08.0: [1af4:1001] type 00 class 0x010000
[    0.339130] pci 0000:00:08.0: reg 0x10: [io  0xc140-0xc17f]
[    0.343131] pci 0000:00:08.0: reg 0x14: [mem 0xfebc5000-0xfebc5fff]
[    0.349307] pci 0000:00:08.0: reg 0x18: [io  0xc2c4-0xc2c7]
[    0.355129] pci 0000:00:08.0: reg 0x20: [mem 0x800018000-0x80001bfff 64bit pref]
[    0.362393] pci 0000:00:09.0: [1af4:1000] type 00 class 0x020000
[    0.364332] pci 0000:00:09.0: reg 0x10: [io  0xc220-0xc23f]
[    0.367126] pci 0000:00:09.0: reg 0x14: [mem 0xfebc6000-0xfebc6fff]
[    0.377697] pci 0000:00:09.0: reg 0x20: [mem 0x80001c000-0x80001ffff 64bit pref]
[    0.380233] pci 0000:00:09.0: reg 0x30: [mem 0xfeb80000-0xfebbffff pref]
[    0.381475] pci 0000:00:0a.0: [1af4:1003] type 00 class 0x078000
[    0.384089] pci 0000:00:0a.0: reg 0x10: [io  0xc180-0xc1bf]
[    0.389306] pci 0000:00:0a.0: reg 0x14: [mem 0xfebc7000-0xfebc7fff]
DEBUG   | VirtIO WiFi: unexpected full virtqueue
[    0.396354] pci 0000:00:0a.0: reg 0x20: [mem 0x800020000-0x800023fff 64bit pref]
[    0.401792] pci 0000:00:0b.0: [607d:f153] type 00 class 0x00ff00
[    0.403886] pci 0000:00:0b.0: reg 0x10: [mem 0xfebc8000-0xfebc8fff]
[    0.405963] pci 0000:00:0b.0: reg 0x14: [mem 0x400000000-0x7ffffffff 64bit]
[    0.414267] pci 0000:00:0c.0: [1af4:1003] type 00 class 0x078000
[    0.415960] pci 0000:00:0c.0: reg 0x10: [io  0xc1c0-0xc1ff]
[    0.418061] pci 0000:00:0c.0: reg 0x14: [mem 0xfebc9000-0xfebc9fff]
[    0.425723] pci 0000:00:0c.0: reg 0x20: [mem 0x800024000-0x800027fff 64bit pref]
[    0.428551] pci 0000:00:0d.0: [1af4:1005] type 00 class 0x00ff00
[    0.430362] pci 0000:00:0d.0: reg 0x10: [io  0xc240-0xc25f]
[    0.436809] pci 0000:00:0d.0: reg 0x20: [mem 0x800028000-0x80002bfff 64bit pref]
[    0.438937] pci 0000:00:0e.0: [1af4:1052] type 00 class 0x098000
[    0.441337] pci 0000:00:0e.0: reg 0x14: [mem 0xfebca000-0xfebcafff]
[    0.444741] pci 0000:00:0e.0: reg 0x20: [mem 0x80002c000-0x80002ffff 64bit pref]
[    0.448712] pci 0000:00:0f.0: [1af4:1052] type 00 class 0x098000
[    0.451123] pci 0000:00:0f.0: reg 0x14: [mem 0xfebcb000-0xfebcbfff]
[    0.454839] pci 0000:00:0f.0: reg 0x20: [mem 0x800030000-0x800033fff 64bit pref]
[    0.459567] pci 0000:00:10.0: [1af4:1052] type 00 class 0x098000
[    0.462336] pci 0000:00:10.0: reg 0x14: [mem 0xfebcc000-0xfebccfff]
[    0.465748] pci 0000:00:10.0: reg 0x20: [mem 0x800034000-0x800037fff 64bit pref]
[    0.467512] pci 0000:00:11.0: [1af4:1052] type 00 class 0x098000
[    0.472189] pci 0000:00:11.0: reg 0x14: [mem 0xfebcd000-0xfebcdfff]
[    0.475658] pci 0000:00:11.0: reg 0x20: [mem 0x800038000-0x80003bfff 64bit pref]
[    0.477715] pci 0000:00:12.0: [1af4:1052] type 00 class 0x098000
[    0.480193] pci 0000:00:12.0: reg 0x14: [mem 0xfebce000-0xfebcefff]
[    0.485968] pci 0000:00:12.0: reg 0x20: [mem 0x80003c000-0x80003ffff 64bit pref]
[    0.487526] pci 0000:00:13.0: [1af4:1052] type 00 class 0x098000
[    0.490145] pci 0000:00:13.0: reg 0x14: [mem 0xfebcf000-0xfebcffff]
[    0.496283] pci 0000:00:13.0: reg 0x20: [mem 0x800040000-0x800043fff 64bit pref]
[    0.498316] pci 0000:00:14.0: [1af4:1052] type 00 class 0x098000
[    0.500737] pci 0000:00:14.0: reg 0x14: [mem 0xfebd0000-0xfebd0fff]
[    0.504215] pci 0000:00:14.0: reg 0x20: [mem 0x800044000-0x800047fff 64bit pref]
[    0.508139] pci 0000:00:15.0: [1af4:1052] type 00 class 0x098000
[    0.510774] pci 0000:00:15.0: reg 0x14: [mem 0xfebd1000-0xfebd1fff]
[    0.514350] pci 0000:00:15.0: reg 0x20: [mem 0x800048000-0x80004bfff 64bit pref]
[    0.516053] pci 0000:00:16.0: [1af4:1052] type 00 class 0x098000
[    0.520801] pci 0000:00:16.0: reg 0x14: [mem 0xfebd2000-0xfebd2fff]
[    0.524198] pci 0000:00:16.0: reg 0x20: [mem 0x80004c000-0x80004ffff 64bit pref]
[    0.526244] pci 0000:00:17.0: [1af4:1052] type 00 class 0x098000
[    0.528716] pci 0000:00:17.0: reg 0x14: [mem 0xfebd3000-0xfebd3fff]
[    0.534353] pci 0000:00:17.0: reg 0x20: [mem 0x800050000-0x800053fff 64bit pref]
[    0.536114] pci 0000:00:18.0: [1af4:1052] type 00 class 0x098000
[    0.538692] pci 0000:00:18.0: reg 0x14: [mem 0xfebd4000-0xfebd4fff]
[    0.544786] pci 0000:00:18.0: reg 0x20: [mem 0x800054000-0x800057fff 64bit pref]
[    0.546805] pci 0000:00:19.0: [1af4:1052] type 00 class 0x090000
[    0.549610] pci 0000:00:19.0: reg 0x14: [mem 0xfebd5000-0xfebd5fff]
[    0.552743] pci 0000:00:19.0: reg 0x20: [mem 0x800058000-0x80005bfff 64bit pref]
[    0.556635] pci 0000:00:1a.0: [1af4:100a] type 00 class 0x020000
[    0.558193] pci 0000:00:1a.0: reg 0x10: [io  0xc260-0xc27f]
[    0.559644] pci 0000:00:1a.0: reg 0x14: [mem 0xfebd6000-0xfebd6fff]
[    0.567978] pci 0000:00:1b.0: [1af4:1012] type 00 class 0x078000
[    0.570059] pci 0000:00:1b.0: reg 0x10: [io  0xc280-0xc29f]
[    0.571897] pci 0000:00:1b.0: reg 0x14: [mem 0xfebd7000-0xfebd7fff]
[    0.576720] pci 0000:00:1b.0: reg 0x20: [mem 0x80005c000-0x80005ffff 64bit pref]
[    0.581359] ACPI: PCI: Interrupt link LNKA configured for IRQ 10
[    0.581846] ACPI: PCI: Interrupt link LNKB configured for IRQ 10
[    0.582293] ACPI: PCI: Interrupt link LNKC configured for IRQ 11
[    0.582743] ACPI: PCI: Interrupt link LNKD configured for IRQ 11
[    0.583146] ACPI: PCI: Interrupt link LNKS configured for IRQ 9
[    0.583910] vgaarb: loaded
[    0.584206] SCSI subsystem initialized
[    0.584472] ACPI: bus type USB registered
[    0.584756] usbcore: registered new interface driver usbfs
[    0.585116] usbcore: registered new interface driver hub
[    0.585464] usbcore: registered new device driver usb
[    0.585821] mc: Linux media interface: v0.10
[    0.586122] videodev: Linux video capture interface: v2.00
[    0.586508] pps_core: LinuxPPS API ver. 1 registered
[    0.586850] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[    0.587125] PTP clock support registered
[    0.587399] EDAC MC: Ver: 3.0.0
[    0.587896] Advanced Linux Sound Architecture Driver Initialized.
[    0.588675] Bluetooth: Core ver 2.22
[    0.588939] NET: Registered PF_BLUETOOTH protocol family
[    0.589309] Bluetooth: HCI device and connection manager initialized
[    0.589750] Bluetooth: HCI socket layer initialized
[    0.591123] Bluetooth: L2CAP socket layer initialized
[    0.591475] Bluetooth: SCO socket layer initialized
[    0.591859] nfc: nfc_init: NFC Core ver 0.1
[    0.592157] NET: Registered PF_NFC protocol family
[    0.592490] PCI: Using ACPI for IRQ routing
[    0.593004] hpet: 3 channels of 0 reserved for per-cpu timers
[    0.593004] hpet0: at MMIO 0xfed00000, IRQs 2, 8, 0
[    0.593004] hpet0: 3 comparators, 64-bit 100.000000 MHz counter
[    0.598266] clocksource: Switched to clocksource kvm-clock
[    0.605368] VFS: Disk quotas dquot_6.6.0
[    0.605669] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes)
[    0.606368] pnp: PnP ACPI init
[    0.606988] pnp: PnP ACPI: found 5 devices
[    0.607425] NET: Registered PF_INET protocol family
[    0.607910] IP idents hash table entries: 32768 (order: 6, 262144 bytes, linear)
[    0.608702] tcp_listen_portaddr_hash hash table entries: 1024 (order: 2, 16384 bytes, linear)
[    0.609411] Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear)
[    0.610007] TCP established hash table entries: 16384 (order: 5, 131072 bytes, linear)
[    0.610662] TCP bind hash table entries: 16384 (order: 6, 262144 bytes, linear)
[    0.611189] TCP: Hash tables configured (established 16384 bind 16384)
[    0.611733] UDP hash table entries: 1024 (order: 3, 32768 bytes, linear)
[    0.612218] UDP-Lite hash table entries: 1024 (order: 3, 32768 bytes, linear)
[    0.612742] NET: Registered PF_UNIX/PF_LOCAL protocol family
[    0.613140] NET: Registered PF_XDP protocol family
[    0.613484] pci_bus 0000:00: resource 4 [io  0x0000-0x0cf7 window]
[    0.613917] pci_bus 0000:00: resource 5 [io  0x0d00-0xffff window]
[    0.614343] pci_bus 0000:00: resource 6 [mem 0x000a0000-0x000bffff window]
[    0.614815] pci_bus 0000:00: resource 7 [mem 0x80000000-0xfebfffff window]
[    0.615297] pci_bus 0000:00: resource 8 [mem 0x400000000-0x80005ffff window]
[    0.615865] pci 0000:00:01.0: PIIX3: Enabling Passive Release
[    0.616268] pci 0000:00:00.0: Limiting direct PCI/PCI transfers
[    0.616683] pci 0000:00:01.0: Activating ISA DMA hang workarounds
[    0.617225] PCI: CLS 0 bytes, default 64
[    0.617529] kvm: no hardware support
[    0.617785] has_svm: not amd or hygon
[    0.617812] Trying to unpack rootfs image as initramfs...
[    0.618037] kvm: no hardware support
[    0.618040] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x6d51a1f9672, max_idle_ns: 881590864124 ns
[    0.619776] Initialise system trusted keyrings
[    0.620309] workingset: timestamp_bits=46 max_order=19 bucket_order=0
[    0.627282] fuse: init (API version 7.36)
[    0.633083] Freeing initrd memory: 3708K
[    0.647921] Key type asymmetric registered
[    0.648371] Asymmetric key parser 'x509' registered
[    0.648972] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 238)
[    0.649765] io scheduler mq-deadline registered
[    0.650233] io scheduler kyber registered
[    0.650696] io scheduler bfq registered
[    0.652213] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
[    0.655365] ACPI: button: Power Button [PWRF]
[    0.656823] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[    0.658455] 00:04: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
[    0.665046] brd: module loaded
[    0.670374] loop: module loaded
[    0.671864] wireguard: WireGuard 1.0.0 loaded. See www.wireguard.com for information.
[    0.673330] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
[    0.675311] MACsec IEEE 802.1AE
[    0.676186] tun: Universal TUN/TAP device driver, 1.6
[    0.677110] CAN device driver interface
[    0.677680] PPP generic driver version 2.4.2
[    0.678218] PPP BSD Compression module registered
[    0.678781] PPP Deflate Compression module registered
[    0.679406] PPP MPPE Compression module registered
[    0.679979] NET: Registered PF_PPPOX protocol family
[    0.680590] PPTP driver version 0.8.5
[    0.681412] usbcore: registered new interface driver rtl8150
[    0.682104] usbcore: registered new device driver r8152-cfgselector
[    0.682858] usbcore: registered new interface driver r8152
[    0.683526] usbcore: registered new interface driver asix
[    0.684205] usbcore: registered new interface driver ax88179_178a
[    0.684937] usbcore: registered new interface driver cdc_ether
[    0.685642] usbcore: registered new interface driver cdc_eem
[    0.686330] usbcore: registered new interface driver cdc_ncm
[    0.687011] usbcore: registered new interface driver aqc111
[    0.687694] usbcore: registered new interface driver r8153_ecm
[    0.688431] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    0.688966] ehci-pci: EHCI PCI platform driver
[    0.689343] ehci-platform: EHCI generic platform driver
[    0.689809] usbcore: registered new interface driver cdc_acm
[    0.690277] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[    0.691329] usbcore: registered new interface driver uas
[    0.691807] usbcore: registered new interface driver usb-storage
[    0.692389] i8042: PNP: PS/2 Controller [PNP0303:KBD,PNP0f13:MOU] at 0x60,0x64 irq 1,12
[    0.693539] serio: i8042 KBD port at 0x60,0x64 irq 1
[    0.693997] serio: i8042 AUX port at 0x60,0x64 irq 12
[    0.694511] usbcore: registered new interface driver xpad
[    0.695027] rtc_cmos 00:00: RTC can wake from S4
[    0.695725] input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input1
[    0.696759] rtc_cmos 00:00: registered as rtc0
[    0.697173] rtc_cmos 00:00: alarms up to one day, y3k, 114 bytes nvram, hpet irqs
[    0.697817] usbcore: registered new interface driver uvcvideo
[    0.698295] gspca_main: v2.14.0 registered
[    0.698663] device-mapper: uevent: version 1.0.3
[    0.699176] device-mapper: ioctl: 4.45.0-ioctl (2021-03-22) initialised: dm-devel@redhat.com
[    0.700031] Bluetooth: HCI UART driver ver 2.3
[    0.700342] Bluetooth: HCI UART protocol H4 registered
[    0.700705] Bluetooth: HCI UART protocol LL registered
[    0.701083] Bluetooth: HCI UART protocol Broadcom registered
[    0.701490] Bluetooth: HCI UART protocol QCA registered
[    0.701877] intel_pstate: CPU model not supported
[    0.702210] sdhci: Secure Digital Host Controller Interface driver
[    0.702634] sdhci: Copyright(c) Pierre Ossman
[    0.702946] sdhci-pltfm: SDHCI platform and OF driver helper
[    0.703387] hid: raw HID events driver (C) Jiri Kosina
[    0.703917] usbcore: registered new interface driver usbhid
[    0.704312] usbhid: USB HID core driver
[    0.704631] ashmem: initialized
[    0.704885] gnss: GNSS driver registered with major 509
[    0.705276] usbcore: registered new interface driver snd-usb-audio
[    0.705801] GACT probability NOT on
[    0.706051] Mirror/redirect action on
[    0.706310] netem: version 1.3
[    0.706542] u32 classifier
[    0.706737]     input device check on
[    0.706997]     Actions configured
[    0.708150] xt_time: kernel timezone is -0000
[    0.708498] ipip: IPv4 and MPLS over IPv4 tunneling driver
[    0.708968] gre: GRE over IPv4 demultiplexor driver
[    0.709298] ip_gre: GRE over IPv4 tunneling driver
[    0.709811] IPv4 over IPsec tunneling driver
[    0.710206] Initializing XFRM netlink socket
[    0.710503] IPsec XFRM device driver
[    0.710835] NET: Registered PF_INET6 protocol family
[    0.711984] Segment Routing with IPv6
[    0.712250] In-situ OAM (IOAM) with IPv6
[    0.712590] mip6: Mobile IPv6
[    0.713010] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
[    0.713533] ip6_gre: GRE over IPv6 tunneling driver
[    0.714016] NET: Registered PF_PACKET protocol family
[    0.714366] NET: Registered PF_KEY protocol family
[    0.714708] can: controller area network core
[    0.715049] NET: Registered PF_CAN protocol family
[    0.715393] can: raw protocol
[    0.715608] can: broadcast manager protocol
[    0.715896] can: netlink gateway - max_hops=1
[    0.716447] Bluetooth: RFCOMM TTY layer initialized
[    0.716786] Bluetooth: RFCOMM socket layer initialized
[    0.717143] Bluetooth: RFCOMM ver 1.11
[    0.717411] Bluetooth: HIDP (Human Interface Emulation) ver 1.2
[    0.717836] Bluetooth: HIDP socket layer initialized
[    0.718177] l2tp_core: L2TP core driver, V2.0
[    0.718492] l2tp_ppp: PPPoL2TP kernel driver, V2.0
[    0.718825] 8021q: 802.1Q VLAN Support v1.8
[    0.719129] tipc: Activated (version 2.0.0)
[    0.719456] NET: Registered PF_TIPC protocol family
[    0.719844] tipc: Started in single node mode
[    0.720181] NET: Registered PF_IEEE802154 protocol family
[    0.720589] NET: Registered PF_VSOCK protocol family
[    0.720961] IPI shorthand broadcast: enabled
[    0.721259] AVX version of gcm_enc/dec engaged.
[    0.721701] AES CTR mode by8 optimization enabled
[    0.722073] sched_clock: Marking stable (668279144, 51141514)->(890416215, -170995557)
[    0.722802] registered taskstats version 1
[    0.723094] Loading compiled-in X.509 certificates
[    0.723650] cryptomgr_probe (76) used greatest stack depth: 15632 bytes left
[    0.723961] Loaded X.509 cert 'Build time autogenerated kernel key: 3eb2f550554d686227ddaffc8fb0fcd3533dd72f'
[    0.726171] page_owner is disabled
[    0.726443] Key type .fscrypt registered
[    0.726720] Key type fscrypt-provisioning registered
[    0.727387] pstore: Using crash dump compression: deflate
[    0.728139] ALSA device list:
[    0.728359]   No soundcards found.
[    0.729258] Freeing unused kernel image (initmem) memory: 1368K
[    0.747361] Write protecting the kernel read-only data: 40960k
[    0.750214] Freeing unused kernel image (text/rodata gap) memory: 2028K
[    0.753811] Freeing unused kernel image (rodata/data gap) memory: 1480K
[    0.755407] Run /init as init process
[    0.782927] init: init first stage started!
[    0.783722] init: Loading module /lib/modules/btintel.ko with args ''
[    0.784341] btintel: disagrees about version of symbol module_layout
[    0.784845] init: Failed to insmod '/lib/modules/btintel.ko' with args '': Exec format error
[    0.785498] init: LoadWithAliases was unable to load btintel
[    0.786007] init: Copied ramdisk prop to /second_stage_resources/system/etc/ramdisk/build.prop
[    0.786741] init: [libfs_mgr]ReadFstabFromDt(): failed to read fstab from dt
[    0.787547] init: Using Android DT directory /proc/device-tree/firmware/android/
[    0.801413] init: bool android::init::BlockDevInitializer::InitDevices(std::set<std::string>): partition(s) not found in /sys, waiting for their uevent(s): metadata, super, vbmeta

yassine955 commented 3 months ago

So I came across an article, and they said that if you change the kernel to a slightly different version, then the emulator won't boot because the ramdisk needs to be changed as well.

Abyss-W4tcher commented 3 months ago

Would you be able to start a new clean AVD to try out your kernel? This would confirm the ramdisk issue.

yassine955 commented 3 months ago

I made a new AVD, started with the new kernel and got the same thing:

[    0.893138] Write protecting the kernel read-only data: 40960k
[    0.897591] Freeing unused kernel image (text/rodata gap) memory: 2028K
[    0.901450] Freeing unused kernel image (rodata/data gap) memory: 1480K
[    0.903006] Run /init as init process
[    0.931508] init: init first stage started!
[    0.932440] init: Loading module /lib/modules/btintel.ko with args ''
[    0.933107] btintel: disagrees about version of symbol module_layout
[    0.933570] init: Failed to insmod '/lib/modules/btintel.ko' with args '': Exec format error
[    0.934185] init: LoadWithAliases was unable to load btintel
[    0.934655] init: Copied ramdisk prop to /second_stage_resources/system/etc/ramdisk/build.prop
[    0.935316] init: [libfs_mgr]ReadFstabFromDt(): failed to read fstab from dt
[    0.936076] init: Using Android DT directory /proc/device-tree/firmware/android/
[    0.949877] init: bool android::init::BlockDevInitializer::InitDevices(std::set<std::string>): partition(s) not found in /sys, waiting for their uevent(s): metadata, super, vbmeta
INFO    | Activated packet streamer for bluetooth emulation
DEBUG   | VirtIO WiFi: unexpected full virtqueue

yassine955 commented 3 months ago

I have a boot.img, system_dlkm.img, initramfs.img

I think I have to do something with these files. I think that Android is giving us these files in order for us to change the files in the system-images.

yassine955 commented 3 months ago

Check out this article, Google Translate it: https://5ec1cff.github.io/my-blog/2024/01/16/avd-ksu/

yassine955 commented 3 months ago

For those wondering what the article is discussing:

The kernel built above is incompatible with the modules in the original AVD image. In theory, GKI ensures the stability of module interfaces, although our KMI Generation differs. In any case, corresponding modules need to be built.

Abyss-W4tcher commented 3 months ago

Shouldn't the CLANG_TRIPLE arg be something like x86_64-linux-androidkernel-? Check out the directory from where you fetch x86_64-linux-gnu- and see if you don't have something closer?

If you are using this, I am not familiar with Bazel though.

Abyss-W4tcher commented 3 months ago

Check out this article, Google Translate it: https://5ec1cff.github.io/my-blog/2024/01/16/avd-ksu/

Arf, if you also need to push your modules manually inside the AVD filesystem, then their documentation is really outdated...

yassine955 commented 3 months ago

I truly believe that my last option, without all this nonsense, is to check /proc/version.

And then compile that exact version.

Abyss-W4tcher commented 3 months ago

Making a proper RAM dump command for AVD would ease the life of everyone (https://stackoverflow.com/questions/78102274/how-to-create-a-memory-dump-of-an-android-emulator), at least on emulated phones.

If you have the exact source that was used to compile the current kernel, then it will have better compatibility chances. However, be aware that two kernel builds, even with the same source, won't give the exact same result... You can still give it a shot if you want.

There is obviously something else going on, as I never had any problem when using custom kernels compiled with gcc on older Android versions (without updating modules, ramdisk etc.).

yassine955 commented 3 months ago

@Abyss-W4tcher Can you tell me how you did it, step by step, on the older Android devices? I need the exact device and Android version, so that I can create a dump. At this point I don't really need Android 13 or 12.

Abyss-W4tcher commented 3 months ago

This isn't your exact situation, but adapting it to x86_64 should work:

https://gist.github.com/Abyss-W4tcher/f1833623c975193446315d48c106750e#compile-custom-android-kernel

Compiling with GCC was only available for 3.18-ish kernels, which is now quite outdated. I got the same errors as you with the clang part... but still left the documentation for further work.

yassine955 commented 3 months ago

It took me long days and stress, but I figured it out. I get results back from the RAM dump, and everything works great.

Steps:

  1. Create a kernel with CONFIG_SECURITY_LOCKDOWN_LSM disabled.
  2. Load the device with this kernel, and check /proc/version to confirm the new kernel is running.
  3. Create a memory dump with AVML.
  4. Create a profile with dwarf2json from the vmlinux file and System.map.
  5. Check that the banner in the memory dump corresponds to the profile banner.
  6. Read your dump:
~/Desktop/volatility3$ python3 vol.py -f ../avml/avml_dump.lime linux.pstree
Volatility 3 Framework 2.7.0
Progress:  100.00       Stacking attempts finished                 
OFFSET (V)  PID TID PPID    COMM

0x8d5dead02c40  1   1   0   init
* 0x8d5de625c9c0    149 149 1   init
* 0x8d5de5785880    151 151 1   ueventd
* 0x8d5deafb8ec0    176 176 1   logd
* 0x8d5deafb9d80    177 177 1   lmkd
* 0x8d5deafb8000    178 178 1   servicemanager
* 0x8d5dea6d1d80    179 179 1   hwservicemanage
* 0x8d5deafbac40    186 186 1   qemu-props
* 0x8d5de3d46740    187 187 1   Binder:187_2
* 0x8d5de3d45880    195 195 1   keymaster@4.1-s
* 0x8d5deaf72c40    212 212 1   suspend@1.0-ser
* 0x8d5deaf76740    213 213 1   atrace@1.0-serv
* 0x8d5deaf69d80    282 282 1   magiskd
* 0x8d5de1f10ec0    289 289 1   createns
* 0x8d5deaf6ac40    294 294 1   tombstoned
* 0x8d5de0840ec0    299 299 1   Binder:299_2
* 0x8d5de1f10000    300 300 1   Binder:300_4
** 0x8d5de05149c0   324 324 300 iptables-restor
** 0x8d5de0515880   325 325 300 ip6tables-resto
* 0x8d5de1f12c40    301 301 1   main
** 0x8d5dd37a1d80   531 531 301 Binder:531_3
** 0x8d5db9cf0000   671 671 301 droid.bluetooth
** 0x8d5db9e949c0   689 689 301 ndroid.systemui
** 0x8d5db9efbb00   869 869 301 rkstack.process
** 0x8d5db731e740   903 903 301 com.android.se
** 0x8d5db71c5880   936 936 301 m.android.phone
** 0x8d5db70e0000   961 961 301 id.ext.services
** 0x8d5daf4c8ec0   1061    1061    301 s.nexuslauncher
** 0x8d5daf4c3b00   1187    1187    301 .gms.persistent
** 0x8d5db3d58000   1345    1345    301 .apps.wellbeing
** 0x8d5db73449c0   1425    1425    301 rs.media.module
** 0x8d5dbd331d80   1482    1482    301 hbox:interactor
** 0x8d5da42c1d80   1518    1518    301 .ims.rcsservice
** 0x8d5da60a8000   1542    1542    301 or.multidisplay
** 0x8d5d9e943b00   1594    1594    301 ocess.gservices
** 0x8d5d9ca38000   1640    1640    301 earchbox:search
** 0x8d5d9ca2c9c0   1751    1751    301 gle.android.gms
** 0x8d5d933b3b00   1874    1874    301 android.vending
** 0x8d5d84620000   2314    2314    301 id.gms.unstable
** 0x8d5d82581d80   2489    2489    301 ding:background
** 0x8d5d83e16740   3745    3745    301 putmethod.latin
** 0x8d5da32b0000   4091    4091    301 oid.setupwizard
** 0x8d5daf50ac40   4218    4218    301 android.youtube
** 0x8d5d9c96bb00   4433    4433    301 .android.dialer
** 0x8d5d851bd880   4726    4726    301 oadcastreceiver
** 0x8d5d9b2b0ec0   4751    4751    301 ssioncontroller
** 0x8d5db2fb1d80   4796    4796    301 d.configupdater
** 0x8d5d85ca2c40   4881    4881    301 opjohnwu.magisk
** 0x8d5db0dec9c0   5078    5078    301 s.youtube.music
** 0x8d5d89419d80   5225    5225    301 d.process.acore
* 0x8d5de1f149c0    302 302 1   main
** 0x8d5db7345880   835 835 302 webview_zygote
** 0x8d5d85dd2c40   2641    2641    302 .apps.messaging
** 0x8d5d98762c40   2867    2867    302 gle.android.ims
** 0x8d5db2ff9d80   3217    3217    302 oid.apps.photos
** 0x8d5d93195880   4676    4676    302 .android.chrome
* 0x8d5de3d42c40    306 306 1   allocator@1.0-s
* 0x8d5de3ec6740    307 307 1   audio.service.r
* 0x8d5de3ec2c40    308 308 1   authsecret@1.0-
* 0x8d5deaf25880    309 309 1   bluetooth@1.1-s
* 0x8d5deaf22c40    310 310 1   provider@2.4-se
* 0x8d5deaf26740    311 311 1   provider@2.6-se
* 0x8d5deaf21d80    312 312 1   cas@1.2-service
* 0x8d5deaf20ec0    313 313 1   contexthub@1.1-
* 0x8d5de08449c0    314 314 1   drm@1.0-service
* 0x8d5deaf249c0    315 315 1   drm@1.3-service
* 0x8d5de3ec49c0    316 316 1   drm@1.3-service
* 0x8d5de0c9bb00    317 317 1   gatekeeper@1.0-
* 0x8d5de0c9e740    318 318 1   allocator@3.0-s
* 0x8d5de0c9ac40    319 319 1   composer@2.3-se
* 0x8d5de0c9c9c0    320 320 1   health@2.1-serv
* 0x8d5de0c9d880    321 321 1   neuralnetworks@
* 0x8d5de0c98ec0    322 322 1   neuralnetworks@
* 0x8d5de0c99d80    323 323 1   neuralnetworks@
* 0x8d5de0c98000    327 327 1   neuralnetworks@
* 0x8d5de0652c40    328 328 1   neuralnetworks@
* 0x8d5de06549c0    329 329 1   stats@1.0-servi
* 0x8d5de0655880    330 330 1   sensors@2.1-ser
* 0x8d5de0650ec0    331 331 1   thermal@2.0-ser
* 0x8d5de0651d80    332 332 1   usb@1.0-service
* 0x8d5de0650000    333 333 1   wifi@1.0-servic
* 0x8d5de0653b00    334 334 1   android.hardwar
* 0x8d5de0656740    336 336 1   android.hardwar
* 0x8d5ddd05e740    338 338 1   android.hardwar
* 0x8d5ddd05ac40    340 340 1   android.hardwar
* 0x8d5ddd058ec0    348 348 1   android.hardwar
* 0x8d5ddd311d80    369 369 1   audioserver
* 0x8d5ddd310000    374 374 1   credstore
* 0x8d5ddd313b00    376 376 1   Binder:376_2
* 0x8d5ddd316740    379 379 1   surfaceflinger
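Steps 1 and 5 of the procedure above are the two places where this kind of setup silently fails: with lockdown enforced in confidentiality mode the kernel refuses reads of /proc/kcore and /dev/mem, so AVML has nothing to copy, and Volatility 3 only picks a symbol table whose `linux_banner` constant matches a "Linux version ..." string it can find in the dump. The following is an added example, not code from Volatility, AVML or the commenter; it reimplements those two checks stand-alone so they can be run before a long Volatility session. It assumes the dump is in LiME format (AVML's default, 32-byte range headers with magic 0x4C694D45) and that the ISF carries the banner as base64 `constant_data` on the `linux_banner` symbol, as dwarf2json emits it. The banner, dump contents and .config fragment are constructed sample data, not values from the thread.

```python
"""Offline pre-checks for a Linux/Android memory-forensics setup (added example)."""
import base64
import re
import struct

LIME_MAGIC = 0x4C694D45             # reads as "EMiL" in little-endian byte order
LIME_HDR = struct.Struct("<IIQQQ")  # magic, version, start, end, reserved
BANNER_RE = re.compile(rb"Linux version [^\x00\n]+")


def lockdown_disabled(config_text):
    """Step 1: True if CONFIG_SECURITY_LOCKDOWN_LSM is not built into the kernel."""
    for line in config_text.splitlines():
        if line.startswith("CONFIG_SECURITY_LOCKDOWN_LSM="):
            return line.split("=", 1)[1].strip() != "y"
    return True  # absent or "# ... is not set" both mean disabled


def isf_banner(isf):
    """Banner string dwarf2json stores as base64 constant_data of linux_banner."""
    raw = base64.b64decode(isf["symbols"]["linux_banner"]["constant_data"])
    return raw.split(b"\x00", 1)[0].rstrip(b"\n")


def lime_segments(blob):
    """Walk a LiME dump: each range is a 32-byte header followed by end-start+1 bytes."""
    off = 0
    while off + LIME_HDR.size <= len(blob):
        magic, _version, start, end, _reserved = LIME_HDR.unpack_from(blob, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad LiME magic at offset {off:#x}")
        off += LIME_HDR.size
        size = end - start + 1
        yield start, end, blob[off:off + size]
        off += size


def dump_banners(blob):
    """Every distinct 'Linux version ...' string in the dump, keyed to its physical address."""
    found = {}
    for start, _end, data in lime_segments(blob):
        for m in BANNER_RE.finditer(data):
            found.setdefault(m.group(0), start + m.start())
    return found


def banner_matches(isf, blob):
    """Step 5: does the ISF banner appear byte-for-byte somewhere in the dump?"""
    return isf_banner(isf) in dump_banners(blob)


def build_lime(ranges):
    """Pack (start, data) pairs into LiME format; used here only to construct sample input."""
    out = bytearray()
    for start, data in ranges:
        out += LIME_HDR.pack(LIME_MAGIC, 1, start, start + len(data) - 1, 0)
        out += data
    return bytes(out)


# Constructed sample data (not a real banner, dump or .config):
GOOD_BANNER = b"Linux version 5.10.66-example (builder@host) #1 SMP PREEMPT Mon Jan 1 00:00:00 UTC 2024"
SAMPLE_ISF = {"symbols": {"linux_banner": {
    "address": 0xFFFFFFFF82A00000,
    "constant_data": base64.b64encode(GOOD_BANNER + b"\n\x00").decode()}}}
SAMPLE_DUMP = build_lime([
    (0x1000, b"\x00" * 64 + GOOD_BANNER + b"\n\x00" + b"\x00" * 32),
    # a second, stale banner left in memory by an earlier kernel, as happens on rebuilds
    (0x200000, b"junk Linux version 5.10.66-other #2 SMP Tue Jan 2 00:00:00 UTC 2024\x00"),
])
SAMPLE_CONFIG = "CONFIG_SECURITY=y\n# CONFIG_SECURITY_LOCKDOWN_LSM is not set\nCONFIG_KALLSYMS=y\n"

if __name__ == "__main__":
    print("lockdown disabled:", lockdown_disabled(SAMPLE_CONFIG))
    for banner, addr in dump_banners(SAMPLE_DUMP).items():
        print(f"{addr:#x}: {banner.decode()}")
    print("ISF banner matches dump:", banner_matches(SAMPLE_ISF, SAMPLE_DUMP))
```

To use it on real files, read the .config (or the decompressed /proc/config.gz) into `lockdown_disabled`, load the dwarf2json output with `json.load` and pass it with the raw AVML file to `banner_matches`. A dump can contain several banners, which is why `dump_banners` returns all of them with their addresses: a leftover banner from a previous kernel is a common reason an ISF "almost" matches, and Volatility's own `banners.Banners` plugin lists the same strings.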
Panchajanya1999 commented 2 weeks ago

Pixel 7 and 6 were totally fine here. I just had to disable pKVM on the 7.