volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Error on a lime dump performed on a Android emulator using the goldfish 3.4 kernel #218

Closed S1ddh1 closed 7 months ago

S1ddh1 commented 4 years ago

Describe the bug

I'm trying to analyze a dump from an Android emulator. I followed the steps described here: https://github.com/volatilityfoundation/volatility/wiki/Android

I don't get any good result with volatility2.6, so I gave it a shot with volatility3. It didn't work either. The following errors are produced:

Unsatisfied requirement plugins.PsList.primary: Memory layer for the kernel
Unsatisfied requirement plugins.PsList.vmlinux: Linux kernel symbols

Context

Volatility Version: volatility3 Framework 1.0.0-beta.1
Operating System: Ubuntu 20
Python Version: 3.8.2
Suspected Operating System: Android goldfish 3.4 armv7
The dump is in LiME format (https://github.com/504ensicsLabs/LiME)
Command: python3 vol.py -f ~/ram.dd linux.pslist.PsList

To Reproduce

The files and the dump that I used can be downloaded here: https://www.dropbox.com/s/7edntg68eo2eoxp/goldfish_dump_and_files.zip?dl=0

It's a zip file containing:

The following command was used on the dump.

$python3 vol.py -f ~/ram.dd linux.pslist.PsList
Volatility 3 Framework 1.0.0-beta.1
Progress:   99.20       Scanning LimeLayer using MultiStringScanner
Unsatisfied requirement plugins.PsList.primary: Memory layer for the kernel
Unsatisfied requirement plugins.PsList.vmlinux: Linux kernel symbols

A symbol table requirement was not fulfilled.  Please verify that:
    You have the correct symbol file for the requirement
    The symbol file is under the correct directory or zip file
    The symbol file is named appropriately or contains the correct banner

A translation layer requirement was not fulfilled.  Please verify that:
    A file was provided to create this layer (by -f, --single-location or by config)
    The file exists and is readable
    The necessary symbols are present and identified by volatility
Unable to validate the plugin requirements: ['plugins.PsList.primary', 'plugins.PsList.vmlinux']

I produced the JSON symbol file with dwarf2json on the System.map file from goldfish.

$./dwarf2json linux --system-map System.map > goldfish-3.4-systemmap.json
$head goldfish-3.4-systemmap.json 
{
  "metadata": {
    "linux": {
      "symbols": [
        {
          "kind": "system-map",
          "name": "System.map",
          "hash_type": "sha256",
          "hash_value": "65dd7d83cd862205546252758a3baba498e7cef795b8ec7df83c2efb59e09338"
        }
$ tail goldfish-3.4-systemmap.json 
    },
    "zonelists_mutex": {
      "type": {
        "kind": "base",
        "name": "void"
      },
      "address": 3226222952
    }
  }

I get an error if I try to use dwarf2json on the module.dwarf file:

$./dwarf2json linux --elf module.dwarf 
Failed linux processing: could not open module.dwarf: bad magic number '[10 46 100 101]' in record at byte 0x0

This file was compiled using the module.c code in volatility2.6 (tools/linux) and the following Makefile:

obj-m += module.o
KDIR := /home/me/Documents/Android/androidKernel/goldfish
CCPATH := /home/me/Documents/Android/androidKernel/ndk_r12b/android-ndk-r12b/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin
DWARFDUMP := dwarfdump

-include version.mk

all: dwarf

dwarf: module.c
	$(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- -C $(KDIR) CONFIG_DEBUG_INFO=y M=$(PWD) modules
	$(DWARFDUMP) -di module.ko > module.dwarf

clean:
	rm -f module.dwarf

The symbols directory contains the following zip files:

$ ls volatility/symbols/
book.zip  Goldfish-3.4.zip  __init__.py  linux.zip  __pycache__

book.zip comes from www.memoryanalysis.net, see below:

Expected behavior

I downloaded samples from here: https://www.memoryanalysis.net/amf. There is a Linux ARM64 dump there and it works:

$ python3 vol.py -f ../volatility_test/linux/linux-sample-1.bin linux.pslist.PsList
Volatility 3 Framework 1.0.0-beta.1
Progress:    3.13       Scanning FileLayer using RegExScanner      
PID PPID    COMM

1   0   init
2   0   kthreadd
3   2   ksoftirqd/0
5   2   kworker/u:0
6   2   migration/0

Any clue? Thanks

ikelos commented 4 years ago

Hi there, volatility3 doesn't yet support the ARM architecture (see #161) so it's not yet expected behaviour. ;)

As to the issues with constructing the JSON file I suspect that dwarf2json is expecting an ELF file, rather than a DWARF one. I think you can wrap DWARF in the appropriate ELF format, but you might try handing in the .ko or .o file instead?

But yeah, at the moment, ARM and ARM64 support will need some development time since there's nothing in place yet. Happy to let @ilch1 try to help with the dwarf2json if he can?
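A small added check that follows from this reply (example code written for this page, not part of volatility3 or dwarf2json): the Go error above prints the first four bytes of the rejected file as `[10 46 100 101]`, which decode to `\n.de`, consistent with the text banner (`.debug_info`) that `dwarfdump -di` writes rather than the `\x7fELF` magic of an object file. The helper below decodes that Go byte-slice notation, classifies a file's leading bytes as ELF or dwarfdump text, and for ELF reads the class and `e_machine` field so you can confirm you are handing dwarf2json a 32-bit ARM `.ko` before trying again. The sample inputs are constructed inline; `EM_NAMES` is a hand-picked subset of the ELF machine constants, not a complete table.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# Subset of e_machine values from the ELF specification (assumption: only
# the architectures relevant to this thread are listed).
EM_NAMES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def parse_go_byte_slice(text):
    """Turn Go's fmt rendering of a []byte, e.g. '[10 46 100 101]', into bytes."""
    inner = text.strip().strip("[]")
    return bytes(int(tok) for tok in inner.split())


def classify(data):
    """Return (kind, detail) for the leading bytes of a candidate dwarf2json input.

    kind is one of 'elf', 'dwarfdump-text', 'text' or 'unknown'.
    """
    if data[:4] == ELF_MAGIC:
        if len(data) < 20:
            return ("elf", "truncated header")
        ei_class = data[4]   # 1 = ELFCLASS32, 2 = ELFCLASS64
        ei_data = data[5]    # 1 = little endian, 2 = big endian
        endian = "<" if ei_data == 1 else ">"
        (e_machine,) = struct.unpack(endian + "H", data[18:20])
        bits = {1: 32, 2: 64}.get(ei_class, "?")
        return ("elf", f"ELF{bits} {EM_NAMES.get(e_machine, hex(e_machine))}")
    try:
        head = data[:64].decode("ascii")
    except UnicodeDecodeError:
        return ("unknown", "binary data without an ELF magic")
    if ".debug_" in head:
        return ("dwarfdump-text", "text dump of DWARF sections, not an ELF object")
    first = head.strip().splitlines()
    return ("text", first[0] if first else "")


def classify_file(path):
    """Convenience wrapper: classify the first 64 bytes of a file on disk."""
    with open(path, "rb") as fh:
        return classify(fh.read(64))


# Constructed sample inputs (not taken from the reporter's files):
# a minimal ELF32 little-endian header with e_type=1 (REL) and e_machine=40 (ARM),
# as the start of a module.ko would look; and the opening of a dwarfdump -di text dump.
FAKE_ARM_KO = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 1, 40)
DWARFDUMP_SAMPLE = b"\n.debug_info\n\nCOMPILE_UNIT<header overall offset = 0x00000000>:\n"

if __name__ == "__main__":
    print("magic from error:", parse_go_byte_slice("[10 46 100 101]"))
    print("module.dwarf-like input:", classify(DWARFDUMP_SAMPLE))
    print("module.ko-like input:", classify(FAKE_ARM_KO))
```

Run `classify_file("module.dwarf")` and `classify_file("module.ko")` on your own build outputs; only the input reported as `ELF32 ARM` is the one dwarf2json's `--elf` option is designed to read.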

github-actions[bot] commented 9 months ago

This issue is stale because it has been open for 200 days with no activity.

github-actions[bot] commented 7 months ago

This issue was closed because it has been inactive for 60 days since being marked as stale.