Re: [Vol-users] Creating profile for android

22 Feb 2013


      Hi Pasquale,
Can you run this command:
# vol.py --info | grep Profile
The profile may not actually be named HTCOneX exactly. For example I have
a Ubuntu1204.zip but the profile name is a little different:
$ python vol.py --info | grep Profile
Volatile Systems Volatility Framework 2.3_alpha
....
LinuxUbuntu1204x64   - A Profile for Linux Ubuntu1204 x64
.....
So I would need to use --profile=LinuxUbuntu1204x64
On Wed, Feb 20, 2013 at 11:55 AM, Pasquale Stirparo &lt;pstirparo(a)gmail.com&gt;wrote:
...
  Sorry guys... somehow I manage to push the keyboard
shortcut and send the
 email before finishing. I'm sending it again compleet now.
 Hi Andrew,
 A summary hopefully useful also for others (especially mac users)
 1) Thanks for the link related to dwarfdump, it worked indeed. It requires
 some dependancies, particularly for Mac OS X users libelf and elf.h (you
 can find it attached). This are the steps I followed:
 - install libelf (you can download it from here
 http://freecode.com/projects/libelf)
 - copy the file elf.h (attached) to /usr/include
 - compile dwarfdump (http://reality.sgiweb.org/davea/dwarf.html)
 - There is no make install, the make will compile the different tools. The
 developer suggest to use the new version .../dwarfdump2/dwarfdump. I'm also
 attaching the makefile sample updated to this.
 2) Thanks. As I wrote in my previous email, I had find out that if
 exporting from the phone, on android you could find it under /proc/kallsyms
 :)
 So, dwarfdump created a valid module.dwarf file and I did zip both it and
 kallsyms in HTCOneX.zip, and placed it inside the overlays/linux folder as
 follow (I've been trying using both volatility versions, the latest you can
 get from git and the 2.3_alpha from DFWRS):
 hydra:linux paco$ zip
 /Users/paco/Documents/Projects/HTCOneX-vol-profile.zip module.dwarf
 /Users/paco/Documents/Tools/HTC-OneX/endeavoru-2.6.39-6b459dc/kallsyms
   adding: module.dwarf (deflated 90%)
   adding:
 Users/paco/Documents/Tools/HTC-OneX/endeavoru-2.6.39-6b459dc/kallsyms (deflated
 75%)
 hydra:linux paco$ cp
 /Users/paco/Documents/Projects/HTCOneX-vol-profile.zip
 /Users/paco/Documents/Projects/sample-Rodeo2012/Volatility\
 2.3-devel/volatility/plugins/overlays/linux/HTCOneX.zip
 hydra:linux paco$ cp
 /Users/paco/Documents/Projects/HTCOneX-vol-profile.zip
/Users/paco/Documents/Tools/volatility/volatility-read-only/volatility/plugins/overlays/linux/HTCOneX.zip
 But when I run it I get still the error:
 # python vol.py --profile=HTCOneX -f
 /Users/paco/Documents/Projects/memdump/20130213-2-htconex.lime linux_pslist
 ...
 ERROR   : volatility.addrspace: Invalid profile HTCOneX selected
 So chatting on the IRC channel with udgover, he suggested to have a look
 at volatility/plugins/overlays/linux.py file. In this file there
 is LinuxProfileFactory where it checks for "system.map" file. So I've tried
 to add the same routine for kallsyms. But it didn't work. I even tried to
 rename kallsyms to System.map and then zip it with module.dwarf. Still the
 same error.
 I'll keep trying, if you have any clue in the meantime of the reason of
 the above error... here I am :)
 Thanks guys
 P.
 On Wed, Feb 20, 2013 at 3:42 AM, Andrew Case &lt;atcuno(a)gmail.com&gt; wrote:
  Hello,
 Sorry for taking so long to respond...
 There are a couple issues:
 1) You need to use dwarfump from
 http://reality.sgiweb.org/davea/dwarf.html , not the os x supplied
 dwarfdump for Linux support.
 2) You can get System.map values from a few places. First, check if
 the source distributed for your kernel has it. Second, see if the
 phone exports /proc/kallsyms. If neither of those work then we will
 have to find another solution.
 Thanks,
 Andrew
 On Sat, Feb 16, 2013 at 7:46 AM, Pasquale Stirparo &lt;pstirparo(a)gmail.com&gt;
 wrote:
  Thanks again Andrew for the assistance and for
the Makefile. So here a  brief
  summary for creating the Android profile,
following the  linux example  here

(https://code.google.com/p/volatility/wiki/LinuxMemoryForensics)
 DISCLAIMER: I'm using a Mac OS X system.
 - I modified the Makefile sent by Andrew, placed under
 volatility/tools/linux/Makefile, adding the options for cross-compiling  as
  from the LiME kernel module. Basically the
modifications are the  following:

 CCPATH :=
 
/path/to/android-ndk/toolchains/arm-linux-androideabi-4.4.3/prebuilt/darwin-x86/bin

 dwarf: module.c
 $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- -C  $(KDIR)
  CONFIG_DEBUG_INFO=y M=$(PWD) modules
 - The last instruction of the makefile "dwarfdump -di module.ko >
 module.dwarf" was originally with -di option. But -d appears to be not a
 valid option anymore. Checking the man page, the alternatives for  debugging
  options are the following
 --debug-abbrev, --debug-aranges, --debug-frame[=OFFSET],
       --debug-info[=OFFSET], --debug-inlined, --debug-line[=OFFSET],
       --debug-macinfo[=OFFSET], --debug-pubnames[=PATTERN],
       --debug-pubtypes[=PATTERN], --debug-str
 debug-info is the default (which looking at the output of "head
 module.dwarf" seems to be the correct one), so i tried just to remove  the -d
  and also to put --debug-info without any offset
value, but this is what  I
  get as content of the module.dwarf file
 hydra:linux paco$ cat module.dwarf
 ----------------------------------------------------------------------
  File: module.ko (arm)
 ----------------------------------------------------------------------
 .debug_info contents:
 < EMPTY >
 - The last step to make the profile is to zip the module.dwarf file and  the
  System.map of the kernel. After searching around,
I found that  System.map
  file for android is /proc/kallsyms (probably you
all already knew it,  but I
  didn't know this :) ).
 Attached the make file I used, if all the rest of the steps I did are  right,
  it's missing the right debug option for the
dwarfdump command. I've  tried
  also the others but no one seems to give the
right output. Any tips on  this?
  Thanks
 P.
 On Fri, Feb 15, 2013 at 5:41 PM, Andrew Case &lt;atcuno(a)gmail.com&gt; wrote:
>
> Hello,
>
> We are currently testing a stripped down Makefile to help people
> compiling for different kernels than the one for the system they are
> on (which includes Android). Can you please try the attached makefile?
> You will need to change the KDIR varabile to point to your kernel
> headers or source.
>
> On Fri, Feb 15, 2013 at 5:55 AM, Pasquale Stirparo < 
pstirparo(a)gmail.com&gt;
 > wrote:
> > Hi All,
> >
> > I'm trying to make a profile for android device.
> > I did a memory dump with LiME of an HTC One X (Android 4.0.3, HTC  Sense
 > > 4.0,
> > kernel 2.6.39.4-g6b459dc).
> >
> > Now, following the instruction here
> > https://code.google.com/p/volatility/wiki/LinuxMemoryForensics , I  was
 > > trying to understand how to modify the
makefile under
> > volatility/tools/linux/ , in order to point to my kernel source. The
> > thing
> > is that in from my kernel source folder I couldn't find a proper 
value
 > > for
> > KDIR and KVER (although they should be pretty straightforward  according
 > > to
> > their name) that would fit with the path for make command as from the
> > following source code:
> >
> > pmem: pmem.c
> >         $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) modules
> >
> > dwarf: module.c
> >         $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build  CONFIG_DEBUG_INFO=y
 > > M=$(PWD) modules
> >         dwarfdump -di module.ko > module.dwarf
> >         $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) clean
> >
> >
> > Did anyone ever created an android profile? Any hint?
> > I've seen in the mailing list archive a thread "Profile (ZIP) for
> > Android
> > 4.0.3" from Mike (in Cc), any news about that?
> >
> > Thank you
> >
> > P.
> >
> > --
> > Pasquale Stirparo, MEng
> > GCFA, OPST, OWSE, ECCE
> >
> > European Commission - JRC Joint Research Centre
> > Institute for the Protection and Security of the Citizen (IPSC)
> > Digital Citizen Security Unit
> > Via E. Fermi, 2749 - TP 361
> > 21027 Ispra (VA) - Italy
> >
> > PGP Key: 0x4C589FB2
> > Fingerprint: 776D F072 3F43 D5DE CB55 86D2 55FF 14A7 4C58 9FB2
> >
> > Disclaimer: The views expressed are purely those of the writer and  may
 > > not
> > in any circumstance be regarded as stating an official position of  the
   >
European Commission.
 >
 > _______________________________________________
 > Vol-users mailing list
 > Vol-users(a)volatilityfoundation.org
 > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
 > 
 --
 Pasquale Stirparo, MEng
 GCFA, OPST, OWSE, ECCE
 European Commission - JRC Joint Research Centre
 Institute for the Protection and Security of the Citizen (IPSC)
 Digital Citizen Security Unit
 Via E. Fermi, 2749 - TP 361
 21027 Ispra (VA) - Italy
 PGP Key: 0x4C589FB2
 Fingerprint: 776D F072 3F43 D5DE CB55 86D2 55FF 14A7 4C58 9FB2
 Disclaimer: The views expressed are purely those of the writer and may  not
  in any circumstance be regarded as stating an
official position of the
 European Commission. 
 
 --
 Pasquale Stirparo, MEng
 GCFA, OPST, OWSE, ECCE
 European Commission - JRC Joint Research Centre
 Institute for the Protection and Security of the Citizen (IPSC)
 Digital Citizen Security Unit
 Via E. Fermi, 2749 - TP 361
 21027 Ispra (VA) - Italy
 PGP Key: 0x4C589FB2
 Fingerprint: 776D F072 3F43 D5DE CB55 86D2 55FF 14A7 4C58 9FB2
 Disclaimer: The views expressed are purely those of the writer and may not
 in any circumstance be regarded as stating an official position of the
 European Commission.
 _______________________________________________
 Vol-users mailing list
 Vol-users(a)volatilityfoundation.org
 http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Re: [Vol-users] Creating profile for android