[Vol-dev] get_symbol

Andrew Case atcuno at gmail.com
Sun Apr 14 17:54:30 CDT 2013


Hello,

Currently, symbols are only pulled from the kernel (vmlinux) so none
of the symbol addresses of modules will be directly available via the
API. It is a future goal of Volatility to support these symbols as
well.

In the meantime, you can use readelf or objdump on the bluetooth .ko
file to get the offset of the symbol from the .data section and then
you can use linux_lsmod with -S to find the .data section of the
bluetooth kernel module in memory then simply add the address + offset
to determine where the symbol is in the memory image.

On Sun, Apr 14, 2013 at 11:27 AM, Pranjal Jumde <pranjal.jumde at gmail.com> wrote:
> Hi,
>
> I am trying to get the value of the symbol "bt_proto" using the member
> function get_symbol, I checked using gdb that this symbol is a part of the
> bluetooth kernel module. But, I get the following error message
> "volatility.plugins.overlays.linux.linux: Requested symbol bt_proto not
> found in module kernel". Any thoughts why this might be happening?
>
> Thanks!
>
> Regards
> Pranjal Jumde
>
>
> _______________________________________________
> Vol-dev mailing list
> Vol-dev at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
>

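As an added example (not part of this thread), the offset-plus-base arithmetic Andrew describes, done over `readelf` output: it reads `readelf -S` and `readelf -s` text for the .ko (constructed, trimmed sample lines below) to find which section defines the symbol and its offset inside that section, then adds the section's in-memory address as reported by `linux_lsmod -S` (the base address used here is a constructed placeholder, not a value from the thread).

```python
import re

# Constructed sample of `readelf -S bluetooth.ko` (trimmed).
READELF_SECTIONS = """
  [Nr] Name              Type             Address           Offset
  [ 0]                   NULL             0000000000000000  00000000
  [ 1] .text             PROGBITS         0000000000000000  00000040
  [ 2] .data             PROGBITS         0000000000000000  00010040
  [ 3] .bss              NOBITS           0000000000000000  00011040
"""

# Constructed sample of `readelf -s bluetooth.ko` (trimmed). In a
# relocatable .ko the Value column is the symbol's offset within the
# section named by Ndx, not a virtual address.
READELF_SYMBOLS = """
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
    12: 0000000000000120   256 OBJECT  LOCAL  DEFAULT    2 bt_proto
    13: 0000000000000000   128 FUNC    GLOBAL DEFAULT    1 bt_sock_register
"""

# "[Nr] Name Type": section 0 has no name, so it simply does not match.
SECTION_RE = re.compile(r"^\s*\[\s*(\d+)\]\s+(\S+)\s+[A-Z_]+\s", re.M)
# "Num: Value Size Type Bind Vis Ndx Name"; undefined symbols lack a name.
SYMBOL_RE = re.compile(
    r"^\s*\d+:\s+([0-9a-fA-F]+)\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s*$", re.M)


def symbol_offset(sections_txt, symbols_txt, name):
    """Return (section name, offset-in-section) for a symbol of a .ko."""
    sections = {int(nr): sec for nr, sec in SECTION_RE.findall(sections_txt)}
    for value, ndx, sym in SYMBOL_RE.findall(symbols_txt):
        if sym == name and ndx.isdigit():      # defined in a real section
            return sections[int(ndx)], int(value, 16)
    raise KeyError(f"{name} is not defined in this object")


def in_memory_address(section_bases, section, offset):
    """section_bases maps section name -> address shown by linux_lsmod -S."""
    return section_bases[section] + offset


if __name__ == "__main__":
    # Constructed placeholder for the .data address linux_lsmod -S prints.
    bases = {".data": 0xFFFFFFFFA0123000}
    sec, off = symbol_offset(READELF_SECTIONS, READELF_SYMBOLS, "bt_proto")
    print(f"bt_proto = {sec}+{off:#x} -> {in_memory_address(bases, sec, off):#x}")
```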
