[Vol-users] custom Android profile: No suitable address space mapping found

Andrew Case atcuno at gmail.com
Wed Sep 18 10:13:02 CDT 2013


Hello,

If you are still having the same issue (I realize this has not been
responded to in a long time), could you please verify that symbols have the
same address in your System.map file as they do in /proc/kallsyms on the
running system. This will ensure that the System.map file is the same.


On Mon, Jul 1, 2013 at 10:59 PM, Antonios Broumas <antoniosbroumas at yahoo.com
> wrote:

> I have specified format=lime when calling insmod
>
> insmod /sdcard/lime.ko "path=/sdcard/mem.dump format=lime"
>
>   ------------------------------
>  *From:* Joe Sylve <joe.sylve at gmail.com>
> *To:* Antonios Broumas <antoniosbroumas at yahoo.com>
> *Cc:* vol-users at volatilityfoundation.org
> *Sent:* Monday, July 1, 2013 2:57 PM
> *Subject:* Re: [Vol-users] custom Android profile: No suitable address
> space mapping found
>
> What format did you make the memory dump in?  raw, padded, or lime?
>
> On Tue, Jun 25, 2013 at 11:38 PM, Antonios Broumas <
> antoniosbroumas at yahoo.com> wrote:
>
> Good day,
>
> As the title suggests I am working with a custom Android installation and
> I have encountered the "No suitable address space mapping found".
>
> I have not cross-compiled lime.ko and module.ko with exactly the same
> compiler that I used to build the rest of my installation but I have
> carried out the build pointing to the same kernel directories and lime.ko
> can successfully be used to get a memory dump. Can this be the reason for
> the inconsistency?
>
> Here is what I did:
>
> 1. I have downloaded lime from svn:
>
> URL: http://lime-forensics.googlecode.com/svn/trunk/src
> Repository Root: http://lime-forensics.googlecode.com/svn
> Repository UUID: e105e084-e930-c66b-6cfa-9f740464420f
> Revision: 17
> Node Kind: directory
> Schedule: normal
> Last Changed Author: Joe.Sylve at gmail.com
> Last Changed Rev: 15
> Last Changed Date: 2013-03-19 08:10:00 -0700 (Tue, 19 Mar 2013)
>
> 2. I have downloaded volatility from svn:
>
> URL: https://volatility.googlecode.com/svn/trunk
> Repository Root: https://volatility.googlecode.com/svn
> Repository UUID: 8d5d6628-2090-11de-9909-f37ff7dbbc12
> Revision: 3444
> Node Kind: directory
> Schedule: normal
> Last Changed Author: michael.hale at gmail.com
> Last Changed Rev: 3440
> Last Changed Date: 2013-06-18 10:08:37 -0700 (Tue, 18 Jun 2013)
>
> 3. I have cross-compiled lime for a custom android installation and
> produced a kernel module and with it I have successfully retrieved a memory
> dump of size a little less than 2GB.
>
> 1951400096 Jun 25 14:50 mem.dump
>
> 4. I have also created a profile pointing to the same custom android
> installatin:
>
> *** note that pmem is not visited and pmem.c is not compiled ***
>
> cd volatility/tools/linux
> edit Makefile and cross-compile module.c and produce module.ko
> dwarfdump -di module.ko > module.dwarf
>
> head module.dwarf
>
> .debug_info
>
> <0><0x0+0xb><DW_TAG_compile_unit> DW_AT_producer<"GNU C 4.6.x-google
> 20120106 (prerelease)"> DW_AT_language<DW_LANG_C89>
> DW_AT_name<"/home/antonios/dev/tools/volatility/tools/linux/module.c">
> DW_AT_comp_dir<"/media/DATADRIVE1/B2B_ANTONIOSTIMAE_JFLTE_ATT_SERVER/android/out/target/product/jflteatt/obj/KERNEL_OBJ">
> DW_AT_low_pc<0x00000000> DW_AT_high_pc<0x00000000>
> DW_AT_stmt_list<0x00000000> <Unknown AT value 0x2134><0> <Unknown AT value
> 0x2135><0>
> <1><0x2d><DW_TAG_typedef> DW_AT_name<"__s8"> DW_AT_decl_file<0x00000001
> /media/DATADRIVE1/B2B_ANTONIOSTIMAE_JFLTE_ATT_SERVER/android/kernel/include/asm-generic/int-ll64.h>
> DW_AT_decl_line<0x00000013> DW_AT_type<<0x00000038>>
> <1><0x38><DW_TAG_base_type> DW_AT_byte_size<0x00000001>
> DW_AT_encoding<DW_ATE_signed_char> DW_AT_name<"signed char">
> <1><0x3f><DW_TAG_typedef> DW_AT_name<"__u8"> DW_AT_decl_file<0x00000001
> /media/DATADRIVE1/B2B_ANTONIOSTIMAE_JFLTE_ATT_SERVER/android/kernel/include/asm-generic/int-ll64.h>
> DW_AT_decl_line<0x00000014> DW_AT_type<<0x0000004a>>
> <1><0x4a><DW_TAG_base_type> DW_AT_byte_size<0x00000001>
> DW_AT_encoding<DW_ATE_unsigned_char> DW_AT_name<"unsigned char">
> <1><0x51><DW_TAG_typedef> DW_AT_name<"__s16"> DW_AT_decl_file<0x00000001
> /media/DATADRIVE1/B2B_ANTONIOSTIMAE_JFLTE_ATT_SERVER/android/kernel/include/asm-generic/int-ll64.h>
> DW_AT_decl_line<0x00000016> DW_AT_type<<0x0000005c>>
> <1><0x5c><DW_TAG_base_type> DW_AT_byte_size<0x00000002>
> DW_AT_encoding<DW_ATE_signed> DW_AT_name<"short int">
>
> zip volatility/volatility/plugins/overlays/linux/mylinux.zip module.dwarf
> System.map
>
>   adding: home/antonios/dev/tools/volatility/tools/linux/module.dwarf
> (deflated 92%)
>   adding:
> media/DATADRIVE1/B2B_ANTONIOSTIMAE_JFLTE_ATT_SERVER/android/out/target/product/jflteatt/obj/KERNEL_OBJ/System.map
> (deflated 74%)
>
> 5. python vol.py --info
>
> LinuxmylinuxARM - A Profile for Linux mylinux ARM
>
> 6. however
>
> python vol.py --profile=LinuxmylinuxARM -f mem.dump linux_pslist
>
> results in:
>
> Volatile Systems Volatility Framework 2.3_beta
> Offset     Name                 Pid             Uid             Gid    DTB
>        Start Time
> ---------- -------------------- --------------- --------------- ------
> ---------- ----------
> No suitable address space mapping found
> Tried to open image as:
>  MachOAddressSpace: mac: need base
>  LimeAddressSpace: lime: need base
>  WindowsHiberFileSpace32: No base Address Space
>  WindowsCrashDumpSpace64: No base Address Space
>  HPAKAddressSpace: No base Address Space
>  VirtualBoxCoreDumpElf64: No base Address Space
>  VMWareSnapshotFile: No base Address Space
>  WindowsCrashDumpSpace32: No base Address Space
>  AMD64PagedMemory: No base Address Space
>  IA32PagedMemoryPae: No base Address Space
>  IA32PagedMemory: No base Address Space
>  MachOAddressSpace: MachO Header signature invalid
>  MachOAddressSpace: MachO Header signature invalid
>  LimeAddressSpace: Invalid Lime header signature
>  WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
>  WindowsCrashDumpSpace64: Header signature invalid
>  HPAKAddressSpace: Invalid magic found
>  VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
>  VMWareSnapshotFile: Invalid VMware signature: 0x0
>  WindowsCrashDumpSpace32: Header signature invalid
>  AMD64PagedMemory: Incompatible profile LinuxmylinuxARM selected
>  IA32PagedMemoryPae: Failed valid Address Space check
>  IA32PagedMemory: Failed valid Address Space check
>  FileAddressSpace: Must be first Address Space
>  ArmAddressSpace: Failed valid Address Space check
>
> I have not cross-compiled lime.ko and module.ko with exactly the same
> compiler that I used to build the rest of my installation but I have
> carried out the build pointing to the same kernel directories and lime.ko
> can successfully be used to get a memory dump. Can this be the reason for
> the inconsistency?
>
> Antonios
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
>
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20130918/5c17ed95/attachment.html


More information about the Vol-users mailing list