[Vol-users] Samsung Galaxy Nexus RAM Analysis Issue

Quentin Chaki Cha quenberry at hotmail.com
Thu Sep 26 02:38:37 CDT 2013


Omg yes, I see what you mean. When I extracted /proc/kallsyms from my phone and compared it with the System.map file I made, the addresses are different, as shown below:

00000024 A cpu_v7_suspend_size              |  c0008000 T stext
c0004000 A swapper_pg_dir                   <
c0008000 T __init_begin                     <
c0008000 T _sinittext                          c0008000 T _sinittext
c0008000 T _stext                              c0008000 T _stext
c0008000 T stext                            |  c0008000 T __init_begin
c0008050 t __create_page_tables                c0008050 t __create_page_tables
c0008104 t __enable_mmu_loc                    c0008104 t __enable_mmu_loc
c0008110 t __vet_atags                         c0008110 t __vet_atags
c0008148 t __fixup_smp                         c0008148 t __fixup_smp
c0008180 t __fixup_smp_on_up                   c0008180 t __fixup_smp_on_up
c00081a4 t __mmap_switched                     c00081a4 t __mmap_switched
c00081ec t __mmap_switched_data                c00081ec t __mmap_switched_data
c0008210 T lookup_processor_type               c0008210 T lookup_processor_type
c0008224 t set_reset_devices                   c0008224 t set_reset_devices
c000824c t debug_kernel                     |  c0008248 t debug_kernel
c0008274 t quiet_kernel                     |  c000826c t quiet_kernel
c000829c t init_setup                       |  c0008290 t init_setup
c00082e0 t rdinit_setup                     |  c00082cc t rdinit_setup
c0008324 W smp_setup_processor_id           |  c0008308 W smp_setup_processor_id
c0008334 W thread_info_cache_init           |  c0008318 W thread_info_cache_init
c0008344 t loglevel                         |  c0008328 t loglevel
c000837c T parse_early_options              |  c000835c T parse_early_options
c00083c0 t kernel_init                      |  c0008398 t kernel_init
c0008534 t unknown_bootoption               |  c00084d0 t unknown_bootoption
c00087b4 T parse_early_param                |  c00086dc T parse_early_param
c0008808 T start_kernel                     |  c0008724 T start_kernel
c0008b80 t do_early_param                   |  c0008a24 t do_early_param
c0008c5c t readonly                         |  c0008ad4 t readonly
c0008c98 t readwrite                        |  c0008b08 t readwrite
c0008cd4 t rootwait_setup                   |  c0008b3c t rootwait_setup
c0008d0c t root_data_setup                  |  c0008b6c t root_data_setup
c0008d30 t fs_names_setup                   |  c0008b8c t fs_names_setup
c0008d54 t load_ramdisk                     |  c0008bac t load_ramdisk
c0008d88 t root_dev_setup                   |  c0008bdc t root_dev_setup
c0008db8 t root_delay_setup                 |  c0008c04 t root_delay_setup
c0008de8 T change_floppy                    |  c0008c30 T change_floppy
c0008ee4 T mount_block_root                 |  c0008d20 T mount_block_root
c00091ec T mount_root                       |  c0008fdc T mount_root
c0009260 T prepare_namespace               |  c0009044 T prepare_namespace
c0009498 t prompt_ramdisk                   |  c0009208 t prompt_ramdisk
c00094cc t ramdisk_start_setup              |  c0009238 t ramdisk_start_setup
c00094fc t error                            |  c0009264 t error
c0009538 t compr_fill                       |  c0009298 t compr_fill
c0009598 t compr_flush                      |  c00092ec t compr_flush
c000960c T rd_load_image                    |  c0009350 T rd_load_image
c0009c64 T rd_load_disk                     |  c0009900 T rd_load_disk
c0009d34 t no_initrd                        |  c00099b4 t no_initrd
c0009d5c T initrd_load                      |  c00099d8 T initrd_load
c000a170 t do_linuxrc                       |  c0009d10 t do_linuxrc
c000a1c4 t error                            |  c0009d58 t error

For example, from the above:

c000829c t init_setup                       |  c0008290 t init_setup

The kallsyms file points init_setup to c000829c, but the System.map file I compiled myself points it to a different address.

That was just a small extract of the differences when I ran sdiff between the kallsyms file (on the left) and the System.map file I compiled myself (on the right). Okay, I understand now; what should I do? The original kernel source code/headers didn't come with a System.map file for me. Any help/suggestion would be deeply appreciated, thank you.

> Date: Wed, 25 Sep 2013 22:07:34 -0500
> Subject: Re: [Vol-users] Samsung Galaxy Nexus RAM Analysis Issue
> From: atcuno at gmail.com
> To: quenberry at hotmail.com
> CC: vol-users at volatilityfoundation.org
> 
> Hello,
> 
> Based on your previous email it still looks like you compiled a kernel yourself:
> 
> "#make ARCH=arm CROSS_COMPILE=$CCOMPILER EXTRA_CFLAGS=-fno-pic modules_prepare"
> 
> This will produce a different System.map than that produced by the
> original kernel compilation. Can you see if the addresses of symbols
> in your System.map file match those of /proc/kallsyms on the running
> device?
> 
> On Wed, Sep 25, 2013 at 9:05 PM, Quentin Chaki Cha
> <quenberry at hotmail.com> wrote:
> > Hi People, so over here i have used LiME to extract RAM information out of
> > my Samsung Galaxy Nexus, but I'm currently facing some issues in terms of
> > analyzing as shown below:
> >
> > root at akicha-VirtualBox:~/majorProject/trunk# python vol.py -f /root/majorProject/Nexus.lime --profile LinuxNexusARM linux_pslist
> > Volatile Systems Volatility Framework 2.3_beta
> > Offset     Name                 Pid             Uid             Gid    DTB        Start Time
> > ---------- -------------------- --------------- --------------- ------ ---------- ----------
> >
> > Regardless of the Volatility plugin I use (linux_pslist, linux_lsof), I'm
> > always getting empty data. I ran the same command with the -dd flag as shown
> > below. Any advice/help in this area would be greatly appreciated, thank you
> > :)
> >
> >
> > root at akicha-VirtualBox:~/majorProject/trunk# python vol.py -f /root/majorProject/Nexus.lime --profile LinuxNexusARM -dd linux_pslist
> > Volatile Systems Volatility Framework 2.3_beta
> > DEBUG   : volatility.plugins.overlays.linux.linux: Nexus: Found dwarf file root/majorProject/omap/System.map with 453 symbols
> > DEBUG   : volatility.plugins.overlays.linux.linux: Nexus: Found system file root/majorProject/omap/System.map with 1 symbols
> > DEBUG   : volatility.obj      : Applying modification from BashTypes
> > DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
> > DEBUG   : volatility.obj      : Applying modification from ELF64Modification
> > DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
> > DEBUG   : volatility.obj      : Applying modification from LimeTypes
> > DEBUG   : volatility.obj      : Applying modification from MachoTypes
> > DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
> > DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
> > DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
> > DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
> > DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel
> >
> > DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
> > DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
> > DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
> > Offset     Name                 Pid             Uid             Gid    DTB        Start Time
> > ---------- -------------------- --------------- --------------- ------ ---------- ----------
> > DEBUG   : volatility.utils    : Voting round
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
> > DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: mac: need base
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
> > DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: lime: need base
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
> > DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: No base Address Space
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
> > DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
> > DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: No base Address Space
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
> > DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
> > DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: No base Address Space
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
> > DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
> > DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No base Address Space
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
> > DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: No base Address Space
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
> > DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: No base Address Space
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
> > DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x605bad0>
> > DEBUG   : volatility.utils    : Voting round
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
> > DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO Header signature invalid
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
> > DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 0x2C800040, instantiating lime_header
> > DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x605ba90>
> > DEBUG   : volatility.utils    : Voting round
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
> > DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO Header signature invalid
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
> > DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid Lime header signature
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
> > DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
> > DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
> > DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: Invalid magic found
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
> > DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
> > DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: Invalid VMware signature: 0x81ed
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
> > DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
> > DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: Incompatible profile LinuxNexusARM selected
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
> > DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Failed valid Address Space check
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
> > DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Failed valid Address Space check
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
> > DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must be first Address Space
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
> > DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.arm.ArmAddressSpace object at 0x605be50>
> > DEBUG   : volatility.utils    : Voting round
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
> > DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO Header signature invalid
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
> > DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid Lime header signature
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
> > DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
> > DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
> > DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 0x00000000, instantiating HPAK_HEADER
> > DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: Invalid magic found
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
> > DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
> > DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 0x00000000, instantiating _VMWARE_HEADER
> > DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: Invalid VMware signature: -
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
> > DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
> > DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: Incompatible profile LinuxNexusARM selected
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
> > DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Can not stack over another paging address space
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
> > DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Can not stack over another paging address space
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
> > DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must be first Address Space
> > DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
> > DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace: Can not stack over another paging address space
> > DEBUG1  : volatility.obj      : None object instantiated: Pointer next invalid
> >
> >
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users at volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> >
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20130926/ad462e74/attachment-0001.html