[Vol-users] KeyError int128 unsigned in dwarfpy when using Volatility for Android RAM dump

baumgarr baumgarr at fim.uni-passau.de
Wed Jul 12 04:11:13 EDT 2017

I posted this question already, but I could not find it in the
archive, so I am trying it again.

I am doing some research on RAM extraction and analysis in Android (6
Marshmallow). I succeeded in compiling my own kernel with enabled
CONFIG_MODULE_LOAD and installing it onto my Nexus 5X. Creating the
LiME module to extract the RAM was also successful; I could get a
memory dump of the device on my computer. In a hex editor, I can see
content of the RAM (boot pictures, text messages, …).
I also asked this question on Stack Overflow; it is more readable
there because of the formatting:

But now I have problems using Volatility 2.6. My steps so far:
•	get volatility

git clone https://github.com/volatilityfoundation/volatility.git
cd volatility/tools/linux

•	Adjust Makefile (I also had to uncomment #define RADIX_TREE_MAX_TAGS  
2 in the module.o, otherwise I got an error during make)

obj-m += module.o

KDIR := /root/compile/msm/
CCPATH := /root/compile/msm/aarch64-linux-android-4.9/bin

-include version.mk

all: dwarf

dwarf: module.c
	$(MAKE) ARCH=arm64 CROSS_COMPILE=$(CCPATH)/aarch64-linux-android- -C $(KDIR) \
		CONFIG_DEBUG_INFO=y M=$(PWD) modules
	dwarfdump -di module.ko > module.dwarf

•	Combine System.map (created during kernel compilation) and
module.dwarf (created during make) and copy the .zip into the
overlays directory

zip Nexus5X.zip module.dwarf ../../../System.map
cp Nexus5X.zip ../../volatility/plugins/overlays/linux/

•	run volatility

python vol.py --profile=LinuxNexus5Xx64 -f /root/Documents/nexus-ram.dump linux_pslist

The parameters are all correct - the profile exists, the file also and  
linux_pslist is a valid command. But even with other commands such as  
linux_cpuinfo, I get the following error:

root@kali:~/compile/msm/volatility-2.6# python vol.py --profile=LinuxNexus5Xx64 -f /root/Documents/nexus-ram.dump linux_pslist
Volatility Foundation Volatility Framework 2.6
Traceback (most recent call last):
   File "vol.py", line 192, in <module>
   File "vol.py", line 183, in main
line 64, in execute
     commands.Command.execute(self, *args, **kwargs)
   File "/root/compile/msm/volatility-2.6/volatility/commands.py", line 116, in execute
     if not self.is_valid_profile(profs[self._config.PROFILE]()):
line 216, in __init__
     obj.Profile.__init__(self, *args, **kwargs)
   File "/root/compile/msm/volatility-2.6/volatility/obj.py", line 862, in __init__
line 227, in reset
line 264, in load_vtypes
     vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
   File "/root/compile/msm/volatility-2.6/volatility/dwarf.py", line 71, in __init__
   File "/root/compile/msm/volatility-2.6/volatility/dwarf.py", line 162, in feed_line
     self.process_statement(**parsed) #pylint: disable-msg=W0142
   File "/root/compile/msm/volatility-2.6/volatility/dwarf.py", line 225, in process_statement
     self.id_to_name[statement_id] = [self.base_type_name(data)]
   File "/root/compile/msm/volatility-2.6/volatility/dwarf.py", line 125, in base_type_name
     return self.tp2vol[data['DW_AT_name'].strip('"')]
KeyError: '__int128 unsigned'

Can you help me figure out the error and how to solve it? Or any
related work which did RAM extraction from Android > 5.0?
The string "__int128 unsigned" is inside the module.dwarf two times. I
posted the module.dwarf here as it would be too big for this mail (it
needs some time until the web page appears):

Thanks in advance!
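
An added example, not part of the original post and not Volatility code: a standalone Python 3 check that lists every DW_TAG_base_type name in `dwarfdump -di` output that has no entry in a table of known names, which is the lookup that raises the KeyError in the traceback above. The `KNOWN_BASE_TYPES` set is an assumption about the tp2vol table in dwarf.py (compare it with your checkout), and the sample lines are constructed.

```python
import re

# Assumption: base-type names the profile loader can map (believed to match
# tp2vol in Volatility 2.6's dwarf.py; compare with your own checkout).
KNOWN_BASE_TYPES = {
    "_Bool", "char", "float", "double", "long double", "int", "long int",
    "long long int", "long long unsigned int", "long unsigned int",
    "short int", "short unsigned int", "signed char", "unsigned char",
    "unsigned int", "sizetype",
}

# One DIE per line, as written by `dwarfdump -di`: <level><id><DW_TAG_...> attrs
HEADER = re.compile(r"<(\d+)><([^>]+)><(DW_TAG_\w+)>")
ATTR = re.compile(r"(DW_AT_\w+)<([^>]*)>")


def unmapped_base_types(dwarf_text, known=KNOWN_BASE_TYPES):
    """Return {name: [(die_id, byte_size), ...]} for base types not in `known`."""
    missing = {}
    for line in dwarf_text.splitlines():
        header = HEADER.search(line)
        if not header or header.group(3) != "DW_TAG_base_type":
            continue  # only base types go through the name lookup
        attrs = dict(ATTR.findall(line[header.end():]))
        # Newer dwarfdump quotes names; the parser strips the quotes first.
        name = attrs.get("DW_AT_name", "").strip('"')
        if name and name not in known:
            size = int(attrs.get("DW_AT_byte_size", "0"), 0)  # hex or decimal
            missing.setdefault(name, []).append((header.group(2), size))
    return missing


# Constructed sample input (not taken from the poster's module.dwarf).
SAMPLE = """\
<1><0x0000002d><DW_TAG_base_type> DW_AT_byte_size<0x00000008> DW_AT_encoding<DW_ATE_unsigned> DW_AT_name<"long unsigned int">
<1><0x00000034><DW_TAG_base_type> DW_AT_byte_size<0x00000010> DW_AT_encoding<DW_ATE_unsigned> DW_AT_name<"__int128 unsigned">
<1><0x0000003b><DW_TAG_typedef> DW_AT_name<"u64"> DW_AT_type<0x0000002d>
<1><0x00000b10><DW_TAG_base_type> DW_AT_byte_size<16> DW_AT_encoding<DW_ATE_unsigned> DW_AT_name<__int128 unsigned>
"""

if __name__ == "__main__":
    for name, dies in sorted(unmapped_base_types(SAMPLE).items()):
        print("unmapped base type %r: %s" % (name, dies))
```

To check a real profile, pass the contents of module.dwarf to `unmapped_base_types()` before zipping it; each reported name is one that the `tp2vol` lookup in the traceback cannot resolve.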

