Add support for arm based linux memory analysis

[nsvaidya]

I have install all prerequisites and configured everything on my raspberry pi 3. LiME module is able to capture live memory. Module.dwarf is also successfully compiled but due to absence of System.map in /boot directory, I am unable to create profile for arm raspbian. I followed a method suggested by Gus Kenion to create profile. The profile has been successfully made, but, I was not able to analyze the image with that profile. I suggest you to add support or introduce new method to create profiles for arm based devices.

[k-volt]

Here is a System.map file. Can you try it with it and show the way how you did it?

https://github.com/raspberrypi/firmware/tree/master/extra

[nsvaidya]

Hi @markoNR , thanks for your reply. Now I am getting another error while creating profile. Please see the below commands and outputs and help me please. I am on kernel 4.4.38-v7+
`test@test-desktop:~/volatility/tools/linux$ make
make -C //lib/modules/4.4.38-v7+/build CONFIG_DEBUG_INFO=y M="/home/test/volatility/tools/linux" modules
make[1]: Entering directory '/usr/src/linux-headers-4.4.38-v7+'
Building modules, stage 2.
MODPOST 1 modules
make[1]: Leaving directory '/usr/src/linux-headers-4.4.38-v7+'
dwarfdump -di module.ko > module.dwarf

dwarfdump ERROR: dwarf_attrlist: DW_DLE_UNKNOWN_FORM (242) Possibly corrupt DWARF data (242)
Makefile:10: recipe for target 'dwarf' failed
make: *** [dwarf] Error 1
test@test-desktop:~/volatility/tools/linux$ sudo make
make -C //lib/modules/4.4.38-v7+/build CONFIG_DEBUG_INFO=y M="" modules
make[1]: Entering directory '/usr/src/linux-headers-4.4.38-v7+'
CHK include/config/kernel.release
CHK include/generated/uapi/linux/version.h
CHK include/generated/utsrelease.h
make[2]: *** No rule to make target 'arch/arm/tools/gen-mach-types', needed by 'include/generated/mach-types.h'. Stop.
arch/arm/Makefile:315: recipe for target 'archprepare' failed
make[1]: *** [archprepare] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-4.4.38-v7+'
Makefile:10: recipe for target 'dwarf' failed
make: *** [dwarf] Error 2
`

[k-volt]

Ok here is how I did it:

1. Update your raspberry pi

sudo apt-get update && sudo apt-get upgrade

2. Start rpi-update

sudo rpi-update

3. Reboot

sudo reboot

4. Download and install rpi-source (wiki)

sudo wget https://raw.githubusercontent.com/notro/rpi-source/master/rpi-source -O /usr/bin/rpi-source && sudo chmod +x /usr/bin/rpi-source && /usr/bin/rpi-source -q --tag-update

And run it:

rpi-source

5. Now you should be able to build it properly, BUT at this point the module.ko file was either build with errors or somehow wrong and I don't know why. So I decided to download and build libdwarf manually.
   (described here)

git clone https://github.com/tomhughes/libdwarf.git
apt-get install libelf1 libelf-dev
cd libdwarf/
./configure
make dd
cp dwarfdump/dwarfdump /usr/local/bin/
cp dwarfdump/dwarfdump.conf /usr/local/lib/
cp libdwarf/libdwarf.a /usr/local/lib
/usr/local/bin/dwarfdump -di ./module.o > module.dwarf

Then run make again in the volatility folder.

6. The last step is to take the file and zip it together with the System.map file. If you get an exception from volatility, you have to checkout the branch where this error is already fixed or just edit the dwarf.py file.

I hope this helps!

[nsvaidya]

Hi @markoNR , thanks for guiding me. Your method works like charm, but there is another problem. Using your method, I am able to compile and run volatility and LiME and I can create the profile as well, but upon running any volatility command, I am getting "No suitable address space mapping found" error. I have attached screenshot below. Please help me to solve this issue.