-
Notifications
You must be signed in to change notification settings - Fork 0
Profile for Volatility
Sam Duy edited this page Feb 14, 2018
·
3 revisions
In order to make a Volatility profile, we need two files:
- A vtypes (kernel's data structure) file:
module.dwarf - A Symbols file:
System.map
$ sudo apt-get install dwarfdumpAfter compiling the kernel, one file named module.o will be created in linux/kernel. (Make sure to enable CONFIG_DEBUG_INFO=y when compiling so that this file can contain debug information. Otherwise, this step is useless).
$ cd [build_root]/linux/kernel
$ dwarfdump -di ./module.o > module.dwarfThe file module.dwarf is what we need for the next steps.
- Test the file:
$ head module.dwarf
.debug_info
<0><0x0+0xb><DW_TAG_compile_unit> DW_AT_producer<GNU C89 7.2.0 -mlittle-endian -mabi=aapcs-linux -mno-thumb-interwork -mfpu=vfp -marm -march=armv5te -mtune=arm9tdmi -mfloat-abi=soft -mtls-dialect=gnu -g -Os -std=gnu90 -fno-strict-aliasing -fno-common -fno-dwarf2-cfi-asm -fno-ipa-sra -funwind-tables -fno-delete-null-pointer-checks -fno-stack-protector -fomit-frame-pointer -fno-var-tracking-assignments -fno-strict-overflow -fconserve-stack --param allow-store-data-races=0> DW_AT_language<DW_LANG_C89> DW_AT_name<kernel/module.c> DW_AT_comp_dir<...After compiling the kernel, one file named System.map will be created in [build_root]/linux folder. That's the file we need for the next steps
$ mkdir uClinux_profile
$ cd uClinux_profile
$ cp [build_root]/linux/kernel/module.dwarf .
$ mkdir boot
$ cd boot
$ cp [build_root]/linux/System.map
$ cd ..
$ zip uClinux.zip boot/System.map module.dwarf$ cd /path/to/volatility
$ cp /path/to/uClinux_profile.zip plugins/overlays/linux/$ python vol.py --info | grep uClinux
Volatility Foundation Volatility Framework 2.6
LinuxuClinux_ARM_VersatilePBARM - A Profile for Linux uClinux_ARM_VersatilePB ARM- Background
- Anatomy of Volatility
- Profile for Volatility
- uClinux profile for Volatility
- Results
- Conclusion
- Advanced topics