Add support for arm based linux memory analysis about profiles HOT 4 OPEN

Here is a System.map file. Can you try it with it and show the way how you did it?

https://github.com/raspberrypi/firmware/tree/master/extra

from profiles.

Hi @markoNR , thanks for your reply. Now I am getting another error while creating profile. Please see the below commands and outputs and help me please. I am on kernel 4.4.38-v7+
`test@test-desktop:~/volatility/tools/linux$ make
make -C //lib/modules/4.4.38-v7+/build CONFIG_DEBUG_INFO=y M="/home/test/volatility/tools/linux" modules
make[1]: Entering directory '/usr/src/linux-headers-4.4.38-v7+'
Building modules, stage 2.
MODPOST 1 modules
make[1]: Leaving directory '/usr/src/linux-headers-4.4.38-v7+'
dwarfdump -di module.ko > module.dwarf

dwarfdump ERROR: dwarf_attrlist: DW_DLE_UNKNOWN_FORM (242) Possibly corrupt DWARF data (242)
Makefile:10: recipe for target 'dwarf' failed
make: *** [dwarf] Error 1
test@test-desktop:~/volatility/tools/linux$ sudo make
make -C //lib/modules/4.4.38-v7+/build CONFIG_DEBUG_INFO=y M="" modules
make[1]: Entering directory '/usr/src/linux-headers-4.4.38-v7+'
CHK include/config/kernel.release
CHK include/generated/uapi/linux/version.h
CHK include/generated/utsrelease.h
make[2]: *** No rule to make target 'arch/arm/tools/gen-mach-types', needed by 'include/generated/mach-types.h'. Stop.
arch/arm/Makefile:315: recipe for target 'archprepare' failed
make[1]: *** [archprepare] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-4.4.38-v7+'
Makefile:10: recipe for target 'dwarf' failed
make: *** [dwarf] Error 2
`

from profiles.

Ok here is how I did it:

1. Update your raspberry pi

sudo apt-get update && sudo apt-get upgrade

2. Start rpi-update

sudo rpi-update

3. Reboot

sudo reboot

4. Download and install rpi-source (wiki)

sudo wget https://raw.githubusercontent.com/notro/rpi-source/master/rpi-source -O /usr/bin/rpi-source && sudo chmod +x /usr/bin/rpi-source && /usr/bin/rpi-source -q --tag-update

And run it:

rpi-source

5. Now you should be able to build it properly, BUT at this point the module.ko file was either build with errors or somehow wrong and I don't know why. So I decided to download and build libdwarf manually.
   (described here)

git clone https://github.com/tomhughes/libdwarf.git
apt-get install libelf1 libelf-dev
cd libdwarf/
./configure
make dd
cp dwarfdump/dwarfdump /usr/local/bin/
cp dwarfdump/dwarfdump.conf /usr/local/lib/
cp libdwarf/libdwarf.a /usr/local/lib
/usr/local/bin/dwarfdump -di ./module.o > module.dwarf

Then run make again in the volatility folder.

6. The last step is to take the file and zip it together with the System.map file. If you get an exception from volatility, you have to checkout the branch where this error is already fixed or just edit the dwarf.py file.

I hope this helps!

from profiles.

Hi @markoNR , thanks for guiding me. Your method works like charm, but there is another problem. Using your method, I am able to compile and run volatility and LiME and I can create the profile as well, but upon running any volatility command, I am getting "No suitable address space mapping found" error. I have attached screenshot below. Please help me to solve this issue.

from profiles.