Unable to analyze ARMv7 Linux memory dump with Volatility 2.6.1 #847
Description
I am trying to analyze a memory dump from an ARMv7 Linux system using Volatility 2.6.1. The system runs on kernel version 5.15.0.
I have also used qemu monitor to obtain the memory dump with the commands pmemsave or dump-guest-memory, which generated a 32-bit LSB core file, ARM, version 1 (SYSV), SVR4-style.
Since I don't have the /lib/modules/version/build directory on the machine, I have used the kernel source code to generate the module.dwarf file in the /volatility/tools/linux directory with the following commands:
make -C /path/to/kernel/source CONFIG_DEBUG_INFO=y M="$PWD" modules
dwarfdump -di module.ko >module.dwarfI have also cross-compiled the kernel for ARM architecture in order to have the System.map file.
However, when I run Volatility to analyze the memory dump with linux plugin ( like pstree ), I get the following error message:
$ python vol.py -d -f mem.img --profile=Linuxbusybox_armARM linux_pstree
No suitable address space mapping found
Tried to open image as:
....
IA32PagedMemoryPae - EXCEPTION: 'state'
IA32PagedMemory - EXCEPTION: 'state'
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace - EXCEPTION: 'state'I have tested Volatility 3, but it doesn't support ARM architecture. I have verified that the kernel debug information is compiled with the same version of the kernel running on my embedded system.
It seems that the issue is specific to the ARM architecture.
Can anyone provide any suggestions on how to resolve this issue and analyze the memory dump successfully with Volatility 2.6.1 on an ARMv7 Linux system?
Thank you.