
Linux Profile Error - KeyError: 'DW_AT_data_member_location' #828

Open
mthbrown opened this issue Sep 8, 2022 · 30 comments

Comments

@mthbrown

mthbrown commented Sep 8, 2022

Hi,

I'm currently trying to run Volatility 2 on a custom profile for Ubuntu 22.04. I successfully created the profile by running:

git clone --depth=1 https://github.com/volatilityfoundation/volatility.git
cd volatility/tools/linux
echo 'MODULE_LICENSE("GPL");' >> module.c # to get around the error mentioned here https://github.com/volatilityfoundation/volatility/issues/812
make
zip ubuntu22.04.zip volatility/tools/linux/module.dwarf /boot/System.map-`uname -r`
  adding: volatility/tools/linux/module.dwarf (deflated 91%)
  adding: boot/System.map-5.15.0-33-generic (deflated 80%)

and I can see the profile when I run:

# python vol.py --info | less

Profiles
--------
Linuxubuntu22_04x64   - A Profile for Linux ubuntu22.04 x64
VistaSP0x64           - A Profile for Windows Vista SP0 x64

However, when I try to use the profile, it fails with this error:

# python2 vol.py --plugins=/root/profiles --profile=Linuxubuntu22_04x64 -f /Linux64.mem linux_pslist
Volatility Foundation Volatility Framework 2.6.1
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
    main()
  File "vol.py", line 183, in main
    command.execute()
  File "/root/volatility/volatility/plugins/linux/common.py", line 67, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/root/volatility/volatility/commands.py", line 116, in execute
    if not self.is_valid_profile(profs[self._config.PROFILE]()):
  File "/root/volatility/volatility/plugins/overlays/linux/linux.py", line 218, in __init__
    obj.Profile.__init__(self, *args, **kwargs)
  File "/root/volatility/volatility/obj.py", line 862, in __init__
    self.reset()
  File "/root/volatility/volatility/plugins/overlays/linux/linux.py", line 232, in reset
    self.load_vtypes()
  File "/root/volatility/volatility/plugins/overlays/linux/linux.py", line 269, in load_vtypes
    vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
  File "/root/volatility/volatility/dwarf.py", line 72, in __init__
    self.feed_line(line)
  File "/root/volatility/volatility/dwarf.py", line 163, in feed_line
    self.process_statement(**parsed) #pylint: disable-msg=W0142
  File "/root/volatility/volatility/dwarf.py", line 267, in process_statement
    d = data['DW_AT_data_member_location']
KeyError: 'DW_AT_data_member_location'

and for the binary version as well:

# ./volatility_2.6_lin64_standalone --plugins=/root/profiles --profile=Linuxubuntu22_04x64 -f /Linux64.mem linux_pslist
Volatility Foundation Volatility Framework 2.6
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
  File "vol.py", line 183, in main
  File "volatility/plugins/linux/common.py", line 64, in execute
  File "volatility/commands.py", line 116, in execute
  File "volatility/plugins/overlays/linux/linux.py", line 216, in __init__
  File "volatility/obj.py", line 862, in __init__
  File "volatility/plugins/overlays/linux/linux.py", line 227, in reset
  File "volatility/plugins/overlays/linux/linux.py", line 264, in load_vtypes
  File "volatility/dwarf.py", line 71, in __init__
  File "volatility/dwarf.py", line 162, in feed_line
  File "volatility/dwarf.py", line 255, in process_statement
KeyError: 'DW_AT_data_member_location'
Failed to execute script vol

I ran into this error for memory captures from both LiME (including with and without the timeout=0 option, as mentioned here) and AVML. I attached the profile - ubuntu22.04.zip.

Any ideas? Thanks.

UPDATE: I was able to successfully run the equivalent command on Volatility 3 by creating a custom symbol table that I attached (vmlinux-5.15.0-33-generic.json.gz), but I would rather run it on Volatility 2 due to the extra plugins available on Volatility 2.

@Woask1

Woask1 commented Oct 17, 2022

I've got the exact same issue.

@IridiumXOR

Same here :/

@MrPickled

Same issue! Maybe it's a Volatility version issue; this standalone might have some problem.

@MrPickled

Volatility Foundation Volatility Framework 2.4
Traceback (most recent call last):
File "", line 192, in <module>
File "", line 183, in main
File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.common", line 62, in execute
File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.commands", line 99, in execute
File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.overlays.linux.linux", line 207, in __init__
File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.obj", line 858, in __init__
File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.overlays.linux.linux", line 217, in reset
File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.overlays.linux.linux", line 254, in load_vtypes
File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.dwarf", line 71, in __init__
File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.dwarf", line 162, in feed_line
File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.dwarf", line 204, in process_statement
KeyError: 'DW_AT_byte_size'

Volatility 2.4.0 has the same issue.

@miszr

miszr commented Nov 7, 2022

I have found what the issue is.

The DWARF data generated seems to be using the DWARFv5 or newer version which Volatility 2 is not able to interpret.

Adding "-gdwarf-4" to KBUILD_CFLAGS in the root Makefile in the kernel source tree solves the issue.

Before:

ifdef CONFIG_DEBUG_INFO
KBUILD_CFLAGS += -g
KBUILD_AFLAGS += -gdwarf-2
endif

After:

ifdef CONFIG_DEBUG_INFO
KBUILD_CFLAGS += -g -gdwarf-4
KBUILD_AFLAGS += -gdwarf-2
endif

This is a manual solution, requiring changes every time a new profile needs to be generated.
A preferable solution would be adding support for newer DWARF versions in Volatility 2.

@Metjuw

Metjuw commented Nov 10, 2022

> I have found what the issue is.
>
> The DWARF data generated seems to be using the DWARFv5 or newer version which Volatility 2 is not able to interpret.
>
> Adding "-gdwarf-4" to KBUILD_CFLAGS in the root Makefile in the kernel source tree solves the issue.
>
> Before:
>
> ifdef CONFIG_DEBUG_INFO
> KBUILD_CFLAGS += -g
> KBUILD_AFLAGS += -gdwarf-2
> endif
>
> After:
>
> ifdef CONFIG_DEBUG_INFO
> KBUILD_CFLAGS += -g -gdwarf-4
> KBUILD_AFLAGS += -gdwarf-2
> endif
>
> This is a manual solution, requiring changes every time a new profile needs to be generated. A preferable solution would be adding support for newer DWARF versions in Volatility 2.

Could you kindly tell me where the Makefile is located in the kernel source tree, please?

The closest I found was the one shown below but it does not have what you mentioned above. I tried including this part:

KBUILD_CFLAGS += -g -gdwarf-4
KBUILD_AFLAGS += -gdwarf-2
endif

But I still got the same error as already reported above.

(screenshot: gdwarf)

@miszr

miszr commented Nov 15, 2022

> Could you kindly tell me where the Makefile is located in the kernel source tree, please?
>
> The closest I found was the one shown below but it does not have what you mentioned above. I tried including this part:
>
> KBUILD_CFLAGS += -g -gdwarf-4
> KBUILD_AFLAGS += -gdwarf-2
> endif
>
> But I still got the same error as already reported above.
>
> (screenshot: gdwarf)

You have found the correct makefile, it should be the top makefile in the kernel source tree.
It just seems you have a different version of the kernel source. I did my discovery of this issue on a 3.10 kernel.

In your case, the addition should be on the line where it's written:

DEBUG_CFLAGS     += -g

That is: if CONFIG_DEBUG_INFO is defined and CONFIG_DEBUG_INFO_SPLIT is not defined.

As an alternative, based on the version of the kernel you are using, setting CONFIG_DEBUG_INFO_DWARF4=y while making sure that CONFIG_DEBUG_INFO_DWARF5 and CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT are either unset or set to false should provide the same flags as I mentioned in my original comment.

@Metjuw

Metjuw commented Nov 15, 2022

Thank you for your reply. 👍

@transcend3nt

Hi @mthbrown, thanks for solving the issue. How did you import the .zip profile into volatility 3 as you did for volatility 2? Thanks

@mthbrown

mthbrown commented Feb 20, 2023

@Metjuw @miszr Did it end up working on newer kernels? Although I no longer get the same error, it runs but gives EXCEPTIONS and can't find the base address:

# python2 vol.py --plugins=/home/vagrant/profiles/ --profile=Linuxubuntu22_04x64 -f /home/vagrant/output.lime linux_pstree
Volatility Foundation Volatility Framework 2.6.1
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
Name                 Pid             Uid
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 QemuCoreDumpElf: No base Address Space
 VMWareAddressSpace: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 SkipDuplicatesAMD64PagedMemory: No base Address Space
 WindowsAMD64PagedMemory: No base Address Space
 LinuxAMD64PagedMemory: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF Header signature invalid
 VMWareMetaAddressSpace: VMware metadata file is not available
 QemuCoreDumpElf: ELF Header signature invalid
 VMWareAddressSpace: Invalid VMware signature: -
 WindowsCrashDumpSpace32: Header signature invalid
 SkipDuplicatesAMD64PagedMemory: Incompatible profile Linuxubuntu22_04x64 selected
 WindowsAMD64PagedMemory: Incompatible profile Linuxubuntu22_04x64 selected
 LinuxAMD64PagedMemory - EXCEPTION: 'state'
 AMD64PagedMemory - EXCEPTION: 'state'
 IA32PagedMemoryPae: Incompatible profile Linuxubuntu22_04x64 selected
 IA32PagedMemory: Incompatible profile Linuxubuntu22_04x64 selected
 OSXPmemELF: ELF Header signature invalid
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace - EXCEPTION: 'state'

This is on Ubuntu 22.04 and kernel 5.15.0-53 and this is the section in the /usr/src/linux-headers-5.15.0-53/Makefile with the change mentioned:

ifdef CONFIG_DEBUG_INFO_SPLIT
DEBUG_CFLAGS    += -gsplit-dwarf
else
DEBUG_CFLAGS    += -g
DEBUG_CFLAGS    += -gdwarf-4
endif

I also had to comment out these lines, as otherwise it gives me the DW_AT_data_member_location error:

# ifndef CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT
# dwarf-version-$(CONFIG_DEBUG_INFO_DWARF4) := 4
# dwarf-version-$(CONFIG_DEBUG_INFO_DWARF5) := 5
# DEBUG_CFLAGS    += -gdwarf-$(dwarf-version-y)
# endif

And here is the bash script I used to build it:

#!/bin/bash

cd tools/linux/
make clean
make
cd ../../../
zip ubuntu22.04.zip volatility/tools/linux/module.dwarf /boot/System.map-`uname -r`
mv ubuntu22.04.zip profiles/
cd volatility/
python2 vol.py --plugins=/home/vagrant/profiles/ --profile=Linuxubuntu22_04x64 -f /home/vagrant/output.lime linux_pslist

Any ideas? Thanks

@mthbrown

@transcend3nt You basically have to:

  • download and compile dwarf2json
  • install a debug version of the kernel used in the memory dump
  • run dwarf2json to generate the symbols table

You are now good to go.

@tr4c3datr4il

tr4c3datr4il commented Mar 8, 2023

@mthbrown

Same issue. I think vol 2 just doesn't support new kernels now.

@Blue0fSky

@mthbrown Same issue here too. I'm on a 5.15.0 kernel.

@jotunel

jotunel commented May 28, 2023

@mthbrown

Same issue here too. I'm on a 5.19.0-42-generic kernel.

Vol2 definitely does not support the new kernel.

We basically have to try to go to volatility3 and try to build custom symbol files.

@miszr

miszr commented May 29, 2023

> @transcend3nt You basically have to:
>
>   • download and compile dwarf2json
>   • install a debug version of the kernel used in the memory dump
>   • run dwarf2json to generate the symbols table
>
> You are now good to go.

Your solution is only valid for Volatility 3. It does not work for Volatility 2 since it uses profiles instead of symbol files.

@miszr

miszr commented May 29, 2023

@mthbrown @jotunel @BlackDeeer @1259iknowthat

I have just created PR #852, which fixes issues with newer kernel releases.

I believe this issue should be closed.

@mthbrown

mthbrown commented Jun 11, 2023

@miszr Thanks but I'm still getting the same error even after installing your PR (kernel 5.15.0-53)

Here is a quick way to reproduce the issue. Just start a Vagrant box and run it:

# prerequisites
sudo apt update
sudo apt install -y make python2 linux-headers-$(uname -r) build-essential dwarfdump python2-dev

# install pip
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
python2 get-pip.py

# install pip dependencies
cd
python2 -m pip install pycrypto==2.6.1 distorm3==3.4.4

# install AVML and dump memory
cd
wget https://github.com/microsoft/avml/releases/download/v0.11.2/avml
chmod +x avml
sudo ./avml output.lime
sudo chmod 666 output.lime

# install volatility
git clone --depth=1 https://github.com/volatilityfoundation/volatility.git
cd volatility/
git fetch origin pull/852/head:kernel5
git checkout kernel5
cd tools/linux
echo 'MODULE_LICENSE("GPL");' >> module.c
make

# generate profile
sudo chmod -R 666 /boot/*
cd
zip ubuntu22.04.zip volatility/tools/linux/module.dwarf /boot/System.map-`uname -r`
mkdir profiles
mv ubuntu22.04.zip profiles/

# run it
cd
cd volatility
python2 vol.py --plugins=/home/vagrant/profiles --profile=Linuxubuntu22_04x64 -f /home/vagrant/output.lime linux_pslist

@miszr

miszr commented Jun 13, 2023

@mthbrown: Could you please attempt to use the following patch with the Makefile used in the tools/linux directory:

--- Makefile.orig	2023-06-13 07:38:03.065860789 +0200
+++ Makefile		2023-05-29 12:43:40.823489421 +0200
@@ -7,7 +7,7 @@
 all: dwarf 
 
 dwarf: module.c
-	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build CONFIG_DEBUG_INFO=y M="$(PWD)" modules
+	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build CONFIG_DEBUG_INFO=y CONFIG_DEBUG_INFO_DWARF4=y M="$(PWD)" modules
 	dwarfdump -di module.ko > module.dwarf
 	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M="$(PWD)" clean
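Review bot: the added `CONFIG_DEBUG_INFO_DWARF4=y` on the `$(MAKE)` line leaves CONFIG_DEBUG_INFO_DWARF5 and CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT to whatever the installed headers' .config provides, and the earlier comment in this thread says the DWARF 4 selection only takes effect when both of those are unset. The Makefile excerpt posted above shows why: `dwarf-version-$(CONFIG_DEBUG_INFO_DWARF5) := 5` is assigned after the DWARF4 line and overrides it whenever DWARF5 is set, and `ifndef CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT` skips the whole block so no -gdwarf flag is passed at all. Suggest overriding all three on the command line, e.g. `CONFIG_DEBUG_INFO_DWARF4=y CONFIG_DEBUG_INFO_DWARF5= CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT=`, so the result does not depend on the distro config, and a comment in the Makefile explaining why the override is needed.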

@mthbrown

@miszr Still didn't work. Here's the Makefile after applying your suggestion:

obj-m += module.o
KDIR ?= /
KVER ?= $(shell uname -r)

-include version.mk

all: dwarf

dwarf: module.c
        $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build CONFIG_DEBUG_INFO=y CONFIG_DEBUG_INFO_DWARF4=y M="$(PWD)" modules
        dwarfdump -di module.ko > module.dwarf
        $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M="$(PWD)" clean

clean:
        $(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M="$(PWD)" clean
        rm -f module.dwarf

miszr added a commit to miszr/volatility that referenced this issue Jun 14, 2023
@miszr

miszr commented Jun 14, 2023

@mthbrown: Just created a pull-request which should solve this once and for all by adding support for DWARFv5.

See PR #854

@mthbrown

@miszr The initial error has gone away but modules don't run successfully. For example:

$ python2 vol.py --plugins=/home/vagrant/profiles --profile=Linuxubuntu22_04x64 -f /home/vagrant/output.lime linux_pslist
Volatility Foundation Volatility Framework 2.6.1
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
Offset             Name                 Pid             PPid            Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareAddressSpace: No base Address Space
 QemuCoreDumpElf: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 SkipDuplicatesAMD64PagedMemory: No base Address Space
 WindowsAMD64PagedMemory: No base Address Space
 LinuxAMD64PagedMemory: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 VMWareMetaAddressSpace: VMware metadata file is not available
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF Header signature invalid
 VMWareAddressSpace: Invalid VMware signature: -
 QemuCoreDumpElf: ELF Header signature invalid
 WindowsCrashDumpSpace32: Header signature invalid
 SkipDuplicatesAMD64PagedMemory: Incompatible profile Linuxubuntu22_04x64 selected
 WindowsAMD64PagedMemory: Incompatible profile Linuxubuntu22_04x64 selected
 LinuxAMD64PagedMemory - EXCEPTION: 'state'
 AMD64PagedMemory - EXCEPTION: 'state'
 IA32PagedMemoryPae: Incompatible profile Linuxubuntu22_04x64 selected
 IA32PagedMemory: Incompatible profile Linuxubuntu22_04x64 selected
 OSXPmemELF: ELF Header signature invalid
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace - EXCEPTION: 'state'

@miszr

miszr commented Jun 16, 2023

@mthbrown: See PR #852 for a solution to the "state" exception.

This is a separate issue related to a field in a struct changing names in newer kernels.

@mthbrown

@miszr I'm a little confused. So should I apply both PRs to get it to work?

@miszr

miszr commented Jun 16, 2023

@mthbrown: That is correct. These are two separate issues solved by two separate PRs.

Original issue is related with the DWARF debug information being of a newer version than Volatility 2 could handle. That is solved in PR #854.

The exception issue is caused by a field being renamed in a struct. This is solved by PR #852.

@mthbrown

@miszr Looks like it works :)

Will try to test it more with other plugins

Thanks a lot

By the way, I noticed that you mentioned that this is for kernels >= 5.14-rc1. Does this mean that kernels in 5.x that aren't greater than .14 aren't supported?

$ python2 vol.py --plugins=/home/vagrant/profiles --profile=Linuxubuntu22_04x64 -f /home/vagrant/output.lime linux_pslist
Volatility Foundation Volatility Framework 2.6.1
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
Offset             Name                 Pid             PPid            Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
0xffff8dec002aaf80 systemd              1               0               0               0      0x00000001009a2000 2023-06-15 22:53:15 UTC+0000
0xffff8dec002a8000 kthreadd             2               0               0               0      ------------------ 2023-06-15 22:53:15 UTC+0000
0xffff8dec002ac740 rcu_gp               3               2               0               0      ------------------ 2023-06-15 22:53:15 UTC+0000
0xffff8dec002adf00 rcu_par_gp           4               2               0               0      ------
...

@miszr

miszr commented Jun 17, 2023

@mthbrown: Great to hear that it works.

All Linux kernels, as far as I have tested, work with the PRs I have created. PR #852 adds support for newer kernels. Older kernels work as before. Basically, PR #852 attempts to use the old method (looking for a field called state) and, if that fails, looks for a field called __state. This change was introduced in 5.14-rc1.

Once you're satisfied with your testing, please close this issue to indicate that it has been solved.
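The thread identifies three things a freshly built module.dwarf can trip over before Volatility 2 ever touches the memory image: struct members without DW_AT_data_member_location (the KeyError in the opening report), aggregate types without DW_AT_byte_size (the 2.4 standalone traceback), and the task_struct state/__state rename handled by PR #852. The following pre-flight check is added example code, not Volatility's dwarf.py or the project's own tooling; it reads the `dwarfdump -di` text that goes into the profile zip and reports all three. The column layout of the constructed sample is an assumption; the DW_TAG_*/DW_AT_* names are the standard DWARF ones.

```python
import re

# DIE header and attribute lines as they appear in `dwarfdump -di` text output.
# The exact column layout is an assumption; the DW_TAG_*/DW_AT_* names are the
# standard DWARF ones that Volatility 2's dwarf.py keys on.
DIE_RE = re.compile(r"^<\s*(?P<level>\d+)><(?P<off>0x[0-9a-fA-F]+)>\s+(?P<tag>DW_TAG_\w+)")
ATTR_RE = re.compile(r"^\s+(?P<name>DW_AT_\w+)\s*(?P<val>.*?)\s*$")

AGGREGATES = ("DW_TAG_structure_type", "DW_TAG_union_type")


def parse_dwarfdump(text):
    """Walk the dump once and return every DIE with its attributes; DW_TAG_member
    DIEs are additionally attached to the struct/union DIE that encloses them."""
    dies, stack = [], []  # stack holds the currently open DIE at each nesting level
    for line in text.splitlines():
        m = DIE_RE.match(line)
        if m:
            die = {"level": int(m.group("level")), "offset": m.group("off"),
                   "tag": m.group("tag"), "attrs": {}, "members": []}
            while stack and stack[-1]["level"] >= die["level"]:
                stack.pop()
            if die["tag"] == "DW_TAG_member" and stack and stack[-1]["tag"] in AGGREGATES:
                stack[-1]["members"].append(die)
            stack.append(die)
            dies.append(die)
            continue
        m = ATTR_RE.match(line)
        if m and stack:
            stack[-1]["attrs"][m.group("name")] = m.group("val")
    return dies


def check_profile_dwarf(text):
    """Report the conditions this thread hits, before the profile is zipped:
    KeyError 'DW_AT_data_member_location', KeyError 'DW_AT_byte_size', and
    which name task_struct uses for its state field (renamed in 5.14-rc1)."""
    report = {"members_missing_location": [], "types_missing_byte_size": [],
              "task_struct_state_field": None}
    for die in parse_dwarfdump(text):
        if die["tag"] not in AGGREGATES:
            continue
        name = die["attrs"].get("DW_AT_name", "<anon@%s>" % die["offset"])
        # Forward declarations legitimately carry no size; everything else must.
        if "DW_AT_byte_size" not in die["attrs"] and "DW_AT_declaration" not in die["attrs"]:
            report["types_missing_byte_size"].append(name)
        # Union members all sit at offset 0 and commonly carry no location attribute,
        # so only struct members are required to have DW_AT_data_member_location.
        if die["tag"] == "DW_TAG_structure_type":
            for mem in die["members"]:
                if "DW_AT_data_member_location" not in mem["attrs"]:
                    report["members_missing_location"].append(
                        "%s.%s" % (name, mem["attrs"].get("DW_AT_name", "?")))
        if name == "task_struct":
            present = {mem["attrs"].get("DW_AT_name") for mem in die["members"]}
            report["task_struct_state_field"] = next(
                (f for f in ("state", "__state") if f in present), None)
    return report


# Constructed sample in dwarfdump -di layout: a 5.15-style task_struct (field
# already renamed to __state) plus a struct missing both its size and an offset.
SAMPLE_DUMP = """\
.debug_info

COMPILE_UNIT<header overall offset = 0x00000000>:
< 0><0x0000000b>  DW_TAG_compile_unit
                    DW_AT_producer              GNU C17 11.3.0 -g -gdwarf-4
                    DW_AT_name                  module.c

LOCAL_SYMBOLS:
< 1><0x0000002d>    DW_TAG_structure_type
                      DW_AT_name                  task_struct
                      DW_AT_byte_size             0x00002840
< 2><0x00000039>      DW_TAG_member
                        DW_AT_name                  __state
                        DW_AT_type                  <0x00000101>
                        DW_AT_data_member_location  24
< 2><0x00000046>      DW_TAG_member
                        DW_AT_name                  stack
                        DW_AT_type                  <0x00000108>
                        DW_AT_data_member_location  32
< 1><0x00000053>    DW_TAG_structure_type
                      DW_AT_name                  broken_struct
< 2><0x0000005a>      DW_TAG_member
                        DW_AT_name                  flags
                        DW_AT_type                  <0x00000101>
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for key, value in check_profile_dwarf(text).items():
        print("%-26s %s" % (key, value))
```

Run it as `python3 check.py tools/linux/module.dwarf` on a real dump; an empty `members_missing_location` and `types_missing_byte_size` means the two KeyErrors from this thread will not fire, and `task_struct_state_field` tells you whether the PR #852 fallback will be exercised.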

@mthbrown

Tried it out on a 6.x kernel. Unfortunately, it is back to not finding the base address. This is on Ubuntu 22.04 with a mainline kernel (6.3.7) installed.

$ python2 vol.py --plugins=/home/vagrant/profiles --profile=Linuxubuntu22_04-6_3_7x64 -f /home/vagrant/output2.lime linux_pslist
Volatility Foundation Volatility Framework 2.6.1
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
Offset             Name                 Pid             PPid            Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 QemuCoreDumpElf: No base Address Space
 VMWareAddressSpace: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 SkipDuplicatesAMD64PagedMemory: No base Address Space
 WindowsAMD64PagedMemory: No base Address Space
 LinuxAMD64PagedMemory: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VMWareMetaAddressSpace: VMware metadata file is not available
 VirtualBoxCoreDumpElf64: ELF Header signature invalid
 QemuCoreDumpElf: ELF Header signature invalid
 VMWareAddressSpace: Invalid VMware signature: -
 WindowsCrashDumpSpace32: Header signature invalid
 SkipDuplicatesAMD64PagedMemory: Incompatible profile Linuxubuntu22_04-6_3_7x64 selected
 WindowsAMD64PagedMemory: Incompatible profile Linuxubuntu22_04-6_3_7x64 selected
 LinuxAMD64PagedMemory: Failed valid Address Space check
 AMD64PagedMemory: Failed valid Address Space check
 IA32PagedMemoryPae: Incompatible profile Linuxubuntu22_04-6_3_7x64 selected
 IA32PagedMemory: Incompatible profile Linuxubuntu22_04-6_3_7x64 selected
 OSXPmemELF: ELF Header signature invalid
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check

@miszr

miszr commented Jun 19, 2023

@mthbrown: Just did a test with Ubuntu 23.04 with kernel 6.3.7-060307 running in VirtualBox and performing a memory dump using the debugvm and dumpvmcore commands. Everything worked as intended.

Maybe your memory dump is somehow incorrect?
This is no longer related to the DW_AT_data_member_location error.

Mark this issue as solved but do not close it, as it still affects the master branch of volatility 2.

@maromanparkour

> I have found what the issue is.
>
> The DWARF data generated seems to be using the DWARFv5 or newer version which Volatility 2 is not able to interpret.
>
> Adding "-gdwarf-4" to KBUILD_CFLAGS in the root Makefile in the kernel source tree solves the issue.
>
> Before:
>
> ifdef CONFIG_DEBUG_INFO
> KBUILD_CFLAGS += -g
> KBUILD_AFLAGS += -gdwarf-2
> endif
>
> After:
>
> ifdef CONFIG_DEBUG_INFO
> KBUILD_CFLAGS += -g -gdwarf-4
> KBUILD_AFLAGS += -gdwarf-2
> endif
>
> This is a manual solution, requiring changes every time a new profile needs to be generated. A preferable solution would be adding support for newer DWARF versions in Volatility 2.

I also have the Linux Profile Error - KeyError: 'DW_AT_data_member_location' problem, but I use Ubuntu 6.2.0-36-generic and can't find the line in the Makefile where I'm supposed to make this change.

@miszr

miszr commented Jan 25, 2024

>> I have found what the issue is.
>> The DWARF data generated seems to be using the DWARFv5 or newer version which Volatility 2 is not able to interpret.
>> Adding "-gdwarf-4" to KBUILD_CFLAGS in the root Makefile in the kernel source tree solves the issue.
>> Before:
>>
>> ifdef CONFIG_DEBUG_INFO
>> KBUILD_CFLAGS += -g
>> KBUILD_AFLAGS += -gdwarf-2
>> endif
>>
>> After:
>>
>> ifdef CONFIG_DEBUG_INFO
>> KBUILD_CFLAGS += -g -gdwarf-4
>> KBUILD_AFLAGS += -gdwarf-2
>> endif
>>
>> This is a manual solution, requiring changes every time a new profile needs to be generated. A preferable solution would be adding support for newer DWARF versions in Volatility 2.
>
> I also have the Linux Profile Error - KeyError: 'DW_AT_data_member_location' problem, but I use Ubuntu 6.2.0-36-generic and can't find the line in the Makefile where I'm supposed to make this change.

See the following comments:

#828 (comment)
#828 (comment)
