Open
Description
The crash happens when analysing a memory dump from a Samsung 10.1 inch tablet.
It seems to have the model number GT-7510.
Profile was created by compiling the kernel source obtained from Samsung for
this model. The resulting System.map was used in the profile according to the
Wiki.
What steps will reproduce the problem?
1. Dumping memory on the tablet using lime (lime address space)
2. Attempting to run the linux_pslist module on the image.
What is the expected output? What do you see instead?
I get a crash dump from Python when running:
vol.py --profile LinuxAndroid-GT7510x86 -f AndroidDump.lime linux_pslist
Volatile Systems Volatility Framework 2.3_alpha
WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes
Offset Name Pid Uid Gid DTB Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
Traceback (most recent call last):
File "/usr/bin/vol.py", line 186, in <module>
main()
File "/usr/bin/vol.py", line 177, in main
command.execute()
File "/usr/lib/python2.7/site-packages/volatility/plugins/linux/common.py", line 55, in execute
commands.Command.execute(self, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/volatility/commands.py", line 111, in execute
func(outfd, data)
File "/usr/lib/python2.7/site-packages/volatility/plugins/linux/pslist.py", line 73, in render_text
task.get_task_start_time())
File "/usr/lib/python2.7/site-packages/volatility/plugins/overlays/linux/linux.py", line 745, in get_task_start_time
data = struct.pack("<I", sec)
struct.error: integer out of range for 'I' format code
Using another plugin alters the error message slightly:
vol.py --profile LinuxAndroid-GT7510x86 -f AndroidDump.lime linux_pstree
Volatile Systems Volatility Framework 2.3_alpha
Name Pid Uid
WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes
[0??0??@???0] -390250480
.[t] 6
-16777216 0
WARNING : volatility.obj : NoneObject as string: Invalid Address 0xFEFFFDF4, instantiating task_struct
--------------------
Traceback (most recent call last):
File "/usr/bin/vol.py", line 186, in <module>
main()
File "/usr/bin/vol.py", line 177, in main
command.execute()
File "/usr/lib/python2.7/site-packages/volatility/plugins/linux/common.py", line 55, in execute
commands.Command.execute(self, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/volatility/commands.py", line 111, in execute
func(outfd, data)
File "/usr/lib/python2.7/site-packages/volatility/plugins/linux/pstree.py", line 37, in render_text
self.recurse_task(outfd, task, 0)
File "/usr/lib/python2.7/site-packages/volatility/plugins/linux/pstree.py", line 53, in recurse_task
for child in task.children.list_of_type("task_struct", "sibling"):
File "/usr/lib/python2.7/site-packages/volatility/plugins/overlays/linux/linux.py", line 484, in list_of_type
nxt = item.m(member).next.dereference()
AttributeError: 'function' object has no attribute 'dereference'
What version of the product are you using? On what operating system?
Arch Linux 3.7.10 - Python 2.7.3
If anyone wants to download the memory image, it is available at:
http://nyclon.crabdance.com/mem/AndroidDump.lime
Size is 1GB
Original issue reported on code.google.com by nojan1...@gmail.com on 27 Mar 2013 at 6:30
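The first traceback ends in `struct.pack("<I", sec)` rejecting a value that does not fit an unsigned 32-bit field. The following is an added example, not Volatility's code and not part of the original report: it reproduces that failure and shows a range check that flags implausible task fields instead of aborting the listing. The function names, the `PID_MAX_LIMIT` bound and the sample rows are assumptions made for illustration.

```python
import struct

U32_MAX = 0xFFFFFFFF
PID_MAX_LIMIT = 4194304  # assumption: Linux upper bound for pid_max (2**22)

def raw_pack_fails(sec):
    """True if struct.pack("<I", sec) raises, as in the traceback above."""
    try:
        struct.pack("<I", sec)
        return False
    except struct.error:
        return True

def pack_start_seconds(sec):
    """Pack sec as little-endian uint32, or return None if it cannot fit."""
    if not isinstance(sec, int) or not 0 <= sec <= U32_MAX:
        return None
    return struct.pack("<I", sec)

def row_problems(pid, uid, start_sec):
    """List the reasons a task row looks misparsed; empty means plausible."""
    problems = []
    if not 0 <= pid <= PID_MAX_LIMIT:
        problems.append("pid out of range")
    if not 0 <= uid <= U32_MAX:
        problems.append("uid out of range")
    if pack_start_seconds(start_sec) is None:
        problems.append("start time does not fit uint32")
    return problems

# Constructed rows (pid, uid, start_sec). The negative numbers reuse values
# printed in the linux_pstree output above; everything else is made up.
SAMPLE_ROWS = [
    (1, 0, 1364365800),
    (-390250480, -16777216, 2**32 + 5),
]

def render(rows):
    """Return one text line per row instead of raising on the first bad value."""
    lines = []
    for pid, uid, sec in rows:
        problems = row_problems(pid, uid, sec)
        status = "ok" if not problems else "SUSPECT: " + "; ".join(problems)
        lines.append("%d %d %s" % (pid, uid, status))
    return lines

if __name__ == "__main__":
    print("\n".join(render(SAMPLE_ROWS)))
```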