Arm64 #726
Arm64 #726
Conversation
Notice that the condition to use ia64 if 64bit is not needed because it already exists in parse_system_map
use the correct size, symbol, shofts for arm64. Don't assume first dt entry cannot be zero.
The main pagetable volatility finds is used for TTBR1, it is used to translate all kernel-space addesses. Userspace addresses should be translated with the per-process dtb, which is used for TTBR0. An address is known to be kernel or userspace by looking at it's high bit.
This implementation parses only the user-pagetable, to avoid returning the entire kernel mapping for each user process.
|
Hi tsahee, Thanks for working on this and submitting a merge request. Are you able to share any memory samples that you used for testing or provide information about the configurations of the system's that you used for testing? I can help coordinate getting you feedback on the merge request. On a related note, you may also consider porting it to Volatility 3 since that is where most of the development effort is focused these days. It would make an interesting submission to the Volatility Plugin Contest! |
|
Thank you! Creating memory dumps can be done with this patched LIme: https://github.com/AGSaidi/LiME.git I can give more detailed instructions, and I am checking in parallel if I can upload a ready profile & memory dump. Currently volatility 2 is our priority, but I will certainly look at volatility 3. |
|
@JRomainG Can you please share that physical dump with me as I was unable to extract one even after so many attempts. It will be very kind of you. |
|
@beena113 I guess this isn't the best place to discuss this, so I dropped you an email directly |
|
@JRomainG Thanks alot! |
|
@tsahee I am creating a profile for volatility to analyze my image "ram-dump.lime" but I got following errors. I downloaded volatility using link https://github.com/tsahee/volatility.git -b arm64". When I run command "python2 vol.py --profile= Linuxandroid-profilearm64 -f ../ram-dump.lime linux_pslist", it shows error "Volatility debug: Invalid profile selected" but when i run command "$ python2 vol.py --info | grep -i android" it shows "Linuxandroid-profilearm64 - A Profile for Linux android-profile arm64".Can you please help me to remove this. |
|
There’s a space before the name of the profile that you need to remove:
Should be
However, from what I understood in your emails, you’re having another issue with the detection of the address space |
|
Yes, I already tried without space. |
|
In that case, the information you provided won’t be of any help, since you’re trying to solve another issue I think it would be best to move this to a separate issue on the dedicated fork to avoid cluttering this thread, and include the information mentioned in the readme:
Including the full output of the command with the |
|
Sure |
Would be great if you could share the lime dump to me too. The email is [email protected] |
|
Hello Panchajanya,
Sorry it was a long time ago and I don't have it now.
Regards, On Tuesday, April 2, 2024 at 03:11:40 PM GMT+5, panchajanya. ***@***.***> wrote:
@beena113 I guess this isn't the best place to discuss this, so I dropped you an email directly
Would be great if you could share the lime dump to me too. The email is ***@***.***
Thank you!
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
Hello!
This merge request is addressing #687 - adding arm64 linux support for volatility.
I would be very happy to hear your comments on code and fix as needed.
Most work is rather straight forward - adapting for arm64 page-table format and kernel symbols.
supporting dual-pagetables was not entirely straight forward. In arm64 the entire kernel space is translated with a single pagetable for all process, and each userspace has it's own pagetable only translating userspace addresses (separated by the msb). Thus when working on a process two DTBs must be used. In my implementation (in a separate patch): when the arm64 validity checker finds a valid addresspace, it notifies the addresspace that it is valid - and then that DTB will be stored in the addresspace class as the kernel's page-table. The fisrt valid DTB will then be used as kernelspace DTB, while userspace dtbs may come from the address-space constructor.
My implementation for get_available_pages only traverses userspace pages.