Linux Profile Error - KeyError: 'DW_AT_data_member_location'

[mthbrown]

Hi,

I'm currently trying to run Volatility 2 on a custom profile for Ubuntu 22.04. I successfully created the profile by running:

git clone --depth=1 https://github.com/volatilityfoundation/volatility.git
cd volatility/tools/linux
echo 'MODULE_LICENSE("GPL");' >> module.c # to get around the error mentioned here https://github.com/volatilityfoundation/volatility/issues/812
make
zip ubuntu22.04.zip volatility/tools/linux/module.dwarf /boot/System.map-`uname -r`
  adding: volatility/tools/linux/module.dwarf (deflated 91%)
  adding: boot/System.map-5.15.0-33-generic (deflated 80%)

and I can see the profile when I run:

# python vol.py --info | less

Profiles
--------
Linuxubuntu22_04x64   - A Profile for Linux ubuntu22.04 x64
VistaSP0x64           - A Profile for Windows Vista SP0 x64

However, when I try to use the profile, it fails with this error:

# python2 vol.py --plugins=/root/profiles --profile=Linuxubuntu22_04x64 -f /Linux64.mem linux_pslist
Volatility Foundation Volatility Framework 2.6.1
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
    main()
  File "vol.py", line 183, in main
    command.execute()
  File "/root/volatility/volatility/plugins/linux/common.py", line 67, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/root/volatility/volatility/commands.py", line 116, in execute
    if not self.is_valid_profile(profs[self._config.PROFILE]()):
  File "/root/volatility/volatility/plugins/overlays/linux/linux.py", line 218, in __init__
    obj.Profile.__init__(self, *args, **kwargs)
  File "/root/volatility/volatility/obj.py", line 862, in __init__
    self.reset()
  File "/root/volatility/volatility/plugins/overlays/linux/linux.py", line 232, in reset
    self.load_vtypes()
  File "/root/volatility/volatility/plugins/overlays/linux/linux.py", line 269, in load_vtypes
    vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
  File "/root/volatility/volatility/dwarf.py", line 72, in __init__
    self.feed_line(line)
  File "/root/volatility/volatility/dwarf.py", line 163, in feed_line
    self.process_statement(**parsed) #pylint: disable-msg=W0142
  File "/root/volatility/volatility/dwarf.py", line 267, in process_statement
    d = data['DW_AT_data_member_location']
KeyError: 'DW_AT_data_member_location'

and for the binary version as well:

# ./volatility_2.6_lin64_standalone --plugins=/root/profiles --profile=Linuxubuntu22_04x64 -f /Linux64.mem linux_pslist
Volatility Foundation Volatility Framework 2.6
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
  File "vol.py", line 183, in main
  File "volatility/plugins/linux/common.py", line 64, in execute
  File "volatility/commands.py", line 116, in execute
  File "volatility/plugins/overlays/linux/linux.py", line 216, in __init__
  File "volatility/obj.py", line 862, in __init__
  File "volatility/plugins/overlays/linux/linux.py", line 227, in reset
  File "volatility/plugins/overlays/linux/linux.py", line 264, in load_vtypes
  File "volatility/dwarf.py", line 71, in __init__
  File "volatility/dwarf.py", line 162, in feed_line
  File "volatility/dwarf.py", line 255, in process_statement
KeyError: 'DW_AT_data_member_location'
Failed to execute script vol

I ran into this error for memory captures from both LiME (including with and without the timeout=0 option as mentioned here and AVML. I attached the profile - ubuntu22.04.zip.

Any ideas? Thanks.

UPDATE I was able to successfully run the equivalent command on Volatility 3 by creating a custom Symbols Table that I attached
vmlinux-5.15.0-33-generic.json.gz but I would rather run it on Volatility 2 due to the extra plugins available on Volatility 2

[Woask1]

I've got the exact same issue.

[IridiumXOR]

Same here :/

[MrPickled]

Same issue！Maybe the Volatility Version issue，this standalone might have some problem.

[MrPickled]

Volatility Foundation Volatility Framework 2.4
Traceback (most recent call last):
File "", line 192, in
File "", line 183, in main
File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.common", line 62, in execute
File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.commands", line 99, in execute
File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.overlays.linux.linux", line 207, in init
File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.obj", line 858, in init
File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.overlays.linux.linux", line 217, in reset
File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.overlays.linux.linux", line 254, in load_vtypes
File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.dwarf", line 71, in init
File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.dwarf", line 162, in feed_line
File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.dwarf", line 204, in process_statement
KeyError: 'DW_AT_byte_size'

Volatility 2.4.0 have the same issue.

[miszr]

I have found what the issue is.

The DWARF data generated seems to be using the DWARFv5 or newer version which Volatility 2 is not able to interpret.

Adding "-gdwarf-4" to KBUILD_CLFAGS in the root Makefile in the kernel source tree solves the issue.

Before:

ifdef CONFIG_DEBUG_INFO
KBUILD_CFLAGS += -g
KBUILD_AFLAGS += -gdwarf-2
endif

After:

ifdef CONFIG_DEBUG_INFO
KBUILD_CFLAGS += -g -gdwarf-4
KBUILD_AFLAGS += -gdwarf-2
endif

This is a manual solution, requiring changes every time a new profile needs to be generated.
A preferable solution would be adding support for newer DWARF versions in Volatility 2

[Metjuw]

I have found what the issue is.

The DWARF data generated seems to be using the DWARFv5 or newer version which Volatility 2 is not able to interpret.

Adding "-gdwarf-4" to KBUILD_CLFAGS in the root Makefile in the kernel source tree solves the issue.

Before:

ifdef CONFIG_DEBUG_INFO
KBUILD_CFLAGS += -g
KBUILD_AFLAGS += -gdwarf-2
endif

After:

ifdef CONFIG_DEBUG_INFO
KBUILD_CFLAGS += -g -gdwarf-4
KBUILD_AFLAGS += -gdwarf-2
endif

This is a manual solution, requiring changes every time a new profile needs to be generated. A preferable solution would be adding support for newer DWARF versions in Volatility 2

Could you kindly where the Makefile is located in the kernel source tree please?

The closest I found was the one shown below but it does not have what you mentioned above. I tried including this part:

KBUILD_CFLAGS += -g -gdwarf-4
KBUILD_AFLAGS += -gdwarf-2
endif

But I still got the same error as already reported above.

[miszr]

Could you kindly where the Makefile is located in the kernel source tree please?

The closest I found was the one shown below but it does not have what you mentioned above. I tried including this part:

KBUILD_CFLAGS += -g -gdwarf-4
KBUILD_AFLAGS += -gdwarf-2
endif

But I still got the same error as already reported above.

You have found the correct makefile, it should be the top makefile in the kernel source tree.
It just seems you have a different version of the kernel source. I did my discovery of this issue on a 3.10 kernel.

In your case, the addition should be on the line where its written:

DEBUG_CFLAGS     += -g

That is: if CONFIG_DEBUG_INFO is defined and CONFIG_DEBUG_INFO_SPLIT is not defined.

As an alternative, based on the version of the kernel you are using, setting CONFIG_DEBUG_INFO_DWARF4=y while making sure that CONFIG_DEBUG_INFO_DWARF5 and CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT are either unset or set to false, should provide with the same flags as I mentioned in my original comment.

[Metjuw]

Thank you for your reply. 👍

[transcend3nt]

Hi @mthbrown , thanks for solving the issue. How did you import the .zip profile into volatility 3 as you did for volatility 2? Thanks

[mthbrown]

@Metjuw @miszr Did it end up working on newer kernels? Although I no longer get the same error, it runs but gives EXCEPTIONS and can't find the base address:

# python2 vol.py --plugins=/home/vagrant/profiles/ --profile=Linuxubuntu22_04x64 -f /home/vagrant/output.lime linux_pstree
Volatility Foundation Volatility Framework 2.6.1
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
Name                 Pid             Uid
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 QemuCoreDumpElf: No base Address Space
 VMWareAddressSpace: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 SkipDuplicatesAMD64PagedMemory: No base Address Space
 WindowsAMD64PagedMemory: No base Address Space
 LinuxAMD64PagedMemory: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF Header signature invalid
 VMWareMetaAddressSpace: VMware metadata file is not available
 QemuCoreDumpElf: ELF Header signature invalid
 VMWareAddressSpace: Invalid VMware signature: -
 WindowsCrashDumpSpace32: Header signature invalid
 SkipDuplicatesAMD64PagedMemory: Incompatible profile Linuxubuntu22_04x64 selected
 WindowsAMD64PagedMemory: Incompatible profile Linuxubuntu22_04x64 selected
 LinuxAMD64PagedMemory - EXCEPTION: 'state'
 AMD64PagedMemory - EXCEPTION: 'state'
 IA32PagedMemoryPae: Incompatible profile Linuxubuntu22_04x64 selected
 IA32PagedMemory: Incompatible profile Linuxubuntu22_04x64 selected
 OSXPmemELF: ELF Header signature invalid
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace - EXCEPTION: 'state'

This is on Ubuntu 22.04 and kernel 5.15.0-53 and this is the section in the /usr/src/linux-headers-5.15.0-53/Makefile with the change mentioned:

ifdef CONFIG_DEBUG_INFO_SPLIT
DEBUG_CFLAGS    += -gsplit-dwarf
else
DEBUG_CFLAGS    += -g
DEBUG_CFLAGS    += -gdwarf-4
endif

I also had to comment out these lines as otherwise it give me the DW_AT_data_member_location error:

# ifndef CONFIG_DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT
# dwarf-version-$(CONFIG_DEBUG_INFO_DWARF4) := 4
# dwarf-version-$(CONFIG_DEBUG_INFO_DWARF5) := 5
# DEBUG_CFLAGS    += -gdwarf-$(dwarf-version-y)
# endif

And here is the bash script I used to build it:

#!/bin/bash

cd tools/linux/
make clean
make
cd ../../../
zip ubuntu22.04.zip volatility/tools/linux/module.dwarf /boot/System.map-`uname -r`
mv ubuntu22.04.zip profiles/
cd volatility/
python2 vol.py --plugins=/home/vagrant/profiles/ --profile=Linuxubuntu22_04x64 -f /home/vagrant/output.lime linux_pslist

Any ideas? Thanks

[mthbrown]

@transcend3nt You basically have to:

• download and compile dwarf2json
• install a debug version of the kernel used in the memory dump
• run dwarf2json to generate the symbols table

You are now good to go

[tr4c3datr4il]

@mthbrown

Same issue. I think vol 2 just don't support new kernel now.

[Blue0fSky]

@mthbrown Same issue here too. I'm on a 5.15.0 kernel.

[jotunel]

@mthbrown

Same issue here too. I'm on a 5.19.0-42-generic kernel.

Vol2 definetely does not support the new kernel.

We basically have to try to go to volatility3 and try to build custom symbol files.