{"id":13738923,"url":"https://github.com/volatilityfoundation/dwarf2json","last_synced_at":"2025-04-04T23:06:37.295Z","repository":{"id":39097670,"uuid":"88587728","full_name":"volatilityfoundation/dwarf2json","owner":"volatilityfoundation","description":"convert ELF/DWARF symbol and type information into vol3's intermediate JSON","archived":false,"fork":false,"pushed_at":"2024-10-09T00:01:39.000Z","size":74,"stargazers_count":116,"open_issues_count":14,"forks_count":30,"subscribers_count":14,"default_branch":"master","last_synced_at":"2025-03-28T22:11:24.134Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/volatilityfoundation.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-04-18T06:01:19.000Z","updated_at":"2025-03-12T23:29:27.000Z","dependencies_parsed_at":"2024-01-25T00:05:35.836Z","dependency_job_id":"f044fd7c-5848-4291-8685-ca2601fc1cfe","html_url":"https://github.com/volatilityfoundation/dwarf2json","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/volatilityfoundation%2Fdwarf2json","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/volatilityfoundation%2Fdwarf2json/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/volatilityfoundation%2Fdwarf2json/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/volatilityfoundation%2Fdwarf
2json/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/volatilityfoundation","download_url":"https://codeload.github.com/volatilityfoundation/dwarf2json/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247261600,"owners_count":20910108,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T04:00:20.237Z","updated_at":"2025-04-04T23:06:37.276Z","avatar_url":"https://github.com/volatilityfoundation.png","language":"Go","funding_links":[],"categories":["Tool"],"sub_categories":["Memory Analysis"],"readme":"# Introduction\n\n`dwarf2json` is a Go utility that processes files containing symbol and type\ninformation to generate [Volatility3](https://github.com/volatilityfoundation/volatility3)\nIntermediate Symbol File (ISF) JSON output suitable for Linux and macOS\nanalysis.\n\n[![build](https://github.com/volatilityfoundation/dwarf2json/workflows/build/badge.svg)](https://github.com/volatilityfoundation/dwarf2json/actions?query=workflow%3Abuild)\n\nTo build (Go 1.18+ required):\n```\n  $ go build\n```\n\nTo run:\n```\n  $ ./dwarf2json --help\n  Usage: ./dwarf2json COMMAND\n\n  A tool for generating intermediate symbol file (ISF)\n\n  Commands:\n    linux  generate ISF for Linux analysis\n    mac    generate ISF for macOS analysis\n\n  Options:\n  -h, --help     Show this screen.\n  -v, --version  Show tool and output schema version.\n```\n\nNote: processing large DWARF files requires a minimum of 8GB RAM.\n\n# Linux Processing\n`dwarf2json` supports processing DWARF 
and symbol table information from ELF\nfiles and symbols from System.map input files to produce ISF for\nLinux analysis.\n\nThe user can select whether to include symbols, types, or both for each\ninput file.\n\n```\n  $ ./dwarf2json linux --help\n  Usage: dwarf2json linux [OPTIONS]\n\n        --elf PATH           ELF file PATH to extract symbol and type information\n        --elf-symbols PATH   ELF file PATH to extract only symbol information\n        --elf-types PATH     ELF file PATH to extract only type information\n        --system-map PATH    System.Map file PATH to extract symbol information\n```\n\nFor example, including symbols and types for a given Linux kernel DWARF\nfile can be done with:\n```\n  $ ./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-4.4.0-137-generic \u003e output.json\n```\n\nSymbol offsets for symbols extracted from symbol table information take\nprecedence over those extracted from DWARF information. Thus, symbols extracted\nfrom files specified with the `--elf-symbols` flag take precedence over symbols\nextracted from files specified with `--elf`. Symbol offsets for symbols from\n`System.map`, specified with the `--system-map` flag, have the highest precedence. If\nthere is a conflict between the different symbol information sources, the\noffset from `System.map` will be used.\n\nProviding multiple input files for a given flag is allowed. For example,\n`./dwarf2json linux --elf file1 --elf file2 ...` would process both `file1` and\n`file2`. 
When conflicting symbol or type information is encountered, the data\nfrom the last file specified in the command invocation takes precedence.\n\n# MacOS Processing\n`dwarf2json` supports processing DWARF and symbol table information from Mach-O\nfiles to produce ISF for macOS analysis.\n\nThe user can select whether to include symbols, types, or both for each\ninput file.\n\n```\n  $ ./dwarf2json mac --help\n  Usage: dwarf2json mac [OPTIONS]\n\n        --arch NAME            architecture for universal FAT files. NAME is one of {i386|x86_64}\n        --macho PATH           Mach-O file PATH to extract symbol and type information\n        --macho-symbols PATH   Mach-O file PATH to extract only symbol information\n        --macho-types PATH     Mach-O file PATH to extract only type information\n```\n\nFor example, including symbols and types for a given macOS kernel DWARF\nfile and symbols from a macOS kernel can be done with:\n```\n  $ ./dwarf2json mac --macho /path/kernel.dSYM/Contents/Resources/DWARF/kernel \\\n    --macho-symbols /path/kernel \u003e output.json\n```\n\nSymbol offsets for symbols extracted from symbol table information take\nprecedence over those extracted from DWARF information. Thus, symbols extracted\nfrom files specified with the `--macho-symbols` flag take precedence over symbols\nextracted from files specified with `--macho`.\n\n\nProviding multiple input files for a given flag is allowed. For example,\n`./dwarf2json mac --macho file1 --macho file2 ...` would process both `file1` and\n`file2`. 
When conflicting symbol or type information is encountered, the data\nfrom the last file specified in the command invocation takes precedence.\n\nWhen processing Mach-O universal FAT binaries, the `--arch` flag needs to be\nused to select the architecture for one of the embedded Mach-O files.\n\nFor example, generating an ISF JSON file for the i386 architecture of an OS X 10.7\nkernel debug kit can be done with:\n\n```\n  $ ./dwarf2json mac --arch i386 \\\n  --macho mach_kernel.dSYM/Contents/Resources/DWARF/mach_kernel \\\n  --macho-symbols mach_kernel \u003e mach_kernel.json\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvolatilityfoundation%2Fdwarf2json","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvolatilityfoundation%2Fdwarf2json","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvolatilityfoundation%2Fdwarf2json/lists"}