Hi Juerg,
  Are you taking into account the memory gaps that normally occur just
below the 4 GB mark? Usually these need to be padded by zero in a raw
image but in many image file formats (which support sparse memory
ranges) they are not. So you usually need to identify the memory
ranges in the image format, and then pad the gaps with zeros to
maintain the raw offsets.
Michael.
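The padding described above, as an added example (this is not code from the thread or from the lqs2mem tool): a small Python model that maps offsets in QEMU's contiguous guest-RAM block to guest-physical addresses and writes a raw image in which every physical run sits at its own address, zero-filling the hole between them. The 0xe0000000 (3584 MB) hole start is an assumption about the QEMU i440fx "pc" layout of that era, not something the thread states, although it matches the 3584/3588 MB threshold reported in the quoted message. The demo uses a constructed, scaled-down layout so it runs entirely in memory.

```python
import io

# Assumed layout (not stated in the thread): QEMU's i440fx machine of that era kept
# guest RAM below 0xe0000000 (3584 MB) identity-mapped and relocated everything
# above that offset to start at 4 GB, leaving a 512 MB hole below the 4 GB mark.
FOUR_GB = 0x100000000
DEFAULT_BELOW_4G = 0xE0000000  # assumed hole start (3584 MB)


def ram_offset_to_phys(ram_offset, below_4g=DEFAULT_BELOW_4G):
    """Map an offset into the contiguous guest-RAM block to a guest-physical address."""
    if ram_offset < below_4g:
        return ram_offset
    return FOUR_GB + (ram_offset - below_4g)


def physical_runs(ram_size, below_4g=DEFAULT_BELOW_4G):
    """Return the (phys_start, length) runs that a RAM block of ram_size bytes covers."""
    if ram_size <= below_4g:
        return [(0, ram_size)]
    return [(0, below_4g), (FOUR_GB, ram_size - below_4g)]


def write_padded_raw(runs, out):
    """Write (phys_start, data) runs to out so that file offset == physical address.

    Gaps between runs are zero-filled in chunks (a 512 MB hole must not need
    512 MB of memory); overlapping runs are rejected. Returns the final size."""
    cursor = 0
    for phys_start, data in sorted(runs, key=lambda r: r[0]):
        if phys_start < cursor:
            raise ValueError("overlapping run at 0x%x" % phys_start)
        remaining = phys_start - cursor
        while remaining:
            chunk = min(remaining, 1 << 20)
            out.write(b"\0" * chunk)
            remaining -= chunk
        out.write(data)
        cursor = phys_start + len(data)
    return cursor


def build_demo_image():
    """Constructed, scaled-down layout: RAM below a hole, the hole, RAM above it."""
    low = b"\xAA" * 0x3000   # constructed "RAM below the hole" (physical 0x0000-0x2fff)
    high = b"\xBB" * 0x2000  # constructed "RAM above the hole" (physical 0x5000-0x6fff)
    hole_end = 0x5000        # the relocated run starts here; 0x3000-0x4fff is the hole
    out = io.BytesIO()
    size = write_padded_raw([(hole_end, high), (0, low)], out)  # deliberately unsorted
    return out.getvalue(), size


def rejects_overlap():
    """True if write_padded_raw refuses runs that overlap (a corrupt range table)."""
    try:
        write_padded_raw([(0, b"\xAA" * 0x2000), (0x1000, b"\xBB" * 0x1000)], io.BytesIO())
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    image, size = build_demo_image()
    print("raw image size 0x%x, hole bytes zero: %s"
          % (size, image[0x3000:0x5000] == b"\0" * 0x2000))
    print("3588 MB guest covers", [(hex(s), hex(n)) for s, n in physical_runs(3588 << 20)])
```

Under the assumed layout, a guest of 3588 MB has 4 MB of RAM that lives at physical 4 GB; without the zero fill that RAM lands 512 MB too early in the raw file, so anything the guest kernel placed above 4 GB is read from the wrong offset. A cheap sanity check on a converted file is that its size equals the highest physical run start plus that run's length.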
On 7 August 2013 16:20, Juerg Haefliger <juergh(a)gmail.com> wrote:
  Hi all,
 I wrote a little tool to convert a KVM/libvirt dump to a raw memory
 file (https://github.com/juergh/lqs2mem). Volatility seems to be able
 to handle the resulting file just fine for small dumps but not so much
 the larger they get. Specifically, things start to break when the
 memory size of the VM approaches 4 GB. I double and triple checked my
 code and can't find anything obviously wrong (like using a 32-bit
 variable for a 64-bit address or pointer). I also don't think that
 Volatility has a problem with larger dumps since it can handle an 8 GB
 memory dump that I obtained using some other means. I'm just running
 out of ideas and am looking for some help or suggestions on how to
 debug this further.
 In my testing with Win 2008 R2 SP1 x64 I found that (see full outputs below):
 1) imageinfo and pslist return the correct output for VMs with less than 3588 MB
 2) pslist only returns a single task (System) for VMs larger than 3587 MB
 3) imageinfo shows only 1 processor (when there are actually two) for
 VMs larger than 3712 MB (give or take)
 Any help is greatly appreciated.
 Thanks
 ...Juerg
 VM memory size: 3584 MB:
 Determining profile based on KDBG search...
           Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                      AS Layer1 : AMD64PagedMemory (Kernel AS)
                      AS Layer2 : FileAddressSpace (/var/lib/libvirt/qemu/save/win-3584.ram)
                       PAE type : PAE
                            DTB : 0x187000L
                           KDBG : 0xf800017fb0a0
           Number of Processors : 2
      Image Type (Service Pack) : 1
                 KPCR for CPU 0 : 0xfffff800017fcd00L
                 KPCR for CPU 1 : 0xfffff880009b8000L
              KUSER_SHARED_DATA : 0xfffff78000000000L
            Image date and time : 2013-07-16 12:24:50 UTC+0000
      Image local date and time : 2013-07-16 12:24:50 +0000
 Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
 ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
 0xfffffa8002a7cb30 System                    4      0     70      396 ------      0 2013-07-16 12:24:33 UTC+0000
 0xfffffa80030f09d0 smss.exe                220      4      4       31 ------      0 2013-07-16 12:24:33 UTC+0000
 0xfffffa80034574d0 csrss.exe               300    292      9      339      0      0 2013-07-16 12:24:34 UTC+0000
 0xfffffa8003465b30 wininit.exe             352    292      7       93      0      0 2013-07-16 12:24:34 UTC+0000
 0xfffffa8003469b30 csrss.exe               368    344      8       76      1      0 2013-07-16 12:24:34 UTC+0000
 0xfffffa800349c280 winlogon.exe            412    344      5       83      1      0 2013-07-16 12:24:34 UTC+0000
 0xfffffa80034a7160 services.exe            448    352     17      215      0      0 2013-07-16 12:24:34 UTC+0000
 0xfffffa80034b4b30 lsass.exe               464    352      9      458      0      0 2013-07-16 12:24:34 UTC+0000
 0xfffffa80034b64f0 lsm.exe                 472    352     12      194      0      0 2013-07-16 12:24:34 UTC+0000
 0xfffffa800350cb30 svchost.exe             584    448     17      355      0      0 2013-07-16 12:24:34 UTC+0000
 0xfffffa8003522060 svchost.exe             664    448     13      221      0      0 2013-07-16 12:24:34 UTC+0000
 0xfffffa8003547060 svchost.exe             724    448     16      312      0      0 2013-07-16 12:24:34 UTC+0000
 0xfffffa8003552b30 LogonUI.exe             744    412      8      157      1      0 2013-07-16 12:24:34 UTC+0000
 0xfffffa8003572b30 svchost.exe             812    448     43      782      0      0 2013-07-16 12:24:34 UTC+0000
 0xfffffa8003594b30 svchost.exe             856    448     14      234      0      0 2013-07-16 12:24:34 UTC+0000
 0xfffffa800359b9b0 svchost.exe             900    448      8      128      0      0 2013-07-16 12:24:34 UTC+0000
 0xfffffa80035b3060 svchost.exe             940    448     19      361      0      0 2013-07-16 12:24:34 UTC+0000
 0xfffffa80035fcb30 svchost.exe             372    448     16      259      0      0 2013-07-16 12:24:35 UTC+0000
 0xfffffa80035f6b30 spoolsv.exe            1048    448      8       89      0      0 2013-07-16 12:24:35 UTC+0000
 0xfffffa8003679650 blnsvr.exe             1076    448      7      100      0      0 2013-07-16 12:24:35 UTC+0000
 0xfffffa80035e5450 svchost.exe            1116    448      4       50      0      0 2013-07-16 12:24:35 UTC+0000
 0xfffffa8003732b30 WmiPrvSE.exe           1364    584     15      294      0      0 2013-07-16 12:24:35 UTC+0000
 0xfffffa8003767250 svchost.exe            1484    448     12      241      0      0 2013-07-16 12:24:35 UTC+0000
 0xfffffa80037df620 WmiApSrv.exe           1684    448      7      112      0      0 2013-07-16 12:24:36 UTC+0000
 0xfffffa80037a56c0 WmiPrvSE.exe           1716    584      7      105      0      0 2013-07-16 12:24:36 UTC+0000
 0xfffffa8003763270 WmiPrvSE.exe           1764    584      7      175      0      0 2013-07-16 12:24:38 UTC+0000
 VM memory size: 3588 MB
 Determining profile based on KDBG search...
           Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                      AS Layer1 : AMD64PagedMemory (Kernel AS)
                      AS Layer2 : FileAddressSpace (/var/lib/libvirt/qemu/save/win-3588.ram)
                       PAE type : PAE
                            DTB : 0x187000L
                           KDBG : 0xf8000180e0a0
           Number of Processors : 2
      Image Type (Service Pack) : 1
                 KPCR for CPU 0 : 0xfffff8000180fd00L
                 KPCR for CPU 1 : 0xfffff880009b8000L
              KUSER_SHARED_DATA : 0xfffff78000000000L
            Image date and time : 2013-07-16 12:50:59 UTC+0000
      Image local date and time : 2013-07-16 12:50:59 +0000
 Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
 ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
 0xfffffa800308d9e0 System                    4      0     68      275 ------      0 2013-07-16 12:50:55 UTC+0000
 VM memory size: 3840 MB
 Determining profile based on KDBG search...
           Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                      AS Layer1 : AMD64PagedMemory (Kernel AS)
                      AS Layer2 : FileAddressSpace (/var/lib/libvirt/qemu/save/win-3840.ram)
                       PAE type : PAE
                            DTB : 0x187000L
                           KDBG : 0xf800018400a0
           Number of Processors : 1
      Image Type (Service Pack) : 1
                 KPCR for CPU 0 : 0xfffff80001841d00L
              KUSER_SHARED_DATA : 0xfffff78000000000L
            Image date and time : 2013-07-16 12:28:55 UTC+0000
      Image local date and time : 2013-07-16 12:28:55 +0000
 Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
 ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
 0xfffffa80033849e0 System                    4      0     72 -------- ------      0 2013-07-16 12:28:47 UTC+0000
 _______________________________________________
 Vol-users mailing list
 Vol-users(a)volatilityfoundation.org
 
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users