Re: [Vol-users] Incorrect addresses in linux_proc_maps
21 Mar
2013
21 Mar
'13
8:29 a.m.
I'd like to expand a bit more on this issue. I don't think it's just a
formatting issue, now that I'm actually using this to develop my own
plugin I noticed that the values I get from the task.mm.start_stack,
task.mm.arg_start and several other values are actually negative
numbers. task.mm.start_brk/task.mm.brk seem to be ok, not sure why.
On 4 March 2013 10:02, Edwin Smulders <edwin.smulders(a)gmail.com> wrote:
Here's /proc/1264/maps
http://paste.ubuntu.com/5584610/
On 1 March 2013 18:01, Edwin Smulders <edwin.smulders(a)gmail.com> wrote:
> Thanks for the quick response.
> Sadly, I can't access my VMs at home, so I'll send the
> /proc/<pid>/maps first thing in the morning on monday.
>
> Cheers,
> Edwin
>
> On 1 March 2013 17:29, Michael Hale Ligh <michael.hale(a)gmail.com> wrote:
>> Ah, this has to do with the fact that a long and unsigned long on x86 Linux
>> is actually 8 bytes (instead of 4 like on Windows).
>>
>> We'll take a look at changing the formatting specification to account for
>> this difference in sizes, and if it can't be done easily before the 2.3
>> release, then we'll revert the patch in r3090 to re-incorporate mask_number.
>>
>> Please still send the output of /proc/<pid>/maps just so we know how it
>> looks for the future.
>> MHL
>>
>>
>> On Fri, Mar 1, 2013 at 10:53 AM, Michael Hale Ligh
<michael.hale(a)gmail.com>
>> wrote:
>>>
>>> Thanks for reporting. We just recently removed the mask_number function
>>> (http://code.google.com/p/volatility/source/detail?r=3090) because vm_start
>>> and vm_end are already unsigned (so you shouldn't see negative numbers
in
>>> output).
>>>
>>> I'm guessing this may be a problem with our output formatting, but
we'll
>>> look into it (the output of /proc/<pid>/maps like Andrew asked for
would be
>>> useful).
>>>
>>>
>>> On Fri, Mar 1, 2013 at 10:47 AM, Andrew Case <atcuno(a)gmail.com> wrote:
>>>>
>>>> Can you send the output of /proc/<pid>/maps that corresponds to one
of
>>>> the processes with the broken plugin output?
>>>>
>>>> On Fri, Mar 1, 2013 at 6:52 AM, Edwin Smulders
<edwin.smulders(a)gmail.com>
>>>> wrote:
>>>> > Hi all,
>>>> >
>>>> > I've just created a profile for my Ubuntu 12.04 (3.5.0-25) and
I've
>>>> > dumped the memory using virtualbox guestcoredump.
>>>> > Using the linux_proc_maps plugin I get the following output:
>>>> >
>>>> > http://paste.ubuntu.com/5576450/
>>>> >
>>>> > I was expecting similar output to "cat
/proc/<pid>/maps". As you can
>>>> > see, these "-0x4...000" addresses are obviously wrong. Is
this I am
>>>> > doing wrong myself, or is this a bug? It happens for other
processes
>>>> > as well.
>>>> >
>>>> > If this is a bug I'll make a new issue in the tracker with the
steps
>>>> > I've followed to produce this.
>>>> >
>>>> > Cheers,
>>>> > Edwin
>>>> > _______________________________________________
>>>> > Vol-users mailing list
>>>> > Vol-users(a)volatilityfoundation.org
>>>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>> _______________________________________________
>>>> Vol-users mailing list
>>>> Vol-users(a)volatilityfoundation.org
>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>
>>>
>>