This will be interesting to debug as Python should not segfault and
cannot from normal user interactions so it has to be a bug within the
C code (somewhere).
Could you start by taking a normal memory sample of your guest VM
using LiME, running Volatility against it, and sending us the output/
results? This will help us figure out if it is something with libvmi
On Tue, Oct 1, 2013 at 2:12 AM, Sebastian Biedermann
<biedermann(a)seceng.informatik.tu-darmstadt.de> wrote:
Hi, my setup is an Ubuntu 12.04 with Kernel
3.8.0-30-generic (x86_64).
I use Volatility 2.3b and the VMI-Tools to investigate a running Xen
(HVM) guest domain.
The guest domain runs Ubuntu 10.04.4 with Kernel 2.6.32-51-generic (x86_64).
I built a profile and the command linux_pslist works fine and shows
me each running process (several other commands work as well),
but the command:
# python vol.py -l vmi://guestVM --profile=Linux2_6_32-51-amd64x64 linux_proc_maps -p 9615
Volatile Systems Volatility Framework 2.3_beta
Pid      Start              End                Flags  Pgoff              Major  Minor  Inode      File Path
-------- ------------------ ------------------ ------ ------------------ ------ ------ ---------- ------------------
segmentation fault (core dumped)
results in a segmentation fault...
I tried a lot of other Kernels in the guest domain, but each time I had
the same results.
Probably, it's not working because I use the VMI tools on a running VM?
Is there an explanation for that or a way how I could fix this?
Thank you!
On 01.10.2013 03:03, Andrew Case wrote:
> Can you please send the full command line input and output related to
> your issue?
>
> Also:
> - the kernel/distro that the sample was taken from
> - what acquisition tool was used
> - what version of Volatility you are using.
>
> This will greatly help us diagnose the issue.
>
> Thanks,
> Andrew (@attrc)
>
> On Thu, Sep 26, 2013 at 4:05 PM, Sebastian Biedermann
> <biedermann(a)seceng.informatik.tu-darmstadt.de> wrote:
>> Hi guys,
>>
>> I'm trying to find out the addresses of the memory pages of a target process
>> that are used as stack and heap on Linux.
>> (Precisely, I would like to have the output which can be seen in
>> /proc/<pid>/maps for a target process)
>>
>> Unfortunately, the command linux_proc_maps is not working, I always get a
>> segmentation fault,
>> although I tried different kernels as well as Linux setups (Ubuntu) - it's
>> just not working.
>>
>> Can anyone tell me a setup (Linux & Kernel) in which the linux_proc_maps
>> command works?
>> Or give me a hint how I could figure out these addresses another way?
>>
>> Thank you!