Re: [Vol-users] Incorrect addresses in linux_proc_maps
1 Mar
2013
1 Mar
'13
12:01 p.m.
Thanks for the quick response.
Sadly, I can't access my VMs at home, so I'll send the
/proc/<pid>/maps first thing in the morning on monday.
Cheers,
Edwin
On 1 March 2013 17:29, Michael Hale Ligh <michael.hale(a)gmail.com> wrote:
Ah, this has to do with the fact that a long and
unsigned long on x86 Linux
is actually 8 bytes (instead of 4 like on Windows).
We'll take a look at changing the formatting specification to account for
this difference in sizes, and if it can't be done easily before the 2.3
release, then we'll revert the patch in r3090 to re-incorporate mask_number.
Please still send the output of /proc/<pid>/maps just so we know how it
looks for the future.
MHL
On Fri, Mar 1, 2013 at 10:53 AM, Michael Hale Ligh <michael.hale(a)gmail.com>
wrote:
Thanks for reporting. We just recently removed the mask_number function
(http://code.google.com/p/volatility/source/detail?r=3090) because vm_start
and vm_end are already unsigned (so you shouldn't see negative numbers in
output).
I'm guessing this may be a problem with our output formatting, but we'll
look into it (the output of /proc/<pid>/maps like Andrew asked for would be
useful).
On Fri, Mar 1, 2013 at 10:47 AM, Andrew Case <atcuno(a)gmail.com> wrote:
Can you send the output of /proc/<pid>/maps that corresponds to one of
the processes with the broken plugin output?
On Fri, Mar 1, 2013 at 6:52 AM, Edwin Smulders <edwin.smulders(a)gmail.com>
wrote:
Hi all,
I've just created a profile for my Ubuntu 12.04 (3.5.0-25) and I've
dumped the memory using virtualbox guestcoredump.
Using the linux_proc_maps plugin I get the following output:
http://paste.ubuntu.com/5576450/
I was expecting similar output to "cat /proc/<pid>/maps". As you can
see, these "-0x4...000" addresses are obviously wrong. Is this I am
doing wrong myself, or is this a bug? It happens for other processes
as well.
If this is a bug I'll make a new issue in the tracker with the steps
I've followed to produce this.
Cheers,
Edwin
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users