Hello,
The backtrace you got was because the init_task was not found or
had an invalid address. Can you please check that there is such a
symbol on your System.map. For example:
~/projects/volatility(scudette_playground)$ unzip -p system.zip boot/System.map-3.0.0-12-server | grep init_task
[SNIP]
I've done this with my System.map. This is what happens:
dark-eye@Ragana:~/Sources/volatility_linux64$ unzip -p debian_squeeze.zip boot/System.map-2.6.32-5-686 | grep init_task
c1083b60 T perf_event_init_task
c1336980 r __ksymtab_init_task
c133eef0 r __kcrctab_init_task
c13431a8 r __kstrtab_init_task
c1388ba0 D init_task
c14322d8 B init_task_group
Because I'm not really sure how to translate those virtual addresses to
the offsets of the memory dump, I used volatilitux to evaluate the
virtual addresses.
dark-eye@Ragana:~/Sources/volatilitux$ python volatilitux.py -f /home/dark-eye/Desktop/LF32.ram -d pslist
swapper comm found at 012f4e84
swapper comm found at 01388dc4
init comm found at 1f82c0f0
confirmed: swapper comm found with init's prev
potential offset_parents: 312, 316
swapper_addr = 01388ba0, init_addr = 1f82c000
offset_comm = 548, offset_tasks = 240, offset_parent = 316
potential_offset_pid = 300
offset_mm = 268
offset_vmfile = 72
offset_fdentry = 12, offset_qstr = 32
offset_pgd = 36
arch = x86
Address Name PID PPID mm
c1388ba0 swapper 0 0 00000000
df82c000 init 1 0 d792a380 (pgd=df8b4000)
df82c440 kthreadd 2 0 00000000
So I think the c1388ba0 address is correct for the swapper not the
init_task. Is this assumption right?
I checked if I maybe mixed up something while dumping the memory, but
can't figure out what it could be. Do you have any further ideas?
Greetings
Patrick
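
Added example (not part of the original message, and not Volatility or volatilitux code): translating the System.map address of init_task into an offset in the dump and reading the task name stored there, using the values quoted above. It assumes a 32-bit x86 kernel with the default PAGE_OFFSET of 0xC0000000, a directly mapped (lowmem) address, and a raw dump whose file offsets equal physical addresses; the helper names are hypothetical and the in-memory dump is constructed.

```python
import io

PAGE_OFFSET = 0xC0000000  # assumption: default 3G/1G split on 32-bit x86
OFFSET_COMM = 548         # task_struct.comm offset reported by volatilitux above

# System.map lines as quoted in the message above
SYSTEM_MAP = """\
c1083b60 T perf_event_init_task
c1336980 r __ksymtab_init_task
c133eef0 r __kcrctab_init_task
c13431a8 r __kstrtab_init_task
c1388ba0 D init_task
c14322d8 B init_task_group
"""

def lookup_symbol(system_map_text, name):
    """Return the address of an exact symbol name (grep matches substrings)."""
    for line in system_map_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == name:
            return int(parts[0], 16)
    raise KeyError(name)

def kernel_virt_to_phys(vaddr, page_offset=PAGE_OFFSET):
    """Translate a directly mapped kernel virtual address to a physical one."""
    if vaddr < page_offset:
        raise ValueError("not a kernel lowmem address: %#x" % vaddr)
    return vaddr - page_offset

def read_comm(dump, task_phys, offset_comm=OFFSET_COMM, length=16):
    """Read the NUL-padded task name from a raw dump opened in binary mode."""
    dump.seek(task_phys + offset_comm)
    return dump.read(length).split(b"\x00", 1)[0].decode("ascii", "replace")

def demo():
    """Locate init_task and read its name from a constructed stand-in dump."""
    phys = kernel_virt_to_phys(lookup_symbol(SYSTEM_MAP, "init_task"))
    dump = io.BytesIO()                # constructed: zeros up to the name
    dump.seek(phys + OFFSET_COMM)
    dump.write(b"swapper".ljust(16, b"\x00"))
    return phys, read_comm(dump, phys)

if __name__ == "__main__":
    phys, comm = demo()
    print("init_task phys=%#010x comm=%r" % (phys, comm))
```

With a real dump, pass a file opened with open(path, "rb") to read_comm in place of the constructed buffer. The translated address plus the comm offset is 0x01388dc4, the same location volatilitux printed for one of its swapper matches.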