Hello everyone,

I apologize if this is not correctly described, but I have been trying to read para-virtualized (PV) core dump files from a Xen hypervisor. Now, I have managed to read the core dump when the VM is in HVM mode and read the pfn values of an Ubuntu system with this external GitHub project (address space from the Xenelf.py file): https://github.com/banne01/xen-core-velocity (after modifying line 126 to use elf_hdr instead of elf64_hdr to solve a weird error message).

However, I cannot seem to figure out how the p2m values are properly read from a PV SUSE Linux Enterprise Server VM. There is a pfn value and a gmfn value in the p2m array of values which I cannot seem to read and interpret properly, even if I specifically tell Volatility to focus on just the pfn values. In addition, Volatility succeeds in instantiating the address space for the SLES core dump, but it still errors out after all the other address spaces have been exhausted.

If anyone has any feedback or ways to point me in the right direction, could you let me know?

Thanks, and best regards.

Michael Seborowski