If I create a snapshot (live or normal mode) of my VM in Xen (xm dump-core),
I cannot run any Volatility commands:
# python vol.py -f ../71.dmp --profile=Linux2_6_32-51-amd64x64 linux_pslist
Volatile Systems Volatility Framework 2.3_beta
Offset Name Pid Uid Gid DTB Start Time
------------------ -------------------- --------------- --------------- ------ ------------------ ----------
WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid course pde2_value 6d6f6320
I expected that, since I guess that Xen does snapshots in its own way.
If I create a memory dump of my VM using the libvmi tools (dump-core),
each Volatility command on this dump (including the linux_proc_maps)
works perfectly.
The linux_proc_maps command is just not working live on a running VM,
so I would assume it's a problem of libvmi.
Thank you!
On 01.10.2013 23:42, Andrew Case wrote:
This will be interesting to debug as Python should not segfault and
cannot from normal user interactions, so it has to be a bug within the
C code (somewhere).
Could you start by taking a normal memory sample of your guest VM
using LiME, running Volatility against it, and sending us the output/
results? This will help us figure out if it is something with libvmi.
On Tue, Oct 1, 2013 at 2:12 AM, Sebastian Biedermann
<biedermann(a)seceng.informatik.tu-darmstadt.de> wrote:
> Hi, My setup is an Ubuntu 12.04 with Kernel 3.8.0-30-generic (x86_64).
> I use Volatility 2.3b and the VMI-Tools to investigate a running Xen
> (HVM) guest domain.
>
> The guest domain runs Ubuntu 10.04.4 with Kernel 2.6.32-51-generic (x86_64).
>
> I built a profile and the command linux_pslist works fine and shows
> me each running process (several other commands work as well),
> but the command:
>
> # python vol.py -l vmi://guestVM --profile=Linux2_6_32-51-amd64x64 linux_proc_maps -p 9615
> Volatile Systems Volatility Framework 2.3_beta
> Pid Start End Flags Pgoff Major Minor Inode File Path
> -------- ------------------ ------------------ ------ ------------------ ------ ------ ---------- ------------------
> segmentation fault (core dumped)
>
> results in a segmentation fault...
>
> I tried a lot of other Kernels in the guest domain, but each time I had
> the same results.
> Probably, it's not working because I use the VMI tools on a running VM?
> Is there an explanation for that, or a way I could fix this?
>
> Thank you!
>
>
> On 01.10.2013 03:03, Andrew Case wrote:
>> Can you please send the full command line input and output related to
>> your issue?
>>
>> Also:
>> - the kernel/distro that the sample was taken from
>> - what acquisition tool was used
>> - what version of Volatility you are using.
>>
>> This will greatly help us diagnose the issue.
>>
>> Thanks,
>> Andrew (@attrc)
>>
>> On Thu, Sep 26, 2013 at 4:05 PM, Sebastian Biedermann
>> <biedermann(a)seceng.informatik.tu-darmstadt.de> wrote:
>>> Hi guys,
>>>
>>> I'm trying to find out the addresses of the memory pages of a target process
>>> that are used as stack and heap on Linux.
>>> (Precisely, I would like to have the output which can be seen in
>>> /proc/<pid>/maps for a target process)
>>>
>>> Unfortunately, the command linux_proc_maps is not working; I always get a
>>> segmentation fault,
>>> although I tried different kernels as well as Linux setups (Ubuntu) - it's
>>> just not working.
>>>
>>> Can anyone tell me a setup (Linux & Kernel) in which the linux_proc_maps
>>> command works?
>>> Or give me a hint how I could figure out these addresses another way?
>>>
>>> Thank you!
--
Sebastian Biedermann
Security Engineering Group
Technische Universität Darmstadt
biedermann(a)seceng.informatik.tu-darmstadt.de
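An added example, not part of this thread and not Volatility or libvmi code: a small parser for the /proc/<pid>/maps format that the first message asks about, which extracts the stack and heap ranges and flags anonymous mappings that are both writable and executable (a common sign of injected code). The input below is a constructed sample, not output from the reporter's guest.

```python
import re
from dataclasses import dataclass

# Constructed sample in /proc/<pid>/maps format (not taken from the thread).
SAMPLE_MAPS = """\
00400000-0040c000 r-xp 00000000 08:01 1234 /bin/cat
0060b000-0060c000 r--p 0000b000 08:01 1234 /bin/cat
0060c000-0060d000 rw-p 0000c000 08:01 1234 /bin/cat
01a2e000-01a4f000 rw-p 00000000 00:00 0 [heap]
7f3b2c000000-7f3b2c021000 rwxp 00000000 00:00 0
7f3b2c9e3000-7f3b2cb8e000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc-2.11.1.so
7fff1c3e2000-7fff1c403000 rw-p 00000000 00:00 0 [stack]
7fff1c5ff000-7fff1c600000 r-xp 00000000 00:00 0 [vdso]
"""

# One maps line: start-end perms offset major:minor inode [path]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass
class Vma:
    start: int
    end: int
    perms: str
    offset: int
    inode: int
    path: str


def parse_maps(text):
    """Parse maps-format text into a list of Vma records; reject malformed lines."""
    vmas = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            raise ValueError("unparseable maps line: %r" % line)
        vmas.append(Vma(int(m["start"], 16), int(m["end"], 16), m["perms"],
                        int(m["offset"], 16), int(m["inode"]), m["path"].strip()))
    return vmas


def find_region(vmas, label):
    """Return (start, end) of the VMA labelled e.g. '[stack]' or '[heap]', or None."""
    for v in vmas:
        if v.path == label:
            return (v.start, v.end)
    return None


def suspicious_regions(vmas):
    """Anonymous (inode 0, unlabelled) mappings that are both writable and executable."""
    return [(v.start, v.end) for v in vmas
            if v.inode == 0 and "w" in v.perms and "x" in v.perms and not v.path.startswith("[")]
```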