[Vol-users] Volatility-Linux TypeError

Patrick Burkard pbuml at gmx.de
Tue Jan 31 09:56:35 CST 2012


>    The backtrace you got was because the init_task was not found or
> had an invalid address. Can you please check that there is such a
> symbol on your System.map. For example:
> ~/projects/volatility(scudette_playground)$ unzip -p system.zip
> boot/System.map-3.0.0-12-server | grep init_task
> [SNIP]

I've done this with my System.map. This is what happens:
dark-eye at Ragana:~/Sources/volatility_linux64$ unzip -p
debian_squeeze.zip boot/System.map-2.6.32-5-686 | grep init_task
c1083b60 T perf_event_init_task
c1336980 r __ksymtab_init_task
c133eef0 r __kcrctab_init_task
c13431a8 r __kstrtab_init_task
c1388ba0 D init_task
c14322d8 B init_task_group

Because I'm not really sure how to translate those virtual addresses to
the offsets of the memory dump, I used volatilitux to evaluate the
virtual addresses.

dark-eye at Ragana:~/Sources/volatilitux$ python volatilitux.py
-f /home/dark-eye/Desktop/LF32.ram -d pslist
swapper comm found at 012f4e84
swapper comm found at 01388dc4
init comm found at 1f82c0f0
confirmed: swapper comm found with init's prev
potential offset_parents: 312, 316
swapper_addr = 01388ba0, init_addr = 1f82c000
offset_comm = 548, offset_tasks = 240, offset_parent = 316
potential_offset_pid = 300
offset_mm = 268
offset_vmfile = 72
offset_fdentry = 12, offset_qstr = 32
offset_pgd = 36
arch = x86
Address       Name                PID       PPID      mm
c1388ba0      swapper             0         0         00000000
df82c000      init                1         0         d792a380
df82c440      kthreadd            2         0

So I think the c1388ba0 address is correct for the swapper, not the
init_task. Is this assumption right?

I checked if I maybe mixed up something while dumping the memory, but
can't figure out what it could be. Do you have any further ideas?
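
As an added example (not part of Patrick's post, and not code from Volatility or volatilitux), the script below does the check this thread is working toward: resolve the exact `init_task` symbol from the posted System.map lines (unlike `grep init_task`, it ignores `perf_event_init_task`, `__ksymtab_init_task` and `init_task_group`), translate the virtual address to a dump offset with the default 32-bit x86 PAGE_OFFSET of 0xC0000000 (an assumption for this kernel; it is consistent with volatilitux reporting swapper_addr = 01388ba0), and read comm, pid and mm at the field offsets volatilitux printed. The dump is a constructed, zero-filled stand-in with a swapper task_struct planted where init_task lands after translation, not the real LF32.ram. In Linux, `init_task` is the PID 0 "swapper" task, so reading "swapper" at that address is the expected outcome.

```python
import struct

# Constructed sample: the System.map lines from the post, one symbol per line.
SYSTEM_MAP = """\
c1083b60 T perf_event_init_task
c1336980 r __ksymtab_init_task
c133eef0 r __kcrctab_init_task
c13431a8 r __kstrtab_init_task
c1388ba0 D init_task
c14322d8 B init_task_group
"""

# Assumption: default 32-bit x86 kernel with PAGE_OFFSET = 0xC0000000 and
# lowmem identity-mapped, so physical = virtual - PAGE_OFFSET for kernel data.
PAGE_OFFSET = 0xC0000000

# task_struct field offsets as reported by volatilitux in the post. They are
# specific to this kernel build and must be recomputed for any other one.
OFFSET_COMM = 548
OFFSET_PID = 300
OFFSET_MM = 268
TASK_COMM_LEN = 16


def find_symbol(system_map, name):
    """Return the address of the symbol whose name is exactly `name`.

    A plain `grep init_task` also matches perf_event_init_task,
    __ksymtab_init_task and init_task_group; this does not.
    """
    for line in system_map.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[2] == name:
            return int(fields[0], 16)
    raise KeyError("symbol %r not found in System.map" % name)


def virt_to_phys(vaddr, page_offset=PAGE_OFFSET):
    """Translate a kernel lowmem virtual address to a physical dump offset."""
    if vaddr < page_offset:
        raise ValueError("0x%08x is below PAGE_OFFSET, not a kernel lowmem address" % vaddr)
    return vaddr - page_offset


def read_task_fields(dump, task_phys):
    """Read comm, pid and mm from the task_struct at physical offset `task_phys`."""
    if task_phys + OFFSET_COMM + TASK_COMM_LEN > len(dump):
        raise ValueError("task_struct at 0x%08x lies outside the dump" % task_phys)
    comm_raw = dump[task_phys + OFFSET_COMM:task_phys + OFFSET_COMM + TASK_COMM_LEN]
    comm = comm_raw.split(b"\0", 1)[0].decode("ascii", errors="replace")
    (pid,) = struct.unpack_from("<i", dump, task_phys + OFFSET_PID)  # pid_t, little-endian
    (mm,) = struct.unpack_from("<I", dump, task_phys + OFFSET_MM)    # struct mm_struct *
    return {"comm": comm, "pid": pid, "mm": mm}


def build_constructed_dump(init_task_vaddr):
    """Constructed stand-in for LF32.ram (not real data): zero-filled, with a
    swapper task_struct planted where init_task lands after translation.
    pid 0 and a NULL mm pointer are already represented by the zero fill."""
    phys = virt_to_phys(init_task_vaddr)
    dump = bytearray(phys + OFFSET_COMM + TASK_COMM_LEN)
    dump[phys + OFFSET_COMM:phys + OFFSET_COMM + 8] = b"swapper\0"
    return bytes(dump)


def locate_init_task(system_map, dump):
    """Resolve init_task in System.map, translate it, and read its fields."""
    vaddr = find_symbol(system_map, "init_task")
    paddr = virt_to_phys(vaddr)
    fields = read_task_fields(dump, paddr)
    fields.update({"vaddr": vaddr, "paddr": paddr})
    return fields


if __name__ == "__main__":
    r = locate_init_task(SYSTEM_MAP, build_constructed_dump(0xC1388BA0))
    print("init_task virt 0x%08x -> phys 0x%08x  comm=%r pid=%d mm=0x%08x"
          % (r["vaddr"], r["paddr"], r["comm"], r["pid"], r["mm"]))
```

With the posted numbers, the translated address 0x01388ba0 plus offset_comm 548 (0x224) is 0x01388dc4, exactly the second "swapper comm found at" hit volatilitux printed, so the two tools agree on where init_task sits in the dump; if a different kernel were relocated or built with another PAGE_OFFSET, this check is what would fail first.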

