[Vol-users] Incorrect addresses in linux_proc_maps

Michael Hale Ligh michael.hale at gmail.com
Fri Mar 1 09:53:04 CST 2013


Thanks for reporting. We just recently removed the mask_number function (
http://code.google.com/p/volatility/source/detail?r=3090) because vm_start
and vm_end are already unsigned (so you shouldn't see negative numbers in
output).

I'm guessing this may be a problem with our output formatting, but we'll
look into it (the output of /proc/<pid>/maps like Andrew asked for would be
useful).


On Fri, Mar 1, 2013 at 10:47 AM, Andrew Case <atcuno at gmail.com> wrote:

> Can you send the output of /proc/<pid>/maps that corresponds to one of
> the processes with the broken plugin output?
>
> On Fri, Mar 1, 2013 at 6:52 AM, Edwin Smulders <edwin.smulders at gmail.com>
> wrote:
> > Hi all,
> >
> > I've just created a profile for my Ubuntu 12.04 (3.5.0-25) and I've
> > dumped the memory using virtualbox guestcoredump.
> > Using the linux_proc_maps plugin I get the following output:
> >
> > http://paste.ubuntu.com/5576450/
> >
> > I was expecting similar output to "cat /proc/<pid>/maps". As you can
> > see, these "-0x4...000" addresses are obviously wrong. Is this something
> > I am doing wrong myself, or is this a bug? It happens for other processes
> > as well.
> >
> > If this is a bug I'll make a new issue in the tracker with the steps
> > I've followed to produce this.
> >
> > Cheers,
> > Edwin
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users at volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users