[Vol-users] Incorrect addresses in linux_proc_maps

Michael Hale Ligh michael.hale at gmail.com
Fri Mar 1 10:29:05 CST 2013


Ah, this has to do with the fact that a long and unsigned long on x86 Linux
is actually 8 bytes (instead of 4 like on Windows).

We'll take a look at changing the formatting specification to account for
this difference in sizes, and if it can't be done easily before the 2.3
release, then we'll revert the patch in r3090 to re-incorporate
mask_number.

Please still send the output of /proc/<pid>/maps just so we know how it
looks for the future.
MHL


On Fri, Mar 1, 2013 at 10:53 AM, Michael Hale Ligh
<michael.hale at gmail.com>wrote:

> Thanks for reporting. We just recently removed the mask_number function (
> http://code.google.com/p/volatility/source/detail?r=3090) because
> vm_start and vm_end are already unsigned (so you shouldn't see negative
> numbers in output).
>
> I'm guessing this may be a problem with our output formatting, but we'll
> look into it (the output of /proc/<pid>/maps like Andrew asked for would
> be useful).
>
>
> On Fri, Mar 1, 2013 at 10:47 AM, Andrew Case <atcuno at gmail.com> wrote:
>
>> Can you send the output of /proc/<pid>/maps that corresponds to one of
>> the processes with the broken plugin output?
>>
>> On Fri, Mar 1, 2013 at 6:52 AM, Edwin Smulders <edwin.smulders at gmail.com>
>> wrote:
>> > Hi all,
>> >
>> > I've just created a profile for my Ubuntu 12.04 (3.5.0-25) and I've
>> > dumped the memory using virtualbox guestcoredump.
>> > Using the linux_proc_maps plugin I get the following output:
>> >
>> > http://paste.ubuntu.com/5576450/
>> >
>> > I was expecting similar output to "cat /proc/<pid>/maps". As you can
>> > see, these "-0x4...000" addresses are obviously wrong. Is this I am
>> > doing wrong myself, or is this a bug? It happens for other processes
>> > as well.
>> >
>> > If this is a bug I'll make a new issue in the tracker with the steps
>> > I've followed to produce this.
>> >
>> > Cheers,
>> > Edwin
>> > _______________________________________________
>> > Vol-users mailing list
>> > Vol-users at volatilityfoundation.org
>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users at volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20130301/a7daae28/attachment.html


More information about the Vol-users mailing list