[Vol-users] Incorrect addresses in linux_proc_maps

Edwin Smulders edwin.smulders at gmail.com
Fri Mar 1 11:01:11 CST 2013


Thanks for the quick response.
Sadly, I can't access my VMs at home, so I'll send the
/proc/<pid>/maps first thing in the morning on monday.

Cheers,
Edwin

On 1 March 2013 17:29, Michael Hale Ligh <michael.hale at gmail.com> wrote:
> Ah, this has to do with the fact that a long and unsigned long on x86 Linux
> is actually 8 bytes (instead of 4 like on Windows).
>
> We'll take a look at changing the formatting specification to account for
> this difference in sizes, and if it can't be done easily before the 2.3
> release, then we'll revert the patch in r3090 to re-incorporate mask_number.
>
> Please still send the output of /proc/<pid>/maps just so we know how it
> looks for the future.
> MHL
>
>
> On Fri, Mar 1, 2013 at 10:53 AM, Michael Hale Ligh <michael.hale at gmail.com>
> wrote:
>>
>> Thanks for reporting. We just recently removed the mask_number function
>> (http://code.google.com/p/volatility/source/detail?r=3090) because vm_start
>> and vm_end are already unsigned (so you shouldn't see negative numbers in
>> output).
>>
>> I'm guessing this may be a problem with our output formatting, but we'll
>> look into it (the output of /proc/<pid>/maps like Andrew asked for would be
>> useful).
>>
>>
>> On Fri, Mar 1, 2013 at 10:47 AM, Andrew Case <atcuno at gmail.com> wrote:
>>>
>>> Can you send the output of /proc/<pid>/maps that corresponds to one of
>>> the processes with the broken plugin output?
>>>
>>> On Fri, Mar 1, 2013 at 6:52 AM, Edwin Smulders <edwin.smulders at gmail.com>
>>> wrote:
>>> > Hi all,
>>> >
>>> > I've just created a profile for my Ubuntu 12.04 (3.5.0-25) and I've
>>> > dumped the memory using virtualbox guestcoredump.
>>> > Using the linux_proc_maps plugin I get the following output:
>>> >
>>> > http://paste.ubuntu.com/5576450/
>>> >
>>> > I was expecting similar output to "cat /proc/<pid>/maps". As you can
>>> > see, these "-0x4...000" addresses are obviously wrong. Is this I am
>>> > doing wrong myself, or is this a bug? It happens for other processes
>>> > as well.
>>> >
>>> > If this is a bug I'll make a new issue in the tracker with the steps
>>> > I've followed to produce this.
>>> >
>>> > Cheers,
>>> > Edwin
>>> > _______________________________________________
>>> > Vol-users mailing list
>>> > Vol-users at volatilityfoundation.org
>>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users at volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>>
>


More information about the Vol-users mailing list