[Vol-users] Re: Bug or documentation error - linux_dump_map
Michael Hale Ligh
michael.hale at gmail.com
Thu Mar 7 10:03:09 CST 2013
You're right, it looks like there were a few different issues with that
plugin. I applied a patch similar to yours that should make things
easier. It now accepts -p, but also takes a --dump-dir argument instead of
--outfile. You can dump all VMAs from all processes, all VMAs from a
specific process (or multiple processes with -p 1,2,3) or a specific VMA
from a specific process. The output file name includes the task ID as well
as the VMA starting address. There's a summary printed to stdout to
Task       VM Start   VM End     Length     Path
---------- ---------- ---------- ---------- ----
1          0x08048000 0x0811d000 0xd5000    dumps/task.1.0x8048000.vma
1          0x0811e000 0x08124000 0x6000     dumps/task.1.0x811e000.vma
1          0x08124000 0x08125000 0x1000     dumps/task.1.0x8124000.vma
1          0x08125000 0x081b0000 0x8b000    dumps/task.1.0x8125000.vma
1          0xb7522000 0xb752e000 0xc000     dumps/task.1.0xb7522000.vma
Can you try the patch and let me know if it works for you?
On Thu, Mar 7, 2013 at 7:06 AM, Edwin Smulders <edwin.smulders at gmail.com> wrote:
> After some more research, I think it is a bug and the attached patch
> hopefully fixes it.
> On 7 March 2013 11:35, Edwin Smulders <edwin.smulders at gmail.com> wrote:
> > Hi,
> > Yesterday during a challenge we had to use the linux_dump_map plugin
> > to dump a process stack, and the documentation at
> > says it has the -p option to select a process.
> > However, as far as I can tell looking in the svn history, this plugin
> > never had the -p option. And it's definitely not working currently.
> > I've heard a confirmation that the option was working in version
> > 2.2-rc1, so maybe it was a global option?
> > The reason I'm mailing this is because, if the -s is virtual memory,
> > would you not get possible overlap in areas? How do you know it dumped
> > the correct VMA? Note that every time I tried, I got the correct area.
> > Cheers,
> > Edwin
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
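The selection and file-naming behaviour Michael describes (all VMAs, the VMAs of tasks given as -p 1,2,3, or one VMA of one task, written to a --dump-dir as task.<pid>.0x<start>.vma) modelled as an added Python example. This is not the Volatility plugin's own code; the VMA records, task ids and mapped paths are constructed sample data, and the Vma/select_vmas/dump_name names are assumptions of this example.

```python
import os
from collections import namedtuple

Vma = namedtuple("Vma", "task start end path")

# Constructed sample: tasks 1 and 2 both map 0x08048000-0x0811d000, the
# same-virtual-range-in-different-processes case raised in the thread.
# Paths are hypothetical.
SAMPLE_VMAS = [
    Vma(1, 0x08048000, 0x0811d000, "/bin/busybox"),
    Vma(1, 0x0811e000, 0x08124000, "/bin/busybox"),
    Vma(1, 0xb7522000, 0xb752e000, "/lib/ld.so"),
    Vma(2, 0x08048000, 0x0811d000, "/bin/sh"),
]

def parse_pid_list(arg):
    """Parse a '-p 1,2,3' style argument into a set of task ids (None = all tasks)."""
    if arg is None:
        return None
    return {int(p) for p in arg.split(",") if p.strip()}

def select_vmas(vmas, pids=None, vm_start=None):
    """Mirror the three modes: every VMA, VMAs of the listed tasks, or the one
    VMA of those tasks whose start address equals vm_start (the -s value)."""
    pidset = parse_pid_list(pids)
    chosen = []
    for v in vmas:
        if pidset is not None and v.task not in pidset:
            continue
        if vm_start is not None and v.start != vm_start:
            continue
        chosen.append(v)
    return chosen

def dump_name(dump_dir, vma):
    """task.<pid>.0x<start>.vma: the task id keeps equal address ranges from
    different processes from colliding on disk, which answers the overlap question."""
    return os.path.join(dump_dir, "task.{0}.0x{1:x}.vma".format(vma.task, vma.start))

def summary(vmas, dump_dir="dumps"):
    """Rows of the stdout summary: (task, start, end, length, output file)."""
    return [(v.task, v.start, v.end, v.end - v.start, dump_name(dump_dir, v))
            for v in vmas]

if __name__ == "__main__":
    print("%-10s %-10s %-10s %-10s %s" % ("Task", "VM Start", "VM End", "Length", "Path"))
    for task, start, end, length, path in summary(select_vmas(SAMPLE_VMAS, "1,2")):
        print("%-10d 0x%08x 0x%08x 0x%-8x %s" % (task, start, end, length, path))
```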