[Vol-users] stack & heap

Sebastian Biedermann biedermann at seceng.informatik.tu-darmstadt.de
Tue Oct 1 02:12:24 CDT 2013


Hi, my setup is an Ubuntu 12.04 with Kernel 3.8.0-30-generic (x86_64).
I use Volatility 2.3b and the VMI-Tools to investigate a running Xen
(HVM) guest domain.

The guest domain runs Ubuntu 10.04.4 with Kernel 2.6.32-51-generic (x86_64).

I built a profile and the command linux_pslist works fine and shows
me each running process (several other commands work as well),
but the command:

# python vol.py -l vmi://guestVM --profile=Linux2_6_32-51-amd64x64 linux_proc_maps -p 9615
Volatile Systems Volatility Framework 2.3_beta
Pid      Start              End                Flags               Pgoff Major  Minor  Inode      File Path
-------- ------------------ ------------------ ------ ------------------ ------ ------ ---------- ------------------
segmentation fault (core dumped)

results in a segmentation fault...

I tried a lot of other Kernels in the guest domain, but each time I had
the same results.
Probably, it's not working because I use the VMI tools on a running VM?
Is there an explanation for that or a way I could fix this?

Thank you!


On 01.10.2013 03:03, Andrew Case wrote:
> Can you please send the full command line input and output related to
> your issue?
>
> Also:
> - the kernel/distro that the sample was taken from
> - what acquisition tool was used
> - what version of Volatility you are using.
>
> This will greatly help us diagnose the issue.
>
> Thanks,
> Andrew (@attrc)
>
> On Thu, Sep 26, 2013 at 4:05 PM, Sebastian Biedermann
> <biedermann at seceng.informatik.tu-darmstadt.de> wrote:
>> Hi guys,
>>
>> I'm trying to find out the addresses of the memory pages of a target process
>> that are used as stack and heap on Linux.
>> (Precisely, I would like to have the output which can be seen in
>> /proc/<pid>/maps for a target process)
>>
>> Unfortunately, the command linux_proc_maps is not working, I always get a
>> segmentation fault,
>> although I tried different kernels as well as Linux setups (Ubuntu) - it's
>> just not working.
>>
>> Can anyone tell me a setup (Linux & Kernel) in which the linux_proc_maps
>> command works?
>> Or give me a hint how I could figure out these addresses in another way?
>>
>> Thank you!