[Vol-users] stack & heap

Andrew Case atcuno at gmail.com
Tue Oct 1 16:42:02 CDT 2013


This will be interesting to debug as Python should not segfault and
cannot from normal user interactions so it has to be a bug within the
C code (somewhere).

Could you start by taking a normal memory sample of your guest VM
using lime, running Volatility against it, and sending us the output/
results? This will help us figure out if it is something with libvmi.

On Tue, Oct 1, 2013 at 2:12 AM, Sebastian Biedermann
<biedermann at seceng.informatik.tu-darmstadt.de> wrote:
> Hi, My setup is an Ubuntu 12.04 with Kernel 3.8.0-30-generic (x86_64).
> I use Volatility 2.3b and the VMI-Tools to investigate a running Xen
> (HVM) guest domain.
>
> The guest domain runs Ubuntu 10.04.4 with Kernel 2.6.32-51-generic (x86_64).
>
> I built a profile and the command linux_pslist works fine and shows
> me each running process (several other commands work as well),
> but the command:
>
> # python vol.py -l vmi://guestVM --profile=Linux2_6_32-51-amd64x64 linux_proc_maps -p 9615
> Volatile Systems Volatility Framework 2.3_beta
> Pid      Start              End                Flags               Pgoff Major  Minor  Inode      File Path
> -------- ------------------ ------------------ ------ ------------------ ------ ------ ---------- ------------------
> segmentation fault (core dumped)
>
> results in a segmentation fault...
>
> I tried a lot of other Kernels in the guest domain, but each time I had
> the same results.
> Probably, it's not working because I use the VMI tools on a running VM?
> Is there an explanation for that or a way I could fix this?
>
> Thank you!
>
>
> On 01.10.2013 03:03, Andrew Case wrote:
>> Can you please send the full command line input and output related to
>> your issue?
>>
>> Also:
>> -  the kernel/distro that the sample was taken from
>> - what acquisition tool was used
>> - what version of Volatility you are using.
>>
>> This will greatly help us diagnose the issue.
>>
>> Thanks,
>> Andrew (@attrc)
>>
>> On Thu, Sep 26, 2013 at 4:05 PM, Sebastian Biedermann
>> <biedermann at seceng.informatik.tu-darmstadt.de> wrote:
>>> Hi guys,
>>>
>>> I'm trying to find out the addresses of the memory pages of a target process
>>> that are used as stack and heap on Linux.
>>> (Precisely, I would like to have the output which can be seen in
>>> /proc/<pid>/maps for a target process)
>>>
>>> Unfortunately, the command linux_proc_maps is not working, I always get a
>>> segmentation fault,
>>> although I tried different kernels as well as Linux setups (Ubuntu) - it's
>>> just not working.
>>>
>>> Can anyone tell me a setup (Linux & Kernel) in which the linux_proc_maps
>>> command works?
>>> Or give me a hint on how I could figure out these addresses in another way?
>>>
>>> Thank you!
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users at volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
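
Added example, not part of the original thread and not Volatility or libvmi code: a small parser for the /proc/<pid>/maps text format that the original question refers to, pulling out the [heap] and [stack] ranges and their page addresses so they can be compared against whatever linux_proc_maps reports once it runs. The sample maps text, the function names and the 4096-byte page size are assumptions made for illustration.

```python
import re
from collections import namedtuple

# Field names follow the column headers shown in the linux_proc_maps output above.
Region = namedtuple("Region", "start end flags pgoff major minor inode path")

# /proc/<pid>/maps line: start-end perms offset major:minor inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+([0-9a-f]+)\s+"
    r"([0-9a-f]+):([0-9a-f]+)\s+(\d+)\s*(.*)$"
)

# Constructed sample, not taken from the guest discussed in the thread.
SAMPLE_MAPS = """\
00400000-0040c000 r-xp 00000000 08:01 1310723 /bin/cat
0060b000-0060c000 r--p 0000b000 08:01 1310723 /bin/cat
0060c000-0060d000 rw-p 0000c000 08:01 1310723 /bin/cat
01a3e000-01a5f000 rw-p 00000000 00:00 0 [heap]
7fff2c0a1000-7fff2c0c2000 rw-p 00000000 00:00 0 [stack]
7fff2c1ff000-7fff2c200000 r-xp 00000000 00:00 0 [vdso]
"""

def parse_maps(text):
    """Parse maps text into Region tuples, skipping lines that do not match."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, end, flags, pgoff, major, minor, inode, path = m.groups()
        regions.append(Region(int(start, 16), int(end, 16), flags,
                              int(pgoff, 16), int(major, 16), int(minor, 16),
                              int(inode), path))
    return regions

def stack_and_heap(regions):
    """Return {'heap': (start, end), 'stack': (start, end)} for the regions present."""
    wanted = {"[heap]": "heap", "[stack]": "stack"}
    return {wanted[r.path]: (r.start, r.end) for r in regions if r.path in wanted}

def page_addresses(start, end, page_size=4096):
    """List the base address of every page in [start, end); page size is an assumption."""
    return list(range(start, end, page_size))

if __name__ == "__main__":
    for name, (start, end) in sorted(stack_and_heap(parse_maps(SAMPLE_MAPS)).items()):
        print("%-5s 0x%016x-0x%016x %d pages"
              % (name, start, end, len(page_addresses(start, end))))
```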

