[Vol-users] stack & heap

Sebastian Biedermann biedermann at seceng.informatik.tu-darmstadt.de
Wed Oct 2 02:00:42 CDT 2013

If I create a snapshot (live or normal mode) of my VM in Xen (xm dump-core),
I cannot run any volatility commands:

# python vol.py -f ../71.dmp --profile=Linux2_6_32-51-amd64x64 linux_pslist
Volatile Systems Volatility Framework 2.3_beta
Offset             Name                 Pid             Uid            
Gid    DTB                Start Time
------------------ -------------------- --------------- ---------------
------ ------------------ ----------
WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid course
pde2_value 6d6f6320

I expected that since I guess that Xen does its own way of snapshots.

If I create a memory dump of my VM using the libvmi tools (dump-core),
each Volatility command on this dump (including the linux_proc_maps)
works perfect.

The linux_proc_maps command is just not working live on a running VM,
so I would assume it's a problem of libvmi.

Thank you!

Am 01.10.2013 23:42, schrieb Andrew Case:
> This will be interesting to debug as Python should not segfault and
> cannot from normal user interactions so it has to be a bug within the
> C code (somewhere).
> Could you start by taking a normal memory sample of your guest VM
> using lime, running Volatility against it, and sending us the output/
> results? This will help us figure out if it something with libvmi
> On Tue, Oct 1, 2013 at 2:12 AM, Sebastian Biedermann
> <biedermann at seceng.informatik.tu-darmstadt.de> wrote:
>> Hi, My setup is an Ubuntu 12.04 with Kernel 3.8.0-30-generic (x86_64).
>> I use Volatility 2.3b and the VMI-Tools to investigate a running Xen
>> (HVM) guest domain.
>> The guest domain runs Ubuntu 10.04.4 with Kernel 2.6.32-51-generic (x86_64).
>> I built a profile and the command linux_pslist works fine and shows
>> me each running process (several other commands work as well),
>> but the command:
>> # python vol.py -l vmi://guestVM --profile=Linux2_6_32-51-amd64x64
>> linux_proc_maps -p 9615
>> Volatile Systems Volatility Framework 2.3_beta
>> Pid      Start              End                Flags               Pgoff
>> Major  Minor  Inode      File Path
>> -------- ------------------ ------------------ ------ ------------------
>> ------ ------ ---------- ------------------
>> segmentation fault (core dumped)
>> results in a segmentation fault...
>> I tried a lot of other Kernels in the guest domain, but each time I had
>> the same results.
>> Probably, it's not working because I use the VMI tools on a running VM?
>> Is there an explanation for that or a way how I could fix this?
>> Thank you!
>> Am 01.10.2013 03:03, schrieb Andrew Case:
>>> Can you please send the full command line input and output related to
>>> your issue?
>>> Also:
>>> -  the kernel/distro that the sample was taken from
>>> - what acquisition tool was used
>>> - what version of Volatility you are using.
>>> This will greatly help us diagnose the issue.
>>> Thanks,
>>> Andrew (@attrc)
>>> On Thu, Sep 26, 2013 at 4:05 PM, Sebastian Biedermann
>>> <biedermann at seceng.informatik.tu-darmstadt.de> wrote:
>>>> Hi guys,
>>>> I'm trying to find out the addresses of the memory pages of a target process
>>>> that are used as stack and heap on Linux.
>>>> (Precisely, I would like to have the output which can be seen in
>>>> /proc/<pid>/maps for a target process)
>>>> Unfortunately, the command linux_proc_maps is not working, I always get a
>>>> segmentation fault,
>>>> although I tried different kernels as well as Linux setups (Ubuntu) - it's
>>>> just not working.
>>>> Can anyone tell me a setup (Linux & Kernel) in which the linux_proc_maps
>>>> command works?
>>>> Or give me a hint how I could figure out these addresses on another way?
>>>> Thank you!
>>>> _______________________________________________
>>>> Vol-users mailing list
>>>> Vol-users at volatilityfoundation.org
>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

Sebastian Biedermann
Security Engineering Group
Technische Universität Darmstadt
biedermann at seceng.informatik.tu-darmstadt.de

This email and any files transmitted with it are confidential 
and intended solely for the use of the individual or entity 
to whom they are addressed. If you have received this email 
in error please notify the sender.

More information about the Vol-users mailing list