[Vol-users] Reading PV ELF coredumps from Xen into Volatility

AAron Walters awalters at 4tphi.net
Fri Jul 29 09:57:52 CDT 2016
Hi Michael,

Thanks for reaching out! I do know of a couple of groups actively 
researching this area. I don't think they have released anything publicly 
yet but I would be happy to send introductions. Please feel free to send 
me an email off list.

Thanks,

AAron Walters
The Volatility Foundation


On Thu, 28 Jul 2016, Seborowski, Michael wrote:

> Hello everyone,
> 
> I apologize if this is not correctly described, but I have been trying to read Para-virtualized (PV) core dump files from a
> Xen Hypervisor. Now, I have managed to read the core dump when the VM is in HVM mode and read pfn values of an Ubuntu system
> with this external GitHub project (address space from Xenelf.py file): https://github.com/banne01/xen-core-velocity (after
> modifying line 126 to show elf_hdr instead of elf64_hdr to solve a weird error message).
> 
> However, I cannot seem to figure out how the p2m values are properly read from a PV SUSE Linux Enterprise Server VM. There
> is a pfn value and a gmfn value in the p2m array of values which I cannot seem to read and interpret properly even if I
> specifically tell Volatility to focus on just the pfn values. In addition, Volatility succeeds in instancing the address
> space for the SLES coredump but it still errors out after all the other address spaces have been exhausted.
> 
> If anyone has any feedback or ways to point me in the right direction, could you let me know?
> 
> Thanks, and best regards.
> 
> Michael Seborowski
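An added example (not code from this thread, from Volatility, or from the xen-core-velocity project) illustrating the p2m question above: it locates the named sections of a Xen ELF core through the ELF64 section-header string table, decodes each 16-byte {pfn, gmfn} entry of .xen_p2m, builds a pfn-to-file-offset map for the page contents in .xen_pages, and uses that map to read guest physical memory across page boundaries, which is exactly what a Volatility address space for such a dump needs to provide. Assumptions, labelled in the code: 4 KiB guest pages, page i of .xen_pages holding the contents of entry i of .xen_p2m, and an all-ones gmfn marking an unpopulated entry (check these against the xc_core.h of the Xen version that produced the dump). The ELF image it parses is constructed inline, not a real dump.

```python
import struct

PAGE_SIZE = 4096                       # assumption: 4 KiB guest pages
P2M_ENTRY = struct.Struct("<QQ")       # struct xen_dumpcore_p2m { uint64_t pfn; uint64_t gmfn; }
INVALID_GMFN = 0xFFFFFFFFFFFFFFFF      # assumption: all-ones gmfn marks an unpopulated pfn


def elf64_sections(data):
    """Return {section_name: (file_offset, size)} for a little-endian ELF64 image.

    Every offset is bounds-checked before use so a truncated or malformed dump
    raises ValueError instead of silently producing a nonsense mapping.
    """
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    if e_shentsize < 64 or e_shoff + e_shnum * e_shentsize > len(data) or e_shstrndx >= e_shnum:
        raise ValueError("section header table out of range")
    headers = []
    for i in range(e_shnum):
        sh_name, sh_type, _flags, _addr, sh_offset, sh_size = struct.unpack_from(
            "<IIQQQQ", data, e_shoff + i * e_shentsize)
        if sh_type != 8 and sh_offset + sh_size > len(data):   # 8 = SHT_NOBITS occupies no file bytes
            raise ValueError("section %d extends past end of file" % i)
        headers.append((sh_name, sh_offset, sh_size))
    str_off, str_size = headers[e_shstrndx][1], headers[e_shstrndx][2]
    strtab = data[str_off:str_off + str_size]
    sections = {}
    for sh_name, sh_offset, sh_size in headers:
        end = strtab.index(b"\0", sh_name)
        sections[strtab[sh_name:end].decode("ascii")] = (sh_offset, sh_size)
    return sections


def build_p2m_table(data, page_size=PAGE_SIZE):
    """Decode .xen_p2m into {pfn: file offset of that page's contents}.

    Assumption: page i of .xen_pages holds the contents of entry i of .xen_p2m.
    Entries whose gmfn equals INVALID_GMFN are treated as holes and skipped.
    """
    sections = elf64_sections(data)
    p2m_off, p2m_size = sections[".xen_p2m"]
    pages_off, pages_size = sections[".xen_pages"]
    n_entries = p2m_size // P2M_ENTRY.size
    if n_entries * page_size > pages_size:
        raise ValueError(".xen_pages is smaller than .xen_p2m implies")
    table = {}
    for i in range(n_entries):
        pfn, gmfn = P2M_ENTRY.unpack_from(data, p2m_off + i * P2M_ENTRY.size)
        if gmfn == INVALID_GMFN:
            continue
        table[pfn] = pages_off + i * page_size
    return table


def read_guest_phys(data, table, paddr, length, page_size=PAGE_SIZE):
    """Read `length` bytes at guest physical address `paddr`, crossing page
    boundaries; returns None if any page in the range is absent from the dump."""
    out = bytearray()
    while length > 0:
        pfn, in_page = divmod(paddr, page_size)
        chunk = min(length, page_size - in_page)
        page_off = table.get(pfn)
        if page_off is None:
            return None
        out += data[page_off + in_page:page_off + in_page + chunk]
        paddr += chunk
        length -= chunk
    return bytes(out)


def build_sample_core(page_size=PAGE_SIZE):
    """Constructed sample: a minimal ELF64 core carrying .xen_p2m and .xen_pages.
    Not a real Xen dump. pfn 0 and pfn 5 are populated, pfn 1 is a hole."""
    entries = [(0, 0x1000), (1, INVALID_GMFN), (5, 0x2A00)]
    p2m = b"".join(P2M_ENTRY.pack(pfn, gmfn) for pfn, gmfn in entries)
    pages = (b"PAGE0".ljust(page_size, b"\0")
             + bytes(page_size)
             + (b"\0" * 16 + b"hello-from-pfn5").ljust(page_size, b"\0"))
    shstrtab = b"\0.shstrtab\0.xen_p2m\0.xen_pages\0"
    off_shstr = 64
    off_p2m = off_shstr + len(shstrtab)
    off_pages = off_p2m + len(p2m)
    off_sh = off_pages + len(pages)

    def shdr(name_idx, sh_type, off, size):
        return struct.pack("<IIQQQQIIQQ", name_idx, sh_type, 0, 0, off, size, 0, 0, 1, 0)

    shdrs = (shdr(0, 0, 0, 0)                          # SHT_NULL
             + shdr(1, 3, off_shstr, len(shstrtab))    # .shstrtab, SHT_STRTAB
             + shdr(11, 1, off_p2m, len(p2m))          # .xen_p2m, SHT_PROGBITS
             + shdr(20, 1, off_pages, len(pages)))     # .xen_pages, SHT_PROGBITS
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",            # ET_CORE, EM_X86_64, 4 section headers
                                 4, 62, 1, 0, 0, off_sh, 0, 64, 0, 0, 64, 4, 1)
    return ehdr + shstrtab + p2m + pages + shdrs


if __name__ == "__main__":
    core = build_sample_core()
    table = build_p2m_table(core)
    print("populated pfns:", sorted(table))
    print(read_guest_phys(core, table, 5 * PAGE_SIZE + 16, 15))
```

Against a real dump the same three functions apply to the file bytes (or an mmap of them); the unpopulated-entry sentinel and the one-page-per-entry layout are the two points to confirm for the Xen release in question, since an off-by-one there shifts every page and produces precisely the unreadable p2m values described above.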

