[Vol-users] Why is this user-space data only in kernel space? #linux

Bridgey theGeek bridgeythegeek at gmail.com
Sun Jun 4 15:44:01 EDT 2017


Hi all,

This is a "what don't I know?" question...

I have a very simple C program:

#include <gtk/gtk.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    GtkTextBuffer *buffer;
    buffer = gtk_text_buffer_new(NULL);
    gtk_text_buffer_set_text(buffer, "adam1adam2adam3", 15);

    printf("buffer: %p\n", buffer);

    getchar();
    return 0;
}

Then the following to try and locate the strings in memory:

------------------------------------------------------------
$ strings --radix=d LinuxMint-17.3-Mate-x64-61951b91.vmem | fgrep
adam1adam2adam3 >/tmp/s
------------------------------------------------------------
$ cat /tmp/s
195393652 adam1adam2adam3
204175816 adam1adam2adam3
851998836 adam1adam2adam3
------------------------------------------------------------
$ ~/src/volatility/vol.py -f LinuxMint-17.3-Mate-x64-61951b91.vmem
--profile LinuxMint173x64 linux_strings -s /tmp/s
Volatility Foundation Volatility Framework 2.6
195393652 [kernel:88000ba57874] adam1adam2adam3
204175816 [kernel:88000c2b79c8] adam1adam2adam3
851998836 [kernel:880032c87874] adam1adam2adam3
------------------------------------------------------------

Why on earth would the string only be located in Kernel space??

I've been digging into Gtk for quite some time now to try and solve this
and think I understand that in Gtk, text is stored as GtkTextLineSegments.
The memory for a GtkTextLineSegment is allocated via g_slice_alloc and the
actual text copied to the allocated space via an ordinary memcpy (See:
https://github.com/GNOME/gtk/blob/406db15066f121c2b9910691f92e58
41b30e0311/gtk/gtktextsegment.c#L190-L210)


I've proved the text really is here by editing the text in the VMEM file in
a hex editor and then resuming the VM - sure enough the text is updated to
reflect the changes.

I could just about understand the text being in Kernel space AND user space
because perhaps its sent to the X server or something, but it appears to
ONLY be in Kernel space.

What don't I know??

Many thanks,
Adam
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20170604/9df4a1a9/attachment.html>


More information about the Vol-users mailing list