ECToo / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

QEMU Core Dump support #436

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Qemu snapshots (at least the ones I was looking at) are ELF32 core dumps. I saw 
the code for VirtualBox support, and hacked together support for qemu too, 
mostly just changing around offsets. I don't have much knowledge of any 
debugging structures of qemu, sorry.

I renamed /plugins/overlays/linux/elf.py to elf64.py, and just stuck this in 
its place:
import elf32
import elf64

Original issue reported on code.google.com by justincapella@gmail.com on 25 Jul 2013 at 10:10

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by mike.auty@gmail.com on 9 Nov 2013 at 2:50

GoogleCodeExporter commented 9 years ago
Qemu also does elf64 dumps, so something like this has to check for both. (I 
dont have any elf32 dumps, so I cant do it.)

Original comment by es...@mrfjo.org on 1 Dec 2013 at 6:55

GoogleCodeExporter commented 9 years ago
Or it can perhaps be done like this(?).

Original comment by es...@mrfjo.org on 1 Dec 2013 at 7:32

Attachments:

GoogleCodeExporter commented 9 years ago
Yeah there could be some refactoring here I think, but my understanding of the 
abstraction layers are they get applied, and then it asserts if its valid or 
not, so the parser could be pretty 'dumb'. Perhaps a more generic just "elf" 
parser (i think thers only a couple variants possible, 32/64 msb/lsb) would be 
the way to go, though having those debug structures available is neat (like i 
saw for virtualbox). 

Original comment by justincapella@gmail.com on 1 Dec 2013 at 8:09

GoogleCodeExporter commented 9 years ago
Oh I didnt' realize there was a file attached -- looks good. =)

Original comment by justincapella@gmail.com on 1 Dec 2013 at 8:11

GoogleCodeExporter commented 9 years ago
Hi guys, I've followed up with you via email. Hopefully we can get these 
changes applied in time for the 2.4 release. 

Thanks!

Original comment by michael.hale@gmail.com on 7 Mar 2014 at 7:06