ECToo / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

Heap address space which is part of a process of interest can't be dumped in linux_volshell #487

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Run a program in the VM running on the virtual box. Make some dynamic memory 
allocations
2. Take an image from the guest operating system
3. Run Volatility on the image just collected and run linux_proc_maps. I am 
able to see the heap range but I am unable to dd the address and it reports the 
following error :
------------------------------
>>> dd(0x000000000168a000)
Memory unreadable at 0168a000
------------------------------

What is the expected output? What do you see instead?

Expected output is the dump of memory but instead I see the above error

What version of the product are you using? On what operating system?
os version : Linux version 3.5.0-17-generic
volatility version : Volatility Foundation Volatility Framework 2.3.1

Please provide any additional information below.

Here is the snippet from linux_proc_maps showing the heap of the process in 
question:

3793 0x0000000000400000 0x0000000000401000 r-x                   0x0      8     
 2      73708 /root/a.out                                   
    3793 0x0000000000600000 0x0000000000601000 r--                   0x0      8      2      73708 /root/a.out                                   
    3793 0x0000000000601000 0x0000000000602000 rw-                0x1000      8      2      73708 /root/a.out  
3793 0x000000000168a000 0x00000000016ab000 rw-                   0x0      0     
 0          0 [heap]

Original issue reported on code.google.com by grajkart...@gmail.com on 13 Mar 2014 at 9:14

GoogleCodeExporter commented 9 years ago

Original comment by michael.hale@gmail.com on 13 Mar 2014 at 9:41

GoogleCodeExporter commented 9 years ago
Hello,

Can you please paste the full volshell session? In particular I am looking to 
see if you did:

cc(pid=3793)

before running dd. cc changes volshell's context so that it translates virtual 
addresses in the address space of the process you tell it to. By default it 
works in the address space of init (PID 1). You can see your current context 
with the sc() command.

If you did use cc and still get that error it means that the first page of the 
heap was paged out/not present at the time of acquistion.

Original comment by atc...@gmail.com on 13 Mar 2014 at 11:24

GoogleCodeExporter commented 9 years ago
Thanks a lot for the help ! I was not switching the context to the thread in 
question. Also is it possible to print the process details from the volshell ? 
or could you please point me to a page (if there is one) which talks more about 
volshell and the cool things that can be done in the shell like printing linux 
related data structures etc.

Original comment by grajkart...@gmail.com on 14 Mar 2014 at 6:07

GoogleCodeExporter commented 9 years ago
Which process details are you interested in printing? The answer is 'yes' to 
printing details from volshell, just need to know which you are interested in.

You can use hh() in volshell to see the help menu and available commands. While 
in volshell you also have access to all of VOlatility's capabilities.

Original comment by atc...@gmail.com on 16 Mar 2014 at 1:46

GoogleCodeExporter commented 9 years ago
Right now I am in the pid of interest. I would like to know the various 
information of that process. Like the address locations of heap space, stack 
space etc. I get this usually by going back and typing in linux_proc_maps and 
then getting it from there. If there is a way to get that information from the 
shell it's useful.

Original comment by grajkart...@gmail.com on 23 Mar 2014 at 9:09

GoogleCodeExporter commented 9 years ago
You can look in the linux_proc_maps plugin to see how we iterate through a 
process's memory maps...then just do the same thing inside volshell. In 
general, anything you see in a plugin can be done in volshell. 

Original comment by michael.hale@gmail.com on 25 May 2014 at 5:37