Closed guysrd closed 3 years ago
Hmm, I don't know why you get the exception, but the addr value must be a physical address, not a virtual address.
You can p /x $cr3 if it's an x86-64 VM to get the physical address.
I added this option cause I thought it would be neat to print the page tables from a specific physical address if you happen to be working with multiple different address spaces, for example Linux kernel and OVMF.
In my case:
pwndbg> p /x $cr3
$2 = 0x1a0a000
pwndbg> pt -save -addr 0x1a0a000 -filter x
Address : Length Permissions
0xffff98d08009a000 : 0x1000 | W:0 X:1 S:1 UC:0 WB:1
0xffffffffb1800000 : 0x7cf000 | W:0 X:1 S:1 UC:0 WB:1
0xffffffffc0073000 : 0x1000 | W:0 X:1 S:1 UC:0 WB:1
I think the parsing error you get happens when the script tries to translate the Guest Physical Address to the Host Virtual Address, but I may be mistaken.
Let me know if this helps :)
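Added example (not pt-dump's code and not part of the thread): why a page-table dump has to start from the physical root held in CR3, shown as a 4-level x86-64 walk over constructed memory. The function names, the intermediate table addresses and the mapped frame 0x2e00000 are assumptions; only 0x1a0a000 and 0xffffffffb1800000 come from the output above.

```python
# Added illustration; "physical memory" is a constructed dict {phys_addr: 8-byte entry}.
PAGE_MASK = 0x000F_FFFF_FFFF_F000   # bits 12..51 of CR3 / an entry: physical frame
PRESENT = 1 << 0                    # P bit
HUGE = 1 << 7                       # PS bit: entry maps a 1 GiB / 2 MiB page

def root_from_cr3(cr3):
    """Physical address of the top-level table; the low 12 bits are not address bits."""
    return cr3 & PAGE_MASK

def translate(phys_mem, root, vaddr):
    """Walk PML4 -> PDPT -> PD -> PT starting at physical `root`.

    Returns the physical address for `vaddr`, or None if it is not mapped.
    """
    # x86-64 physical addresses are at most 52 bits wide, so a kernel virtual
    # address such as 0xffff... can never be a valid table root.
    if root >> 52 or root & 0xFFF:
        raise ValueError("root must be a page-aligned physical address")
    table = root
    for shift in (39, 30, 21, 12):
        index = (vaddr >> shift) & 0x1FF
        entry = phys_mem.get(table + index * 8, 0)
        if not entry & PRESENT:
            return None
        if shift == 12 or (shift in (30, 21) and entry & HUGE):
            offset_mask = (1 << shift) - 1
            return (entry & PAGE_MASK & ~offset_mask) | (vaddr & offset_mask)
        table = entry & PAGE_MASK       # next level is again a physical address
    return None

def build_sample():
    """Constructed tables mapping one 2 MiB page at the kernel text address."""
    root, pdpt, pd = 0x1a0a000, 0x1a0b000, 0x1a0c000
    va = 0xffffffffb1800000
    mem = {
        root + ((va >> 39) & 0x1FF) * 8: pdpt | PRESENT,
        pdpt + ((va >> 30) & 0x1FF) * 8: pd | PRESENT,
        pd + ((va >> 21) & 0x1FF) * 8: 0x2e00000 | PRESENT | HUGE,
    }
    return mem, root, va

if __name__ == "__main__":
    mem, root, va = build_sample()
    print(hex(translate(mem, root_from_cr3(0x1a0a000), va + 0x1234)))
```

Every table pointer followed during the walk is physical, which is why passing a virtual address as the root is rejected before any entry is read.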
I'm trying to use pt-dump on a regular x64 environment. I would like to save a specific address; however, whenever I try to save one address I get the following error:
or
fail :/
Could you assist in solving this issue? It sounds like there is some weird parsing error there while parsing the address itself; maybe I'm not using the tool correctly?
Thanks, Guy