summary refs log tree commit diff stats
path: root/results/classifier/accel-gemma3:12b/kvm/1605611
blob: 4ec706c4b22893c58a846fab24a460dd93a95249 (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

memsave returns invalid addr when trying to read a 64 bits address

I am trying to read the first 16 bytes of the System Process on a Windows XP x64 SP2 using the memsave monitor command.

I cloned the latest release of QEMU, v2.6.0, configured it with 
./configure --target-list=i386-softmmu,x86_64-softmmu --enable-sdl
and compiled it.

I first tried to use memsave against Windows XP SP3 32 bits.
This is the procedure i used :

1 - start the VM with :
./i386-softmmu/qemu-system-i386 --enable-kvm -monitor stdio -hda ~/vm/winxp.qcow2
and wait for the desktop
2 - take a physical memory dump with :
pmemsave 0 134217728 dump.raw
3 - call rekall on this memory dump to identify running processes :
rekall -f dump.raw pslist
_EPROCESS          Name          PID   PPID   Thds    Hnds    Sess  Wow64           Start                     Exit          
---------- -------------------- ----- ------ ------ -------- ------ ------ ------------------------ ------------------------
0x80e8fa00 System                   4      0     46      148      - False  -                        -                       
4 - read the first 16 bytes of the System PROCESS struct :
memsave 0x80e8fa00 16 system
5 - check the content with hexdump :
00000000  03 00 1b 00 00 00 00 00  08 fa e8 80 08 fa e8 80
you can recognize here the beginning of an EPROCESS struct.

So on a 32 bits Windows XP OS, it works.

But when i tried on Windows XP SP2 64 bits, rekall gave me the following output :
  _EPROCESS            Name          PID   PPID   Thds    Hnds    Sess  Wow64           Start                     Exit          
-------------- -------------------- ----- ------ ------ -------- ------ ------ ------------------------ ------------------------
0xfadffd71d040 System                   4      0     51      398      - False  -                        -                       
And when i tried to read the memory with memsave :
memsave 0xfadffd71d040 16 system

I had the following error :
Invalid addr 0x0000fadffd71d040/size 16 specified

This address is supposed to be valid because I am reading the System EProcess struct, which should not be in the paged pool memory I think.
Also i disabled the paging file to be sure and the bug is still present.

Furthermore the bug is reproducible on the latest QEMU (01a720125f5e2f0a23d2682b39dead2fcc820066).

Can you confirm that this is a bug ?
Should i check something ?

Thanks !