summary refs log tree commit diff stats
path: root/results/classifier/118/none/1605611
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/118/none/1605611')
-rw-r--r--results/classifier/118/none/160561193
1 files changed, 93 insertions, 0 deletions
diff --git a/results/classifier/118/none/1605611 b/results/classifier/118/none/1605611
new file mode 100644
index 000000000..2ed1a7954
--- /dev/null
+++ b/results/classifier/118/none/1605611
@@ -0,0 +1,93 @@
+semantic: 0.509
+peripherals: 0.486
+mistranslation: 0.451
+register: 0.409
+user-level: 0.404
+permissions: 0.399
+PID: 0.389
+arm: 0.384
+performance: 0.380
+architecture: 0.376
+ppc: 0.376
+device: 0.375
+virtual: 0.364
+VMM: 0.363
+hypervisor: 0.356
+graphic: 0.349
+assembly: 0.347
+debug: 0.338
+vnc: 0.335
+TCG: 0.333
+risc-v: 0.310
+i386: 0.306
+KVM: 0.301
+x86: 0.280
+network: 0.264
+files: 0.256
+kernel: 0.251
+boot: 0.247
+socket: 0.215
+
+memsave returns invalid addr when trying to read a 64 bits address
+
+I am trying to read the first 16 bytes of the System Process on a Windows XP x64 SP2 using the memsave monitor command.
+
+I cloned the latest release of QEMU, v2.6.0, configured it with 
+./configure --target-list=i386-softmmu,x86_64-softmmu --enable-sdl
+and compiled it.
+
+I first tried to use memsave against Windows XP SP3 32 bits.
+This is the procedure i used :
+
+1 - start the VM with :
+./i386-softmmu/qemu-system-i386 --enable-kvm -monitor stdio -hda ~/vm/winxp.qcow2
+and wait for the desktop
+2 - take a physical memory dump with :
+pmemsave 0 134217728 dump.raw
+3 - call rekall on this memory dump to identify running processes :
+rekall -f dump.raw pslist
+_EPROCESS          Name          PID   PPID   Thds    Hnds    Sess  Wow64           Start                     Exit          
+---------- -------------------- ----- ------ ------ -------- ------ ------ ------------------------ ------------------------
+0x80e8fa00 System                   4      0     46      148      - False  -                        -                       
+4 - read the first 16 bytes of the System PROCESS struct :
+memsave 0x80e8fa00 16 system
+5 - check the content with hexdump :
+00000000  03 00 1b 00 00 00 00 00  08 fa e8 80 08 fa e8 80
+you can recognize here the beginning of an EPROCESS struct.
+
+So on a 32 bits Windows XP OS, it works.
+
+But when i tried on Windows XP SP2 64 bits, rekall gave me the following output :
+  _EPROCESS            Name          PID   PPID   Thds    Hnds    Sess  Wow64           Start                     Exit          
+-------------- -------------------- ----- ------ ------ -------- ------ ------ ------------------------ ------------------------
+0xfadffd71d040 System                   4      0     51      398      - False  -                        -                       
+And when i tried to read the memory with memsave :
+memsave 0xfadffd71d040 16 system
+
+I had the following error :
+Invalid addr 0x0000fadffd71d040/size 16 specified
+
+This address is supposed to be valid because I am reading the System EProcess struct, which should not be in the paged pool memory I think.
+Also i disabled the paging file to be sure and the bug is still present.
+
+Furthermore the bug is reproducible on the latest QEMU (01a720125f5e2f0a23d2682b39dead2fcc820066).
+
+Can you confirm that this is a bug ?
+Should i check something ?
+
+Thanks !
+
+The QEMU project is currently considering to move its bug tracking to
+another system. For this we need to know which bugs are still valid
+and which could be closed already. Thus we are setting older bugs to
+"Incomplete" now.
+
+If you still think this bug report here is valid, then please switch
+the state back to "New" within the next 60 days, otherwise this report
+will be marked as "Expired". Or please mark it as "Fix Released" if
+the problem has been solved with a newer version of QEMU already.
+
+Thank you and sorry for the inconvenience.
+
+[Expired for QEMU because there has been no activity for 60 days.]
+