summary refs log tree commit diff stats
path: root/results/classifier/deepseek-2-tmp/output/mistranslation/1605611
diff options
context:
space:
mode:
Diffstat (limited to 'results/classifier/deepseek-2-tmp/output/mistranslation/1605611')
-rw-r--r--results/classifier/deepseek-2-tmp/output/mistranslation/160561149
1 files changed, 49 insertions, 0 deletions
diff --git a/results/classifier/deepseek-2-tmp/output/mistranslation/1605611 b/results/classifier/deepseek-2-tmp/output/mistranslation/1605611
new file mode 100644
index 000000000..4ec706c4b
--- /dev/null
+++ b/results/classifier/deepseek-2-tmp/output/mistranslation/1605611
@@ -0,0 +1,49 @@
+
+memsave returns invalid addr when trying to read a 64 bits address
+
+I am trying to read the first 16 bytes of the System Process on a Windows XP x64 SP2 using the memsave monitor command.
+
+I cloned the latest release of QEMU, v2.6.0, configured it with 
+./configure --target-list=i386-softmmu,x86_64-softmmu --enable-sdl
+and compiled it.
+
+I first tried to use memsave against Windows XP SP3 32 bits.
+This is the procedure i used :
+
+1 - start the VM with :
+./i386-softmmu/qemu-system-i386 --enable-kvm -monitor stdio -hda ~/vm/winxp.qcow2
+and wait for the desktop
+2 - take a physical memory dump with :
+pmemsave 0 134217728 dump.raw
+3 - call rekall on this memory dump to identify running processes :
+rekall -f dump.raw pslist
+_EPROCESS          Name          PID   PPID   Thds    Hnds    Sess  Wow64           Start                     Exit          
+---------- -------------------- ----- ------ ------ -------- ------ ------ ------------------------ ------------------------
+0x80e8fa00 System                   4      0     46      148      - False  -                        -                       
+4 - read the first 16 bytes of the System PROCESS struct :
+memsave 0x80e8fa00 16 system
+5 - check the content with hexdump :
+00000000  03 00 1b 00 00 00 00 00  08 fa e8 80 08 fa e8 80
+you can recognize here the beginning of an EPROCESS struct.
+
+So on a 32 bits Windows XP OS, it works.
+
+But when i tried on Windows XP SP2 64 bits, rekall gave me the following output :
+  _EPROCESS            Name          PID   PPID   Thds    Hnds    Sess  Wow64           Start                     Exit          
+-------------- -------------------- ----- ------ ------ -------- ------ ------ ------------------------ ------------------------
+0xfadffd71d040 System                   4      0     51      398      - False  -                        -                       
+And when i tried to read the memory with memsave :
+memsave 0xfadffd71d040 16 system
+
+I had the following error :
+Invalid addr 0x0000fadffd71d040/size 16 specified
+
+This address is supposed to be valid because I am reading the System EProcess struct, which should not be in the paged pool memory I think.
+Also i disabled the paging file to be sure and the bug is still present.
+
+Furthermore the bug is reproducible on the latest QEMU (01a720125f5e2f0a23d2682b39dead2fcc820066).
+
+Can you confirm that this is a bug ?
+Should i check something ?
+
+Thanks !
\ No newline at end of file