Public bug reported:
I am trying to read the first 16 bytes of the System Process on a
Windows XP x64 SP2 using the memsave monitor command.
I cloned the latest release of QEMU, v2.6.0, configured it with
./configure --target-list=i386-softmmu,x86_64-softmmu --enable-sdl
and compiled it.
I first tried to use memsave against Windows XP SP3 32 bits.
This is the procedure i used :
1 - start the VM with :
./i386-softmmu/qemu-system-i386 --enable-kvm -monitor stdio -hda
~/vm/winxp.qcow2
and wait for the desktop
2 - take a physical memory dump with :
pmemsave 0 134217728 dump.raw
3 - call rekall on this memory dump to identify running processes :
rekall -f dump.raw pslist
_EPROCESS Name PID PPID Thds Hnds Sess Wow64
Start Exit
---------- -------------------- ----- ------ ------ -------- ------ ------
------------------------ ------------------------
0x80e8fa00 System 4 0 46 148 - False -
-
4 - read the first 16 bytes of the System PROCESS struct :
memsave 0x80e8fa00 16 system
5 - check the content with hexdump :
00000000 03 00 1b 00 00 00 00 00 08 fa e8 80 08 fa e8 80
you can recognize here the beginning of an EPROCESS struct.
So on a 32 bits Windows XP OS, it works.
But when i tried on Windows XP SP2 64 bits, rekall gave me the following output
:
_EPROCESS Name PID PPID Thds Hnds Sess Wow64
Start Exit
-------------- -------------------- ----- ------ ------ -------- ------ ------
------------------------ ------------------------
0xfadffd71d040 System 4 0 51 398 - False
- -
And when i tried to read the memory with memsave :
memsave 0xfadffd71d040 16 system
I had the following error :
Invalid addr 0x0000fadffd71d040/size 16 specified
This address is supposed to be valid because I am reading the System EProcess
struct, which should not be in the paged pool memory I think.
Also i disabled the paging file to be sure and the bug is still present.
Furthermore the bug is reproducible on the latest QEMU
(01a720125f5e2f0a23d2682b39dead2fcc820066).
Can you confirm that this is a bug ?
Should i check something ?
Thanks !
** Affects: qemu
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1605611
Title:
memsave returns invalid addr when trying to read a 64 bits address
Status in QEMU:
New
Bug description:
I am trying to read the first 16 bytes of the System Process on a
Windows XP x64 SP2 using the memsave monitor command.
I cloned the latest release of QEMU, v2.6.0, configured it with
./configure --target-list=i386-softmmu,x86_64-softmmu --enable-sdl
and compiled it.
I first tried to use memsave against Windows XP SP3 32 bits.
This is the procedure i used :
1 - start the VM with :
./i386-softmmu/qemu-system-i386 --enable-kvm -monitor stdio -hda
~/vm/winxp.qcow2
and wait for the desktop
2 - take a physical memory dump with :
pmemsave 0 134217728 dump.raw
3 - call rekall on this memory dump to identify running processes :
rekall -f dump.raw pslist
_EPROCESS Name PID PPID Thds Hnds Sess Wow64
Start Exit
---------- -------------------- ----- ------ ------ -------- ------ ------
------------------------ ------------------------
0x80e8fa00 System 4 0 46 148 - False -
-
4 - read the first 16 bytes of the System PROCESS struct :
memsave 0x80e8fa00 16 system
5 - check the content with hexdump :
00000000 03 00 1b 00 00 00 00 00 08 fa e8 80 08 fa e8 80
you can recognize here the beginning of an EPROCESS struct.
So on a 32 bits Windows XP OS, it works.
But when i tried on Windows XP SP2 64 bits, rekall gave me the following
output :
_EPROCESS Name PID PPID Thds Hnds Sess Wow64
Start Exit
-------------- -------------------- ----- ------ ------ -------- ------
------ ------------------------ ------------------------
0xfadffd71d040 System 4 0 51 398 - False
- -
And when i tried to read the memory with memsave :
memsave 0xfadffd71d040 16 system
I had the following error :
Invalid addr 0x0000fadffd71d040/size 16 specified
This address is supposed to be valid because I am reading the System EProcess
struct, which should not be in the paged pool memory I think.
Also i disabled the paging file to be sure and the bug is still present.
Furthermore the bug is reproducible on the latest QEMU
(01a720125f5e2f0a23d2682b39dead2fcc820066).
Can you confirm that this is a bug ?
Should i check something ?
Thanks !
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1605611/+subscriptions
