From: Mathieu Tarral
Subject: [Qemu-devel] [Bug 1605611] [NEW] memsave returns invalid addr when trying to read a 64 bits address
Date: Fri, 22 Jul 2016 12:19:02 -0000

Public bug reported:

I am trying to read the first 16 bytes of the System Process on a
Windows XP x64 SP2 using the memsave monitor command.

I cloned the latest release of QEMU, v2.6.0, configured it with 
./configure --target-list=i386-softmmu,x86_64-softmmu --enable-sdl
and compiled it.

I first tried to use memsave against Windows XP SP3 32 bits.
This is the procedure I used:

1 - start the VM with:
./i386-softmmu/qemu-system-i386 --enable-kvm -monitor stdio -hda ~/vm/winxp.qcow2
and wait for the desktop
2 - take a physical memory dump with:
pmemsave 0 134217728 dump.raw
3 - call rekall on this memory dump to identify running processes:
rekall -f dump.raw pslist
_EPROCESS  Name    PID  PPID  Thds  Hnds  Sess  Wow64  Start  Exit
---------- ------- ---- ----- ----- ----- ----- ------ ------ -----
0x80e8fa00 System     4     0    46   148     - False      -     -
4 - read the first 16 bytes of the System PROCESS struct:
memsave 0x80e8fa00 16 system
5 - check the content with hexdump:
00000000  03 00 1b 00 00 00 00 00  08 fa e8 80 08 fa e8 80
you can recognize here the beginning of an EPROCESS struct.

So on a 32 bits Windows XP OS, it works.

But when I tried on Windows XP SP2 64 bits, rekall gave me the following output:
_EPROCESS      Name    PID  PPID  Thds  Hnds  Sess  Wow64  Start  Exit
-------------- ------- ---- ----- ----- ----- ----- ------ ------ -----
0xfadffd71d040 System     4     0    51   398     - False      -     -
And when I tried to read the memory with memsave:
memsave 0xfadffd71d040 16 system

I had the following error:
Invalid addr 0x0000fadffd71d040/size 16 specified

This address is supposed to be valid because I am reading the System EProcess
struct, which should not be in the paged pool memory I think.
Also I disabled the paging file to be sure and the bug is still present.

Furthermore the bug is reproducible on the latest QEMU
(01a720125f5e2f0a23d2682b39dead2fcc820066).

Can you confirm that this is a bug?
Should I check something?

Thanks!

** Affects: qemu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of qemu-devel-ml,
which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1605611

Title:
  memsave returns invalid addr when trying to read a 64 bits address

Status in QEMU:
  New
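Two checks a practitioner would run on the values in this report, as an added example that is not part of the report or of QEMU: whether the address handed to memsave (which, unlike pmemsave, reads guest-virtual memory through the current CPU's page tables) is canonical under x86-64's 48-bit virtual addressing, and whether the 16 bytes read on the 32-bit guest decode as the XP DISPATCHER_HEADER that opens every EPROCESS. The field layout and the Type value 3 for a process object follow the public XP structure layouts; the helper names are mine.

```python
import struct

VA_BITS = 48  # 4-level paging on the x86_64 target: bits 63..47 must all match


def is_canonical(addr: int, va_bits: int = VA_BITS) -> bool:
    """True if the upper (64 - va_bits + 1) bits are all 0 or all 1."""
    addr &= (1 << 64) - 1
    top = addr >> (va_bits - 1)
    return top == 0 or top == (1 << (64 - va_bits + 1)) - 1


def sign_extend(addr: int, va_bits: int = VA_BITS) -> int:
    """Canonical form of an address that was printed with only va_bits digits."""
    addr &= (1 << va_bits) - 1
    if addr >> (va_bits - 1):          # bit va_bits-1 set: kernel half
        addr |= ((1 << 64) - 1) ^ ((1 << va_bits) - 1)
    return addr


def parse_hexdump_line(line: str) -> bytes:
    """Bytes from one hexdump line: an offset followed by hex byte fields."""
    fields = line.split()
    return bytes(int(b, 16) for b in fields[1:17])


def dispatcher_header(blob: bytes) -> dict:
    """Decode the 32-bit XP DISPATCHER_HEADER at the start of a kernel object.

    Layout (16 bytes): Type, Absolute, Size (in dwords), Inserted as UCHARs,
    SignalState as LONG, then WaitListHead as a LIST_ENTRY {Flink, Blink}.
    """
    typ, _absolute, size, _inserted, signal = struct.unpack_from("<BBBBi", blob, 0)
    flink, blink = struct.unpack_from("<II", blob, 8)
    return {
        "Type": typ,                  # 3 == ProcessObject in the KOBJECTS enum
        "SizeBytes": size * 4,        # 0x1b dwords == 0x6c, sizeof(KPROCESS) on XP x86
        "SignalState": signal,
        "WaitListHead": (flink, blink),  # empty list: both point at the head itself
        "is_process": typ == 3,
    }


if __name__ == "__main__":
    # Values taken from the report above.
    for a in (0x80e8fa00, 0x0000fadffd71d040):
        print(hex(a), "canonical" if is_canonical(a) else
              "non-canonical, sign-extended form %#x" % sign_extend(a))
    print(dispatcher_header(parse_hexdump_line(
        "00000000  03 00 1b 00 00 00 00 00  08 fa e8 80 08 fa e8 80")))
```

The address in the error message, 0x0000fadffd71d040, fails the canonical check; its sign-extended form is the only one a page-table walk can translate.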
