From: Greg Kurz <gkurz@linux.vnet.ibm.com>
To: Jun Koi <junkoi2004@gmail.com>
Cc: "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] dump-guest-memory command?
Date: Fri, 16 May 2014 09:03:22 +0200	[thread overview]
Message-ID: <20140516090322.78f174a3@bahia.local> (raw)
In-Reply-To: <CA+g7VZ1hLfQ6+bf_UvyOQn2Y-3b3tD1DoxxR4Dkky3xSE274GA@mail.gmail.com>


On Fri, 16 May 2014 14:24:16 +0800
Jun Koi <junkoi2004@gmail.com> wrote:
> Hi,
> 
> Anybody please help me on this dump-guest-memory command? How does the
> virtual memory map to the dumped file?
> 
> For example, if x86 register RIP points to 0x12345, how does that map to
> the dump file? Meaning how can I find where this address 0x12345 in the
> dump?
> 
> I tried, but couldn't find much documentation on this command.
> 
> Thank you a lot,
> Jun

Hi Jun,

The dump file is in ELF format and data is written in ELF notes.
Use readelf -a on the file and you'll get something like the
following at the end of the output:

...

Notes at offset 0x000001c8 with length 0x00000328:
  Owner                 Data size       Description
  CORE                 0x00000150       NT_PRSTATUS (prstatus structure)
  QEMU                 0x000001b0       Unknown note type: (0x00000000)

The registers sit in the NT_PRSTATUS note (hence somewhere between offset
0x000001c8 and 0x000001c8+0x00000150+0x14, the 0x14 being the ELF note
header size). Be aware that Intel is little-endian: if RIP is 0x00012345,
you need to look for '45 23 01 00' in the file.

The attached script may help to display the dump file content.

Cheers.

-- 
Gregory Kurz                                     kurzgreg@fr.ibm.com
                                                 gkurz@linux.vnet.ibm.com
Software Engineer @ IBM/Meiosys                  http://www.ibm.com
Tel +33 (0)562 165 496

"Anarchy is about taking complete responsibility for yourself."
        Alan Moore.

[-- Attachment #2: elfnote --]
[-- Type: application/octet-stream, Size: 691 bytes --]

#!/bin/bash
# elfnote: locate ELF notes in a dump-guest-memory core file and hexdump
# the descriptor of every note whose "readelf -n" line matches a pattern.

usage() {
    cat <<EOF >&2
USAGE: elfnote <corefile> <note pattern>

example: elfnote ./vmcore PRSTATUS will show PRSTATUS (registers)
EOF
    exit 1
}

[[ -n "$1" ]] || usage
file="$1"
shift
[[ -n "$1" ]] || usage
pattern="$1"
shift

# Walk the "readelf -n" listing. Each note starts with a 20-byte header
# (12 bytes of namesz/descsz/type plus the 4-character owner name padded
# to 8), so a note's descriptor sits at offset + 20 and the next note at
# offset + 20 + descsz. --non-decimal-data (gawk) makes the 0x... fields
# numeric; the pattern is passed with -v instead of being spliced into
# the program text.
notes=( $(readelf -n "$file" | awk --non-decimal-data -v pattern="$pattern" '
    /Notes at offset/ { offset = $4 }
    $0 ~ pattern      { print offset + 20 ":" 0 + $2 }
    /CORE|QEMU/       { offset += 20 + $2 }') )

for note in "${notes[@]}"
do
    offset=${note%:*}
    size=${note#*:}

    printf "offset: 0x%x size: 0x%x\n" "$offset" "$size"
    echo "------------------------------------------------------"
    od -A x -t x1 -j "$offset" -N "$size" "$file"
    echo
done
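As an added example (not from the thread or from QEMU), the same walk done by parsing the ELF structures directly instead of scraping readelf: it follows the PT_NOTE segment to each note's descriptor and, for NT_PRSTATUS, reads RIP at the x86-64 elf_prstatus position (pr_reg at byte 112, rip in its 17th slot; that layout is an assumption about the guest being x86-64). The core file it runs on is a constructed minimal stand-in with the same two notes as the readelf listing above.

```python
import struct

PT_NOTE, NT_PRSTATUS = 4, 1
PR_REG_OFF = 112   # assumed x86-64 elf_prstatus layout: pr_reg follows pr_info..pr_cstime
RIP_INDEX = 16     # rip's slot in pr_reg (user_regs_struct order: r15 ... orig_rax, rip, ...)

def iter_notes(data):
    """Walk the PT_NOTE segments of a little-endian ELF64 core and yield
    (owner, type, file offset of the descriptor, descriptor size)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type != PT_NOTE:
            continue
        pos, end = p_offset, p_offset + p_filesz
        while pos + 12 <= end:
            namesz, descsz, ntype = struct.unpack_from("<III", data, pos)
            desc_off = pos + 12 + ((namesz + 3) & ~3)   # owner name padded to 4 bytes
            owner = data[pos + 12:pos + 12 + namesz].rstrip(b"\0").decode()
            yield owner, ntype, desc_off, descsz
            pos = desc_off + ((descsz + 3) & ~3)         # descriptor padded as well

def prstatus_rip(data):
    """Return [(file offset of rip, rip value)] for every NT_PRSTATUS note (one per vCPU)."""
    found = []
    for owner, ntype, off, size in iter_notes(data):
        if owner == "CORE" and ntype == NT_PRSTATUS and size >= PR_REG_OFF + 8 * (RIP_INDEX + 1):
            rip_off = off + PR_REG_OFF + 8 * RIP_INDEX
            found.append((rip_off, struct.unpack_from("<Q", data, rip_off)[0]))
    return found

def build_sample_core(rip=0x12345):
    """Constructed stand-in for a dump: ELF64 header, one PT_NOTE phdr, then the CORE
    NT_PRSTATUS (0x150 bytes) and QEMU (0x1b0 bytes) notes from the readelf listing above."""
    def note(owner, ntype, desc):
        name = owner + b"\0"
        hdr = struct.pack("<III", len(name), len(desc), ntype) + name.ljust((len(name) + 3) & ~3, b"\0")
        return hdr + desc.ljust((len(desc) + 3) & ~3, b"\0")
    prstatus = bytearray(0x150)
    struct.pack_into("<Q", prstatus, PR_REG_OFF + 8 * RIP_INDEX, rip)
    notes = note(b"CORE", NT_PRSTATUS, bytes(prstatus)) + note(b"QEMU", 0, bytes(0x1b0))
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(   # ET_CORE, EM_X86_64, phdrs at 64
        "<HHIQQQIHHHHHH", 4, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 0, 120, 0, 0, len(notes), len(notes), 4)
    return ehdr + phdr + notes
```

On a real dump, `prstatus_rip(open("vmcore", "rb").read())` gives the file offset at which the little-endian RIP bytes (for 0x12345, `45 23 01 00 ...`) can be checked with od.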

