From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:57554)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <gkurz@linux.vnet.ibm.com>) id 1WlCBo-0004M7-EB
	for qemu-devel@nongnu.org; Fri, 16 May 2014 03:04:29 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <gkurz@linux.vnet.ibm.com>) id 1WlCBf-0000Df-4w
	for qemu-devel@nongnu.org; Fri, 16 May 2014 03:04:20 -0400
Received: from e06smtp12.uk.ibm.com ([195.75.94.108]:48417)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <gkurz@linux.vnet.ibm.com>) id 1WlCBe-0000DA-SQ
	for qemu-devel@nongnu.org; Fri, 16 May 2014 03:04:11 -0400
Received: from /spool/local
	by e06smtp12.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use
	Only! Violators will be prosecuted
	for <qemu-devel@nongnu.org> from <gkurz@linux.vnet.ibm.com>;
	Fri, 16 May 2014 08:04:07 +0100
Received: from b06cxnps3074.portsmouth.uk.ibm.com
	(d06relay09.portsmouth.uk.ibm.com [9.149.109.194])
	by d06dlp03.portsmouth.uk.ibm.com (Postfix) with ESMTP id 8E8571B08041
	for <qemu-devel@nongnu.org>; Fri, 16 May 2014 08:03:49 +0100 (BST)
Received: from d06av09.portsmouth.uk.ibm.com (d06av09.portsmouth.uk.ibm.com
	[9.149.37.250])
	by b06cxnps3074.portsmouth.uk.ibm.com (8.13.8/8.13.8/NCO v10.0) with
	ESMTP id s4G73YQU655762
	for <qemu-devel@nongnu.org>; Fri, 16 May 2014 07:03:34 GMT
Received: from d06av09.portsmouth.uk.ibm.com (localhost [127.0.0.1])
	by d06av09.portsmouth.uk.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with
	ESMTP id s4G73XaB017760
	for <qemu-devel@nongnu.org>; Fri, 16 May 2014 01:03:34 -0600
Date: Fri, 16 May 2014 09:03:22 +0200
From: Greg Kurz <gkurz@linux.vnet.ibm.com>
Message-ID: <20140516090322.78f174a3@bahia.local>
In-Reply-To: <CA+g7VZ1hLfQ6+bf_UvyOQn2Y-3b3tD1DoxxR4Dkky3xSE274GA@mail.gmail.com>
References: <CA+g7VZ1hLfQ6+bf_UvyOQn2Y-3b3tD1DoxxR4Dkky3xSE274GA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="MP_/SxeKjVmYK7Zp4YtH=8a6q6C"
Subject: Re: [Qemu-devel] dump-guest-memory command?
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Jun Koi <junkoi2004@gmail.com>
Cc: "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>

--MP_/SxeKjVmYK7Zp4YtH=8a6q6C
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

On Fri, 16 May 2014 14:24:16 +0800
Jun Koi <junkoi2004@gmail.com> wrote:
> Hi,
> 
> Anybody please help me on this dump-guest-memory command? How does the
> virtual memory map to the dumped file?
> 
> For example, if x86 register RIP points to 0x12345, how does that map to
> the dump file? Meaning how can I find where this address 0x12345 in the
> dump?
> 
> I tried, but couldnt find much documentation on this command.
> 
> Thank you a lot,
> Jun

Hi Jun,

The dump file is in ELF format and data is written in ELF notes.
Use readelf -a on the file and you'll get something like the
following at the end of the output:

...

Notes at offset 0x000001c8 with length 0x00000328:
  Owner                 Data size       Description
  CORE                 0x00000150       NT_PRSTATUS (prstatus structure)
  QEMU                 0x000001b0       Unknown note type: (0x00000000)

The registers sit in the NT_PRSTATUS note (hence somewhere offset
0x000001c8 and 0x000001c8+0x00000150+0x14 (the latter is the ELF note
header size). Be aware that intel is little endian: if RIP is 0x00012345,
you need to look for '45 23 01 00' in the file.

The attached script may help to display the dump file content.

Cheers.

-- 
Gregory Kurz                                     kurzgreg@fr.ibm.com
                                                 gkurz@linux.vnet.ibm.com
Software Engineer @ IBM/Meiosys                  http://www.ibm.com
Tel +33 (0)562 165 496

"Anarchy is about taking complete responsibility for yourself."
        Alan Moore.

--MP_/SxeKjVmYK7Zp4YtH=8a6q6C
Content-Type: application/octet-stream; name=elfnote
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=elfnote

IyEvYmluL2Jhc2gKCnVzYWdlKCkgewogICAgY2F0PDxFT0Y+JjIKVVNBR0U6IGVsZm5vdGUgPGNv
cmVmaWxlPiA8bm90ZSBwYXR0ZXJuPgoKZXhhbXBsZTogZWxmbm90ZSAuL3ZtY29yZSBQUlNUQVRV
UyB3aWxsIHNob3cgUFJTVEFUVVMgKHJlZ2lzdGVycykKRU9GCiAgICBleGl0IDEKfQoKW1sgLW4g
IiQxIiBdXSB8fCB1c2FnZQpmaWxlPSIkMSIKc2hpZnQKW1sgLW4gIiQxIiBdXSB8fCB1c2FnZQpw
YXR0ZXJuPSIkMSIKc2hpZnQKCm5vdGVzPSggJChyZWFkZWxmIC1uICRmaWxlIHwgYXdrIC0tbm9u
LWRlY2ltYWwtZGF0YSBcCiAgICAiL05vdGVzIGF0IG9mZnNldC8geyBvZmZzZXQgPSBcJDQgfSBc
CiAgICAgLyRwYXR0ZXJuLyB7IHByaW50IG9mZnNldCArIDIwIFwiOlwiIDAgKyBcJDIgfSBcCiAg
ICAgL0NPUkV8UUVNVS8geyBvZmZzZXQgKz0gMjAgKyBcJDIgfSIpKQoKZm9yIG5vdGUgaW4gIiR7
bm90ZXNbQF19IgpkbwogICAgb2Zmc2V0PSR7bm90ZSU6Kn0KICAgIHNpemU9JHtub3RlIyo6fQoK
ICAgIHByaW50ZiAib2Zmc2V0OiAweCV4IHNpemU6IDB4JXhcbiIgJG9mZnNldCAkc2l6ZQogICAg
ZWNobyAiLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t
LS0tIgogICAgb2QgLUEgeCAtdCB4MSAtaiAkb2Zmc2V0IC1OICRzaXplICRmaWxlCiAgICBlY2hv
CmRvbmUKCg==

--MP_/SxeKjVmYK7Zp4YtH=8a6q6C--