From: Greg Kurz
Date: Fri, 16 May 2014 11:51:58 +0200
Message-ID: <20140516115158.301d8fc7@bahia.local>
References: <20140516090322.78f174a3@bahia.local>
Subject: Re: [Qemu-devel] dump-guest-memory command?
To: Jun Koi
Cc: "qemu-devel@nongnu.org"

On Fri, 16 May 2014 16:40:23 +0800
Jun Koi wrote:

> On Fri, May 16, 2014 at 3:03 PM, Greg Kurz wrote:
>
> > On Fri, 16 May 2014 14:24:16 +0800
> > Jun Koi wrote:
> > > Hi,
> > >
> > > Anybody please help me on this dump-guest-memory command? How does the
> > > virtual memory map to the dumped file?
> > >
> > > For example, if x86 register RIP points to 0x12345, how does that map to
> > > the dump file? Meaning how can I find where this address 0x12345 is in the
> > > dump?
> > >
> > > I tried, but couldn't find much documentation on this command.
> > >
> > > Thank you a lot,
> > > Jun
> >
> > Hi Jun,
> >
> > The dump file is in ELF format and data is written in ELF notes.
> > Use readelf -a on the file and you'll get something like the
> > following at the end of the output:
> >
> > ...
> >
> > Notes at offset 0x000001c8 with length 0x00000328:
> >   Owner     Data size     Description
> >   CORE      0x00000150    NT_PRSTATUS (prstatus structure)
> >   QEMU      0x000001b0    Unknown note type: (0x00000000)
> >
> > The registers sit in the NT_PRSTATUS note (hence somewhere between offset
> > 0x000001c8 and 0x000001c8+0x00000150+0x14; the latter is the ELF note
> > header size). Be aware that Intel is little endian: if RIP is 0x00012345,
> > you need to look for '45 23 01 00' in the file.
> >
> >
> Thanks so much, but perhaps you misunderstood my question? What I want to
> know is how to map 0x12345 (virtual address) back to the dump file.
>

Heh... sorry for that, morning isn't the best time to answer questions I guess ;)

> For example, if 0x12345 was executing some filesystem code at the time I
> dumped the VM, then I can locate exactly that code in the dumpfile, thanks
> to the given RIP address (which is 0x12345 in this example)
>
> I hope I explained my idea clearly enough this time?
>

Yeah. Maybe the crash utility (http://people.redhat.com/anderson) can help.

> Thanks a lot,
> Jun

--
Gregory Kurz                                     kurzgreg@fr.ibm.com
                                                 gkurz@linux.vnet.ibm.com
Software Engineer @ IBM/Meiosys                  http://www.ibm.com
Tel +33 (0)562 165 496

"Anarchy is about taking complete responsibility for yourself."
        Alan Moore.
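
The note lookup described in the first reply above, as an added example that is not part of the original thread and is not QEMU code: it walks the PT_NOTE segment of an ELF64 little-endian dump, finds the CORE/NT_PRSTATUS note, and searches its payload for a register value in little-endian byte order. The sample file, the slot where RIP is stored in it, and the function names are constructed for this illustration.

```python
import struct

NT_PRSTATUS, PT_NOTE = 1, 4  # ELF note type and program header type

def iter_notes(elf):
    """Yield (owner, type, desc_offset, desc_size) for every note in an ELF64 LE file."""
    assert elf[:4] == b"\x7fELF" and elf[4] == 2 and elf[5] == 1  # ELF64, little endian
    e_phoff, = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        p_type, _flags, p_offset = struct.unpack_from("<IIQ", elf, ph)
        p_filesz, = struct.unpack_from("<Q", elf, ph + 0x20)
        if p_type != PT_NOTE:
            continue
        pos, end = p_offset, p_offset + p_filesz
        while pos + 12 <= end:
            namesz, descsz, ntype = struct.unpack_from("<III", elf, pos)
            owner = elf[pos + 12:pos + 12 + namesz].rstrip(b"\0").decode()
            # 12-byte note header plus the owner name padded to 4 bytes:
            # for "CORE\0" that is 12 + 8 = 0x14, the header size quoted above.
            desc_off = pos + 12 + ((namesz + 3) & ~3)
            yield owner, ntype, desc_off, descsz
            pos = desc_off + ((descsz + 3) & ~3)

def find_register_value(elf, value):
    """Return file offsets inside NT_PRSTATUS payloads holding the 64-bit value."""
    needle = struct.pack("<Q", value)  # 0x12345 -> 45 23 01 00 00 00 00 00
    hits = []
    for owner, ntype, off, size in iter_notes(elf):
        if owner == "CORE" and ntype == NT_PRSTATUS:
            idx = elf.find(needle, off, off + size)
            while idx != -1:
                hits.append(idx)
                idx = elf.find(needle, idx + 1, off + size)
    return hits

def build_sample(rip):
    """Constructed minimal ELF64 core: one PT_NOTE with a CORE and a QEMU note."""
    desc = bytearray(0x150)
    struct.pack_into("<Q", desc, 0x80, rip)  # arbitrary slot chosen for this sample
    notes = struct.pack("<III", 5, len(desc), NT_PRSTATUS) + b"CORE\0\0\0\0" + bytes(desc)
    notes += struct.pack("<III", 5, 8, 0) + b"QEMU\0\0\0\0" + bytes(8)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 4, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 0, 120, 0, 0, len(notes), len(notes), 4)
    return ehdr + phdr + notes

if __name__ == "__main__":
    print([hex(o) for o in find_register_value(build_sample(0x12345), 0x12345)])
```

On a real dump, read the file with open(path, "rb").read() and pass the bytes to find_register_value. This locates the saved register inside the note only; it does not translate a guest virtual address to a position in the dumped memory.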