On Fri, May 16, 2014 at 3:03 PM, Greg Kurz <gk...@linux.vnet.ibm.com> wrote:

> On Fri, 16 May 2014 14:24:16 +0800
> Jun Koi <junkoi2...@gmail.com> wrote:
> > Hi,
> >
> > Anybody please help me on this dump-guest-memory command? How does the
> > virtual memory map to the dumped file?
> >
> > For example, if x86 register RIP points to 0x12345, how does that map to
> > the dump file? Meaning how can I find where this address 0x12345 is in the
> > dump?
> >
> > I tried, but couldn't find much documentation on this command.
> >
> > Thank you a lot,
> > Jun
>
> Hi Jun,
>
> The dump file is in ELF format and data is written in ELF notes.
> Use readelf -a on the file and you'll get something like the
> following at the end of the output:
>
> ...
>
> Notes at offset 0x000001c8 with length 0x00000328:
>   Owner                 Data size       Description
>   CORE                 0x00000150       NT_PRSTATUS (prstatus structure)
>   QEMU                 0x000001b0       Unknown note type: (0x00000000)
>
> The registers sit in the NT_PRSTATUS note (hence somewhere between offset
> 0x000001c8 and 0x000001c8+0x00000150+0x14 (the latter is the ELF note
> header size)). Be aware that Intel is little endian: if RIP is 0x00012345,
> you need to look for '45 23 01 00' in the file.
>
>
Thanks so much, but perhaps you misunderstood my question? What I want to
know is how to map 0x12345 (virtual address) back to the dump file.

For example, if 0x12345 was executing some filesystem code at the time I
dumped the VM, then I can locate exactly that code in the dumpfile, thanks
to the given RIP address (which is 0x12345 in this example).

I hope I explained my idea clearly enough this time?

Thanks a lot,
Jun
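
The note lookup Greg describes above, as an added example that is not part of the original thread or of QEMU's code: it walks the PT_NOTE segment of a little-endian ELF64 dump, finds each CORE/NT_PRSTATUS note and reports the file offset and value of RIP. `RIP_OFFSET` assumes the x86-64 prstatus layout (112 bytes before the register block, RIP as the 17th 8-byte register), and `build_sample` constructs a minimal ELF for the demonstration.

```python
import struct

PT_NOTE, NT_PRSTATUS = 4, 1
# Assumption: x86-64 prstatus layout, 112 bytes of header then 8-byte registers.
RIP_OFFSET = 112 + 16 * 8

def align4(n):
    return (n + 3) & ~3

def iter_notes(elf):
    """Yield (owner, type, desc_file_offset, desc_size) for each note in PT_NOTE."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_phoff, = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", elf, base)
        if p_type != PT_NOTE:
            continue
        pos, end = p_offset, p_offset + p_filesz
        while pos + 12 <= end:
            namesz, descsz, ntype = struct.unpack_from("<III", elf, pos)
            name = elf[pos + 12:pos + 12 + namesz].rstrip(b"\0").decode("ascii", "replace")
            desc = pos + 12 + align4(namesz)  # 12-byte header + padded owner name
            if desc + descsz > end:
                raise ValueError("truncated note")
            yield name, ntype, desc, descsz
            pos = desc + align4(descsz)

def find_rip(elf):
    """Return [(file offset of RIP, RIP value)] for each CORE/NT_PRSTATUS note."""
    return [(desc + RIP_OFFSET, struct.unpack_from("<Q", elf, desc + RIP_OFFSET)[0])
            for name, ntype, desc, descsz in iter_notes(elf)
            if name == "CORE" and ntype == NT_PRSTATUS and descsz >= RIP_OFFSET + 8]

def build_sample(rip):
    """Constructed sample: ELF64 header, one PT_NOTE, one 0x150-byte prstatus note."""
    desc = bytearray(0x150)
    struct.pack_into("<Q", desc, RIP_OFFSET, rip)
    note = struct.pack("<III", 5, len(desc), NT_PRSTATUS) + b"CORE\0\0\0\0" + bytes(desc)
    ehdr = bytearray(64)
    ehdr[:6] = b"\x7fELF\x02\x01"
    struct.pack_into("<Q", ehdr, 0x20, 64)        # e_phoff: phdr follows the header
    struct.pack_into("<HH", ehdr, 0x36, 56, 1)    # e_phentsize, e_phnum
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 0, 64 + 56, 0, 0, len(note), len(note), 0)
    return bytes(ehdr) + phdr + note
```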
