Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failing to parse QEMU memory dump note .shstrtab #370

Open
IridiumXOR opened this issue May 24, 2023 · 1 comment
Open

Failing to parse QEMU memory dump note .shstrtab #370

IridiumXOR opened this issue May 24, 2023 · 1 comment

Comments

@IridiumXOR
Copy link

Hi,
if you generate an ELF core file containing the memory dump of VM in QEMU (qemu-system-x86_64 than in console dump-guest-memory FILENAME) and you parse it with a simple Rust program as

use goblin::Object;
use std::io::Read;
use std::fs::File;

fn main() {

    let mut file = File::open("/tmp/elf").map_err(|_| "open file error").expect("Error");

    let mut head = vec![0; 1024*1024*2];
    file.read(&mut head).ok();
    println!("{:?}\n", Object::parse(&head));
}

you get Err(Malformed("Section 1 size (151127112) + offset (11) is out of bounds. Overflowed: false")) but the ELF core is correctly formatted. I suppose the error is a offset-by-one error.
@m4b
Copy link
Owner

m4b commented Jul 5, 2023

interesting; @IridiumXOR would you be interested in working on a PR to fix this? :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@m4b @IridiumXOR