[panda-users] Fwd: Memdump's output

Brendan Dolan-Gavitt brendandg at nyu.edu
Wed Mar 9 11:36:28 EST 2016


[Forgot to send this to the list, where it can be useful to everyone]

Assuming you're using something like grep -bao (to print the byte
offset within the file where the match occurs), then you can map that
byte offset back to a tap point by using the tap index file. The tap
index file starts with a 4 byte integer giving the word size in bytes,
then a sequence of records giving the caller, program counter, cr3,
and finally the number of bytes. So to find out what tap point it is,
you can use something like this script:

https://gist.github.com/moyix/8d0d9996e28b1e433c9e

And then run:

$ python findindex.py tap_reads.idx 308988512
00000000008d125d 00000000008c9958 000000003eb5b3c0

Best,
Brendan

On Wed, Mar 9, 2016 at 5:41 AM, Julia Gustafsson
<gustafssonjulia92 at gmail.com> wrote:
> Hello,
>
> I have a question regarding the output from memdump.
>
> For example if I use grep on one of the output files I get this:
> 308988512:local
>
> What is the number?
>
> Best Regards,
> Julia
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>



--
Brendan Dolan-Gavitt
Assistant Professor, Department of Computer Science and Engineering
NYU Tandon School of Engineering
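As an added illustration of the lookup Brendan describes (this is not the linked gist and not PANDA's own code), the script below parses a tap index file with the layout given in the message: a 4-byte word size followed by records of caller, program counter, cr3 and byte count. It assumes little-endian fields and that all four record fields are word-sized (that field width is an assumption; the message only names the fields). It walks the records, summing byte counts, until the record that covers the grep byte offset is found, and prints the tap point in the same three-column hex form as the sample output. The index bytes used here are constructed in the script so it runs without a real dump.

```python
import struct
import sys

# Header of the index file: one 4-byte integer giving the word size in bytes.
HEADER = struct.Struct("<i")


def record_struct(word_size):
    """Return the struct for one record: caller, pc, cr3, nbytes.

    Assumption: each of the four fields is word_size bytes, little-endian.
    """
    if word_size == 4:
        return struct.Struct("<IIII")
    if word_size == 8:
        return struct.Struct("<QQQQ")
    raise ValueError("unsupported word size %d" % word_size)


def parse_tap_index(data):
    """Parse raw index bytes into (word_size, [(caller, pc, cr3, nbytes), ...])."""
    if len(data) < HEADER.size:
        raise ValueError("index too short for header")
    (word_size,) = HEADER.unpack_from(data, 0)
    rec = record_struct(word_size)
    body = data[HEADER.size:]
    if len(body) % rec.size:
        raise ValueError("truncated record at end of index")
    records = [rec.unpack_from(body, i) for i in range(0, len(body), rec.size)]
    return word_size, records


def find_tap_point(records, offset):
    """Map a byte offset in the dump (as printed by grep -bao) to the record
    whose bytes cover it. Returns (caller, pc, cr3, offset_within_record),
    or None if the offset lies beyond the last record."""
    if offset < 0:
        raise ValueError("offset must be non-negative")
    pos = 0
    for caller, pc, cr3, nbytes in records:
        if pos <= offset < pos + nbytes:
            return caller, pc, cr3, offset - pos
        pos += nbytes
    return None


def format_tap_point(tap_point, word_size):
    """Render caller, pc and cr3 as zero-padded hex, two digits per byte."""
    width = word_size * 2
    return " ".join(f"{v:0{width}x}" for v in tap_point[:3])


def lookup(index_bytes, offset):
    """Convenience wrapper: parse the index and format the matching tap point."""
    word_size, records = parse_tap_index(index_bytes)
    tap_point = find_tap_point(records, offset)
    return None if tap_point is None else format_tap_point(tap_point, word_size)


def build_index(word_size, records):
    """Serialize records into the on-disk layout (used only to construct the sample)."""
    rec = record_struct(word_size)
    return HEADER.pack(word_size) + b"".join(rec.pack(*r) for r in records)


# Constructed sample index (not captured from a real run): three records on
# a 64-bit target, the first and third sharing the tap point from the message.
SAMPLE_RECORDS = [
    (0x8D125D, 0x8C9958, 0x3EB5B3C0, 64),
    (0x401000, 0x401234, 0x3EB5B3C0, 16),
    (0x8D125D, 0x8C9958, 0x3EB5B3C0, 128),
]
SAMPLE_INDEX = build_index(8, SAMPLE_RECORDS)

if __name__ == "__main__":
    # Usage: python findtap.py tap_reads.idx 308988512
    with open(sys.argv[1], "rb") as f:
        print(lookup(f.read(), int(sys.argv[2])))
```

Summing the byte counts is what makes the mapping work: the dump file is just the concatenation of every tapped read (or write) in order, so the n-th record owns the byte range starting at the sum of all earlier counts. An offset past the end of the last record means the index and the dump do not belong together, which is worth checking before trusting the result.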
