Re: [vmitools] PyVMI Process-list.py example

Steven Maresca

Aug 11, 2012, 9:49:49 AM
to vmit...@googlegroups.com

Dan, make sure that you are using elevated privileges to run that script. (E.g. via sudo) -- it's a necessity for most LibVMI operations.

Steve

On Aug 11, 2012 9:44 AM, "Dan Smith" <danielsm...@gmail.com> wrote:
Hi, I am attempting to use the PyVMI example file "process-list.py" on one of my VMs under Xen. I am able to retrieve the process list via the LibVMI example, so I can confirm LibVMI is installed correctly. PyVMI also installed without any warnings or errors.

I receive the following output when I run the command python process-list.py vm01 

Traceback (most recent call last):
  File "./process-list.py", line 70, in <module>
    main(sys.argv)
  File "./process-list.py", line 67, in main
    process_list(vmi)
  File "./process-list.py", line 47, in process_list
    list_head = val_uint64(vmi.read_addr_ksym("PsInitialSystemProcess"))
ValueError: Unable to read memory at specified address

Am I missing a step here? Thanks

--
You received this message because you are subscribed to the Google Groups "vmitools" group.
To view this discussion on the web visit https://groups.google.com/d/msg/vmitools/-/T6T7Rop8_hIJ.
To post to this group, send email to vmit...@googlegroups.com.
To unsubscribe from this group, send email to vmitools+u...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/vmitools?hl=en.

Dan Smith

Aug 11, 2012, 10:29:24 AM
to vmit...@googlegroups.com
Hi Steve,

Thanks for your prompt reply. Do I have to use sudo even though I am operating as root? If I now issue the command using sudo I get the following output:

Traceback (most recent call last):
  File "./process-list.py", line 28, in <module>
    import pyvmi
ImportError: libvmi-0.6.so: cannot open shared object file: No such file or directory

I'm pretty sure I encountered this message before when testing the examples posted with LibVMI. I added the following line LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib ; export LD_LIBRARY_PATH to my .bashrc file to fix the error. However, it seems to have reappeared. Do you know if I need to add the line to any other files?

Dan

Bryan D. Payne

Aug 11, 2012, 10:32:36 AM
to vmit...@googlegroups.com
> Thanks for your prompt reply. Do I have to use sudo even though I am
> operating as root?

If you're already running the command as root, then sudo isn't required.

Any chance you could put together two sample programs that do nothing
more than a vmi init and then calling the function that is failing?
One in C and one in Python. Then run each with the debug trace
enabled. That should help us see what is really happening under the
hood here.

Cheers,
-bryan

Dan Smith

Aug 11, 2012, 12:22:19 PM
to vmit...@googlegroups.com, br...@thepaynes.cc
Whilst making the two apps, I noticed that in the Python process list example the function call it is failing at is val_uint64(vmi.read_addr_ksym("PsInitialSystemProcess")). Isn't PsInitialSystemProcess a kernel symbol for Windows VMs only? All my VMs are Linux-based.

Anyway, here's the debug printout for the Python app.

[root@libvmi lancs]# python py-test.py 
LibVMI Version 0.8
--found Xen
LibVMI Mode 2
--got id from name (vm01 --> 1)
**set image_type = vm01
**set hvm to false (PV).
**guest address width is 64 bits
--completed driver init.
     1 |vm01 {
     2 | ostype = "Linux";
     3 | sysmap = "/root/System.map-2.6.32-279.2.1.el6.x86_64";
     4 | linux_name = 0x678;
     5 | linux_tasks = 0x448;
     6 | linux_mm = 0x480;
     7 | linux_pid = 0x4a8;
     8 | linux_pgd = 0x50;
     9 | linux_addr = 0x108;
    10 |}
--got sysmap from config (/root/System.map-2.6.32-279.2.1.el6.x86_64).
--reading in linux offsets from config file.
--got ostype from config (Linux).
**set os_type to Linux.
**set page_offset = 0xc0000000
**set size = 536870912 [0x20000000]
**set paging mode to unknown
**set paging-related fields to 0
**set pae = 1
**set pse = 0
**failed to get MSR_EFER, trying method #2
**found guest address width is 8 bytes; assuming IA32_EFER.LME = 1
**set paging mode to IA-32e paging
**set cr3 = 0x0000000043f02000
--got memory layout.
**set vmi->kpgd (0x0000000043f02000).
--SYM cache set init_task -- 0xffffffff81a8d020
--PTLookup: lookup vaddr = 0xffffffff81a8d468
--PTLookup: dtb = 0x0000000043f02000
--PTLookup pml4e_address = 0x0000000043f02ff8
--MEMORY cache set 0x43f02000
--PTLookup: pml4e = 0x0000000073d28067
--PTLookup: pdpte_address = 0x0000000073d28ff0
--MEMORY cache set 0x73d28000
--PTLookup: pdpte = 0x0000000073d24067
--PTLookup: pde_address = 0x0000000073d24068
--MEMORY cache set 0x73d24000
--PTLookup: pde = 0x0000000075d7a067
--PTLookup: pte_address = 0x0000000075d7a468
--MEMORY cache set 0x75d7a000
--PTLookup: pte = 0x0010000073d22067
--PTLookup: paddr = 0x0000000073d22468
--V2P cache set 0xffffffff81a8d468 -- 0x0000000073d22000 (0x03486ec999f57281)
--MEMORY cache set 0x73d22000
--vmi_read_ksym: vmi_translate_ksym2v failed for 'PsInitialSystemProcess'
Traceback (most recent call last):
  File "py-test.py", line 10, in <module>
    list_head = val_uint64(vmi.read_addr_ksym("PsInitialSystemProcess"))
ValueError: Unable to read memory at specified address
--MEMORY cache cleanup round complete (cache size = 0)

Steve Maresca

Aug 11, 2012, 12:40:04 PM
to vmit...@googlegroups.com, br...@thepaynes.cc
Yes indeed, you are absolutely correct; sorry about that.

Please use the attached script for Linux; I'll push this into the repository later and rename the examples to be OS specific. Let me know if this works for you.

Steve
process-list_linux.py
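
The Linux task-list walk discussed in this thread, as an added example that is not part of any post or of the attached process-list_linux.py: it follows task_struct.tasks from init_task using the offsets in the vm01 config, and raises if the list never returns to its head instead of looping forever. FakeGuest, build_guest and read_str_va are constructed stand-ins so the walk runs without a hypervisor; the sample tasks are made up.

```python
import struct

# Offsets and init_task address copied from the vm01 debug output in this thread.
LINUX_TASKS, LINUX_PID, LINUX_NAME = 0x448, 0x4A8, 0x678
INIT_TASK = 0xFFFFFFFF81A8D020
COMM_LEN = 16  # TASK_COMM_LEN in the Linux kernel

class FakeGuest:
    """Constructed stand-in for a VMI handle: sparse guest memory by address."""
    def __init__(self):
        self.mem = {}
    def write(self, va, data):
        self.mem.update((va + i, b) for i, b in enumerate(data))
    def read(self, va, n):
        try:
            return bytes(self.mem[va + i] for i in range(n))
        except KeyError:
            raise ValueError("Unable to read memory at specified address")
    def read_addr_va(self, va, pid):
        return struct.unpack("<Q", self.read(va, 8))[0]
    def read_32_va(self, va, pid):
        return struct.unpack("<I", self.read(va, 4))[0]
    def read_str_va(self, va, pid):  # assumed helper, not shown in the thread
        return self.read(va, COMM_LEN).split(b"\0")[0].decode()

def build_guest(tasks, loop=True):
    """Lay out constructed task_structs one page apart, starting at INIT_TASK."""
    g, bases = FakeGuest(), [INIT_TASK + i * 0x1000 for i in range(len(tasks))]
    for i, (pid, name) in enumerate(tasks):
        # loop=False makes the last entry point at task 1, so head is never seen again
        nxt = bases[(i + 1) % len(bases)] if loop or i + 1 < len(bases) else bases[1]
        g.write(bases[i] + LINUX_TASKS, struct.pack("<Q", nxt + LINUX_TASKS))
        g.write(bases[i] + LINUX_PID, struct.pack("<I", pid))
        g.write(bases[i] + LINUX_NAME, name.encode().ljust(COMM_LEN, b"\0"))
    return g

def list_processes(vmi, init_task_va, max_tasks=32768):
    head = entry = init_task_va + LINUX_TASKS  # address of init_task.tasks
    seen = set()
    while True:
        if entry in seen or len(seen) >= max_tasks:
            raise RuntimeError("task list never returns to init_task")
        seen.add(entry)
        base = entry - LINUX_TASKS  # list_head is embedded; step back to the struct
        yield vmi.read_32_va(base + LINUX_PID, 0), vmi.read_str_va(base + LINUX_NAME, 0)
        entry = vmi.read_addr_va(entry, 0)  # tasks.next of the current task
        if entry == head:
            return
```

The first address read is INIT_TASK + LINUX_TASKS, which is the 0xffffffff81a8d468 seen in the PTLookup lines of the debug output.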

Dan Smith

Aug 13, 2012, 5:50:50 AM
to vmit...@googlegroups.com, br...@thepaynes.cc
Hey, not to worry! Thanks for the Linux file, just tried it now. It nearly works correctly; I've included the debug output.

--SYM cache hit init_task -- 0xffffffff81a8d020
--V2P cache hit 0xffffffff81a8d468 -- 0x0000000073d22468 (0x03486ec999f57281)
--MEMORY cache hit 0x73d22000
--MEMORY cache hit 0x73d22000
Traceback (most recent call last):
  File "process-list_linux.py", line 27, in <module>
    for pid, procname in list_processes(vmi):
  File "process-list_linux.py", line 15, in list_processes
    pid = vmi.read_32_va(current_process+pidOffset-tasksOffset, 0)
TypeError: cannot concatenate 'str' and 'int' objects
--MEMORY cache cleanup round complete (cache size = 0)


Dan Smith

Aug 16, 2012, 10:57:55 AM
to vmit...@googlegroups.com, br...@thepaynes.cc
Hi Steve,

I have been trying for days to debug an error I receive when attempting to run the file you posted. Initially I receive an error complaining of:

Traceback (most recent call last):
  File "process-list_linux.py", line 27, in <module>
    for pid, procname in list_processes(vmi):
  File "process-list_linux.py", line 15, in list_processes
    pid = vmi.read_32_va(current_process+pidOffset-tasksOffset, 0)
TypeError: cannot concatenate 'str' and 'int' objects

The troublesome line is: 
pid = vmi.read_32_va(current_process + pidOffset - tasksOffset, 0)

I'm unsure whether the 'processes' variable is being set correctly in the line, or whether it is in the correct format?
processes = vmi.read_addr_va(init_task_va + tasksOffset, 0)

Were you able to run the file on your test rig without errors?

Kind regards

Dan

On Saturday, 11 August 2012 17:40:04 UTC+1, Steve Maresca wrote:

Steven Maresca

Aug 16, 2012, 11:13:57 AM
to vmit...@googlegroups.com
Dan,

Ah, I believe I know your problem - please try upgrading your libvmi install to the one current in the repository. This is a bug that I fixed - did you download the tarball recently (implying that it needs an update) or is your repository checkout on the older side?

Steve

Dan Smith

Aug 16, 2012, 12:39:24 PM
to vmit...@googlegroups.com
Hi Steve,

I have been using the tarballs from the downloads page on Google Code. I have found a git link, is that the correct repo?

Dan


Bryan D. Payne

Aug 16, 2012, 12:44:17 PM
to vmit...@googlegroups.com
> I have been using the tarballs from the downloads page on google code. I
> have found a git link, is that the correct repo?

Should be:
git clone https://code.google.com/p/vmitools/

-bryan

Dan Smith

Aug 16, 2012, 1:01:48 PM
to vmit...@googlegroups.com, br...@thepaynes.cc
Yeah, I've just checked the latest version out. Now running into an issue where the configure file cannot find the package "check" installed.
Package requirements (check >= 0.9.4), however I have Check 0.9.8 installed through yum? Unfortunately, trying to search Google for issues relating to a package named check is rather hard.

Any thoughts?

Dan

Bryan D. Payne

Aug 16, 2012, 1:08:57 PM
to vmit...@googlegroups.com
> Any thoughts?

Others have run into issues with this as well. Not sure what's going
on, however you can make a change that will let you move forward.
Check is only used for unit tests, so you probably don't need that.
I'd just remove the line that reads
"PKG_CHECK_MODULES([CHECK], [check >= 0.9.4])" from configure.ac.
Then rerun autogen.sh and configure.

-bryan

Dan Smith

Aug 20, 2012, 12:50:00 PM
to vmit...@googlegroups.com
Apologies for my late reply, my email had wrongly informed me of having no replies to this thread.

I solved the problem a few days ago by installing the package 'check-devel' which successfully removed the error.