Mathieu Tarral
Happened again, on `Windows 1703`:
~~~
2020-02-05 21:42:25,167 WARNING:hooks.filesystem.FilesystemHook:libguestfs failed to list entries of /System Volume Information directory: file receive cancelled by daemon
2020-02-05 21:42:25,234 WARNING:hooks.filesystem.FilesystemHook:libguestfs failed to list entries...
~~~
Bugs have been reported on RedHat Bugzilla:
- [file receive cancelled by daemon](https://bugzilla.redhat.com/show_bug.cgi?id=1798767)
- [Input/output error](https://bugzilla.redhat.com/show_bug.cgi?id=1798768)
From what I can see from the LeechCore call, it's trying to read `0xf00000` bytes at physical address `0x100000`
~~~C
#10 0x00007ffff7e942e9 in DeviceMicrovmi_ReadContigious (ctxRC=0x7ffff3bbd010) at leechcore_device_microvmi.c:14
14 if (!microvmi_read_physical(driver,...
~~~
As a workaround I'm splitting the read by 4K, and it seems to work. So the `0xf00000` read size was definitely the issue! :wink:
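The 4K splitting workaround described above, written out as an added example (not part of the original comment, and not LeechCore or libmicrovmi code). `phys_read_fn`, `read_physical_chunked`, `mock_read` and `demo` are hypothetical names, the mock backend is constructed, and zero-filling an unreadable page is this example's own choice.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 0x1000u

/* Hypothetical backend callback: read `len` bytes at physical address `pa`. */
typedef bool (*phys_read_fn)(void *ctx, uint64_t pa, uint8_t *dst, size_t len);

/* Split [pa, pa+size) into reads that never cross a 4K page boundary.
 * A failed chunk is zero-filled (this example's choice) and counted, so one
 * unreadable page does not abort the whole request.
 * Returns the number of chunks that failed. */
size_t read_physical_chunked(phys_read_fn rd, void *ctx, uint64_t pa,
                             uint8_t *dst, size_t size)
{
    size_t failed = 0;
    while (size > 0) {
        /* Bytes left in the current page; handles an unaligned start. */
        size_t chunk = PAGE_SIZE - (size_t)(pa & (PAGE_SIZE - 1));
        if (chunk > size)
            chunk = size;
        if (!rd(ctx, pa, dst, chunk)) {
            memset(dst, 0, chunk);
            failed++;
        }
        pa += chunk;
        dst += chunk;
        size -= chunk;
    }
    return failed;
}

/* Constructed mock backend: rejects any read that spans more than one page
 * and treats the page at address `*ctx` as unreadable. */
static bool mock_read(void *ctx, uint64_t pa, uint8_t *dst, size_t len)
{
    if ((pa & (PAGE_SIZE - 1)) + len > PAGE_SIZE)
        return false;
    if ((pa & ~(uint64_t)(PAGE_SIZE - 1)) == *(uint64_t *)ctx)
        return false;
    for (size_t i = 0; i < len; i++)
        dst[i] = (uint8_t)((pa + i) >> 12);   /* low byte of the page number */
    return true;
}

/* The request from the backtrace: 0xf00000 bytes at 0x100000, via the mock. */
static uint8_t demo_buf[0xf00000];
size_t demo(uint64_t bad_page)
{
    return read_physical_chunked(mock_read, &bad_page, 0x100000,
                                 demo_buf, sizeof demo_buf);
}
```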
@asabellico thanks for trying the address space! For case 1), try to enable some debug output on libvmi; edit `libvmi/debug.h` and recompile/install libvmi. Xen should be handled properly....
You are hitting this issue I reported on libvmi when I was testing Rekall on Xen: https://github.com/libvmi/libvmi/issues/579 I "fixed" it by calling a new API called `read_pa_padded`, which cannot fail,...
OK, I'm wondering why your `zread` uses `read_pa`. In the code that I pushed: https://github.com/volatilityfoundation/volatility/pull/500/files#diff-27e6b7a9f0c1c6ac8f1e83ddecb6b330R86
@asabellico good news :) What about my questions about the implementation details?
Maybe @asabellico, do you know any Volatility core developers that could help me?
Ping, is there a core developer to review this PR?