When imaging memory on a live VM system to do analysis for malware, Volatility does not recognize it (see below). Is there anyone on this mailing list that has the knowledge on how I can remedy this without shutting the system down and grabbing the VMEM file?

Is it possible to substitute a valid DTB from another image into the memdump of a live VM machine with a Hex editor? And if it can be done does anyone know the addresses of that space to take out and substitute? I hope that made sense......

If you look at a normal image of memory in a hex editor you can clearly see the difference between that and a VM dump from a live system; there seems to be some extra padded stuff right up front.

Volatile Systems Volatility Framework 2.0
No suitable address space mapping found
Tried to open image as:
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 JKIA32PagedMemory: No base Address Space
 JKIA32PagedMemoryPae: No base Address Space
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 WindowsHiberFileSpace32: No xpress signature fou
 WindowsCrashDumpSpace32: Header signature invali
 JKIA32PagedMemory: No valid DTB found
 JKIA32PagedMemoryPae: No valid DTB found
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 FileAddressSpace: Must be first Address Space

Thanks

Lou
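One way to test whether such a dump is simply shifted by a leading header, as an added illustration that is not part of Lou's post or of Volatility: on 32-bit non-PAE Windows the page directory maps itself at virtual 0xC0000000, so PDE index 0x300 (byte offset 0xC00 in the page) holds the page directory's own physical address. Any page that satisfies this is a DTB candidate, and the difference between the candidate's file offset and the address it stores is the size of whatever padding sits in front of physical memory. The `build_sample_image` helper and the image it produces are constructed for the demonstration.

```python
"""Scan a raw x86 (non-PAE) dump for self-mapping page directories.

Added example; not code from the mailing-list post or from Volatility.
Assumption: the dump comes from 32-bit non-PAE Windows, whose page
directory maps itself at virtual 0xC0000000 (PDE index 0x300).
"""
import struct

PAGE = 0x1000
SELF_MAP_IDX = 0xC0000000 >> 22          # 0x300
SELF_MAP_OFF = SELF_MAP_IDX * 4          # 0xC00 bytes into the page
PDE_PRESENT = 0x1
ADDR_MASK = 0xFFFFF000


def find_dtb_candidates(image: bytes, stride: int = 4,
                        max_padding: int = 16 * 1024 * 1024):
    """Return (file_offset, stored_phys_addr, padding) for each candidate.

    A page at file offset `off` qualifies when its PDE 0x300 is present and
    the physical address it stores equals `off` minus a non-negative shift
    no larger than max_padding; that shift is the leading padding (0 for a
    plain raw dump). Use stride=PAGE when the dump is known to be page
    aligned; the 4-byte default also finds pages behind unaligned headers.
    """
    hits = []
    last = len(image) - SELF_MAP_OFF - 4
    for off in range(0, last + 1, stride):
        (entry,) = struct.unpack_from("<I", image, off + SELF_MAP_OFF)
        if not entry & PDE_PRESENT:
            continue
        phys = entry & ADDR_MASK
        padding = off - phys
        if 0 <= padding <= max_padding:
            hits.append((off, phys, padding))
    return hits


def build_sample_image(padding: int, dtb_phys: int, npages: int = 8) -> bytes:
    """Constructed sample: `padding` header bytes followed by zeroed pages,
    with one page directory whose self-map PDE points back at dtb_phys."""
    buf = bytearray(b"\xAA" * padding + b"\x00" * (npages * PAGE))
    # present | writable | accessed | dirty flags, as a real PDE would carry
    struct.pack_into("<I", buf, padding + dtb_phys + SELF_MAP_OFF, dtb_phys | 0x63)
    return bytes(buf)


if __name__ == "__main__":
    img = build_sample_image(padding=0x2200, dtb_phys=0x3000)
    for off, phys, pad in find_dtb_candidates(img):
        print(f"candidate at file offset {off:#x}: DTB {phys:#x}, padding {pad:#x}")
```

On a real dump, a single candidate with a consistent non-zero padding means the header can be stripped (or the offset applied) rather than any DTB bytes being patched by hand.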