[Vol-users] stuxnet.vmem and VMware

Michael Hale Ligh michael.hale at gmail.com
Tue Nov 8 20:14:50 CST 2011

Hey Scott,

On Mon, Nov 7, 2011 at 9:49 AM, G. Scott Graham <gsg at cs.utoronto.ca> wrote:
> MHL has been helpful in the past, but I thought I would throw this one out
> to a wider audience.
> Simply put, I asked my sysadmin, who has helped me set up my VMware
> environment, to set up an XP SP3 VM and load stuxnet.vmem as the suspended
> memory image. VMware crapped out with "A fault has occurred causing the
> virtual CPU to enter the shutdown state. ..." Does anyone have any insight
> here? Is stuxnet.vmem the suspended memory image of a Stuxnet infected XP
> SP3 machine?

Yes, stuxnet.vmem is from a suspended XPSP3 machine, but the chances
of it working properly when transferred to a new VM is about one in a
million. Assuming your sysadmin set the new VM's memory size to the
size of stuxnet.vmem, you'll still have kernel modules, processes, and
DLLs in the memory dump that may not exist on disk. The pagefile on
your new VM will mismatch with what the memory dump expects to be
there, etc.

> If it had worked, I wanted to get sysinternals running on the VM, so that I
> would have sysinternals and Volatility insight into Stuxnet -- although not
> approaching what Mark Russinovitch was able to show with booting up the
> machine and infecting it from the start. For educational purposes, for the
> class I am teaching.

I'd suggest booting the VM and infecting it from the start, you'll
save a whole lot of headache ;-)


> Thanks for any guidance, VMware or stuxnet. bfn
> --
> Professor G. Scott Graham
> administratively: Dean's Designate for Academic Offences
> academically: Associate Professor, Computer Science and Forensic Science
> University of Toronto Mississauga
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

More information about the Vol-users mailing list