Aw: Re: [Vol-users] KVM and Memory Dump

Boudewijn Ector boudewijn at boudewijnector.nl
Sun Oct 6 16:16:04 CDT 2013


On 04-10-13 09:50, chris-2012 at arcor.de wrote:
> Hi Guanglin,
>
> thank you for your reply! I'm an absolute newbie, so my questions are probably a bit tedious.
>
>>> Libvmi seems a bit complicated to install, at least compared to the
>>> vboxmanage debugvm command. Is libvmi required for KVM or is it possible
>> to
>>> use virsh dump?
>>>
>> You should use LibVMI just for "online live" forensics over a virtual
>> machine.
>>
>> If you merely need an offline memory dump of a KVM virtual machine, feel
>> free to use virsh dump without LibVMI.
> I'm not sure if I understand the difference. When I run the victim in a VM, I can hit virsh dump in another host terminal window and get a snapshot of the VM at this point in time? When I tried this a little while ago with a Windows 7 x64 SP0 image, it didn't work. So I thought this method is not suitable... The image format and the respective profile were recognized correctly with imageinfo. The host is CentOS 6.4.
>
> With libvmi I would get continuous updates?
>
> Chris
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Hi list,
Same here, I'm trying to get the KVM memory dump to work... but it's weird.
Situation: KVM + libvirt + volatility (from SVN trunk tonight) and a VM 
running WinXP SP3x86:
$ virsh dump winXP-clone winXP-clone.mem  --memory-only

Both tried with and without --memory-only

$ vol.py -f winXP-clone.mem  imageinfo
Volatile Systems Volatility Framework 2.3_beta
Determining profile based on KDBG search...

           Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : FileAddressSpace (/home/boudewijn/winXP-clone.mem)
                       PAE type : No PAE
                            DTB : 0xaff000L
                           KDBG : 0x545e5c
           Number of Processors : 0
      Image Type (Service Pack) : -
              KUSER_SHARED_DATA : 0xffdf0000


boudewijn at john-ThinkPad-X301 ~ $ vol.py -f winXP-clone.mem  psscan --profile=WinXPSP2x86
Volatile Systems Volatility Framework 2.3_beta
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
No suitable address space mapping found
Tried to open image as:
  MachOAddressSpace: mac: need base
  LimeAddressSpace: lime: need base
  WindowsHiberFileSpace32: No base Address Space
  WindowsCrashDumpSpace64: No base Address Space
  HPAKAddressSpace: No base Address Space
  VirtualBoxCoreDumpElf64: No base Address Space
  VMWareSnapshotFile: No base Address Space
  WindowsCrashDumpSpace32: No base Address Space
  AMD64PagedMemory: No base Address Space
  IA32PagedMemoryPae: No base Address Space
  IA32PagedMemory: No base Address Space
  MachOAddressSpace: MachO Header signature invalid
  LimeAddressSpace: Invalid Lime header signature
  WindowsHiberFileSpace32: No xpress signature found
  WindowsCrashDumpSpace64: Header signature invalid
  HPAKAddressSpace: Invalid magic found
  VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
  VMWareSnapshotFile: Invalid VMware signature: 0x464c457f
  WindowsCrashDumpSpace32: Header signature invalid
  AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
  IA32PagedMemoryPae: Failed valid Address Space check
  IA32PagedMemory: Failed valid Address Space check
  FileAddressSpace: Must be first Address Space
  ArmAddressSpace: Profile does not have valid Address Space check

boudewijn at john-ThinkPad-X301 ~ $ vol.py -f winXP-clone.mem  psscan --profile=WinXPSP3x86
Volatile Systems Volatility Framework 2.3_beta
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
No suitable address space mapping found
Tried to open image as:
  MachOAddressSpace: mac: need base
  LimeAddressSpace: lime: need base
  WindowsHiberFileSpace32: No base Address Space
  WindowsCrashDumpSpace64: No base Address Space
  HPAKAddressSpace: No base Address Space
  VirtualBoxCoreDumpElf64: No base Address Space
  VMWareSnapshotFile: No base Address Space
  WindowsCrashDumpSpace32: No base Address Space
  AMD64PagedMemory: No base Address Space
  IA32PagedMemoryPae: No base Address Space
  IA32PagedMemory: No base Address Space
  MachOAddressSpace: MachO Header signature invalid
  LimeAddressSpace: Invalid Lime header signature
  WindowsHiberFileSpace32: No xpress signature found
  WindowsCrashDumpSpace64: Header signature invalid
  HPAKAddressSpace: Invalid magic found
  VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
  VMWareSnapshotFile: Invalid VMware signature: 0x464c457f
  WindowsCrashDumpSpace32: Header signature invalid
  AMD64PagedMemory: Incompatible profile WinXPSP3x86 selected
  IA32PagedMemoryPae: Failed valid Address Space check
  IA32PagedMemory: Failed valid Address Space check
  FileAddressSpace: Must be first Address Space
  ArmAddressSpace: Profile does not have valid Address Space check
So despite imageinfo having a correct guess, the profile doesn't fit.
What am I doing wrong?
Being able to analyse KVM images using libvirt would be quite awesome.
Cheers,
Boudewijn
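The signature Volatility rejects above, 0x464c457f, is the little-endian reading of the bytes 7f 45 4c 46 ("\x7fELF"): a --memory-only dump is an ELF core, not a raw image, and the guest's physical memory lives in PT_LOAD segments whose file offsets differ from the guest-physical addresses. The script below is an added example, not code from this thread or from Volatility; it builds a constructed minimal ELF64 core (assumed to share the header layout of a real dump, far smaller) and shows how to translate a guest-physical address into a file offset through the program-header table, which a raw FileAddressSpace cannot do.

```python
import struct

PT_LOAD = 1  # ELF program-header type for a loadable segment


def build_sample_core(payload: bytes, paddr: int) -> bytes:
    """Constructed sample: an ELF64 little-endian core with one PT_LOAD
    segment whose p_paddr is the guest-physical address of `payload`."""
    ehdr_size, phdr_size = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, LE, v1
    # e_type=ET_CORE(4), e_machine=EM_X86_64(62), one program header
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 4, 62, 1, 0, ehdr_size,
                               0, 0, ehdr_size, phdr_size, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 6, ehdr_size + phdr_size, 0,
                       paddr, len(payload), len(payload), 0x1000)
    return ehdr + phdr + payload


def first_dword(data: bytes) -> int:
    """First 4 bytes read as a little-endian dword, as Volatility printed it."""
    return struct.unpack("<I", data[:4])[0]


def load_segments(data: bytes):
    """Yield (file_offset, guest_phys_addr, size) for every PT_LOAD header."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_off, _vaddr, p_paddr, p_filesz = \
            struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_LOAD:
            yield p_off, p_paddr, p_filesz


def read_physical(data: bytes, paddr: int, length: int) -> bytes:
    """Map a guest-physical range to its file bytes via the PT_LOAD table."""
    for f_off, p_addr, size in load_segments(data):
        if p_addr <= paddr and paddr + length <= p_addr + size:
            start = f_off + (paddr - p_addr)
            return data[start:start + length]
    raise LookupError("physical address not covered by any PT_LOAD segment")
```

Reading the same physical address as a raw file offset returns nothing useful, which is the mismatch the psscan output above reflects.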