[Vol-users] KVM and Memory Dump

Guanglin Xu mzguanglin at gmail.com
Fri Oct 4 07:36:12 CDT 2013

2013/10/4 <chris-2012 at arcor.de>

> Hi Guanglin,
> thank you for your reply! I'm absolutely newbie, so my questions are
> probably a bit tedious.
> > > Libvmi seems a bit complicated to install, at least compared to the
> > > vboxmanage debugvm command. Is libvmi required for KVM or is it
> > > possible to use virsh dump?
> > >
> > You should use LibVMI just for "online live" forensics over a virtual
> > machine.
> >
> > If you merely need an offline memory dump of a KVM virtual machine, feel
> > free to use virsh dump without LibVMI.
> I'm not sure if I understand the difference. When I run the victim in a
> VM, I can hit virsh dump in another host terminal window and get a snapshot
> of the VM at this point in time? When I tried this a little while ago with
> a Windows 7 x64 SP0 image, it didn't work. So I thought this method is not
> suitable... The image format and the respective profile were recognized
> correctly with imageinfo. The host is CentOS 6.4.

I'm not sure whether your current libvirt version supports KVM dump well.

However, there is another method. If your libvirt supports QMP commands, try:
virsh qemu-monitor-command [your vm name] '{ "execute": "pmemsave",
"arguments": { "val": 0, "size": [the memory size of the vm, in bytes],
"filename": "[/path/of/the/dump]" } }'

> With libvmi I would get continuous updates?

The feature I referred to, however, is still under development.


> Chris
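As an added illustration (not part of the thread), the following script wraps the QMP pmemsave request discussed above: it reads the guest's memory size from virsh dominfo, converts KiB to the bytes QMP expects, and issues the request through virsh qemu-monitor-command. It assumes virsh with libvirt's qemu-monitor-command support on the host and takes the VM name and output path as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): dump a running KVM guest's physical
# memory via QMP pmemsave. Assumes virsh and qemu-monitor-command support.
set -eu

# Build the QMP JSON. QMP's pmemsave takes "size" in BYTES, while
# `virsh dominfo` reports memory in KiB, so convert here.
qmp_pmemsave_json() {
    mem_kib=$1
    out_path=$2
    size_bytes=$((mem_kib * 1024))
    printf '{ "execute": "pmemsave", "arguments": { "val": 0, "size": %d, "filename": "%s" } }' \
        "$size_bytes" "$out_path"
}

# Extract N from the "Max memory:  N KiB" line of `virsh dominfo` (read on stdin).
dominfo_max_kib() {
    awk '/^Max memory:/ { print $3 }'
}

# Dump the physical memory of guest $1 to host file $2.
dump_kvm_memory() {
    vm=$1
    out_path=$2
    mem_kib=$(virsh dominfo "$vm" | dominfo_max_kib)
    [ -n "$mem_kib" ] || { echo "could not read memory size for $vm" >&2; return 1; }
    # Caveat: on x86 guests with more than ~3 GiB RAM, QEMU remaps part of
    # RAM above the 4 GiB PCI hole, so one range starting at 0 misses it.
    virsh qemu-monitor-command "$vm" "$(qmp_pmemsave_json "$mem_kib" "$out_path")"
}

# Usage: ./dump.sh <vm-name> </path/to/dump.raw>
if [ "$#" -eq 2 ]; then
    dump_kvm_memory "$1" "$2"
fi
```

The resulting raw file is a flat physical-memory image, which is what Volatility's imageinfo expects.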