Tamas, Nir, Michael,

Thank you all for the replies. I suspected something similar about Vmware not synching the vmem file too often.

Michael,

WinpMem seems to be a very good method (from the video), I deliberately didn't look into the source code yet, because I think I need to develop something similar, and would like to do so from scratch. We cannot use any existing code. I tried to avoid writing a driver since it complicated maintenance and release cycles, typically extending them, but if there is no easy way, perhaps that is the way to go.

For my previous driver experience (and please correct me if I am wrong), this driver needs to interpret Windows memory management and open sections of memory and furnish the contents and contexts through IOCTLs to the user mode service for further analysis.

A few quick questions :

1. This can be done completely agentless? Which means we need to insert nothing inside the VMs? Everything stays in the hyper-visor.
2. Have you guys tried constructing the call stack for such a break point? So when one hits a memory location and that is a function call, I would like to interpret the frames to get a call stack for the function call? (perhaps this is already mentioned in the video, and I didnt pay enough attention)


Thanks

amit








On Sat, Jun 1, 2013 at 3:33 AM, Michael Cohen <scudette@gmail.com> wrote:
Hi ab,
  You can use volatility tech preview with live systems by simply loading the winpmem driver (using the -l option) and then pointing volatility at the live memory (i.e. the \\.\pmem device). You can also turn on write support in the driver, and get volatility to write at the memory location. It should be quite simple to insert instrumentation stubs into code in that case.

See the recent dfir workshop where we did just this:

http://www.youtube.com/watch?v=9aC7yIYwvAY

Michael.


On 31 May 2013 17:22, A B <amitrajitb@gmail.com> wrote:
All,

This is my first post in this forum, and I am also very new to this website, so please excuse my ignorance.

This is a fantastic project no doubt. 


Now, coming to my questions:

1. Is it possible to run volatility on a running 'live' VM's memory? That is, assuming that I have vmware work station running, can I use the live vmem file as input and get reliavble outputs?

2. If one is possible, then is it possible to generate a breakpoint or get a call back when a particular  memory location is hit? I ask this because, assuming that an executable is loaded in certain pages inside the vmem, and I want to get notified when a particular function of that loaded executable is called, this wuld mean that when the virtual CPU executes the first instruction of that function I need a callback, is that possible?

thanks in advance...

--

- ab

_______________________________________________
Vol-dev mailing list
Vol-dev@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev





--

- ab