AFAIK you can't rely on VMware to sync files with live memory.
It uses them mostly to save states when the machine is suspended.
You could suspend, modify, resume, but it'll be a slow process.
On Fri, May 31, 2013 at 10:30 PM, Tamas Lengyel <tamas.k.lengyel(a)gmail.com> wrote:
Not sure about VMware but you can do both with Xen and
LibVMI (https://code.google.com/p/vmitools/)
Tamas
On Fri, May 31, 2013 at 5:22 PM, A B <amitrajitb(a)gmail.com> wrote:
All,
This is my first post in this forum, and I am also very new to this
website, so please excuse my ignorance.
This is a fantastic project no doubt.
Now, coming to my questions:
1. Is it possible to run Volatility on a running 'live' VM's memory? That
is, assuming that I have VMware Workstation running, can I use the live
vmem file as input and get reliable outputs?
2. If one is possible, then is it possible to generate a breakpoint or
get a call back when a particular memory location is hit? I ask this
because, assuming that an executable is loaded in certain pages inside the
vmem, and I want to get notified when a particular function of that loaded
executable is called, this would mean that when the virtual CPU executes the
first instruction of that function I need a callback, is that possible?
thanks in advance...
--
- ab
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev