Lou,
On Fri, Feb 10, 2012 at 10:48 PM, Lou LaRocca <louislarocca(a)gmail.com> wrote:
When imaging memory on a live VM system to do analysis for malware, Volatility does not recognize it (see below). Is there anyone on this mailing list who has the knowledge on how I can remedy this without shutting the system down and grabbing the VMEM file?
You shouldn't have to shut the system down, if you're using VMware
(which it sounds like you are from the "VMEM"), then you can just
suspend it and the contents of memory will be flushed to the .vmem
file.
What's the OS version of the VMware system and what was the
command-line that you used (i.e. did you use the right --profile)?
MHL
Is it possible to substitute a valid DTB from another image into the memdump of a live VM machine with a hex editor? And if it can be done, does anyone know the addresses of that space to take out and substitute? I hope that made sense......
If you look at a normal image of memory in a hex editor you can clearly see the difference between that and a VM dump from a live system; there seems to be some extra padded stuff right up front.
Volatile Systems Volatility Framework 2.0
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature fou
WindowsCrashDumpSpace32: Header signature invali
JKIA32PagedMemory: No valid DTB found
JKIA32PagedMemoryPae: No valid DTB found
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
Thanks
Lou
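The error listing above shows Volatility 2.0 walking its address-space chain: it first checks for a hibernation file (xpress signature) and a crash dump (header signature), then falls back to scanning the raw image for a valid DTB. The small script below is an added example, not code from the thread or from the Volatility project, that shows what those three checks look like on a constructed sample image: it classifies the file header, measures any leading zero padding, and scans for the Idle process's EPROCESS to recover the DTB the way a dtb scan does. The EPROCESS offsets (DirectoryTableBase at 0x18, ImageFileName at 0x174, dispatcher header 03 00 1b 00) are assumed values for 32-bit Windows XP and differ between OS builds; the sample image and its DTB value are constructed for the demonstration.

```python
import struct

# Assumed 32-bit Windows XP layout (other builds use different offsets):
#   KPROCESS dispatcher header at EPROCESS+0x00: Type=3, Size=0x1b
#   KPROCESS.DirectoryTableBase at EPROCESS+0x18
#   EPROCESS.ImageFileName (16 bytes) at EPROCESS+0x174
XP_DISPATCHER_HEADER = b"\x03\x00\x1b\x00"
XP_DTB_OFFSET = 0x18
XP_IMAGE_NAME_OFFSET = 0x174
IDLE_NAME = b"Idle".ljust(16, b"\x00")  # ImageFileName of the Idle process, NUL padded


def classify_header(data):
    """Mirror the first two checks in Volatility's chain: hiberfil, crash dump, else raw."""
    if data[:4].lower() == b"hibr":
        return "hiberfil"
    if data[:8] in (b"PAGEDUMP", b"PAGEDU64"):
        return "crashdump"
    return "raw"


def leading_zero_padding(data):
    """Length of the all-zero run at the start of the image (the 'padded stuff up front')."""
    n = 0
    while n < len(data) and data[n] == 0:
        n += 1
    return n


def find_idle_dtb(data):
    """Scan a raw image for the Idle EPROCESS and return (eprocess_offset, dtb), or None.

    The search anchors on the ImageFileName string, steps back to the start of the
    structure, validates the dispatcher header, and reads DirectoryTableBase.
    """
    pos = data.find(IDLE_NAME)
    while pos != -1:
        base = pos - XP_IMAGE_NAME_OFFSET
        if base >= 0 and data[base:base + 4] == XP_DISPATCHER_HEADER:
            dtb = struct.unpack_from("<I", data, base + XP_DTB_OFFSET)[0]
            # A real DTB is non-zero and at least 32-byte aligned (page aligned without PAE).
            if dtb != 0 and dtb & 0x1F == 0:
                return base, dtb
        pos = data.find(IDLE_NAME, pos + 1)
    return None


def build_sample_image():
    """Constructed 16 KiB raw image: 0x2000 bytes of zero padding, then a fake XP Idle EPROCESS."""
    img = bytearray(0x4000)
    base = 0x2340
    img[base:base + 4] = XP_DISPATCHER_HEADER
    struct.pack_into("<I", img, base + XP_DTB_OFFSET, 0x00039000)  # constructed DTB value
    img[base + XP_IMAGE_NAME_OFFSET:base + XP_IMAGE_NAME_OFFSET + 16] = IDLE_NAME
    return bytes(img)


def triage(data):
    """Run the three checks and return a summary dict."""
    result = {"format": classify_header(data), "padding": leading_zero_padding(data)}
    hit = find_idle_dtb(data) if result["format"] == "raw" else None
    result["idle_eprocess"] = hit[0] if hit else None
    result["dtb"] = hit[1] if hit else None
    return result


if __name__ == "__main__":
    summary = triage(build_sample_image())
    print({k: (hex(v) if isinstance(v, int) else v) for k, v in summary.items()})
```

Running it against a real dump is a matter of replacing `build_sample_image()` with the file contents; if the scan finds no Idle EPROCESS, the likely causes are the wrong OS offsets for the guest (the same reason `--profile` matters) or a capture-tool header in front of the physical memory, which the padding measurement helps spot.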
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users