Re: Aw: Re: [Vol-users] KVM and Memory Dump

6 Oct 2013

      On 04-10-13 09:50, chris-2012(a)arcor.de wrote:
...
  Hi Guanglin,

 thank you for your reply! I'm absolutely newbie, so my questions are probably a bit
tedious.

   Libvmi
seems a bit complicated to install, at least compared to the
 vboxmanage debugvm command. Is libvmi required for KVM or is it possible  to
  use virsh dump?
  You should use LibVMI just for "online live" forensics over a virtual
 machine.

 If you merely need an offline memory dump of a KVM virtual machine, feel
 free to use virsh dump without LibVMI.  I'm not sure, if I understand the
difference. When I run the victim in a VM, I can hit virsh dump in another host terminal
window and get a snapshot of the VM at this point in time? When I tried this a little
while ago with an Windows 7 x64 SP0 image, it didn't work. So I thought this method is
not suitable... The image format respective profile was recognized with imageinfo
correctly. The host is CentOS 6.4.

 With libvmi I would get continuous updates?

 Chris
 _______________________________________________
 Vol-users mailing list
 Vol-users(a)volatilityfoundation.org
 http://lists.volatilityfoundation.org/mailman/listinfo/vol-users Hi list,

Same here, I'm trying to get the KVM memory dump to work... but it's weird.
Situation: KVM + libvirt + volatility (from SVN trunk tonight) and a VM 
running WinXP SP3x86:

$ virsh dump winXP-clone winXP-clone.mem  --memory-only

Both tried with and without --memory-only

$ vol.py -f winXP-clone.mem  imageinfo
Volatile Systems Volatility Framework 2.3_beta
Determining profile based on KDBG search...

           Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated 
with WinXPSP2x86)
                      AS Layer1 : FileAddressSpace 
(/home/boudewijn/winXP-clone.mem)
                       PAE type : No PAE
                            DTB : 0xaff000L
                           KDBG : 0x545e5c
           Number of Processors : 0
      Image Type (Service Pack) : -
              KUSER_SHARED_DATA : 0xffdf0000

boudewijn@john-ThinkPad-X301 ~ $ vol.py -f winXP-clone.mem  psscan 
--profile=WinXPSP2x86
Volatile Systems Volatility Framework 2.3_beta
Offset(P)  Name                PID   PPID PDB        Time 
created                   Time exited
---------- ---------------- ------ ------ ---------- 
------------------------------ ------------------------------
No suitable address space mapping found
Tried to open image as:
  MachOAddressSpace: mac: need base
  LimeAddressSpace: lime: need base
  WindowsHiberFileSpace32: No base Address Space
  WindowsCrashDumpSpace64: No base Address Space
  HPAKAddressSpace: No base Address Space
  VirtualBoxCoreDumpElf64: No base Address Space
  VMWareSnapshotFile: No base Address Space
  WindowsCrashDumpSpace32: No base Address Space
  AMD64PagedMemory: No base Address Space
  IA32PagedMemoryPae: No base Address Space
  IA32PagedMemory: No base Address Space
  MachOAddressSpace: MachO Header signature invalid
  LimeAddressSpace: Invalid Lime header signature
  WindowsHiberFileSpace32: No xpress signature found
  WindowsCrashDumpSpace64: Header signature invalid
  HPAKAddressSpace: Invalid magic found
  VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
  VMWareSnapshotFile: Invalid VMware signature: 0x464c457f
  WindowsCrashDumpSpace32: Header signature invalid
  AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
  IA32PagedMemoryPae: Failed valid Address Space check
  IA32PagedMemory: Failed valid Address Space check
  FileAddressSpace: Must be first Address Space
  ArmAddressSpace: Profile does not have valid Address Space check

boudewijn@john-ThinkPad-X301 ~ $ vol.py -f winXP-clone.mem  psscan 
--profile=WinXPSP3x86
Volatile Systems Volatility Framework 2.3_beta
Offset(P)  Name                PID   PPID PDB        Time 
created                   Time exited
---------- ---------------- ------ ------ ---------- 
------------------------------ ------------------------------
No suitable address space mapping found
Tried to open image as:
  MachOAddressSpace: mac: need base
  LimeAddressSpace: lime: need base
  WindowsHiberFileSpace32: No base Address Space
  WindowsCrashDumpSpace64: No base Address Space
  HPAKAddressSpace: No base Address Space
  VirtualBoxCoreDumpElf64: No base Address Space
  VMWareSnapshotFile: No base Address Space
  WindowsCrashDumpSpace32: No base Address Space
  AMD64PagedMemory: No base Address Space
  IA32PagedMemoryPae: No base Address Space
  IA32PagedMemory: No base Address Space
  MachOAddressSpace: MachO Header signature invalid
  LimeAddressSpace: Invalid Lime header signature
  WindowsHiberFileSpace32: No xpress signature found
  WindowsCrashDumpSpace64: Header signature invalid
  HPAKAddressSpace: Invalid magic found
  VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
  VMWareSnapshotFile: Invalid VMware signature: 0x464c457f
  WindowsCrashDumpSpace32: Header signature invalid
  AMD64PagedMemory: Incompatible profile WinXPSP3x86 selected
  IA32PagedMemoryPae: Failed valid Address Space check
  IA32PagedMemory: Failed valid Address Space check
  FileAddressSpace: Must be first Address Space
  ArmAddressSpace: Profile does not have valid Address Space check

So despite imageinfo having a correct guess the profile doesn't fit. 
What am I doing wrong?
  Being able to analyse KVM images using libvirt would be quiet awesome.

Cheers,

Boudewijn

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Re: Aw: Re: [Vol-users] KVM and Memory Dump