Re: Re: [Vol-users] KVM and Memory Dump
Guanglin Xu
4 Oct
2013
4 Oct
'13
8:36 a.m.
2013/10/4 <chris-2012(a)arcor.de>
Hi Guanglin,
thank you for your reply! I'm absolutely newbie, so my questions are
probably a bit tedious.
I'm not sure whether your current libvirt version supports kvm dump well.
However, there is another method. If you LibVirt supports QMP command, try :
virsh qemu-monitor-command [your vm name]'{ "execute":
"pmemsave",
"arguments": { "val": 0, "size": [the memory size of the vm,
in KB],
"filename": "[/path/of/the/dump]" } }'
> Libvmi seems a bit complicated to install,
at least compared to the
> vboxmanage debugvm command. Is libvmi required for KVM or is it
possible
to
I'm not sure, if I understand the difference. When I run the victim in a
VM, I can hit virsh dump in another host terminal window and get a snapshot
of the VM at this point in time? When I tried this a little while ago with
an Windows 7 x64 SP0 image, it didn't work. So I thought this method is not
suitable... The image format respective profile was recognized with
imageinfo correctly. The host is CentOS 6.4.
use virsh dump?
You should use LibVMI just for "online live" forensics over a virtual
machine.
If you merely need an offline memory dump of a KVM virtual machine, feel
free to use virsh dump without LibVMI.
With libvmi I would get continuous updates?
The feature I refereed to, however, is still under development.
Guanglin
Chris
Attachments:
- attachment.html (text/html — 2.5 KB)