Hi all

I am wanting to perform memory introspection in my Xen setup. I have been using libvmi with volatility to analyse memory dumps of a domU. I have done and tested it in Dom0 and it works.

I now want to create a similar setup in a pv domU but I am unable to get libVMI working.

Since I can use xl dump-core <domid> <filename> in my pv to extract any hvm dump. I am using xsm and I have added all the necessary rules for memory extraction.

This is the command I use to analyse the dump extracted using xl dump-core.
Note: I created the Linuxkbeastx86 profile for the kernel I have infected with kbeast, and this profile worked in dom0 when I used libVMI dump memory, but in the pv it does not. I also tested xl dump with volatility in dom0 and it did not work.

So can volatility process xl dump?

Below is the example output I get:

python /root/Volatility/vol.py -f /root/kbeastDump --profile=Linuxkbeastx86 linux_check_modules
Volatility Foundation Volatility Framework 2.3.1
Module Name
-----------
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareSnapshotFile: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 PyVmiAddressSpace: Location doesn't start with vmi://
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF error: did not find any PT_NOTE segment with VBCORE
 VMWareSnapshotFile: Invalid VMware signature: 0x464c457f
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Incompatible profile Linuxkbeastx86 selected
 IA32PagedMemoryPae: Failed valid Address Space check
 IA32PagedMemory: Failed valid Address Space check
 PyVmiAddressSpace: Must be first Address Space
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check


If anyone could give me some advice on this

Thank you