Physical Disk+RAM Dump

[kurapix]

Hello!

I have been trying to search for a solution to get a physical RAM Dump of a VM using VirtualBox but there is no way apparently ...

On VMWare we have the .vmem files for the physical RAM ... but for VirtualBox ...
There are .sav file when suspending the VM but I have not found documentation on this file format in order to be able to write a program to extract the physical RAM from it.

Would be great to have firewire or thunderbolt emulation to allow for memory dump through DMA capability.
Would also be great to be able to insert any other keys combination in order to be able to force a bug check on Windows using the CtrlScrollLock trick. (Not all keyboards have a conveniently accessible Scroll Lock key such as my Logitech Keyboard ...).

The advantages of being able to get a hold of a VM physical RAM is that we can do forensic+security+other specific research on it without having DMA remapping attacks for example (and thus falsified RAM dump).

For the disk part, I managed to obtain a RAW image of a virtualbox hard disk image using this command:

Code: Select all

VBoxManage internalcommands converthd -srcformat FORMAT1 -dstformat FORMAT2 SRCFILE DSTFILE

Cheers,

Thank you in advance for your answers,

kurapix

[mpack]

You should not rely on unsupported internal commands when there is a supported and documented alternative: and in the case there is.

Use :-

Code: Select all

VBoxManage clonehd <infile> <outfile> --format RAW

The above is documented in the user manual. You should be able to find documentation of the .sav file format in the VBox sources. You can certainly find documentation of the VDI format there, use of which might be less cumbersome than converting to raw.

[wytmoon]

Sorry for the old post bump, but is there a way to dump the VM's disk image into memory?

[mpack]

I'm not sure what you mean. If "memory" means RAM then most disks are larger than your computers RAM and therefore will not fit. Also we typically say "load" rather than "dump" when we fetch data into RAM - dump usually means the opposite.

If all you want to do is convert a disk image to raw format, the command was already given by me above.

[Ramshankar]

Sorry for replying to an old post, but I found this through some slightly unrelated google searches. I'll answer part of the original poster's question that wasn't answered and perhaps others searching who end up here may also benefit.

I have been trying to search for a solution to get a physical RAM Dump of a VM using VirtualBox but there is no way apparently ...

You can obtain the guest memory using VirtualBox's[1] debugging facilities. From the VM debugger you can use the 'writecore' command or you from the command line you can use VBoxManage debugvm. See http://www.virtualbox.org/manual/ch08.h ... ge-debugvm and http://www.virtualbox.org/manual/ch12.h ... ore-format for the EL64 file format.

Hope that helps.

[1] I can't remember the exact VBox version which introduced this facility but 4.2.x definitely has it (and probably much earlier).