VirtualBox

Ticket #10222 (new enhancement)

Opened 2 years ago

Last modified 2 years ago

Please implement readPhysicalMemory or a raw memory dumper

Reported by: luizluca Owned by:
Priority: major Component: VM control
Version: VirtualBox 4.1.8 Keywords: memory dump, debug
Cc: Guest type: other
Host type: Linux

Description

Hello,

We are studying the use of VBox in a forensic course. However, access to VM memory is critical.

I found many references in the forum about people trying to get the VM memory contents. However, no one provided a solution. I can still get the memory by treating it as a real machine, but that would taint the VM memory with the memory dumper. The best solution would be to collect the VM memory using the VM solution's resources, especially in a paused state. The best solution would be to have a simple read function that could access a Snapshot.

The VBox SDK guide describes the function readPhysicalMemory and notes that it is not developed in 4.0.0. We are already in 4.1.8 and it is still not implemented. I got this error message when running a Python script that calls this function:

0x80004001 (Method ReadPhysicalMemory is not implemented)

Could you please provide the implementation of this function in the next VBox release? Alternatively, this could be implemented as a VBoxManage debugvm option, especially considering snapshots. The needed function is a raw VM memory dump.

VMware Server/Workstation, for example, stores the memory in a flat vmem file. Libvirt has the virDomainMemoryPeek API function. Only VBox is lacking at this point.

Thanks,

Attachments

patch-implement_MachineDebugger_ReadPhysicalMemory.patch Download (1.3 KB) - added by luizluca 2 years ago.
Implemented MachineDebugger::ReadPhysicalMemory using PGMPhysSimpleReadGCPhys
vboxdump.py Download (3.0 KB) - added by luizluca 2 years ago.
Sample python script that uses the ReadPhysicalMemory to dump VM memory

Change History

comment:1 Changed 2 years ago by frank

So where is your patch?

Also: Are you aware of the built-in VM debugger?

comment:2 Changed 2 years ago by aeichner

The VM debugger has this feature. Start the VM with "VirtualBox --dbg --startvm <VM name>". Click on the "Debug" menu -> "Command line...". Then use ".pgmphystofile" to save the physical memory to the given file.

comment:3 Changed 2 years ago by luizluca

@aeichner, exactly what I needed. However, I wish that it would be available in "VBoxManage debugvm".

@frank, I'll try to provide the patch to add "dumpguestmem" to "VBoxManage debugvm"

Thanks for both,

Changed 2 years ago by luizluca

Implemented MachineDebugger::ReadPhysicalMemory using PGMPhysSimpleReadGCPhys

Changed 2 years ago by luizluca

Sample python script that uses the ReadPhysicalMemory to dump VM memory

comment:4 Changed 2 years ago by luizluca

I implemented readPhysicalMemory using PGMPhysSimpleReadGCPhys. I don't know if I did something wrong, but it works. Well, the patch is attached.

The only problem is with the region between 0xa000 and 0xbffff. When I try to read it using PGMPhysSimpleReadGCPhys, it returns the error VERR_PGM_PHYS_PAGE_RESERVED (-1618). Does this have something to do with video memory?

I have some questions:

  • Is this expected to occur for the function readPhysicalMemory?
  • Is this expected to occur for the function PGMPhysSimpleReadGCPhys?
  • Should the readPhysicalMemory caller handle the errors? The docs do not make it clear.
  • Is PGMPhysSimpleReadGCPhys the wrong function to use?

The pgmphystofile method uses too many internal functions to be usable for an external API call. However, it handles some special cases by filling the output page with zeros. Should readPhysicalMemory or PGMPhysSimpleReadGCPhys also handle these cases? The error is especially strange, as readPhysicalMemory and PGMPhysSimpleReadGCPhys are byte based and not page based. They could have an option to fill the output on error, or some way to inform the caller that the requested region includes some special pages that are unreadable.

Also, I added a simple Python script that already deals with the reserved error. It pauses the machine, dumps the memory and resumes it. It is slow, but it works. Maybe using a bigger buffer per step would increase the speed, but I first need to deal with the reserved page error in order to go over the page boundary.
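The dump loop described in the comment above, written out as an added example (this is not the attached vboxdump.py or any VirtualBox code). It reads large chunks for speed and, when a chunk fails, falls back to page-sized reads and writes a zero page for every page the reader refuses, which is how the reserved VGA window can be skipped without losing the rest of the dump. The reader interface assumed here mirrors the shape of IMachineDebugger.readPhysicalMemory(address, size): a call that returns bytes or raises. The FakeGuestMemory class, its reserved range, its byte pattern and the ReservedPageError class are constructed for the example; with the real Python bindings you would wrap the debugger object in an adapter with the same method name, pass the bindings' exception class as `unreadable`, and pause the console before dumping and resume it afterwards (the pause/resume calls are not shown here).

```python
"""Page-granular physical memory dumper (added example, not vboxdump.py)."""
import io

PAGE_SIZE = 0x1000
VERR_PGM_PHYS_PAGE_RESERVED = -1618  # status value quoted in the ticket


class ReservedPageError(Exception):
    """Constructed stand-in for the error a reserved page produces."""

    def __init__(self, address):
        super().__init__("VERR_PGM_PHYS_PAGE_RESERVED at %#x" % address)
        self.address = address
        self.rc = VERR_PGM_PHYS_PAGE_RESERVED


class FakeGuestMemory:
    """Constructed stand-in for a paused VM: `size` bytes of guest-physical
    RAM in which the legacy VGA window 0xA0000-0xBFFFF is reserved. Any read
    overlapping that window fails, as the ticket reports for PGM."""

    RESERVED = (0xA0000, 0xC0000)

    def __init__(self, size=2 * 1024 * 1024):
        self.size = size

    def read_physical_memory(self, address, size):
        end = address + size
        lo, hi = self.RESERVED
        if address < hi and end > lo:
            raise ReservedPageError(max(address, lo))
        # Deterministic filler: each byte is the low byte of its address.
        return bytes(a & 0xFF for a in range(address, end))


def dump_physical_memory(reader, total_size, out, chunk_size=1024 * 1024,
                         unreadable=(ReservedPageError,)):
    """Copy guest-physical range [0, total_size) from `reader` to `out`.

    Reads `chunk_size` bytes at a time. If a chunk read raises one of the
    `unreadable` exceptions, the chunk is re-read page by page and each page
    that still fails is replaced by PAGE_SIZE zero bytes, so the file offset
    always equals the guest-physical address. Returns the list of
    (start, end) ranges that were zero-filled, merged when adjacent."""
    if chunk_size % PAGE_SIZE:
        raise ValueError("chunk_size must be a multiple of PAGE_SIZE")
    zero_filled = []
    address = 0
    while address < total_size:
        size = min(chunk_size, total_size - address)
        try:
            out.write(reader.read_physical_memory(address, size))
        except unreadable:
            # Fast path failed somewhere inside this chunk: retry per page.
            for page in range(address, address + size, PAGE_SIZE):
                psize = min(PAGE_SIZE, address + size - page)
                try:
                    out.write(reader.read_physical_memory(page, psize))
                except unreadable:
                    out.write(b"\x00" * psize)
                    if zero_filled and zero_filled[-1][1] == page:
                        zero_filled[-1] = (zero_filled[-1][0], page + psize)
                    else:
                        zero_filled.append((page, page + psize))
        address += size
    return zero_filled


def dump_fake(total_size=2 * 1024 * 1024):
    """Dump the constructed fake machine into memory; returns (data, gaps)."""
    buf = io.BytesIO()
    gaps = dump_physical_memory(FakeGuestMemory(total_size), total_size, buf)
    return buf.getvalue(), gaps


if __name__ == "__main__":
    data, gaps = dump_fake()
    print("dumped %d bytes, zero-filled ranges: %s"
          % (len(data), [(hex(a), hex(b)) for a, b in gaps]))
```

Keeping the file offset equal to the guest-physical address is what makes the output usable as a raw image by memory-analysis tools; recording the zero-filled ranges alongside the dump lets the examiner distinguish "this page was unreadable" from "this page really contained zeros".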

comment:5 Changed 2 years ago by luizluca

So, is the patch good to go? Need some improvements?

