VirtualBox

Opened 12 years ago

Last modified 12 years ago

#10222 new enhancement

Please implement readPhysicalMemory or a raw memory dumper

Reported by: Luiz Angelo Daros de Luca
Owned by:
Component: VM control
Version: VirtualBox 4.1.8
Keywords: memory dump, debug
Cc:
Guest type: other
Host type: Linux

Description

Hello,

We are studying the use of VBox in a forensic course. However, the access to VM memory is critical.

I found many references at the forum about people trying to get the VM memory contents. However, no one provided a solution. I still can get the memory, treating it as a real machine, but that would taint the VM memory with the memory dumper. The best solution would be to collect the VM memory using the VM solution resources, especially in a paused state. The best solution would be to have a simple read function that could access a Snapshot.

The VBOX SDK guide describes the function readPhysicalMemory and notes that it is not developed in 4.0.0. We are already in 4.1.8 and it is still not implemented. I got this error message when running a Python script that calls this function:

0x80004001 (Method ReadPhysicalMemory is not implemented)

Please, could you please provide the implementation of this function in the next vbox release. Alternatively, this could be implemented in a VBoxManage debugvm option, especially if considering snapshots. The needed function is a raw VM memory dump.

VMware Server/Workstation, for example, stores the memory in a flat vmem file. Libvirt has the virDomainMemoryPeek API function. Just Vbox lacks at this point.

Thanks,

Attachments (2)

patch-implement_MachineDebugger_ReadPhysicalMemory.patch (1.3 KB ) - added by Luiz Angelo Daros de Luca 12 years ago.
Implemented MachineDebugger::ReadPhysicalMemory using PGMPhysSimpleReadGCPhys
vboxdump.py (3.0 KB ) - added by Luiz Angelo Daros de Luca 12 years ago.
Sample python script that uses the ReadPhysicalMemory to dump VM memory


Change History (7)

comment:1 by Frank Mehnert, 12 years ago

So where is your patch?

Also: Are you aware of the built-in VM debugger?

comment:2 by aeichner, 12 years ago

The VM debugger has this feature. Start the VM with "VirtualBox --dbg --startvm <VM name>". Click on the "Debug" menu -> "Command line...". Then use ".pgmphystofile" to save the physical memory to the given file.

comment:3 by Luiz Angelo Daros de Luca, 12 years ago

@aeichner, exactly what I needed. However, I wish that it would be available in "VBoxManage debugvm".

@frank, I'll try to provide the patch to add "dumpguestmem" to "VBoxManage debugvm"

Thanks for both,

by Luiz Angelo Daros de Luca, 12 years ago

Implemented MachineDebugger::ReadPhysicalMemory using PGMPhysSimpleReadGCPhys

by Luiz Angelo Daros de Luca, 12 years ago

Attachment: vboxdump.py added

Sample python script that uses the ReadPhysicalMemory to dump VM memory

comment:4 by Luiz Angelo Daros de Luca, 12 years ago

I implemented readPhysicalMemory using PGMPhysSimpleReadGCPhys. I don't know if I did something wrong but it works. Well, patch is attached.

The only problem is with region between 0xa000 and 0xbffff. When I try to read it using PGMPhysSimpleReadGCPhys, it returns the error VERR_PGM_PHYS_PAGE_RESERVED (-1618). Does this have something with video memory?

I have some questions:

  • Is this expected to occur for the function readPhysicalMemory?
  • Is this expected to occur for the function PGMPhysSimpleReadGCPhys?
  • Should the readPhysicalMemory caller treat the errors? The docs do not make it clearer.
  • Is PGMPhysSimpleReadGCPhys the wrong function to use?

The pgmphystofile method uses too many internal functions to be usable for an external API call. However, it treats some special cases by filling the output page with zeros. Should readPhysicalMemory or PGMPhysSimpleReadGCPhys also treat these cases? The error is especially strange as readPhysicalMemory and PGMPhysSimpleReadGCPhys are byte based and not page based. They could have an option to fill the output on error or in some way inform the caller that the region requested includes some special pages that are unreadable.

Also, I added a simple script in Python that already deals with the reserved error. It stops the machine, dumps the memory and resumes it. It is slow but it works. Maybe using a bigger buffer per step should increase the speed but I need to deal first with the reserved page error in order to go over the page boundary.
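
The trade-off raised in comment:4 (bigger read buffers versus unreadable reserved pages) can be handled by reading in large chunks and falling back to page-by-page reads only when a chunk fails, zero-filling the unreadable pages as .pgmphystofile is described as doing. This is an added example, not part of the ticket and not the attached vboxdump.py; `read_phys`, `PageUnreadable` and `make_fake_guest` are hypothetical names, and the reader is a constructed stand-in rather than the VirtualBox API.

```python
PAGE_SIZE = 4096  # assumed guest page size


class PageUnreadable(Exception):
    """Hypothetical stand-in for a read failing with VERR_PGM_PHYS_PAGE_RESERVED."""


def dump_guest_memory(read_phys, mem_size, out, chunk_pages=64):
    """Write mem_size bytes of guest-physical memory to the file object out.

    read_phys(addr, size) -> bytes is a caller-supplied reader (hypothetical
    signature). A failed chunk is retried page by page and only the unreadable
    pages are zero-filled, so file offsets stay equal to guest-physical
    addresses. Returns the merged zero-filled ranges as (start, end), end exclusive.
    """
    holes = []

    def note_hole(start, end):
        # Merge with the previous hole when the two are adjacent.
        if holes and holes[-1][1] == start:
            holes[-1] = (holes[-1][0], end)
        else:
            holes.append((start, end))

    chunk = chunk_pages * PAGE_SIZE
    addr = 0
    while addr < mem_size:
        size = min(chunk, mem_size - addr)
        try:
            out.write(read_phys(addr, size))      # fast path: one large read
        except PageUnreadable:
            for page in range(addr, addr + size, PAGE_SIZE):
                psize = min(PAGE_SIZE, addr + size - page)
                try:
                    out.write(read_phys(page, psize))
                except PageUnreadable:
                    out.write(b"\x00" * psize)    # keep offsets aligned
                    note_hole(page, page + psize)
        addr += size
    return holes


def make_fake_guest(reserved):
    """Constructed reader: byte at address a is a % 251; reads touching `reserved` fail."""
    lo, hi = reserved

    def read_phys(addr, size):
        if addr < hi and addr + size > lo:
            raise PageUnreadable(hex(addr))
        return bytes(a % 251 for a in range(addr, addr + size))
    return read_phys
```

The returned hole list is worth storing next to the image so that zero-filled ranges are not later mistaken for guest memory that actually contained zeros.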

comment:5 by Luiz Angelo Daros de Luca, 12 years ago

So, is the patch good to go? Need some improvements?
