Ticket #10222 (new enhancement)
Please implement readPhysicalMemory or a raw memory dumper
|Reported by:||luizluca||Owned by:|
|Version:||VirtualBox 4.1.8||Keywords:||memory dump, debug|
We are studying the use of VBox in a forensic course. However, access to VM memory is critical.
I found many references on the forum about people trying to get the VM memory contents. However, no one provided a solution. I can still get the memory by treating it as a real machine, but that would taint the VM memory with the memory dumper. The best solution would be to collect the VM memory using the VM solution's resources, especially in a paused state. The best solution would be to have a simple read function that could access a snapshot.
The VBox SDK guide describes the function readPhysicalMemory and notes that it is not developed in 4.0.0. We are already at 4.1.8 and it is still not implemented. I got this error message when running a Python script that calls this function:
0x80004001 (Method ReadPhysicalMemory is not implemented)
Please, could you provide the implementation of this function in the next VBox release? Alternatively, this could be implemented in a VBoxManage debugvm option, especially when considering snapshots. The needed function is a raw VM memory dump.
VMware Server/Workstation, for example, stores the memory in a flat vmem file. Libvirt has the virDomainMemoryPeek API function. Only VBox is lacking on this point.
Changed 5 years ago by luizluca
- attachment patch-implement_MachineDebugger_ReadPhysicalMemory.patch added