How to generically dump the physical RAM of a VM

Recently I have been experiencing some problems with VMWare. It looks like they are not maintaining the free version as well as they ought to, and bugs are starting to arise. With some of my VMs the mouse pointer was completely unresponsive, so I decided to switch to VirtualBox. After installing the software and porting my VMs I gave VirtualBox a try and it worked like a charm. It was only when I started my first bug-hunting project after the change that I noticed there was no support for physical memory dumps.

Some time ago I started using qemu for development. It had support for a gdb stub out of the box, which allowed me to debug real and protected mode code as well as to dump the physical memory of a VM after a hard kernel crash. At some point a friend of mine told me that VMWare could do exactly the same and it was way faster, so I tried it. Now I’m playing with VirtualBox. It has an integrated debugger that works pretty well, but there is no “dump memory” command.

When I faced this problem I started thinking of a way to dump the memory of a VM independently of whether it is VMWare, qemu, VirtualBox or any other. One thing that all the Virtual Machine Monitors (VMMs) I know have in common is that they all allocate large amounts of memory to emulate the guest’s physical RAM. This makes sense, because it is the only way to keep the memory access overhead low. If we knew the exact mapping between the allocated memory and the VM’s physical address space, then we could just attach a debugger to the VM process and dump the relevant pages. To achieve this I used a really simple procedure:

1. Create an x86 boot sector that marks all memory pages above 1MB
2. Boot the VM from the newly created boot sector
3. Attach to the VM process and stop it
4. Identify all the pages and fill in a mapping structure
5. Let the VM continue booting from the next drive available

After the last step we can stop the VM at any time we want and dump the memory region of our choice. I have written a little tool that does just this. Here you have a video showing how it works:
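To make steps 1 and 4 concrete, here is an added example (not the author's tool): it emulates the boot sector's page marking and the ptrace-side scan over a heap buffer that stands in for the RAM the VMM allocated for the guest. The marker layout (an 8-byte signature followed by the 32-bit guest page number at the start of every 4 KiB page above 1 MB) and the names are assumptions, not the format used in the post.

```c
/* Added example, not the post's code. Marker layout is an assumption. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>

#define PAGE_SIZE 4096u
#define ONE_MB    0x100000u
#define MAX_PAGES 256u            /* emulate 1 MiB of guest RAM above 1 MiB */
static const char MARK_SIG[8] = "VMPGMARK";

/* guest physical page (relative to 1 MiB) -> offset in host memory, or -1 */
typedef struct { long host_off[MAX_PAGES]; unsigned found; } page_map_t;

/* Step 1, what the boot sector does: stamp every page with its page number. */
static void mark_guest_pages(uint8_t *guest_ram, size_t len)
{
    for (size_t off = 0; off + PAGE_SIZE <= len; off += PAGE_SIZE) {
        uint32_t phys_page = (uint32_t)((ONE_MB + off) / PAGE_SIZE);
        memcpy(guest_ram + off, MARK_SIG, sizeof MARK_SIG);
        memcpy(guest_ram + off + sizeof MARK_SIG, &phys_page, sizeof phys_page);
    }
}

/* Step 4, what the scanner does after attaching: walk host memory page by
 * page, accept only marks whose page number is in range and not yet seen,
 * and record where each guest page lives. Returns the number of pages found. */
static unsigned scan_for_marks(const uint8_t *host, size_t len, page_map_t *map)
{
    for (unsigned i = 0; i < MAX_PAGES; i++) map->host_off[i] = -1;
    map->found = 0;
    for (size_t off = 0; off + PAGE_SIZE <= len; off += PAGE_SIZE) {
        uint32_t phys_page;
        if (memcmp(host + off, MARK_SIG, sizeof MARK_SIG) != 0) continue;
        memcpy(&phys_page, host + off + sizeof MARK_SIG, sizeof phys_page);
        unsigned idx = phys_page - ONE_MB / PAGE_SIZE;     /* wraps if below 1 MiB */
        if (idx >= MAX_PAGES || map->host_off[idx] != -1) continue; /* bogus or dup */
        map->host_off[idx] = (long)off;
        map->found++;
    }
    return map->found;
}

/* Constructed demo: guest pages land in the host buffer in reverse order,
 * behind one unmarked page, so the mapping is deliberately non-identity.
 * Returns the host offset that holds guest physical address guest_paddr, or -1. */
static long demo_lookup(uint32_t guest_paddr)
{
    size_t glen = MAX_PAGES * PAGE_SIZE, hlen = glen + PAGE_SIZE;
    uint8_t *guest = calloc(1, glen), *host = calloc(1, hlen);
    page_map_t map;
    long result = -1;
    if (guest && host) {
        mark_guest_pages(guest, glen);
        for (unsigned i = 0; i < MAX_PAGES; i++)   /* guest page i -> host slot MAX_PAGES-i */
            memcpy(host + (MAX_PAGES - i) * PAGE_SIZE, guest + i * PAGE_SIZE, PAGE_SIZE);
        if (scan_for_marks(host, hlen, &map) == MAX_PAGES && guest_paddr >= ONE_MB) {
            unsigned idx = (guest_paddr - ONE_MB) / PAGE_SIZE;
            if (idx < MAX_PAGES && map.host_off[idx] >= 0)
                result = map.host_off[idx] + (long)(guest_paddr % PAGE_SIZE);
        }
    }
    free(guest); free(host);
    return result;
}
```

Once the map is filled, dumping a guest physical range is a matter of copying the host bytes the map points to (via ptrace or /proc/PID/mem) in page-sized chunks.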

vbug_final.avi

I decided to only present the video in this post, as the coding of the tool turned out to be a bit more complicated than I thought at first. I will split the walk-through into several posts about real mode coding, memory scanning and parent-child interactions when ptracing a process.

Enjoy the video and happy hacking!
