VMware Cloud Community

amirsh (Contributor)

Access Guest machine physical memory

Hey,

I want to access a guest machine physical memory (guest-RAM), without any changes to the guest OS.

I want to create a dump of all the ram, or at least scan it for forensic data.

I thought about writing a program to run on the ESX server (service console) and to dump the vmware process memory, for example.

My goal is to search for signatures inside the guest-RAM, and as such I don't mind looking at the entire guest process memory (which includes more than the RAM).

Any ideas?

Texiwill (Leadership)

Hello,

Moved to the Security forum.

This is a very interesting subject and I think there are ways for you to dump the memory of the VM into the .vswp file provided or even into a .vmss file. The first requires you to send signals to the appropriate aspect of the VM; the second requires you to just suspend the VM, and the suspension will create a memory file with the entire contents in it.

Once vSphere is released, VMsafe should do what you want to do as well.


Best regards, Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, DABCC Analyst
Now available on Rough-Cuts: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment'
Also available: 'VMware ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
ksc (VMware Employee), accepted solution

> This is a very interesting subject and I think there are ways for you to dump the memory of the VM into the .vswp file provided or even into a .vmss file. The first requires you to send signals to the appropriate aspect of the VM; the second requires you to just suspend the VM, and the suspension will create a memory file with the entire contents in it.
>
> Once vSphere is released, VMsafe should do what you want to do as well.

Indeed, the suspend (and the corresponding .vmss) file is the best way. A snapshot (and the corresponding .vmsn file) also works; the file is essentially the same. The contents of memory start at an offset within the file, and are stored as raw contents of physical memory (e.g. not with virtual addresses). The .vswp files do not contain a deterministic set of pages (e.g. memory that doesn't need to get paged out won't be written to the .vswp).

And yes, VMsafe allows all this as well.

For online scanning, VMsafe is the only option (and the VMsafe API could also disallow execution based on the results of the scan) and is helpful because you can use VMsafe APIs to look up the page table and thus perform the analysis in the virtual address space as well as the physical address space. For offline scanning, the snapshot is certainly more efficient, but coming up with the current page table is considerably more difficult, so the pattern scanning has to be in the physical address space only.

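The offline approach ksc describes (suspend, then scan the raw physical pages in the .vmss/.vmsn at their file offset) needs no page-table walk, only a signature scan over a large file. Below is an added example of such a scanner; it is not code from this thread, from VMware, or from VMsafe. It does not decode the .vmss header: `memory_offset`, the file offset where the raw guest RAM begins, is an assumed, caller-supplied value, and the `SIGNATURES` table and the sample image are constructed for the demonstration. The scanner reads the file in chunks with an overlap so that a pattern straddling a chunk boundary is still reported exactly once, and it reports guest-physical addresses rather than file offsets.

```python
"""Chunked signature scan over the raw guest-physical memory region of a
VMware suspend (.vmss) or snapshot (.vmsn) file.

Added example for this thread; not VMware code and not the poster's code.
Assumptions (labelled): the file header is NOT parsed here, so the caller
supplies memory_offset, the file offset at which the raw guest RAM begins.
SIGNATURES and the sample image are constructed for demonstration only.
"""
import io
import re

# Illustrative byte patterns (constructed). Each must match at most
# MAX_SIG_LEN bytes, because that bound sizes the overlap between chunks.
SIGNATURES = {
    "pem_private_key": re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "dos_mz_header": re.compile(rb"MZ\x90\x00\x03\x00\x00\x00"),
    "fake_beacon": re.compile(rb"C2HOST=[A-Za-z0-9.\-]{1,40}"),  # hypothetical IOC
}
MAX_SIG_LEN = 64
CHUNK = 1 << 20  # 1 MiB reads, so a multi-GB image is never loaded whole


def scan_stream(fh, memory_offset, chunk=CHUNK):
    """Yield (signature_name, guest_physical_address) for every hit.

    Chunks are scanned with an overlap of MAX_SIG_LEN - 1 bytes so a pattern
    straddling a chunk boundary is found exactly once: a match that starts in
    the trailing overlap is deferred to the next buffer, where it is complete.
    """
    overlap = MAX_SIG_LEN - 1
    if chunk <= overlap:
        raise ValueError("chunk must exceed the overlap")
    fh.seek(memory_offset)
    tail = b""
    base = memory_offset  # file offset of buf[0]
    while True:
        data = fh.read(chunk)
        eof = len(data) < chunk
        buf = tail + data
        limit = len(buf) if eof else len(buf) - overlap
        for name, pattern in SIGNATURES.items():
            for m in pattern.finditer(buf):
                if m.start() < limit:
                    # Memory is stored as raw physical pages, so the guest
                    # physical address is the file offset minus the start of
                    # the memory region; no page-table walk is needed.
                    yield name, base + m.start() - memory_offset
        if eof:
            return
        tail = buf[-overlap:]
        base += len(buf) - overlap


def scan_image(image, memory_offset, chunk=CHUNK):
    """Scan an in-memory image and return sorted (name, paddr) hits."""
    return sorted(scan_stream(io.BytesIO(image), memory_offset, chunk))


def scan_file(path, memory_offset, chunk=CHUNK):
    """Scan a real .vmss/.vmsn on disk; memory_offset is caller-supplied."""
    with open(path, "rb") as fh:
        return sorted(scan_stream(fh, memory_offset, chunk))


def build_sample_image(header_len=512):
    """Constructed stand-in for a suspend file: an opaque header followed by
    16 KiB of guest RAM with three planted artefacts. Returns (bytes, offset).
    The header bytes are filler, not the real .vmss layout."""
    mem = bytearray(16384)
    key = b"-----BEGIN RSA PRIVATE KEY-----"
    mem[0x1000 - 10:0x1000 - 10 + len(key)] = key  # straddles a 4 KiB boundary
    mz = b"MZ\x90\x00\x03\x00\x00\x00"
    mem[0x2000:0x2000 + len(mz)] = mz
    beacon = b"C2HOST=example.internal"
    mem[0x3F00:0x3F00 + len(beacon)] = beacon
    header = b"HDR" + b"\x00" * (header_len - 3)
    return header + bytes(mem), header_len


if __name__ == "__main__":
    image, offset = build_sample_image()
    # A 4 KiB chunk forces the planted key to cross a chunk boundary.
    for name, paddr in scan_image(image, offset, chunk=4096):
        print(f"{name:16s} guest-physical 0x{paddr:08x}")
```

Run it against the .vmss (or .vmsn) produced by a suspend or snapshot with `scan_file(path, memory_offset)`, where `memory_offset` is the start of the memory region as determined from that file's header (not decoded here). Do not point it at the .vswp: as noted above, that file holds only whatever the hypervisor chose to page out, so a clean scan of it proves nothing about what was resident in guest RAM.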
amirsh (Contributor)

I wish to scan physical memory only, no need to evaluate the page tables.

I'm evaluating vSphere 4 now, but from where can I obtain the VMsafe API to create proof-of-concept code for online scanning?

Texiwill (Leadership)

Hello,

You will need to contact your VMware Sales Representative about joining one of their VMsafe programs. At the moment, they have not released the API to any but registered vendors. Unfortunately, I do not have the answer to how this happens.


Best regards, Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009