nettech1
Expert

VMware .vmem conversion help

Hi,

We are looking to convert several vmem files to a format recognizable by WinDbg. It's our understanding that Volatility is our tool; however, we are not having any luck with the conversion.

Are there any other tools we can try to convert the file?

volatility_2.6_win64_standalone.exe -f VM-Sales-001-c0bb6a9d.vmem --profile=Win10x64_10586 raw2dump --output-file=raw_image

Volatility Foundation Volatility Framework 2.6

ERROR   : volatility.debug    : You must specify something to do (try -h)

Thanks

1 Solution

Accepted Solutions
dariusd
Leadership

You have a typo: raw2dump should instead be raw2dmp.

Command Reference · volatilityfoundation/volatility Wiki · GitHub

By the way, our own vmss2core tool can also convert a VM's saved state into a WinDBG-compatible .dmp format, including the full CPU state.

--

Darius

4 Replies
nettech1
Expert

Thanks Darius,

Wondering if there is a newer version of the vmss2core tool?

vmss2core-sb-8456865.exe -W VM-Sales-001-c0bb6a9d.vmss VM-Sales-001-c0bb6a9d.vmem

vmss2core version 8456865 Copyright (C) 1998-2017 VMware, Inc. All rights reserved.

region[0]: start=0 end=c0000000.

region[1]: start=100000000 end=240000000.

Cannot recognize Windows VM.

Error parsing Windows data.

Cannot create memory.dmp

Finished writing core.

0 Kudos
nettech1
Expert

This time I missed an 8; -W8 created a WinDbg file.

0 Kudos
dariusd
Leadership

Seems you're having a bad command-line-argument day today. It happens to us all. :smileygrin:

vmss2core is now included with Workstation. If you have the latest version of Workstation, you have the latest version of vmss2core along with it.

Thanks,

--

Darius

0 Kudos