{"id":3716,"date":"2015-05-10T13:18:53","date_gmt":"2015-05-10T13:18:53","guid":{"rendered":"http:\/\/really.zonky.org\/?p=3716"},"modified":"2015-05-10T13:18:53","modified_gmt":"2015-05-10T13:18:53","slug":"virtualbox-and-volatility","status":"publish","type":"post","link":"https:\/\/really.zonky.org\/?p=3716","title":{"rendered":"VirtualBox, and Volatility"},"content":{"rendered":"<p>\n\tWhilst messing around with malware, memory dumps, and memory forensics, it is kind of handy to be able to use VirtualBox. Particularly when that is your virtual machine &quot;weapon of choice&quot;.\n<\/p>\n<p>\n\tAccording to the documentation, Volatility can read core dumps from VirtualBox. Once you realise that you need to specify a &#8220;profile&#8221; to read the result, this is quite simple :-\n<\/p>\n<pre>\r\n\u2713 mike@pica\u00bb VBoxManage list vms | grep Windows\r\n\"Windows\" {9cefc95e-eaf2-4052-b466-cb665c73a36a}\r\n\u2713 mike@pica\u00bb VBoxManage debugvm \"Windows\" dumpguestcore --filename ~\/windows.elf\r\n\u2713 mike@pica\u00bb ls -l ~\/windows.elf\r\n-rw------- 1 mike mike 2.1G May 10 14:11 \/home\/mike\/windows.elf\r\n<\/pre>\n<p>If you specify the right profile option, then Volatility can make use of this :-<\/p>\n<pre>\r\n\u2713 mike@pica\u00bb volatility -f ~\/windows.elf --profile=Win7SP1x86 cmdline\r\nVolatility Foundation Volatility Framework 2.4\r\n************************************************************************\r\nSystem pid:      4\r\n************************************************************************\r\nsmss.exe pid:    260\r\nCommand line : \\SystemRoot\\System32\\smss.exe\r\n{Long list of processes removed}\r\n<\/pre>\n<p>All fairly obvious really, but if you do not specify the profile, Volatility will present you with an error that indicates it does not understand the format of the memory dump, which is a bit confusing :-<\/p>\n<pre>\r\n\u2713 mike@pica\u00bb volatility -f ~\/windows.elf cmdline\r\nVolatility Foundation Volatility Framework 2.4\r\nNo suitable address space mapping found\r\nTried to open image as:\r\n{Long list of memory image formats}\r\n<\/pre>\n<p>At least to someone as thick as me! Yes, it took me ages to get this figured out.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Whilst messing around with malware, memory dumps, and memory forensics, it is kind of handy to be able to use VirtualBox. Particularly when that is your virtual machine &quot;weapon of choice&quot;. According to the documentation, Volatility can read core dumps from VirtualBox. Once you realise that you need to specify a &#8220;profile&#8221; to read the <a href='https:\/\/really.zonky.org\/?p=3716' class='excerpt-more'>[&#8230;]<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_share_on_mastodon":"0"},"categories":[4],"tags":[1310,1311],"class_list":["post-3716","post","type-post","status-publish","format-standard","hentry","category-it","tag-virtualbox","tag-volatility","category-4-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"share_on_mastodon":{"url":"","error":""},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p1f2KI-XW","_links":{"self":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/3716","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3716"}],"version-history":[{"count":4,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/3716\/revisions"}],"predecessor-version":[{"id":3720,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/3716\/revisions\/3720"}],"wp:attachment":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3716"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3716"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3716"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}