How to extract a RAM dump from a running VirtualBox machine
In order to analyze it with Volatility
Usually I use a VirtualBox sandbox to ‘detonate’ malware samples and analyze their behavior.
In this phase, analyzing the sandbox’s RAM with Volatility is a mandatory step.
But how can I extract a dump of volatile memory from the VM? The process looks a bit tricky but is actually really simple.
With the dumpvmcore --filename <name> option of VBoxManage debugvm, you can create a system dump of the running VM, which is written into the given file.
This file is in the standard ELF core format (with some custom sections).
The dump format is described in the VirtualBox documentation:
The overall layout of the VM core format is as follows:
[ ELF 64 Header]
[ Program Header, type PT_NOTE ]
    → offset to COREDESCRIPTOR
[ Program Header, type PT_LOAD ] - one for each contiguous physical memory range
    → Memory offset of range
    → File offset
[ Note Header, type NT_VBOXCORE ]
[ COREDESCRIPTOR ]
    → Magic
    → VM core file version
    → VBox version
    → Number of vCPUs etc.
[ Note Header, type NT_VBOXCPU ] - one for each vCPU
[ vCPU 1 Note Header ]
[ DBGFCORECPU - vCPU 1 dump ]
[ Additional Notes + Data ] - currently unused
[ Memory dump ]
Source: http://www.virtualbox.org/manual/ch12.html#ts_guest-core-format
So, let's start by dumping the memory into the ELF file:
$ vboxmanage debugvm "Win7" dumpvmcore --filename test.elf
We're interested in the first LOAD segment, which is where the main memory is referenced. We can get the correct offset using objdump:
$ objdump -h test.elf | egrep -w "(Idx|load1)"
Idx Name          Size      VMA               LMA               File off  Algn
  1 load1         40000000  0000000000000000  0000000000000000  00000720  2**0
So the memory dump is in test.elf, starting at file offset 0x720 and spanning 0x40000000 bytes (1024 MB).
Now let's extract the RAM, getting rid of the ELF header and notes that precede it:
$ size=0x40000000; off=0x720; head -c $((size+off)) test.elf | tail -c +$((off+1)) > test.raw
Now the file test.raw contains a memory image that can be analyzed with Volatility:
# volatility -f test.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (test.raw)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82944c30L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x82945c00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2017-06-22 08:05:41 UTC+0000
     Image local date and time : 2017-06-22 01:05:41 -0700
Obviously, all these commands can be wrapped in a simple bash script to automate the extraction process:
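As an added example (not the post's own script), here is a Python version of the same extraction that reads the PT_LOAD program headers of the ELF core directly instead of grepping objdump, and goes beyond the single-segment case above by flattening every PT_LOAD range into one image, zero-filling any hole between ranges. It assumes, per the VirtualBox layout quoted above, that each PT_LOAD's p_paddr holds the guest-physical start of its range; build_sample_core is a constructed toy core for testing, not a real VirtualBox dump.

```python
import struct
import sys

PT_LOAD, PT_NOTE = 1, 4

def parse_vm_core_segments(data):
    """Return (paddr, file_off, size) for each PT_LOAD of a little-endian ELF64 core."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    # ELF64 header: e_phoff at 0x20, e_phentsize at 0x36, e_phnum at 0x38
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    segs = []
    for i in range(e_phnum):
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        p_type, _, p_offset, _, p_paddr, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((p_paddr, p_offset, p_filesz))  # assumption: p_paddr = guest-physical start
    return sorted(segs)

def extract_ram(data):
    """Flatten all PT_LOAD ranges into one physical-memory image, zero-filling holes
    between ranges so that guest-physical offsets in the output stay valid."""
    out = bytearray()
    for paddr, off, size in parse_vm_core_segments(data):
        if paddr < len(out):
            raise ValueError("overlapping PT_LOAD ranges")
        out += b"\x00" * (paddr - len(out))
        out += data[off:off + size]
    return bytes(out)

def build_sample_core(ranges, note_len=0x80):
    """Constructed toy core (not a real VirtualBox dump): ELF64 header, one PT_NOTE
    standing in for the COREDESCRIPTOR, then one PT_LOAD per (paddr, payload) pair."""
    phnum, phoff = 1 + len(ranges), 64
    data_start = phoff + phnum * 56                               # 56 = sizeof(Elf64_Phdr)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8       # ELFCLASS64, LSB, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 4, 62, 1, 0, phoff, 0, 0, 64, 56, phnum, 0, 0, 0)
    phdrs = [struct.pack("<IIQQQQQQ", PT_NOTE, 0, data_start, 0, 0, note_len, 0, 0)]
    body = b"\x00" * note_len
    for paddr, payload in ranges:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_LOAD, 7, data_start + len(body),
                                 0, paddr, len(payload), len(payload), 0))
        body += payload
    return ehdr + b"".join(phdrs) + body

if __name__ == "__main__":
    # Usage: python3 vboxcore2raw.py test.elf > test.raw
    with open(sys.argv[1], "rb") as f:
        sys.stdout.buffer.write(extract_ram(f.read()))
```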