How to extract a RAM dump from a running VirtualBox machine

In order to analyze it with Volatility

Usually i use a VirtualBox sandbox in order to ‘detonate’ some malware and analyze the behavior of them.

In this phase, the analysis of sandbox’s ram with Volatility is a mandatory step.
But, how i can extract a dump af volatile memory from the VM? The process is apparently a bit tricky but actually really simple.

With the option dumpvmcore --filename <name> of VBoxManage, you can create a system dump of the running VM, which will be written into the given file.

This file will have the standard ELF core format (with some custom sections).

The dump format is described in the VirtualBox documentation:

The overall layout of the VM core format is as follows:

[ ELF 64 Header]
[ Program Header, type PT_NOTE ]
  → offset to COREDESCRIPTOR
[ Program Header, type PT_LOAD ] - one for each contiguous physical memory range
  → Memory offset of range
  → File offset
[ Note Header, type NT_VBOXCORE ]
[ COREDESCRIPTOR ]
  → Magic
  → VM core file version
  → VBox version
  → Number of vCPUs etc.
[ Note Header, type NT_VBOXCPU ] - one for each vCPU
[ vCPU 1 Note Header ]
  [ DBGFCORECPU - vCPU 1 dump ]
[ Additional Notes + Data ] - currently unused
[ Memory dump ]

http://www.virtualbox.org/manual/ch12.html#ts_guest-core-format

So, starting dump the memory into the ELF file:

$ vboxmanage debugvm "Win7" dumpvmcore --filename test.elf

We’re interested into the first LOAD section, that’s where main memory reference is. We can get the correct offset using objdump:

$ objdump -h test.elf|egrep -w "(Idx|load1)"
Idx Name          Size      VMA               LMA               File off  Algn
  1 load1         40000000  0000000000000000  0000000000000000  00000720  2**0

So memory dump is in test.elf, starting at offset 0x720 and counting 0x40000000 bytes (1024Mb)

Now let’s extract the RAM, getting rid of the first bytes.

size=0x40000000;off=0x720;head -c $(($size+$off)) test.elf|tail -c +$(($off+1)) > test.raw

Now the file test.raw contains a memory image that can be analyzed with Volatility:

# volatility -f test.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search…
 Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
 AS Layer1 : IA32PagedMemoryPae (Kernel AS)
 AS Layer2 : FileAddressSpace (test.raw)
 PAE type : PAE
 DTB : 0x185000L
 KDBG : 0x82944c30L
 Number of Processors : 1
 Image Type (Service Pack) : 1
 KPCR for CPU 0 : 0x82945c00L
 KUSER_SHARED_DATA : 0xffdf0000L
 Image date and time : 2017–06–22 08:05:41 UTC+0000
 Image local date and time : 2017–06–22 01:05:41 -0700

Obviously all commands can be wrapped in a simple bash script, in order to automate the extraction process:


References

http://www.virtualbox.org/manual/ch12.html#ts_guest-core-format

Comments