-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 John A. Wallace wrote: > >> -----Original Message----- From: halfdog [mailto:m...@halfdog.net] >> Sent: Monday, March 18, 2013 3:05 PM To: Community mailing list >> of VirtualBox users Subject: Re: [VBox-users] guest ram contents >> accessible in host >> >> Gregory Nowak wrote: >>> Hi everyone, I have a straight forward question. Can data >>> stored in a guest's portion of ram be accessed somehow on the >>> host while the guest is running? >> >> Yes, there are many (see >> http://www.halfdog.net/Misc/TipsAndTricks/VirtualBox.html#ExtractGuestPhysicalMemory >> >> for one): >> >>> From my opinion, the way most suitable for automation would >>> be: >> >> nsResultCode=debugger->vtbl->ReadVirtualMemory(debugger, 0, >> offset, length, &length, &charPtr); >> >> nsResultCode=debugger->vtbl->ReadPhysicalMemory(debugger, >> offset, length, &length, &charPtr); >> >> from IMachineDebugger, but although specified, documented and >> implementation in the interface, these calls are not yet >> implemented in the vbox memory management layer. But I heard >> rumors there exists an unofficial patch providing those functions >> in the wild. >> >> Another way is to run the vbox guest within the vbox debugger, >> which allows interactive analysis. Last time I checked, I failed >> to automate that. >> >> The dump method from the link above gives you the whole memory, >> but it is not trivial to get from the physacal to virtual pages. >> Took me hours to get through segmentation and page table. But >> perhaps there are tools other than manual search using the Intel >> processor spec. >> >> Another way is to attach with gdb to the virtualbox process. >> >>> Am I correct in assuming that such data can be accessed once >>> the >> guest >>> is halted, and that portion of ram wasn't allocated to another >>> program? Thanks. >> >> When the guest is suspended and halted, you can extract the RAM >> data from your disk using code parts from vbox to read the >> storage files. > > Hi, halfdog. > > Would you expound on this idea for me because I am having a wee bit > of a problem connecting the dots? Or perhaps you can point to a > link that explains the procedure in greater depth?
The method from http://www.halfdog.net/Misc/TipsAndTricks/VirtualBox.html#ExtractGuestPhysicalMemory is suitable to extract the "physical memory" of the guest on a linux host: VBoxManage debugvm TestVm dumpguestcore --filename guest.dump creates a core dump file of approximately the RAM-size of the guest. With gdb --core guest.dump you attach a debugger to the core, that can read the memory-layout encoded in the core file. With the debugger command dump memory [phys-mem-file] 0x0 [size vm-memory] e.g. dump memory phys.mem 0x0 0x40000000 you extract 1GB of physical memory data from the guest core dump. The main problem is, that the ordering of memory pages in the physical RAM does not correspond to the virtual address space used by applications to address memory content (user-space memory pointers). This does not really matter for following tasks: * Extract plaintext passwords from RAM * Extract cryptographical keys from RAM (in most cases so small, that they are stored on one page) * Check if a given text string was in RAM in the moment when dump was created * extract parts of all e-mails in RAM during dump * Find parts of malware code hidden from the guest OS It is problematic, e.g. when you want e.g. * dump the virtual memory data of a process running in the guest. * list the tasks, the guest kernel was tracking * extract data from IO-buffers during data transition between userspace to kernel and to modify them. If you need to reconstruct guest task state or virtual memory, you have to start from processor registers at time of dump using VBoxManage debugvm TestVm getregisters all then use cr0, cr3, gdtr to reconstruct page table, segment layout, ... to find your way from physical pages to virtual pages (see I think Intel architecture reference manuel vol 3, ch. 3). Perhaps you find some debugging (maybe crashdump/kexec might have such support) or forensic tools to accomplish this utterly painful task. > I am not nearly as versed in debugging as you, but this is an > important topic in connection with security concerns, and I want to > get a better understanding of it. Thanks. Perhaps you could explain, what you want to archive, then it might be easier to suggest a suitable method. hd - -- http://www.halfdog.net/ PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAlFKCloACgkQxFmThv7tq+4MpgCfSo1JwgaRJAvqtL2C6G6mkoZZ c+kAoIien5EQbOT4SDS+lTV5S1B6k5I1 =d8rQ -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_mar _______________________________________________ VBox-users-community mailing list VBox-users-community@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/vbox-users-community _______________________________________________ Unsubscribe: mailto:vbox-users-community-requ...@lists.sourceforge.net?subject=unsubscribe
