Over the last few months I have been playing with Cuckoo, and reworking its function to suit my own requirements. Part of this has involved the separation of components within Cuckoo into functional units.
This particular component relates to extracting the RAM from a VirtualBox machine for analysis after ceasing the VM.
For this to work we need to make sure volatility and virtualbox are installed.
Once the VirtualBox VM has been executed here is what we do to start capturing it’s memory:
#!/bin/bash
vboxmanage debugvm $1
dumpvmcore –filename=$1.elf
size=0x$(objdump -h $1.elf | egrep -w “(Idx|load1)” | tr -s “ “ | cut -d “ “ -f 4)
off=0x$(echo “obase=16;ibase=16;objdump -h $1.elf | egrep -w "(Idx|load1)" | tr -s " " | cut -d " " -f 7 | tr /a-z/ /A-Z/” | bc)
head -c $(($size+$off)) $1.elf|tail -c +$(($off+1)) > $1.raw rm $1.elf
volatility -f $1.raw imageinfo
This memory dump will last for the duration of the VM being run, but be aware depending on what is being analysed this could be quite a large memory dump, and will need to be further analysed to remove elements which are not relevant to what you are analysing.