Extracting RAM from VirtualBox session

Over the last few months I have been playing with Cuckoo, and reworking its function to suit my own requirements. Part of this has involved the separation of components within Cuckoo into functional units.

This particular component extracts the RAM of a VirtualBox VM for analysis. The dump is taken once the sample has finished running but before the VM is powered off: `dumpvmcore` works through the VM debugger, so it needs a live (running or paused) VM and pauses the guest while the core is written.

For this to work we need to make sure VirtualBox, binutils (for objdump) and Volatility are installed on the host.

Once the VirtualBox VM is running, here is what we do to capture its memory (the script takes the VM name as its only argument):

#!/bin/bash
# usage: ./vboxdump.sh <vmname>   (the VM must be running; dumpvmcore pauses it while writing)
vm="$1"
vboxmanage debugvm "$vm" dumpvmcore --filename="$vm.elf"
# objdump -h columns: Idx Name Size VMA LMA "File off" Algn. load1 is the first
# guest-RAM segment of the ELF core, so take its size (field 3) and file offset (field 6).
read -r size off < <(objdump -h "$vm.elf" | awk '$2 == "load1" { print $3, $6 }')
size=$((0x$size)); off=$((0x$off))
# carve bytes off+1 .. off+size out of the core: that is the raw guest physical memory
head -c $((size + off)) "$vm.elf" | tail -c +$((off + 1)) > "$vm.raw"
rm "$vm.elf"
volatility -f "$vm.raw" imageinfo

A dump can be taken at any point while the VM is running, and it is a snapshot of the guest's physical memory at that moment. Be aware that it is the same size as the RAM assigned to the VM, so depending on what is being analysed it can be quite large, and it will need further work with Volatility plugins to separate the artefacts you care about from everything else. Two things to check before trusting the raw file: `load1` is only the first RAM segment, so if `objdump -h` lists further `loadN` segments (VirtualBox splits guest memory into more than one range when the guest is large enough for part of it to sit above the PCI hole), this script has not carved them; and `imageinfo` is a Volatility 2 plugin, so with Volatility 3 the equivalent first step is `vol.py -f $vm.raw windows.info`.
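As an added example, not from the original post or from Cuckoo, here is the same carve done in Python by reading the ELF program headers directly instead of scraping objdump output. It places every PT_LOAD segment at its guest physical address, so the raw image stays correct when the core contains more than one RAM segment, and zero-fills the gaps (a sparse file on disk). All function names are my own, and `build_test_core` fabricates a tiny three-segment core as constructed test input; a real dump is opened with mmap by `main`.

```python
import io
import mmap
import struct
import sys

PT_LOAD = 1
PT_NOTE = 4
EHDR_SIZE = 64
PHDR_SIZE = 56
PHDR_FMT = "<IIQQQQQQ"  # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align


def parse_program_headers(core):
    """Parse the program headers of a little-endian ELF64 core (what dumpvmcore writes on x86-64)."""
    if core[:4] != b"\x7fELF" or core[4] != 2 or core[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_phoff = struct.unpack_from("<Q", core, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", core, 0x36)
    if e_phentsize != PHDR_SIZE:
        raise ValueError("unexpected e_phentsize %d" % e_phentsize)
    headers = []
    for i in range(e_phnum):
        fields = struct.unpack_from(PHDR_FMT, core, e_phoff + i * PHDR_SIZE)
        p_type, _flags, p_offset, _vaddr, p_paddr, p_filesz, p_memsz, _align = fields
        headers.append({"type": p_type, "offset": p_offset, "paddr": p_paddr,
                        "filesz": p_filesz, "memsz": p_memsz})
    return headers


def load_segments(core):
    """PT_LOAD segments (the guest RAM ranges) ordered by guest physical address."""
    loads = [h for h in parse_program_headers(core) if h["type"] == PT_LOAD]
    if not loads:
        raise ValueError("core has no PT_LOAD segment")
    return sorted(loads, key=lambda h: h["paddr"])


def first_load_extent(core):
    """(file offset, size) of the lowest PT_LOAD: the segment the objdump-based script carves."""
    seg = load_segments(core)[0]
    return seg["offset"], seg["filesz"]


def write_raw_image(core, out):
    """Write a flat physical-memory image to `out` so that file offset == guest physical address.
    Each PT_LOAD lands at its p_paddr; gaps between segments (e.g. the PCI hole) and any
    memsz > filesz tail are zero-filled by seeking past the end. Returns the image size."""
    segs = load_segments(core)
    end = max(s["paddr"] + s["memsz"] for s in segs)
    for s in segs:
        chunk = core[s["offset"]:s["offset"] + s["filesz"]]
        if len(chunk) != s["filesz"]:
            raise ValueError("core file is truncated")
        out.seek(s["paddr"])
        out.write(chunk)
        if s["memsz"] > s["filesz"]:            # pad the segment out to its full memory size
            out.seek(s["paddr"] + s["memsz"] - 1)
            out.write(b"\x00")
    return end


def extract_raw_bytes(core):
    """In-memory variant of write_raw_image, convenient for small cores and for tests."""
    buf = io.BytesIO()
    write_raw_image(core, buf)
    return buf.getvalue()


def build_test_core(segments):
    """Construct a minimal ELF64 core: one PT_NOTE plus one PT_LOAD per (p_paddr, payload, p_memsz).
    This is fabricated test input, not a real VirtualBox dump."""
    segments = list(segments)
    phnum = 1 + len(segments)
    data_off = EHDR_SIZE + PHDR_SIZE * phnum
    note = b"\x00" * 16                                       # stand-in for the core notes
    phdrs = [struct.pack(PHDR_FMT, PT_NOTE, 0, data_off, 0, 0, len(note), 0, 1)]
    payload = bytearray(note)
    for paddr, blob, memsz in segments:
        off = data_off + len(payload)
        phdrs.append(struct.pack(PHDR_FMT, PT_LOAD, 6, off, 0, paddr, len(blob), memsz, 0x1000))
        payload += blob
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8    # ELF64, little-endian, SYSV ABI
    ehdr += struct.pack("<HHIQQQIHHHHHH", 4, 62, 1, 0, EHDR_SIZE, 0, 0,
                        EHDR_SIZE, PHDR_SIZE, phnum, 0, 0, 0)  # ET_CORE, EM_X86_64
    return ehdr + b"".join(phdrs) + bytes(payload)


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: %s <vm.elf> <vm.raw>" % argv[0])
    with open(argv[1], "rb") as f, open(argv[2], "wb") as out:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as core:  # no multi-GB read()
            size = write_raw_image(core, out)
    print("wrote %d bytes to %s" % (size, argv[2]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 vboxraw.py sample.elf sample.raw` in place of the head/tail line; the output file is sparse wherever the guest had no RAM mapped, so it costs no more disk than the segments themselves.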



Categories: Security Operations, Uncategorized
