Analyzing Hyper-V Saved State files in Volatility
Thursday, 17. October 2013
Introduction
Volatility can analyze a Hyper-V virtual machine's saved state once the .bin and .vsv files are converted to a crash dump using vm2dmp (http://archive.msdn.microsoft.com/vm2dmp). This tool currently supports files up to Hyper-V 2.0 (Windows Server 2008 R2 and 2008). At this point I do not know of any support for Hyper-V 3.0 (Windows Server 2012 and up). For this process to work the VM must either be in a saved state or the files must come from a snapshot.
Acquisition
The virtual machine configuration file (the XML file located in the "Virtual Machines" folder under the virtual machine's path) points to the .bin and .vsv files that are required to convert the saved state to a crash dump. For example, the following snippet was pulled from the XML file of one of my virtual machines. Recently I have discovered that any VM with 4GB of RAM or more will cause vm2dmp to fail with an error like "ERROR: Failed to map guest block 4096 to any saved state block! ERROR: Element not found."
<savedstate>
  <memlocation type="string">
    V:\ComputerName\Virtual Machines\VM-Instance-ID\VM-Instance-ID.bin
  </memlocation>
  <type type="string">Normal</type>
  <vsvlocation type="string">
    V:\ComputerName\Virtual Machines\VM-Instance-ID\VM-Instance-ID.vsv
  </vsvlocation>
</savedstate>
Once you have obtained the .bin and .vsv files, download vm2dmp and place it in the directory of the Windows Debugging Tools.
Download Windows Debugging Toolkit
http://msdn.microsoft.com/en-us/library/windows/hardware/ff551063(v=vs.85).aspx
Now you can use the vm2dmp tool to convert the files into a crash dump.
Create a dump file using virtual machine state files:
vm2dmp.exe -bin C:\dir\VM-Instance-ID.bin -vsv C:\VM\VM-Instance-ID.vsv -dmp C:\dir\crashdump.dmp
Create a dump file from virtual machine and snapshot name:
vm2dmp.exe -vm ComputerName -dmp C:\VM\crashdump.dmp
vm2dmp.exe -vm ComputerName -snap "vm ComputerName -snap-SP1" -dmp C:\VM\crashdump.dmp
Note: If you have downloaded the debugging symbols, you can specify -sym followed by the directory of the symbol path.
Once you have converted the files to a crash dump, use Volatility's imagecopy plugin to convert the crash dump format to a raw memory dump. For more information check out
https://code.google.com/p/volatility/wiki/CommandReference22#imagecopy
Example: python vol.py -f /dir/crashdump --profile=<profile of VM> imagecopy -O /dir/memory.raw
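Added example, not code from the post or from the vm2dmp and Volatility projects: a small Python helper that reads the .bin and .vsv paths out of the VM configuration XML shown above, flags a .bin of 4GB or more (the size at which the post saw vm2dmp fail), and builds the vm2dmp and imagecopy command lines. The sample configuration is constructed from the snippet in the post, and the function names are my own.

```python
# Constructed sample modelled on the <savedstate> snippet in the post; the real
# configuration files wrap each path in whitespace, which the parser strips.
import os
import xml.etree.ElementTree as ET

FOUR_GB = 4 * 1024 ** 3  # .bin size at which the post saw vm2dmp fail

SAMPLE_CONFIG = r"""<configuration>
  <savedstate>
    <memlocation type="string">
      V:\ComputerName\Virtual Machines\VM-Instance-ID\VM-Instance-ID.bin
    </memlocation>
    <type type="string">Normal</type>
    <vsvlocation type="string">
      V:\ComputerName\Virtual Machines\VM-Instance-ID\VM-Instance-ID.vsv
    </vsvlocation>
  </savedstate>
</configuration>"""

def saved_state_paths(xml_text):
    """Return (bin_path, vsv_path, state_type) from a Hyper-V VM config."""
    root = ET.fromstring(xml_text)
    node = root if root.tag == "savedstate" else root.find(".//savedstate")
    if node is None:
        raise ValueError("no <savedstate> element in configuration")

    def text(tag):
        child = node.find(tag)
        return child.text.strip() if child is not None and child.text else ""
    return text("memlocation"), text("vsvlocation"), text("type")

def bin_too_large(bin_path, getsize=os.path.getsize):
    """True when the .bin is 4 GB or more (the limit observed in the post).
    getsize is injectable so the check can be exercised without a real file."""
    return getsize(bin_path) >= FOUR_GB

def vm2dmp_command(bin_path, vsv_path, dmp_path, sym_dir=None):
    """Argument list for the -bin/-vsv form of vm2dmp shown in the post."""
    cmd = ["vm2dmp.exe", "-bin", bin_path, "-vsv", vsv_path, "-dmp", dmp_path]
    if sym_dir:  # optional downloaded symbol directory (-sym)
        cmd += ["-sym", sym_dir]
    return cmd

def imagecopy_command(dmp_path, profile, raw_path):
    """Volatility 2 imagecopy invocation that turns the crash dump into raw."""
    return ["python", "vol.py", "-f", dmp_path, "--profile=" + profile,
            "imagecopy", "-O", raw_path]
```

Run the returned lists through subprocess on the Hyper-V host (vm2dmp) and on the analysis box (vol.py); a True from bin_too_large means the conversion is likely to hit the mapping error the post describes.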