Previously, I encountered a problem where I was unable to copy the .vmem file for further analysis.
So the alternative is to take the .vmss file and convert it into a .vmem file. A .vmss file is a virtual machine suspend file.
To convert it, first download the vmss2core tool from https://flings.vmware.com/vmss2core
Next, open a command prompt and run the command below:
F:\Tools> .\vmss2core-sb-8456865.exe -W 'F:\INC\<REDACTED>\<REDACTED>.vmss'
vmss2core version 8456865 Copyright (C) 1998-2017 VMware, Inc. All rights reserved.
region[0]: start=0 end=c0000000.
region[1]: start=100000000 end=240000000.
Cannot translate linear address 0.
... 10 MBs written.
... 20 MBs written.
<snip>
... 8180 MBs written.
... 8190 MBs written.
Finished writing core.
Once it finishes, it will have created a file named memory.vmem.
There you have it. You can now start your memory analysis with Volatility.
For example, here we use Volatility's imageinfo plugin to determine the profile of the image we just created.
$ python vol.py -f memory.dmp imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/home/memory.dmp)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800028530a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002854d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-12-23 17:42:50 UTC+0000
     Image local date and time : 2019-12-23 11:42:50 -0600
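As an added check that is not part of the original post: the Python script below inspects the header of whatever vmss2core wrote (a WinDbg crash dump when -W is given, an ELF64 core otherwise) before the file goes to Volatility, so the DTB and processor count can be compared with the imageinfo output above and the ELF load segments with the region[n] lines vmss2core printed. The offsets are the public DUMP_HEADER64 and Elf64 layouts; the two sample headers are constructed inline to mirror this page's values and are not real dumps.

```python
import struct

PT_LOAD = 1                     # Elf64_Phdr p_type for a loadable (memory) segment


def inspect_dump(data: bytes) -> dict:
    """Identify the container vmss2core produced and pull out the fields worth cross-checking."""
    if data[:8] == b"PAGEDU64":
        # DUMP_HEADER64 layout: DirectoryTableBase u64 @0x10, MachineImageType u32 @0x30,
        # NumberProcessors u32 @0x34. 32-bit "PAGEDUMP" headers use other offsets and are
        # rejected below rather than misread.
        (dtb,) = struct.unpack_from("<Q", data, 0x10)
        machine, ncpu = struct.unpack_from("<II", data, 0x30)
        return {"format": "windbg64", "dtb": dtb, "machine": machine, "cpus": ncpu}
    if data[:4] == b"\x7fELF" and data[4] == 2:            # EI_CLASS 2 = ELFCLASS64
        # Elf64_Ehdr: e_phoff u64 @0x20, e_phentsize u16 @0x36, e_phnum u16 @0x38
        (phoff,) = struct.unpack_from("<Q", data, 0x20)
        phentsize, phnum = struct.unpack_from("<HH", data, 0x36)
        regions = []
        for i in range(phnum):
            # Elf64_Phdr: p_type u32, p_flags u32, then p_offset, p_vaddr, p_paddr, p_filesz, p_memsz (u64)
            p_type, _, _, _, paddr, _, memsz = struct.unpack_from("<IIQQQQQ", data, phoff + i * phentsize)
            if p_type == PT_LOAD:
                regions.append((paddr, paddr + memsz))    # same (start, end) form as vmss2core's region[n]
        return {"format": "elf64", "regions": regions}
    raise ValueError("unrecognised header %r: not a vmss2core output" % data[:8])


def sample_windbg_header() -> bytes:
    """Constructed sample: header matching the imageinfo values on this page (DTB 0x187000, 1 CPU, x64)."""
    buf = bytearray(0x40)
    buf[0:8] = b"PAGEDU64"
    struct.pack_into("<Q", buf, 0x10, 0x187000)
    struct.pack_into("<II", buf, 0x30, 0x8664, 1)          # IMAGE_FILE_MACHINE_AMD64, 1 processor
    return bytes(buf)


def sample_elf_core() -> bytes:
    """Constructed sample: ELF64 core carrying the two regions vmss2core reported on this page."""
    ehdr = bytearray(64)
    ehdr[0:5] = b"\x7fELF\x02"
    struct.pack_into("<Q", ehdr, 0x20, 64)                 # program headers start right after the ELF header
    struct.pack_into("<HH", ehdr, 0x36, 56, 2)             # two 56-byte Elf64_Phdr entries
    phdrs = b""
    for paddr, end in ((0x0, 0xC0000000), (0x100000000, 0x240000000)):
        phdrs += struct.pack("<IIQQQQQQ", PT_LOAD, 0, 0, 0, paddr, end - paddr, end - paddr, 0)
    return bytes(ehdr) + phdrs
```

If the DTB or processor count disagrees with what imageinfo reports, or the load segments do not match the region lines, the conversion is worth repeating before any further analysis.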