Analysis with VirtualBox and Volatility

Memory dumping with VirtualBox


  1. Enable the Debug menu of VirtualBox.  The way to do this may vary per version, so it is best to check the VirtualBox site for how to enable it.
  2. Debug -> Command Line...
  3. At the Command box, type
    .pgmphystofile <filename>
There is a dot before the pgmphystofile command.  <filename> is the file the memory dump will be stored in.  It is written to the user directory: in Windows, that should be the %userprofile% directory; in Linux, the ~ directory.

Using Volatility on the vbox memory dump file

Some steps to do after dumping:

Volatility usage (the order of parameters is strict, so it is better to begin with the profile and -f):
  1. Identify os version
    vol -f <mem image file> imageinfo
  2. Find RWE allocated spaces with malfind
    vol --profile=Win7SP1x86 -f <mem image file> malfind -D <dump folder>

  3. Same, but dump only the suspicious regions of a single process
    vol --profile=Win7SP1x86 -f <mem image file> malfind -D <dump folder> -p <pid>

  4. Recover the imports used by the injected code with impscan
    vol --profile=Win7SP1x86 -f <mem image file> -p <pid> impscan -b <base in 0xXXXXXX> --output=idc --output-file=imps.idc
    : pid is required and is the process the malware injected into; -b is the allocated page holding the injected code
    : open the dump in IDA and run the IDC script
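Steps 2 to 4 chain together: every RWE region malfind reports becomes a -p/-b pair for impscan.  As an added helper (not part of the original notes or of Volatility), the script below parses Volatility 2 malfind text output, flags regions whose first bytes are an MZ header (a PE image sitting in private RWE memory, a common injection indicator), and emits the step 4 impscan command for each hit.  The malfind output embedded here is a constructed sample, not a real dump.

```python
import re

# Constructed sample of Volatility 2 malfind output (not from a real image):
# two RWE regions in explorer.exe, the first one starting with an MZ header.
SAMPLE_MALFIND = """\
Process: explorer.exe Pid: 1484 Address: 0x2c30000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x02c30000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x02c30010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

Process: explorer.exe Pid: 1484 Address: 0x3a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x003a0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
"""

# One header line per malfind hit: process name, pid and region base address.
HEADER_RE = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-fA-F]+)$", re.M)


def parse_malfind(text):
    """Return one dict per malfind hit: process, pid, base, protection, has_mz."""
    hits = []
    headers = list(HEADER_RE.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        block = text[m.end():end]
        # The Vad Tag line carries the symbolic protection (PAGE_EXECUTE_READWRITE).
        prot = re.search(r"Protection: (PAGE_\w+)", block)
        # First hexdump row: address, then 16 byte values; we only need the first two.
        first_row = re.search(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-f]{2} ){2})", block, re.M)
        hits.append({
            "process": m.group(1),
            "pid": int(m.group(2)),
            "base": int(m.group(3), 16),
            "protection": prot.group(1) if prot else None,
            "has_mz": first_row is not None and first_row.group(1) == "4d 5a ",
        })
    return hits


def impscan_commands(hits, image, profile="Win7SP1x86"):
    """Build the step 4 impscan command line for every RWE region found."""
    return [
        f"vol --profile={profile} -f {image} -p {h['pid']} impscan -b 0x{h['base']:x} "
        f"--output=idc --output-file=imps_{h['pid']}_{h['base']:x}.idc"
        for h in hits if h["protection"] == "PAGE_EXECUTE_READWRITE"
    ]


if __name__ == "__main__":
    found = parse_malfind(SAMPLE_MALFIND)
    for h in found:
        print(f"{h['process']} pid={h['pid']} base=0x{h['base']:x} mz={h['has_mz']}")
    print("\n".join(impscan_commands(found, "<mem image file>")))
```

Feed it real output with `vol --profile=... -f <mem image file> malfind > malfind.txt` and read that file instead of SAMPLE_MALFIND.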



VolDiff - some other tool

VolDiff usage (single image, or a clean image compared against a dirty one):

python VolDiff.py <dirty.raw> profile --malware-checks
python VolDiff.py <clean.raw> <dirty.raw> profile --malware-checks

