Device_HyperV_SavedState
The MemProcFS/PCILeech/LeechCore supports reading memory from Hyper-V saved state files (VMRS).
Facts in short:
- Is supported on 64-bit Windows.
- Acquires memory in read-only mode.
- Acquired memory is assumed to be static.
- Have additional requirements.
PCILeech / MemProcFS:
Specify the device type in the -device option. If the saved state have the file type .VMRS the device type HvSavedState:// is not required.
Examples:
-
-device "C:\VM\Virtual Machines\E3F3756F-1116-41F6-AFC5-5AB7AC46C4D2.vmrs" -
-device "HvSavedState://C:\VM\Virtual Machines\E3F3756F-1116-41F6-AFC5-5AB7AC46C4D2.vmrs"
Depends on the most recent Windows SDK. The Windows SDK is auto-detected if installed on the computer.
If the Windows SDK is not installed on the computer or is installed in a non-default path the file vmsavedstatedumpprovider.dll should be copied to the the folder of MemProcFS or PCILeech. The vmsavedstatedumpprovider.dll file is usually found in the location: C:\Program Files (x86)\Windows Kits\10\bin\10.0.<buildnr>.0\x64\vmsavedstatedumpprovider.dll.
To ease memory dumping the dump_vm.ps1 powershell script is provided for convenience. The script should be run as administrator on the Hyper-V host. It allows to dump memory of an active running VM without suspending or pausing it. It may optionally also allows copying of the page file pagefile.sys.
It is then possible to use the dumped .vmrs file together with MemProcFS. In the below screenshot the dumped pagefile.sys is also used to increase the quality of the memory analysis results.
