
VM Scan #464

Closed
xSalice opened this issue Mar 4, 2021 · 5 comments · Fixed by #1150

@xSalice

xSalice commented Mar 4, 2021

Problem:
Would it be possible to be able to detect nested-vm inside a memory image and use volatility plugins onto those vm? Example: VMWare was running on the host with another windows machine.

Solution:
Add a new volatility layer similar to rekall's vmscan to detect nested vm.

@ikelos
Member

ikelos commented Mar 4, 2021

Hiya, so we'd need to think about how you interact with memory images that could be containers for other memory images, or may be just plain memory images themselves. It's certainly possible already at the moment to access a guest by creating a specific configuration file and then use that to run volatility plugins, but we don't have anything that looks for virtual machines yet. I don't think a new layer would necessarily solve those problems, but we can certainly investigate it... 5:)

@ikelos ikelos self-assigned this Mar 4, 2021
@xSalice
Author

xSalice commented Mar 4, 2021

Cool! Maybe what you can do potentially:

  • Create an argument to allow for that vm configuration with its EPT to access that guest
  • Separate plugin for vm scanning/finding the EPT?

Thanks for looking into it!

@ikelos
Member

ikelos commented Mar 4, 2021

The vmscanning plugin sounds fine, but I'm quite uncomfortable about adding a new command line flag to CLI without a lot more thought of how it might affect the library and other user interfaces, so that will likely take a fair bit longer. I need to decide whether that should be part of the automagic or not, since it's (at the moment) a reasonably niche requirement and there may be other ways of handling it (for example, there could be a vm-aware automagic that creates the additional layers automatically when it finds them but then how does the plugin know which one to act upon, etc). I just need to plan out how best to integrate it, but as I say, it's technically possible at the moment with the appropriate configuration object.

@xSalice
Author

xSalice commented Mar 19, 2021

Circling back, what kind of configuration would I need as an example to hard code in order to peek into a guest? An example usage of the configuration in the meantime would help tremendously!

@ikelos
Member

ikelos commented Sep 5, 2021

Sorry for dropping the ball on this, I've been tinkering with things along these lines but still don't have anything to show yet.

The kind of config you'd be looking at would be as follows. The Intel32e layer could be used to do the mapping, although technically it might miss pages that the guest isn't allowed to read but are still mapped (it's a bit weird), but it ought to get you most of the way there. This is also configured for the more recent kernel requirements; you could change it to the old primary and symbols requirements if necessary, that should still work...

{
    "kernel.layer_name.class": "volatility3.framework.layers.intel.Intel32e",
    "kernel.layer_name.memory_layer.class": "volatility3.framework.layers.intel.Intel32e",
    "kernel.layer_name.memory_layer.memory_layer.class": "volatility3.framework.layers.physical.FileLayer",
    "kernel.layer_name.memory_layer.memory_layer.location": "file:///path/to/file",
    "kernel.layer_name.memory_layer.page_map_offset": <ept>,
    "kernel.layer_name.page_map_offset": <guest cr3>
}
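
As an added illustration of how that three-layer stack composes (example code written for this page, not code from the issue or from volatility3), the following Python models the configuration on a constructed image: a simplified Intel32e-style 4-level walker (PagedLayer) stacked twice over raw file bytes, plus a builder that lays out an EPT and a guest page table so that a guest-virtual read goes guest-virtual to guest-physical to host-physical, with the guest's own page tables read through the EPT. All names, addresses and the image layout are constructed for the example; the walker treats bit 0 as "present", which is the Intel32e approximation behind the caveat in the comment above.

```python
import struct
PAGE, PRESENT, ADDR_MASK = 0x1000, 1, 0x000F_FFFF_FFFF_F000

class PagedLayer:
    """Simplified Intel32e-style layer: a 4-level x86-64 walk from page_map_offset whose table
    reads go through the layer below (a read(addr, n) callable); bit 0 is taken as 'present'."""
    def __init__(self, lower_read, page_map_offset):
        self.lower_read, self.page_map_offset = lower_read, page_map_offset
    def translate(self, vaddr):
        table = self.page_map_offset
        for shift in (39, 30, 21, 12):                           # PML4, PDPT, PD, PT
            entry, = struct.unpack("<Q", self.lower_read(table + ((vaddr >> shift) & 0x1FF) * 8, 8))
            if not entry & PRESENT:
                raise ValueError(f"{vaddr:#x}: not present at level shift {shift}")
            table = entry & ADDR_MASK
        return table | (vaddr & (PAGE - 1))
    def read(self, vaddr, n):                                     # no page-boundary crossing
        return self.lower_read(self.translate(vaddr), n)

def map_page(mem, to_host, root, vaddr, paddr, free):
    """Write entries into the host bytearray mem so vaddr -> paddr under a walk from root.
    Table addresses are in the walker's own physical space; to_host() gives their host offset
    (identity for the EPT, an EPT lookup for guest tables, which live in guest-physical memory)."""
    table = root
    for shift in (39, 30, 21, 12):
        off = to_host(table) + ((vaddr >> shift) & 0x1FF) * 8
        entry, = struct.unpack("<Q", mem[off:off + 8])
        if not entry & PRESENT:                 # allocate the next table, or the page itself at PT
            entry = (paddr if shift == 12 else free.pop(0)) | PRESENT
            mem[off:off + 8] = struct.pack("<Q", entry)
        table = entry & ADDR_MASK

def build_nested_image():
    """Constructed layout: EPT root at host 0x1000 maps guest-physical 0x2000..0x9000 onto host
    0x100000..; guest CR3 at guest-physical 0x2000 maps guest-virtual 0x7FFF0000 to guest-physical
    0x3000, which holds a marker string. Returns (host image, ept, guest cr3)."""
    host, ept, guest_cr3 = bytearray(0x200000), 0x1000, 0x2000
    gpa_to_hpa = {0x2000 + i * PAGE: 0x100000 + i * PAGE for i in range(8)}
    free_ept, free_guest = [0x4000, 0x5000, 0x6000], [0x7000, 0x8000, 0x9000]
    for gpa, hpa in gpa_to_hpa.items():                           # EPT tables use host pages
        map_page(host, lambda a: a, ept, gpa, hpa, free_ept)
    map_page(host, gpa_to_hpa.__getitem__, guest_cr3, 0x7FFF0000, 0x3000, free_guest)
    host[gpa_to_hpa[0x3000]:gpa_to_hpa[0x3000] + 6] = b"GUEST!"
    return host, ept, guest_cr3

def read_guest(host, ept, guest_cr3, vaddr, n):
    # The issue's stack: Intel32e(guest cr3) over Intel32e(ept) over the FileLayer bytes.
    guest_phys = PagedLayer(lambda off, k: bytes(host[off:off + k]), ept)   # ...memory_layer
    guest_virt = PagedLayer(guest_phys.read, guest_cr3)                      # kernel.layer_name
    return guest_virt.read(vaddr, n)
```

Note that guest-physical 0x4000 and host 0x4000 are different pages here: the guest's page-table entries only make sense once the inner layer has translated them through the EPT.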

@ikelos ikelos linked a pull request May 21, 2024 that will close this issue