Friday, February 20, 2015

VirtualBox to volatility, a short script

So, after about the third time I referred to my malware analysis blog post to remember how to run the VirtualBox memory dump, then carve out the volatility compatible section from the elf file, I decided it was a pain in the neck and that a script was in order. It's a very simple script, but does the job I need it to.


# This script will take a memory dump of the specified Virtual Machine and automatically convert it into a file that is readily manipulated through
# volatility.

if [ $# -lt 2 ]
    echo "Usage: ./scriptname VirtualMachineName OutputFileName"
  VBoxManage debugvm $1 dumpguestcore --filename $2.elf
  start=$((`readelf -W -l $2.elf | grep -i -m 1 "LOAD" | awk {'print $2'}`+1))
  end=$((`readelf -W -l $2.elf | grep -i -m 1 "LOAD" | awk {'print $5'}`))
  tail -c +$start $2.elf | head -c $end > $2.raw
  rm $2.elf

Bash is so cool!

No comments:

Post a Comment