So, after about the third time I referred to my malware analysis blog post to remember how to take a VirtualBox memory dump and then carve the Volatility-compatible section out of the ELF file, I decided it was a pain in the neck and that a script was in order. It's a very simple script, but it does the job I need it to: VBoxManage writes the guest's memory as an ELF core file, and the guest's physical RAM is the first LOAD segment in that file, so the script reads that segment's offset and size from readelf and cuts it out into a raw image.
#!/bin/bash
# This script takes a memory dump of the specified Virtual Machine and automatically converts it
# into a raw file that Volatility can read: VBoxManage writes an ELF core file, and the guest's
# physical memory is the first PT_LOAD segment in it, so that segment is carved out with
# readelf/tail/head.
if [ $# -lt 2 ]
then
    echo "Usage: ./scriptname VirtualMachineName OutputFileName"
    exit 1
else
    VBoxManage debugvm "$1" dumpguestcore --filename "$2.elf" || exit 1
    # readelf -W -l prints one line per program header: Type, Offset, VirtAddr, PhysAddr, FileSiz, ...
    # Offset and FileSiz are hex (0x...), which $(( )) understands. tail -c +N is 1-based, hence +1.
    load=$(readelf -W -l "$2.elf" | grep -i -m 1 "LOAD")
    start=$(( $(echo "$load" | awk '{print $2}') + 1 ))
    end=$(( $(echo "$load" | awk '{print $5}') ))
    tail -c +"$start" "$2.elf" | head -c "$end" > "$2.raw"
    rm "$2.elf"
fi
Bash is so cool!
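As an added example (not from the original post), the same carve done by parsing the ELF64 program headers directly instead of scraping readelf output, with a bounds check so a truncated dump fails instead of silently producing a short .raw. The function names and the constructed minimal core file (a PT_NOTE followed by one PT_LOAD) are assumptions standing in for real VBoxManage output.

```python
import struct

PT_LOAD, PT_NOTE = 1, 4


def find_first_load(elf: bytes):
    """Return (offset, filesz) of the first PT_LOAD program header of a
    little-endian ELF64 image; the readelf | grep -m 1 LOAD | awk pipeline
    in the script extracts exactly these two fields."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled")
    e_phoff = struct.unpack_from("<Q", elf, 0x20)[0]      # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        # Elf64_Phdr starts: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            return p_offset, p_filesz
    raise ValueError("no PT_LOAD segment found")


def carve_guest_memory(elf: bytes) -> bytes:
    """Equivalent of `tail -c +$start | head -c $end`, plus a bounds check."""
    offset, size = find_first_load(elf)
    if offset + size > len(elf):
        raise ValueError("PT_LOAD segment runs past end of file (truncated dump?)")
    return elf[offset:offset + size]


def build_sample_core(memory: bytes) -> bytes:
    """Constructed minimal ET_CORE file: ELF64 header, a PT_NOTE phdr, then a
    PT_LOAD phdr whose file bytes are `memory` (assumed layout, for testing)."""
    ehdr_size, phdr_size, phnum = 64, 56, 2
    note = b"NOTE"
    note_off = ehdr_size + phnum * phdr_size
    load_off = note_off + len(note)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, LSB, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 4, 0x3E, 1, 0, ehdr_size, 0, 0,
                        ehdr_size, phdr_size, phnum, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_NOTE, 0, note_off, 0, 0, len(note), 0, 0)
    phdrs += struct.pack("<IIQQQQQQ", PT_LOAD, 7, load_off, 0, 0,
                         len(memory), len(memory), 0x1000)
    return ehdr + phdrs + note + memory
```

Running `carve_guest_memory(open("vm.elf", "rb").read())` on a real VBoxManage core should give the same bytes the script writes to the .raw file.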