Reputation: 1201
I need to analyse some malware that I have on a VMware image (VMware is a virtual machine); in particular, I need to do a full dump of a certain process. I know that VMware, on pausing, writes the whole RAM into a .vmem file. The platform the image is taken of is Windows XP. I know that there are certain tools that do this, but they are mostly closed source or don't work for Windows XP. I need it to be done in reasonable time (under one second, if that is possible somehow) and to run it from my own C++ program. Any help would be really appreciated.
Upvotes: 3
Views: 1304
Reputation: 146
You seem to be asking to interact with processes and their memory from a suspended VM.
Give some forensic tools a shot. This one looks promising:
http://code.google.com/p/volatility/
Upvotes: 2
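The .vmem file the question describes is a flat image of the guest's physical RAM, so the first step any tool (Volatility included) performs is locating structures inside that raw image. The following is an added example, not code from this thread or from the Volatility project: it scans a raw memory image page by page for mapped PE images by validating the MZ header, the `e_lfanew` pointer and the `PE\0\0` signature, and reads the machine type, section count and `SizeOfImage` from the headers. The input image is constructed inline (a zeroed buffer with one planted header and one decoy page), and the assumptions are that the dump is uncompressed physical memory and that image headers start on a 4 KiB page boundary, which is how Windows maps them. Offsets returned are physical, so recovering a full process image still needs the page-table walk that a tool such as Volatility's `procdump` plugin does.

```python
import struct

PAGE_SIZE = 0x1000  # x86 page size; headers of mapped images are page-aligned


def build_sample_image(pe_page: int, total_pages: int = 8) -> bytes:
    """Constructed sample 'physical memory': zero pages with one minimal
    MZ/PE header planted at page index pe_page and one decoy 'MZ' page
    (page 1) that has no PE signature. Not a real dump."""
    img = bytearray(PAGE_SIZE * total_pages)
    img[PAGE_SIZE:PAGE_SIZE + 2] = b"MZ"          # decoy: MZ without PE
    base = pe_page * PAGE_SIZE
    e_lfanew = 0x80
    img[base:base + 2] = b"MZ"
    struct.pack_into("<I", img, base + 0x3C, e_lfanew)   # IMAGE_DOS_HEADER.e_lfanew
    pe = base + e_lfanew
    img[pe:pe + 4] = b"PE\0\0"                            # IMAGE_NT_HEADERS.Signature
    # IMAGE_FILE_HEADER: Machine = 0x14C (i386), NumberOfSections = 3
    struct.pack_into("<HH", img, pe + 4, 0x14C, 3)
    # IMAGE_OPTIONAL_HEADER: Magic = 0x10B (PE32) at +0, SizeOfImage at +56
    struct.pack_into("<H", img, pe + 24, 0x10B)
    struct.pack_into("<I", img, pe + 24 + 56, 0x5000)
    return bytes(img)


def parse_pe_header(img: bytes, off: int):
    """Validate MZ -> e_lfanew -> PE signature at physical offset `off`.
    Returns a dict of header fields, or None if the page is not a PE header."""
    if img[off:off + 2] != b"MZ" or off + 0x40 > len(img):
        return None
    e_lfanew = struct.unpack_from("<I", img, off + 0x3C)[0]
    # The NT headers must lie inside the same page: a physical dump gives no
    # guarantee that the next physical page belongs to the same image.
    if e_lfanew < 0x40 or e_lfanew + 84 > PAGE_SIZE:
        return None
    pe = off + e_lfanew
    if pe + 84 > len(img) or img[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsections = struct.unpack_from("<HH", img, pe + 4)
    magic = struct.unpack_from("<H", img, pe + 24)[0]
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        return None
    size_of_image = struct.unpack_from("<I", img, pe + 24 + 56)[0]
    return {
        "phys_offset": off,
        "machine": machine,
        "sections": nsections,
        "pe32plus": magic == 0x20B,
        "size_of_image": size_of_image,
    }


def carve_pe_headers(img: bytes):
    """Scan every page boundary of a raw memory image for PE headers."""
    hits = []
    for off in range(0, len(img) - PAGE_SIZE + 1, PAGE_SIZE):
        hdr = parse_pe_header(img, off)
        if hdr is not None:
            hits.append(hdr)
    return hits


if __name__ == "__main__":
    # Usage against a real dump: img = open("snapshot.vmem", "rb").read()
    for h in carve_pe_headers(build_sample_image(pe_page=3)):
        print(h)
```

The scan touches one 64-byte header candidate per 4 KiB page, so a full pass over a Windows XP-sized guest (a few hundred MiB) is fast even in Python; the same loop ported to C++ is what the question's timing target calls for. What the scan cannot give is the process's virtual layout: pages of one image are scattered across physical memory, which is why a process dump tool must first find the process's page directory and translate addresses.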