Reputation: 374
Retrieving BSOD text from VM
How would you retrieve the BSOD text from a virtualbox vm??
As the BSOD is text, it should be stored in the VM's memory space somewhere and probably somewhere well defined.
I have several VMs that have been configured to stop on blue screens rather than rebooting, and code is in place to take screen shots at regular intervals.
At this point my plan is to difference two images, if there are no differences ( i.e. there have been no changes on the screen) and the pixels in the 4 corners are all blue ( and the right blue) then we attempt extraction of the BSOD text, search the text for the "* STOP:" sequence to confirm it as a BSOD.
I originally planed on a quick and dirty OCR solution to extract text from the image itself, however if we can relatively easily extract it from memory we would remove the possibility of OCR errors.
I've perused the manual and API reference and haven't seen anything that seems to immediately apply.
Is it possible to access the guests memory from the Virtual Box host and retrieve the BSOD text directly from memory?
UPDATE
Just to clarify, I've considered 4 different options at this time
1) Reverse engineering the windows debug protocol and building at least a basic debugger to listen on the vm's serial port
- Requires reverse engineering serial protocol, suspect this would present a fair amount of difficulty
2) Reverse engineering the Virtualbox saved state file and extracting the text from the VESA memory area that I suspect is stored in that file after saving the VM on the BSOD
- I haven't been able to find documentation on this file format outside the source code itself.
3) Running OCR on the output image retrieved using the API
- This may be the best way to go, requires building or setting up and training an ocr solution of some kind, outside my experience. May be relatively simple to do, constant width font/ clean image, only two colours to deal with
4) Access the guests memory directly using either an API call or by creating an extension to access/expose it in some manner
- As pointed out by Warren, there doesn't seem to be an API to access the memory, may be able to write an extension to expose the vm's memory in some manner, but would require understanding of Virtualbox internals.
This is running on Solaris hosts, and some may only have one Windows vm available that may or may not boot. This VM could be any relatively recent version of windows (XP, 2003, 2003 R2, 2008,Vista, 2008 R2). I can spawn an arbitrary number of Linux based VM's, however I cannot spawn additional windows VM's due to licensing concerns. My thought to this point has been that retrieving it directly from the guests memory would be the easiest to implement, perhaps I'm mistaken in that and one of the above methods, or one I haven't thought of, would be easier to implement
Upvotes: 2
Views: 648
Answers (2)
Reputation: 11
It is possible to extract the guest (virtual) physical memory using VBoxManage and a debugger.
VBoxManage debugvm TestVm dumpguestcore --filename guest.dump
gdb --core guest.dump
# dump memory [phys-mem-file] 0x0 [size vm-memory]
Afterwards one can search the memory dump for string content.
See also: http://www.halfdog.net/Misc/TipsAndTricks/VirtualBox.html#ExtractGuestPhysicalMemory
Upvotes: 1
Reputation: 24330
If you are trying to just get the information why not just enable kernel debugging and expose it over one of the virtual serial ports? I believe you should be able to use either Debugging Tools for Windows (WinDbg) or Kernel Debugger (KD) over an I/O port. The only unique requirement because this is a VM is that the virtual serial port should be mapped to a named pipe on the host, and then the debugger on the host (or other VM since your host isn't Windows) should be configured to communicate over that pipe. Your commands would look something like this:
windbg -k com:port=\\.\pipe\<pipe_name>,pipe
kd -k com:port=\\.\pipe\<pipe_name>,pipe
There is a great blog post by the legendary Mark Russinovich that describes how he used the debugger to alter the colors of the BSOD screen. Hopefully that will provide you some additional insight into using the tools as well as narrowing down the field and getting you to the right area to extract the info you are looking for.
Here are some references to help get you started:
KB Article 151981: How to set up a remote debug session using a null modem cable
http://support.microsoft.com/kb/151981A Bluescreen By Any Other Color
http://blogs.technet.com/b/markrussinovich/archive/2010/12/14/3374820.aspxDebugging Tools for Windows
http://msdn.microsoft.com/en-us/windows/hardware/gg463009
Upvotes: 3
Related Questions
- How can I get the BSOD bugcheck code text description by code/windows API
- How to debug / analyze BSOD dump in Visual Studio?
- Creating a WinDbg-readable dump of QEmu guest OS
- How can I read a windows BSOD generated memory.dmp using C++
- Retrieving IOCTL Input Buffer Content From Crash Dump + Windbg[BSOD]
- How can you programmatically detect that a BSOD on Windows has just occurred after rebooting?
- how to get memory dump after blue screen
- How do I programmatically detect a Blue Screen in VMWare Workstation?
- Detect BSOD on Windows
- How to get OS information from minidump crash?