Skip to content

Device_VMWare

Jump to bottom
ufrisk edited this page Oct 30, 2022 · 2 revisions

Memory Acquisition Method: VMWare

The LeechCore library supports reading live VMWare Workstation Guest VM memory from the host at very high speeds.

Facts in short:

  • Tested on VMWare workstation 16.
  • VMs with TPM/SecureBoot enabled are not supported.
  • Must be started in elevated admin command prompt.
  • Acquires memory in read/write mode.
  • Acquired memory is assumed to be volatile.

An introduction demo is available on YouTube:

Connection string:

LeechCore API:

Please specify the acquisition device type in LC_CONFIG.szDevice when calling LcCreate. The acquisition device type is vmware.

PCILeech / MemProcFS:

Please specify the device type in the -device option to PCIleech/MemProcFS.

Options:

ro=1 Read-Only / Disallow Writes.

id= The ID is the PID of the VMWare process for the Guest VM.

Examples:

-device vmware

-device vmware://ro=1,id=6244

Requirements:

Process must be running as elevated administrator (alternatively have the privilege SeDebugPrivilege).

No additional requirements exist.

Sponsor PCILeech and MemProcFS:

PCILeech and MemProcFS is free and open source!

I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!

If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk

Thank You 💖

Overview

API

Acquisition Methods

LeechAgent

Development

Clone this wiki locally