[libvirt] [libvirt-users] converting save/dump output into physical memory image

Andrew Tappert andrew at pikewerks.com
Thu May 5 18:49:39 UTC 2011


On 05/05/2011 02:33 PM, Eric Blake wrote:
> On 05/05/2011 11:56 AM, Andrew Tappert wrote:
>>
>> Virsh has "save" and "dump" commands for storing the state of a guest to
>> a file on disk, but memory of KVM guests doesn't get saved in the
>> "standard" input format for memory forensics tools, which is a raw
>> physical memory image.  (This is what you'd get via the classical "dd
>> /dev/mem" approach or the contemporary equivalent using the crash
>> driver; and VMware Server and Workstation produce .vmem files, which are
>> such raw physical memory images, when a guest is paused or snapshotted.)
> 
> Libvirt also has the virDomainMemoryPeek API; right now, it is not
> exposed by virsh, but we could add a command-line-interface for it if
> that proves useful.  Does that API fit your needs any better than
> converting a qemu dump image back into raw memory?
> 

Before starting to write the LibvirtQemuSave/QemuSavevm conversion tool
I did explore the possibility of writing a Libvirt memory dump program
using that API.  But given the way it writes to a temporary file it did
not seem like it would be feasible/efficient for full memory dumps.  I
just signed up to your mailing list today, but I saw in your last post a
mention of qemu raw monitor passthrough commands.  Maybe directly
invoking qemu's pmemsave is the way to go.  The nice thing about the
qemu savevm format, though, is that it does contain cpu state, which is
actually quite relevant to "memory" forensics... it's not all about
getting a raw physical memory image, actually.

Andrew
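
An added example (not code from this thread or from libvirt) of the chunked virDomainMemoryPeek approach discussed above, using the Python binding's `memoryPeek(start, size, flags)` call and hashing the image as it is acquired. `dump_physical_memory`, `PEEK_CHUNK` and `FakeDomain` are hypothetical names, and the sample RAM is constructed; the output is a raw image only and carries none of the CPU state that the savevm format includes.

```python
import hashlib
import io

VIR_MEMORY_PHYSICAL = 2  # libvirt virDomainMemoryFlags: address is guest-physical
PEEK_CHUNK = 64 * 1024   # conservative; libvirt's remote driver historically capped a peek at 64 KiB


def dump_physical_memory(dom, out, total_bytes, chunk=PEEK_CHUNK):
    """Copy guest-physical [0, total_bytes) from dom to out.

    Returns (bytes_written, sha256_hex) so the image is hashed at acquisition.
    Assumes RAM is contiguous from physical address 0 (no holes) and that the
    guest is paused; otherwise pages change between peeks.
    """
    digest = hashlib.sha256()
    offset = 0
    while offset < total_bytes:
        size = min(chunk, total_bytes - offset)
        data = dom.memoryPeek(offset, size, VIR_MEMORY_PHYSICAL)
        if len(data) != size:
            # A short read would silently shift every later page in the image.
            raise IOError("short read at 0x%x: wanted %d, got %d" % (offset, size, len(data)))
        out.write(data)
        digest.update(data)
        offset += size
    return offset, digest.hexdigest()


class FakeDomain:
    """Constructed stand-in for libvirt.virDomain so the example runs offline."""

    def __init__(self, ram):
        self.ram = ram
        self.calls = 0

    def memoryPeek(self, start, size, flags):
        assert flags == VIR_MEMORY_PHYSICAL
        self.calls += 1
        return self.ram[start:start + size]


if __name__ == "__main__":
    # Constructed sample "RAM": 200 KiB + 123 bytes of patterned data.
    ram = bytes(i % 251 for i in range(200 * 1024 + 123))
    dom = FakeDomain(ram)
    image = io.BytesIO()
    written, sha256 = dump_physical_memory(dom, image, len(ram))
    print(written, dom.calls, sha256)
    # Real guest (assumption): dom = libvirt.open("qemu:///system").lookupByName(NAME); dom.suspend()
```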
