-
-
Notifications
You must be signed in to change notification settings - Fork 103
Device_LiveCloudKd
The LeechCore library with LiveCoudKd additions supports reading live Hyper-V Guest VM memory from the Hyper-V host at very high speeds.
Facts in short:
- Is supported on 64-bit Windows Hyper-V host.
- Acquires memory in read/write mode.
- Acquired memory is assumed to be volatile.
- Have additional requirements (separate download).
- Externally contributed plugin by Arthur Khudyaev - @gerhart_x.
The LeechCore/PCILeech/MemProcFS process must be started in elevated administrator mode for LiveCoudKd to be able to capture live memory from Hyper-V guests if running in local (non remote) mode.
If LiveCloudKd does not work on first attempt please try to disable dynamic memory on the virtual machine and retry.
- Download MemProcFS binaries - unzip to directory on Hyper-V host C: drive.
- Download LiveCloudKd binaries - unzip to same directory as MemProcFS.
- Install the dokany user mode file system (required by MemProcFS).
- Run in elevated administrator command prompt:
MemProcFS.exe -device hvmm
LeechCore API:
Please specify the acquisition device type in LC_CONFIG.szDevice
when calling LcCreate
. The acquisition device type is hvmm
.
Options:
id=<vm id number>
- use specific vm id number instead of asking at startup (if multiple VMs are running).
listvm
- list the virtual machines and their ids.
unix
- treat the VM as a non-windows machine skipping some checks resulting in faster startup-times.
nvolatile
- treat the VM memory as static non-volatile memory (same as dump file). Not recommended for MemProcFS since memory is likely to start to drift and background refreshes will be disabled.
PCILeech / MemProcFS:
Please specify the device type in the -device
option to PCIleech/MemProcFS.
Examples:
-device hvmm -remote rpc://<spn>:<somehost>
-device hvmm
-device hvmm://id=3,unix
Depends on LiveCloudKd. Please download the latest version of LiveCloudKd - leechcore_hyperv_plugin.zip from Github. Please unzip the contents i.e. hvmm.sys
, leechcore_device_hvmm.dll
and hvlib.dll
into the directory where leechcore.dll
resides (usually alongside pcileech.exe
/ MemProcFS.exe
).
Please note that MemProcFS also have a separate dependency on the dokany user mode file system (documented in MemProcFS project).
The below example shows a user starting MemProcFS, from an elevated administrative command prompt, by running MemProcFS.exe -device hvmm
. LiveCloudKd will load the hvmm.sys driver into the kernel - querying which Hyper-V Guest VMs that may be selected. The user selects a Guest VM and is then able to access the guest virtual memory in the MemProcFS file system.
Please note that the slow copying speed (179MB/s) in the below example is related to a slow target disk - not LiveCloudKd.
Thanks to Arthur Khudyaev - @gerhart_x for making this possible. LiveCloudKd: https://github.com/gerhart01/LiveCloudKd
LiveCloudKd is stable and well tested on various Hyper-V hosts, such as Windows Server 2019 and 2022.
LiveCloudKd is supported by LeechCore/PCILeech/MemProcFS an external plugin and is not directly related LeechCore/PCILeech/MemProcFS.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS is free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖