Device_VMWare
The LeechCore library supports reading live VMWare Workstation Guest VM memory from the host at very high speeds.
Facts in short:
- Tested on VMWare workstation 15.5 and above.
- VMs with TPM/SecureBoot enabled are not supported.
- Must be started in elevated admin command prompt.
- Supported only on Windows. Both VMWare and LeechCore must be 64-bit.
- Acquires memory in read/write mode.
- Acquired memory is assumed to be volatile.
LeechCore API:
Specify the acquisition device type in LC_CONFIG.szDevice when calling LcCreate. The acquisition device type is vmware.
PCILeech / MemProcFS:
Specify the device type in the -device option to PCILeech/MemProcFS.
Options:
- ro=1 : Read-Only / Disallow Writes.
- id=<PID> : The ID is the PID of the VMWare process for the Guest VM.
Examples:
-device vmware
-device vmware://ro=1,id=6244
The process must run as an elevated administrator (or, alternatively, hold the SeDebugPrivilege privilege).
No additional requirements exist.
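The following is an added example, not code from the LeechCore project: it builds and validates the vmware device string described above (plain vmware, or vmware://ro=1,id=<PID>), rejecting unknown options and non-numeric PIDs, and, when compiled with -DWITH_LEECHCORE (a build macro assumed here) and linked against leechcore, fills LC_CONFIG.szDevice with that string, calls LcCreate, and reads one physical page. The PID 6244 is the wiki's own example value; the physical address 0x1000 is an arbitrary constructed choice. Without the macro the program only runs its self-test, so it compiles and runs anywhere.

```c
/* Added example (not part of the LeechCore project): build/validate the
 * "vmware://..." device string for LC_CONFIG.szDevice, then optionally open
 * the guest VM through LeechCore. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    bool read_only;   /* ro=1: acquisition is read-only (no writes into guest RAM) */
    uint32_t vm_pid;  /* id=N: PID of the VMware process of the guest; 0 = unspecified */
} vmware_opts_t;

/* Build "vmware", "vmware://ro=1", "vmware://id=6244" or "vmware://ro=1,id=6244". */
bool vmware_build_device(const vmware_opts_t *o, char *out, size_t cb)
{
    char buf[64];
    int n = snprintf(buf, sizeof buf, "vmware");
    const char *sep = "://";
    if (o->read_only) { n += snprintf(buf + n, sizeof buf - (size_t)n, "%sro=1", sep); sep = ","; }
    if (o->vm_pid)    { n += snprintf(buf + n, sizeof buf - (size_t)n, "%sid=%u", sep, o->vm_pid); }
    if (n < 0 || (size_t)n >= cb) return false;
    memcpy(out, buf, (size_t)n + 1);
    return true;
}

/* Parse a device string. Accepts "vmware" and "vmware://k=v[,k=v]"; rejects
 * other device types, unknown keys, empty tokens and non-numeric ids. */
bool vmware_parse_device(const char *dev, vmware_opts_t *o)
{
    memset(o, 0, sizeof *o);
    if (strncmp(dev, "vmware", 6) != 0) return false;
    dev += 6;
    if (*dev == '\0') return true;                 /* bare "vmware": defaults */
    if (strncmp(dev, "://", 3) != 0) return false;
    const char *p = dev + 3;
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        if (len == 0 || !eq) return false;
        size_t klen = (size_t)(eq - p);
        const char *val = eq + 1;
        size_t vlen = len - klen - 1;
        if (klen == 2 && memcmp(p, "ro", 2) == 0) {
            if (vlen != 1 || (val[0] != '0' && val[0] != '1')) return false;
            o->read_only = (val[0] == '1');
        } else if (klen == 2 && memcmp(p, "id", 2) == 0) {
            if (vlen == 0 || vlen > 10) return false;
            uint64_t pid = 0;
            for (size_t i = 0; i < vlen; i++) {
                if (val[i] < '0' || val[i] > '9') return false;
                pid = pid * 10 + (uint64_t)(val[i] - '0');
            }
            if (pid == 0 || pid > UINT32_MAX) return false;
            o->vm_pid = (uint32_t)pid;
        } else {
            return false;                          /* unknown option key */
        }
        p = end ? end + 1 : p + len;
    }
    return true;
}

/* Convenience accessors: PID from a device string (0 = unspecified, -1 = invalid)
 * and read-only flag (1/0, -1 = invalid). */
long vmware_device_pid(const char *dev)
{
    vmware_opts_t o;
    return vmware_parse_device(dev, &o) ? (long)o.vm_pid : -1L;
}
int vmware_device_is_ro(const char *dev)
{
    vmware_opts_t o;
    return vmware_parse_device(dev, &o) ? (int)o.read_only : -1;
}

/* Round-trip self-test: build -> parse must reproduce the options. Returns 0 on success. */
int vmware_self_test(void)
{
    vmware_opts_t in = { .read_only = true, .vm_pid = 6244 }, out;
    char dev[64];
    if (!vmware_build_device(&in, dev, sizeof dev)) return 1;
    if (strcmp(dev, "vmware://ro=1,id=6244") != 0) return 2;
    if (!vmware_parse_device(dev, &out) || !out.read_only || out.vm_pid != 6244) return 3;
    return 0;
}

#ifdef WITH_LEECHCORE
#include <windows.h>
#include <leechcore.h>   /* requires 64-bit leechcore.dll/.lib and an elevated prompt */
int main(void)
{
    vmware_opts_t o = { .read_only = true, .vm_pid = 6244 };  /* wiki example PID */
    LC_CONFIG cfg = { 0 };
    cfg.dwVersion = LC_CONFIG_VERSION;
    cfg.dwPrintfVerbosity = LC_CONFIG_PRINTF_ENABLED;
    if (!vmware_build_device(&o, cfg.szDevice, sizeof cfg.szDevice)) return 1;
    HANDLE hLC = LcCreate(&cfg);
    if (!hLC) { fprintf(stderr, "LcCreate failed for %s\n", cfg.szDevice); return 1; }
    BYTE page[0x1000];
    if (LcRead(hLC, 0x1000, sizeof page, page))   /* one physical page at an arbitrary address */
        printf("read 4 KiB @0x1000: %02x %02x %02x %02x ...\n", page[0], page[1], page[2], page[3]);
    LcClose(hLC);
    return 0;
}
#else
int main(void) { return vmware_self_test(); }
#endif
```

Using ro=1 keeps the acquisition from ever writing into guest memory, which is the setting to prefer when the VM is evidence; the parser rejects a malformed id= rather than silently falling back to an unspecified PID, so a typo cannot attach to the wrong guest.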
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development, please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖