Okay, I think this would be a good time to properly add handling of filetypes
to Volatility. In this address space, they are using struct.unpack to read the
ELF file which defeats the purpose of the Object/profile abilities of
Volatility.
So I think we need some generic "interface" to binary/library files and then
can implement it for PE/ELF and whatever else. The interface would support
things like getting symbol addresses/sizes, the raw bytes of some
function/symbol, list of sections, and so on.
I am more than willing to help adding of filetypes once the "interface"/API is
decided on.
Original comment by atc...@gmail.com
on 15 Feb 2012 at 11:56
They were originally using an external library to do the parsing for them. I
actually had them handle the ELF parsing themselves because this needs to be
fast and lightweight. It's just a check to get to the data, the initialization
function will be called repeatedly during the address stacking and most of the
time will need to fail quickly.
We can use volatility's machinery to do the reading, but it's not the fastest
thing in the world, and in this instance there's just a couple of quick checks
that need doing...
Original comment by mike.auty@gmail.com
on 16 Feb 2012 at 7:15
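The two comments above describe two things: a format-independent "interface" to binary files (symbol addresses/sizes, the raw bytes of a symbol, section list) and a cheap struct.unpack check that fails fast when the address space is stacked over something that is not an ELF image. The following is an added example sketching both together; it is not Volatility code and not from either commenter. The class names (BinaryFile, ELF64File), the probe/sections/symbols/symbol_bytes methods and the in-memory sample ELF image (built by build_sample_elf, constructed for this example) are all assumptions made here.

```python
"""Added example: a small format-independent 'binary file' interface with an
ELF64 backend on struct.unpack. Hypothetical names; not Volatility's own code.
The sample image returned by build_sample_elf() is constructed in memory."""
import struct
from abc import ABC, abstractmethod

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")          # Elf64_Shdr
SYM = struct.Struct("<IBBHQQ")               # Elf64_Sym


class BinaryFile(ABC):
    """Format-independent view of an executable image (PE/ELF/...)."""
    data = b""

    @staticmethod
    @abstractmethod
    def probe(data):
        """Cheap header check so address-space stacking can fail quickly."""

    @abstractmethod
    def sections(self):
        """Return {name: (vaddr, file_offset, size)}."""

    @abstractmethod
    def symbols(self):
        """Return {name: (vaddr, size)}."""

    def symbol_bytes(self, name):
        """Raw bytes backing a symbol, found via the loaded section holding it."""
        vaddr, size = self.symbols()[name]
        for addr, off, sec_size in self.sections().values():
            if addr and addr <= vaddr and vaddr + size <= addr + sec_size:
                start = off + (vaddr - addr)
                return self.data[start:start + size]
        raise KeyError("%s is not backed by any loaded section" % name)


class ELF64File(BinaryFile):
    def __init__(self, data):
        if not self.probe(data):
            raise ValueError("not a little-endian ELF64 image")
        self.data = data
        fields = EHDR.unpack_from(data, 0)
        shoff, shentsize, shnum, shstrndx = fields[6], fields[11], fields[12], fields[13]
        if shentsize != SHDR.size or shoff + shnum * SHDR.size > len(data):
            raise ValueError("section header table out of bounds")
        self._shdrs = [SHDR.unpack_from(data, shoff + i * SHDR.size) for i in range(shnum)]
        self._shstr = self._section_data(shstrndx)

    @staticmethod
    def probe(data):
        # Only the bytes needed to reject non-ELF input; no full parse here.
        return (len(data) >= EHDR.size and data[:4] == ELF_MAGIC
                and data[4] == ELFCLASS64 and data[5] == ELFDATA2LSB)

    def _section_data(self, idx):
        off, size = self._shdrs[idx][4], self._shdrs[idx][5]
        if off + size > len(self.data):
            raise ValueError("section %d runs past end of image" % idx)
        return self.data[off:off + size]

    @staticmethod
    def _cstr(table, off):
        return table[off:table.index(b"\x00", off)].decode("ascii")

    def sections(self):
        return {self._cstr(self._shstr, sh[0]): (sh[3], sh[4], sh[5])
                for sh in self._shdrs[1:]}            # index 0 is the null header

    def symbols(self):
        out = {}
        for idx, sh in enumerate(self._shdrs):
            if sh[1] != SHT_SYMTAB:
                continue
            symtab, strtab = self._section_data(idx), self._section_data(sh[6])
            for off in range(SYM.size, len(symtab), SYM.size):   # skip null symbol
                name_off, _info, _other, shndx, value, size = SYM.unpack_from(symtab, off)
                if shndx == 0:                                   # SHN_UNDEF: imported
                    continue
                out[self._cstr(strtab, name_off)] = (value, size)
        return out


def build_sample_elf():
    """Constructed ELF64 image: .text holding foo and bar, plus symbol/string tables."""
    foo = b"\x55\x48\x89\xe5\x5d\xc3"   # push rbp; mov rbp,rsp; pop rbp; ret
    bar = b"\x31\xc0\xc3"               # xor eax,eax; ret
    text = foo + bar
    strtab = b"\x00foo\x00bar\x00"
    symtab = (SYM.pack(0, 0, 0, 0, 0, 0)
              + SYM.pack(1, 0x12, 0, 1, 0x401000, len(foo))                 # GLOBAL FUNC
              + SYM.pack(5, 0x12, 0, 1, 0x401000 + len(foo), len(bar)))
    shstrtab = b"\x00.text\x00.symtab\x00.strtab\x00.shstrtab\x00"
    blobs, offs, cur = [text, symtab, strtab, shstrtab], [], EHDR.size
    for blob in blobs:
        offs.append(cur)
        cur += len(blob)
    shdrs = (SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
             + SHDR.pack(1, SHT_PROGBITS, 0x6, 0x401000, offs[0], len(text), 0, 0, 16, 0)
             + SHDR.pack(7, SHT_SYMTAB, 0, 0, offs[1], len(symtab), 3, 1, 8, SYM.size)
             + SHDR.pack(15, SHT_STRTAB, 0, 0, offs[2], len(strtab), 0, 0, 1, 0)
             + SHDR.pack(23, SHT_STRTAB, 0, 0, offs[3], len(shstrtab), 0, 0, 1, 0))
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    ehdr = EHDR.pack(ident, 2, 0x3E, 1, 0x401000, 0, cur, 0, EHDR.size, 0, 0, SHDR.size, 5, 4)
    return ehdr + b"".join(blobs) + shdrs
```

probe() is the part that runs on every stacking attempt and only touches the first six bytes; the header and section-table bounds checks happen in the constructor, so a truncated or hostile image raises ValueError instead of slicing past the buffer. A PE backend would implement the same three methods over its own section table and export directory and inherit symbol_bytes unchanged.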
Hey guys, this is committed to 2.3 devel so I'm going to close it out (see
r2667 to r2670). There is a big FIXME in the code, which is to remind us to
create an abstract AS so the virtualbox AS can share the read, zread etc with
crash dumps and also the vmware AS once that's implemented (soon).
Original comment by michael.hale@gmail.com
on 11 Oct 2012 at 2:41
Original issue reported on code.google.com by jamie.l...@gmail.com
on 15 Feb 2012 at 10:41