Support for full memory dumps from ESX

[marklech]

Hi, I noticted there's no support for full memory dumps of machines running on ESXi. Someone previosly posted an extentsion to the esx.py machinery code that implements this functionality on Cuckoo's community (by suspending a machine and accessing the datastore to download the corresponding vmsn file), but it's gone now. Is it possible to add this feature to the current esx machinery implementation? Regards, Mark.

[jbremer]

Do you still have a backup of said code? I can't do any ESXi related testing myself, but if one or two people acknowledge that it works I'm happy to merge it.

[marklech]

Unfortunately not. This is the original thread from the community: https://community.cuckoosandbox.org/t/full-memory-dumps-in-esx/174 The pastebin put there is gone , I lost my backup of the code and I can't reach the guy who published it. If you could provide a basic version for this functionaIity I can make the necessary adjustments . If that is too much , I can attempt to do it on my own and contribute the result.

[jbremer]

I believe that was @certau-davidg, see also the following comment https://github.com/cuckoosandbox/cuckoo/issues/927#issuecomment-223189619. Hopefully he'll be able to share the patch again :-)

[david74552]

As requested, grab it while it is hot: Pastebin esx.conf Pastebin esx.py

Feel free to improve it.

@marklech - Regarding your community question about logging into https, there are no separate tests to check the credentials work beforehand, but line 110 does include the "auth=(esxusername, esxpassword)" parameter which forces a login to take place as part of the request and triggers a handled exception and vm-resume if the credentials were wrong.

[marklech]

Thanks a lot guys ! I really appreciate the effort on the code and bringing it back here . David, thanks for the response on the community issue. I will verify it soon .

[jbremer]

Ehm, that commit was meant for #976.

[jgajek]

This is already supported in the Vsphere machinery module.

[david74552]

While that is true for some builds, you still need to buy vsphere for that. The esxi module allows no-frills-cheapo cuckoo platforms (for testing purposes of course).

[jgajek]

No, you can run the vSphere machinery module on standalone ESXi hosts.

[david74552]

Hmm ok, we honestly missed that addition when we migrated our esxi fix over to 2.0-rc1. Does that mean that the esxi module is essentially deprecated for esxi 5.5/6.0 (hypervisor only)?

[jgajek]

I don't think the libvirt driver supports ESXi 6.x, so I'm not sure if it's even an option right now.

[RedWolf74]

As much as I got from the docs, libvirt doesn't support memory download for ESX(i) at all. The vSpehere machinery module works well for stand alone ESXi and thanks to jgajek, now for vCenter as well. So from my point of view, the esx module can be called deprecated.

[KillerInstinct]

I've been saying the esx module could be depricated ever since jgajek released his vSphere module. The only down side to depricating the esx module is the manditory pyvmomi library installation. But that's been in pypi for ages now -- not a big deal in my book.

[jbremer]

If all parties agree I'm fine with removing the esx machinery module.

[botherder]

Frankly, I have little to no experience with ESX/vSphere, so I don't really know how to weigh in on this.