For forensic purposes, it is sometimes necessary to generate a memory dump from a VM snapshot. It is also a task regularly encountered in CTFs.
On Linux, that is quite easy to do using VBoxManage and objdump. For those who (like me) also like to work on Windows, there's no native way to do it.
VBoxDump-GUI offers a quick and easy way to generate a RAM dump from any running VirtualBox VM. And because we're lazy, let's use a GUI!
- User-friendly GUI.
- Lists running VMs on the host.
- Automatically retrieves the RAM section and creates a standard raw file.
- Supports all VM guest platforms.
- Arch: x64
- OS: Windows 7, Windows 8, Windows 10
- .NET Core 3 Runtime: https://dotnet.microsoft.com/download/dotnet-core/current/runtime
- Download release
- Launch VBoxDumpGUI.exe
Alternatively, you can build from source: dotnet publish {path_to_solution} -c Release -r win-x64 --output {path_to_destination}
(!) WARNING: the program must be run as an administrator (!)
- If it is not detected automatically, fill in the installation directory of VirtualBox.
- Select a running VM.
- Choose an output path and click DUMP.
Done
If there's interest in this project, I'd like to include forensic analysis capabilities (password extraction, dump files, dump process, etc).
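
The "retrieve the RAM section and create a raw file" step mentioned in the feature list can be illustrated with the following added example, which is not VBoxDump-GUI's own code. It assumes the input is a little-endian ELF64 core file, the format VirtualBox writes for VM core dumps, and that guest RAM is the first PT_LOAD segment; the function names and the sample core are constructed for illustration.

```python
import struct

PT_LOAD, PT_NOTE, ET_CORE = 1, 4, 4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header (56 bytes)

def find_ram_segment(f):
    """Return (file_offset, size) of the first PT_LOAD segment (assumed to be guest RAM)."""
    hdr = f.read(EHDR.size)
    if len(hdr) < EHDR.size or hdr[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    fields = EHDR.unpack(hdr)
    e_type, phoff, phentsize, phnum = fields[1], fields[5], fields[9], fields[10]
    if e_type != ET_CORE:
        raise ValueError("ELF file is not a core dump")
    for i in range(phnum):
        f.seek(phoff + i * phentsize)
        p_type, _, offset, _, _, filesz, _, _ = PHDR.unpack(f.read(PHDR.size))
        if p_type == PT_LOAD:
            return offset, filesz
    raise ValueError("core file has no PT_LOAD segment")

def extract_ram(core_path, raw_path, chunk=1 << 20):
    """Stream the RAM segment into raw_path; returns the number of bytes written."""
    with open(core_path, "rb") as src, open(raw_path, "wb") as dst:
        offset, remaining = find_ram_segment(src)
        src.seek(offset)
        written = 0
        while remaining:
            buf = src.read(min(chunk, remaining))
            if not buf:  # header promised more data than the file holds
                raise ValueError("core file is truncated")
            dst.write(buf)
            remaining -= len(buf)
            written += len(buf)
    return written

def build_sample_core(ram):
    """Constructed test input: minimal ELF64 core with one PT_NOTE and one PT_LOAD."""
    note = bytes(16)  # placeholder note payload, not real VirtualBox notes
    note_off = EHDR.size + 2 * PHDR.size
    ram_off = note_off + len(note)
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + bytes(9), ET_CORE, 62, 1, 0,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, 2, 0, 0, 0)
    ph_note = PHDR.pack(PT_NOTE, 4, note_off, 0, 0, len(note), len(note), 0)
    ph_load = PHDR.pack(PT_LOAD, 7, ram_off, 0, 0, len(ram), len(ram), 0)
    return ehdr + ph_note + ph_load + note + ram
```

The resulting raw file holds only the bytes of that one segment, so it can be hashed and handed to a memory-analysis tool without the ELF wrapper.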