Device_HyperV_SavedState
The LeechCore library supports reading memory from Hyper-V saved state files (VMRS).
Facts in short:
- Is supported on 64-bit Windows.
- Acquires memory in read-only mode.
- Acquired memory is assumed to be static.
- Has additional requirements.
LeechCore API:
Please specify the acquisition device type and the path to the save file in LEECHCORE_CONFIG.szDevice when calling LeechCore_Open.
Example: HvSavedState://<path_to_savefile>\savefile.vmrs
PCILeech / MemProcFS:
Please specify the device type in the -device option.
Example:
-device "HvSavedState://C:\VM\Virtual Machines\E3F3756F-1116-41F6-AFC5-5AB7AC46C4D2.vmrs"
Depends on the vmsavedstatedumpprovider.dll library. It must be placed in the same folder as LeechCore. The library is included in the most recent Windows SDK and is usually found at: C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\vmsavedstatedumpprovider.dll
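A pre-flight check for the requirements listed above, added here as an example and not code from the LeechCore project. It assumes the LeechCore binary is named leechcore.dll; the function names and the command-line usage are hypothetical.

```python
import platform
from pathlib import Path, PureWindowsPath

DEVICE_PREFIX = "HvSavedState://"              # device scheme shown on this page
PROVIDER_DLL = "vmsavedstatedumpprovider.dll"  # dependency named on this page
LEECHCORE_DLL = "leechcore.dll"                # assumption: LeechCore binary name


def device_string(vmrs_path: str) -> str:
    """Return the value for LEECHCORE_CONFIG.szDevice or the -device option."""
    if PureWindowsPath(vmrs_path).suffix.lower() != ".vmrs":
        raise ValueError(f"not a .vmrs saved state file: {vmrs_path}")
    return DEVICE_PREFIX + vmrs_path


def preflight(leechcore_dir, vmrs_path, system=None, machine=None):
    """Return a list of problems; an empty list means the requirements are met."""
    system = system or platform.system()
    machine = machine or platform.machine()
    problems = []
    # Coarse platform check: the device is supported on 64-bit Windows only.
    if system != "Windows" or "64" not in machine:
        problems.append(f"64-bit Windows required, found {system}/{machine}")
    folder = Path(leechcore_dir)
    # Compare names case-insensitively, as the Windows file system does.
    present = {f.name.lower() for f in folder.iterdir()} if folder.is_dir() else set()
    for name in (LEECHCORE_DLL, PROVIDER_DLL):
        if name not in present:
            problems.append(f"{name} not found in {folder}")
    if not Path(vmrs_path).is_file():
        problems.append(f"saved state file not found: {vmrs_path}")
    try:
        device_string(str(vmrs_path))
    except ValueError as exc:
        problems.append(str(exc))
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: preflight.py <leechcore_folder> <savefile.vmrs>")
    issues = preflight(sys.argv[1], sys.argv[2])
    for issue in issues:
        print("FAIL:", issue)
    if not issues:
        print("-device", f'"{device_string(sys.argv[2])}"')
    sys.exit(1 if issues else 0)
```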
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development, please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖