create hyper-v dump using livekd

    Question

  • I have a 2012 Hyper-V machine with 6 VMs and am trying to get the memory dump for a specific VM using livekd,
    but I got an issue with this.
     
    When it comes to using livekd itself, it went well (I think), as shown below:
     
    ----------------
    C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64>livekd
    LiveKd v5.31 - Execute kd/windbg on a live system
    Sysinternals - www.sysinternals.com
    Copyright (C) 2000-2013 Mark Russinovich and Ken Johnson
    Launching C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\kd.exe:
    Microsoft (R) Windows Debugger Version 6.3.9600.17298 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.

    Loading Dump File [C:\Windows\livekd.dmp]
    Kernel Complete Dump File: Full address space is available
    Comment: 'LiveKD live system view'
    ************* Symbol Path validation summary **************
    Response                         Time (ms)     Location
    Deferred                                       srv*c:\Symbols*http://msdl.micros
    oft.com/download/symbols
    Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows 8 Kernel Version 9200 MP (24 procs) Free x64
    Product: Server, suite: TerminalServer DataCenter SingleUserTS
    Built by: 9200.16384.amd64fre.win8_rtm.120725-1247
    Machine Name:
    Kernel base = 0xfffff800`13085000 PsLoadedModuleList = 0xfffff800`1334fa60
    Debug session time: Fri Mar  6 18:07:23.583 2015 (UTC + 9:00)
    System Uptime: 310 days 22:04:41.684
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ................
    Loading User Symbols
    Loading unloaded module list
    ..................................................
    0: kd> q
     
    ----------------
     
    But it didn't work when I tried to get the VM name and dump file with it.
     
    ----------------
     
    C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64>livekd -hvl
    LiveKd v5.31 - Execute kd/windbg on a live system
    Sysinternals - www.sysinternals.com
    Copyright (C) 2000-2013 Mark Russinovich and Ken Johnson
    Partition GUID                         Name
    01D0FF39-E2F6-4BFD-AC31-BB86BF6DBF54   <n/a>
    166C39DD-6F8B-4A5E-9484-B8764422E6E9   <n/a>
    CD27DCA0-FE1F-4846-B4C8-F02531DB6BD7   <n/a>
    CD94C90B-201D-4AB7-BB1C-7084EA63DD12   <n/a>
    E1BE1D59-E58C-4432-B304-BCE9980C0723   <n/a>
    C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64>livekd -hv CD27DCA0-FE1F-4
    846-B4C8-F02531DB6BD7 -p -o c:\memory.dmp
    LiveKd v5.31 - Execute kd/windbg on a live system
    Sysinternals - www.sysinternals.com
    Copyright (C) 2000-2013 Mark Russinovich and Ken Johnson
    WARNING: Failed to query pause state for VM CD27DCA0-FE1F-4846-B4C8-F02531DB6BD7
    .
    WARNING: Failed to pause VM CD27DCA0-FE1F-4846-B4C8-F02531DB6BD7.
    Error resolving symbol KdVersionBlock: 126
    Failed to resolve KdVersionBlock - 126
    Failed to load guest symbols - 126
    Failed to prepare hypervisor session for debugger - error 126.
     
    ----------------
     
    One thing: it's not connected to the internet. I installed the symbol package file.
     
    Any suggestions?
     
    Thanks in advance.
    Friday, March 6, 2015 1:07 AM

All replies

  • http://limitding.blogspot.com/2016/01/using-volatility-with-hyper-v.html

    Using Volatility with Hyper-V 
    
    Assuming you have a Hyper-V image with Win7x64 and you want to use Volatility to do
    memory forensic analysis.
    
    1.  Set _NT_SYMBOL_PATH=srv*c:\symbols*https://msdl.microsoft.com/download/symbols
    
    2.  Install debugging tools for Windows
         Microsoft makes it hard to just get the debugging tools by themselves; you will need to download
         the SDK setup, run it, and from the component selection menu select only the debugging
         tools option. You may also get it from this site, CodeMachine downloads.
    
    3.  Install SysInternals LiveKD
         We will use LiveKD to dump memory from RAM for analysis
    
    4.  Run your Hyper-V VM
    
    5.  List currently running VMs (Administrative privilege required)
         >livekd.exe -hvl
    
    6. Use the previously listed name to dump memory
        >livekd.exe -hv name -p -o c:\memory.dmp
    
        If you get any errors about kdversionblock or cannot resolve symbols for ntoskrnl, make sure your
        symbols are correct. You may also have to start up livekd in debugging mode and force
        downloading of symbols
        >livekd.exe -hv name
                  >>.reload /f
    
        Verify that your symbols folder contains the symbol files.
    
    7. Convert from memory to raw dump (OPTIONAL, try it first with the memory dump)
        >volatility-X.X.standalone.exe -f c:\memory.dmp --profile=Win7SP1x64 imagecopy
                    -O c:\memory.dd
    
    8. Run Volatility commands
        >volatility-X.X.standalone.exe -f c:\memory.dd --profile=Win7SP1x64 psscan


    Vladimir Zelenov | http://systemcenter4all.wordpress.com


    Thursday, December 20, 2018 1:01 PM
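The eight-step procedure from the reply above, written as one PowerShell script so that the symbol-store check the reply recommends runs before livekd is invoked. This is an added example, not code from the thread, from LiveKd or from Volatility; the tool paths, the Volatility executable name, the ntkrnlmp.pdb check and the parsing of the -hvl listing are assumptions, and the livekd and volatility switches used are only those shown on this page.

```powershell
# Added example (not from the thread): drive the LiveKd -> Volatility workflow
# described in the reply as one script, checking the local symbol store first.
param(
    # Assumed install locations; adjust to the Debugging Tools / LiveKd paths on your host.
    [string]$LiveKd     = 'C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\livekd.exe',
    [string]$Volatility = 'C:\Tools\volatility-2.6.standalone.exe',   # assumed filename
    [string]$SymbolDir  = 'C:\Symbols',
    [string]$DumpPath   = 'C:\memory.dmp',
    [string]$RawPath    = 'C:\memory.dd',
    [string]$Profile    = 'Win7SP1x64',
    [string]$VmId       = ''      # GUID or Name from the -hvl listing; prompted if empty
)

# Step 1: symbol path, local store first, Microsoft symbol server second.
# On an offline host only the local store can satisfy symbol lookups.
$env:_NT_SYMBOL_PATH = "srv*$SymbolDir*https://msdl.microsoft.com/download/symbols"

function Test-KernelSymbols {
    # Assumption: the guest kernel PDB (ntkrnlmp.pdb for x64) must already be in
    # the local store, otherwise livekd cannot resolve KdVersionBlock offline.
    param([string]$Dir)
    if (-not (Test-Path $Dir)) { return $false }
    $pdb = Get-ChildItem -Path $Dir -Recurse -Filter 'ntkrnlmp.pdb' -ErrorAction SilentlyContinue
    return ($pdb | Measure-Object).Count -gt 0
}

function Get-HyperVPartitions {
    # Step 5: parse the "Partition GUID   Name" table that livekd -hvl prints
    # (rows look like "01D0FF39-E2F6-4BFD-AC31-BB86BF6DBF54   <n/a>").
    param([string]$Exe)
    $out = & $Exe -hvl 2>&1
    foreach ($line in $out) {
        if ("$line" -match '^\s*([0-9A-Fa-f-]{36})\s+(.+?)\s*$') {
            [pscustomobject]@{ Guid = $Matches[1]; Name = $Matches[2] }
        }
    }
}

if (-not (Test-KernelSymbols -Dir $SymbolDir)) {
    Write-Warning "No ntkrnlmp.pdb under $SymbolDir; an offline livekd run will fail on KdVersionBlock."
    Write-Warning "Populate the store first (online: livekd -hv <id>, then .reload /f in kd)."
    exit 1
}

$vms = @(Get-HyperVPartitions -Exe $LiveKd)
if ($vms.Count -eq 0) { throw 'livekd -hvl listed no partitions (run elevated, with the VMs running).' }
$vms | Format-Table -AutoSize

if ($VmId -eq '') {
    $VmId = Read-Host 'Partition GUID (or Name, when it is not <n/a>) to dump'
}

# Step 6: pause the guest (-p) and write its memory to $DumpPath (-o).
& $LiveKd -hv $VmId -p -o $DumpPath 2>&1 | Tee-Object -Variable dumpLog
$failed = $dumpLog | Where-Object {
    "$_" -match 'Failed to (resolve KdVersionBlock|load guest symbols|prepare hypervisor session)'
}
if ($failed) { throw 'LiveKd could not prepare the guest debug session; verify the guest kernel symbols.' }
if (-not (Test-Path $DumpPath)) { throw "No dump was written to $DumpPath" }

# Steps 7-8: optional conversion to a raw image, then a Volatility pool scan for processes.
& $Volatility -f $DumpPath --profile=$Profile imagecopy -O $RawPath
& $Volatility -f $RawPath --profile=$Profile psscan
```

Run it elevated on the Hyper-V host and pass -VmId with the Partition GUID from the listing when the Name column shows <n/a>, as in the question. The script deliberately stops before dumping when the local store holds no kernel PDB, because an offline host cannot fall back to the symbol server and that is the situation in which the reply says the kdversionblock errors appear.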