libmicrovmi icon indicating copy to clipboard operation
libmicrovmi copied to clipboard
verified publisher icon Wenzel

Question: Python volatility3 plugin does not work when VM is paused

Open dommi22m opened this issue 1 year ago • 1 comments

Hi!

I hope it's okay that I'm asking a question here.

I would like to perform several Volatility3 queries in succession for a certain state of a VM. To do this, I pause the VM in advance. If I now execute Volatility with the following command, for example, it simply stops. vol --plugin-dirs /home/user/libmicrovmi/python/microvmi/volatility/ --single-location "vmi:///?vm_name=windows10&kvm_unix_socket=/tmp/introspector" windows.pslist.PsList If I now unpause the VM, Volatility continues to run and also outputs the required information.

So the plugin does not seem to work when the VM is paused. What I don't quite understand is that I have already rewritten the plugin once so that the VM is automatically paused and it works. (See here #246) Is there a technical background that I don't understand or does anyone have a tip for me on how I could solve the problem?

Underlying hypervisor: KVM

Thank you already! Tommy

dommi22m avatar May 12 '24 13:05 dommi22m

Hi Tommy,

thanks for posting an issue. I'm trying to get a repro here first, so i can get a better understanding of the situatin. I'll keep you posted

Wenzel avatar May 21 '24 12:05 Wenzel