Doubts in the pmemaccess command in QEMU v5.1 and PANDA v1.0
I apologize if I put my question here in PANDA v1.0, as I was hesitant to put it in the new PANDA v2.0.
I am experimenting with your pmemaccess plugin. It is super interesting, since it exposes the physical memory of a guest VM through a Linux socket.
According to what I read, once the connection is made through the socket, you can use the socket for whatever you want; I want to see the live memory of a guest VM. I used the pmemaccess plugin on the command line of qemu-system-x86_64 ... -panda pmemaccess:path=/tmp/socket1,mode=0 (or I change it to mode 1), as well as through its console. What I did was use Volatility (example: volatility sockets -f socket1). I did not specify any profile; I just want it to be able to "open communication" with the socket. Once I did it, both in Volatility and in the QEMU-PANDA console it sends me the message that it is connected. Once I verify that the console tells me that the communication is already done, I open another terminal and use socat to see how the data flows through the socket (example: socat -t100 -x -v UNIX-LISTEN:/path/to/sock,mode=777,reuseaddr,fork UNIX-CONNECT:/path/to/sock.original).
And according to, you should see the data flow, but nothing happens; it does not send me any message. Literally, it does not send me anything, only the cursor blinks. I did the test with an Arch ISO image, then I used an image with Windows 7 64-bit. And again nothing.
I should also mention that I put that same plugin in QEMU v5.1.0 and the result is the same: I create the socket in the QEMU console, I link it with Volatility, and nothing.
I use a Sony Vaio i5 with 8 gigs of memory, running Kali 2020.3 64-bit.
I hope you can help me to see if it is possible to see the guest's memory live.
Thanks for your time and advice in advance.
I had forgotten to tell you that it is the first time that I use sockets in Linux. Thank you.