
Generic: Add vmscan plugin

Open ikelos opened this issue 1 year ago • 1 comments

Adds in a vmscan plugin that will search for a VMCS structure using profile information (currently profiles only exist for Skylake and Haswell architectures, but more can be added). After we've found the VMCS location, we can determine the page table and load a layer on top of it, but we'll need to figure out how to then let people run plugins against those virtual images. Probably by a config, but the config system may need rejigging to support partial information (layer) without a prepopulated module or symbol table...

Doesn't need everyone to review it, just not sure who's got the most knowledge of VMCS or Intel VT-d...

ikelos, May 20 '24 19:05
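A sketch of the scan described in the post above, as an added example that is not code from the pull request or from volatility3: it walks a raw physical image page by page, matches the VMCS header against a per-architecture profile, and validates the EPT pointer that would root the guest's page-table layer. The profile dict, its revision id and field offset, and the function names are hypothetical; the image is assumed to be a flat physical dump and the guest to use 4-level EPT.

```python
import struct

PAGE = 0x1000

# Hypothetical profile: real VMCS field offsets are microarchitecture-specific,
# which is why the plugin needs per-CPU profiles. These values are constructed.
SAMPLE_PROFILE = {"revision_id": 0x12, "eptp_offset": 0x0E8}


def plausible_eptp(eptp, image_size):
    """Validate an EPT pointer: bits 2:0 memory type (0 = UC, 6 = WB),
    bits 5:3 page-walk length minus one, PML4 table inside the image."""
    mem_type = eptp & 0x7
    walk_len = (eptp >> 3) & 0x7
    pml4 = eptp & ~0xFFF
    return mem_type in (0, 6) and walk_len == 3 and 0 < pml4 <= image_size - PAGE


def scan_vmcs(image, profile):
    """Return [(vmcs_offset, ept_pml4_address)] for every candidate page."""
    hits = []
    for base in range(0, len(image) - PAGE + 1, PAGE):
        # Bytes 0-3: revision id in bits 30:0 (bit 31 marks a shadow VMCS).
        # Bytes 4-7: VMX-abort indicator; requiring zero is a heuristic that
        # skips regions recorded after a VMX abort.
        header, abort = struct.unpack_from("<II", image, base)
        if header & 0x7FFFFFFF != profile["revision_id"] or abort != 0:
            continue
        (eptp,) = struct.unpack_from("<Q", image, base + profile["eptp_offset"])
        if plausible_eptp(eptp, len(image)):
            hits.append((base, eptp & ~0xFFF))
    return hits


def build_sample_image():
    """Constructed 8-page image: a VMCS-like page at 0x2000 and a decoy at 0x4000."""
    image = bytearray(8 * PAGE)
    off = SAMPLE_PROFILE["eptp_offset"]
    struct.pack_into("<II", image, 0x2000, SAMPLE_PROFILE["revision_id"], 0)
    struct.pack_into("<Q", image, 0x2000 + off, 0x5000 | 0x1E)  # WB, 4-level walk
    # Decoy: matching revision id, but the EPTP points outside the image.
    struct.pack_into("<II", image, 0x4000, SAMPLE_PROFILE["revision_id"], 0)
    struct.pack_into("<Q", image, 0x4000 + off, 0x9000000 | 0x1E)
    return bytes(image)


if __name__ == "__main__":
    for vmcs, pml4 in scan_vmcs(build_sample_image(), SAMPLE_PROFILE):
        print(f"VMCS candidate at {vmcs:#x}, EPT PML4 at {pml4:#x}")
```

The decoy page shows why the header match alone is not enough: the revision id is a small integer that recurs in unrelated data, so the pointer check is what keeps false positives down.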

Interesting! Looks like it would close off this issue if merged https://github.com/volatilityfoundation/volatility3/issues/464

eve-mem, May 20 '24 20:05