VMware vSphere

Hello,

The security team ask us to find a way to dump ESX memory for forensic analysis while running.

• OK for Virtual Machines memory with snapshot and extracting the vmem file
• OK for Core dump (purple screen) with the diagnostic partition or collector

But is there a way or tool to dump esxi host memory on a running esxi ?

Thanks for your ideas.

Regards, David.  

Hi,
I haven't done this myself, but there's usually a KB for just about everything.
Here's one that might help:
https://knowledge.broadcom.com/external/article/340041/generating-live-core-dump-for-esxi-host.html

Hello,

The security team ask us to find a way to dump ESX memory for forensic analysis while running.

• OK for Virtual Machines memory with snapshot and extracting the vmem file
• OK for Core dump (purple screen) with the diagnostic partition or collector

But is there a way or tool to dump esxi host memory on a running esxi ?

Thanks for your ideas.

Regards, David.  

Hi,

Thank you for your answer.

Your article is very good and is a first step. We can dump process memory like hostd or kernel, but I think the security team want to capture the whole memory (like winpmem or linpmem).

I don't find anything about capturing the esx memory (to list all process running on a compromised esxi after the capture per exemple).

Regards, David.

Hi,
I haven't done this myself, but there's usually a KB for just about everything.
Here's one that might help:
https://knowledge.broadcom.com/external/article/340041/generating-live-core-dump-for-esxi-host.html

Hello,

The security team ask us to find a way to dump ESX memory for forensic analysis while running.

• OK for Virtual Machines memory with snapshot and extracting the vmem file
• OK for Core dump (purple screen) with the diagnostic partition or collector

But is there a way or tool to dump esxi host memory on a running esxi ?

Thanks for your ideas.

Regards, David.  

As per my knowledge, there is no officially supported way to dump the entire esxi host memory live (without a crash) using VMware's native tools, because esxi is a closed source, bare metal hypervisor, and live memory access is restricted for security and stability purposes. However, there are advanced methods that can capture live memory from a running esxi host, but I think they are not officially supported or safe for production and could be risky.

Winpmem is for windows to capture full physical ram from live windows systems.

Linpmem is for linux to capture full physical ram from live Linux systems, they are not used for dumping esxi host memory, they are relevant for virtual machines running windows or linux on top of ESXi when you want to capture their memory without suspending them.

If you want to dump windows vm memory running on esxi, use winpmem.exe inside the vm

Or if you want to dump linux vm memory running on esxi then use linpmem inside the vm.

You can use esxi native tool to dump the memory of an esxi host.

Thanks

Hi,

Thank you for your answer.

Your article is very good and is a first step. We can dump process memory like hostd or kernel, but I think the security team want to capture the whole memory (like winpmem or linpmem).

I don't find anything about capturing the esx memory (to list all process running on a compromised esxi after the capture per exemple).

Regards, David.

Hi,
I haven't done this myself, but there's usually a KB for just about everything.
Here's one that might help:
https://knowledge.broadcom.com/external/article/340041/generating-live-core-dump-for-esxi-host.html

Hello,

The security team ask us to find a way to dump ESX memory for forensic analysis while running.

• OK for Virtual Machines memory with snapshot and extracting the vmem file
• OK for Core dump (purple screen) with the diagnostic partition or collector

But is there a way or tool to dump esxi host memory on a running esxi ?

Thanks for your ideas.

Regards, David.