Python libvirt.VIR_DOMAIN_CORE_DUMP_FORMAT_RAW Examples

Example #1
Source File: memdump.py — from the nitro project (GNU General Public License v3.0)
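def main(args):
    """Write a raw, memory-only dump of a running QEMU/libvirt guest.

    ``args['<vm_name>']`` names the domain; the dump goes to
    ``<vm_name>.raw`` in the current working directory, overwriting an
    existing regular file of that name.

    Raises:
        libvirt.libvirtError: the connection or domain lookup fails, or the
            dump itself fails (raised by the libvirt bindings).
        OSError: the dump file cannot be created — this includes a symlink
            sitting at that path, which is refused on purpose.

    Security note: the file holds the guest's entire physical memory, which
    typically contains credentials and key material.  It is created r/w for
    everyone because libvirt may re-own it to the hypervisor user while
    writing (see below) and the invoking user must still be able to read it,
    so any local user who can enter the directory can read or tamper with
    it.  Run this from a directory other users cannot enter and restrict the
    mode (or move the file) once the dump is done.
    """
    vm_name = args['<vm_name>']
    # Resolve the domain first: an unknown name fails here, before any
    # file is touched.
    con = libvirt.open('qemu:///system')
    try:
        domain = con.lookupByName(vm_name)

        path = os.path.join(os.getcwd(), '{}.raw'.format(vm_name))
        # r/w by everyone: libvirt may chown the file to the qemu user while
        # dumping, and we still need to read it afterwards.
        mode = (stat.S_IRUSR | stat.S_IWUSR
                | stat.S_IRGRP | stat.S_IWGRP
                | stat.S_IROTH | stat.S_IWOTH)
        # Create/truncate with os.open instead of open(path, 'w'): O_NOFOLLOW
        # refuses a symlink planted at this predictable name, and fchmod on
        # the descriptor sets the mode umask-independently without a second
        # path lookup.
        fd = os.open(path,
                     os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW,
                     mode)
        try:
            os.fchmod(fd, mode)
            # take a ram dump: memory only, raw format (no device/CPU state)
            flags = libvirt.VIR_DUMP_MEMORY_ONLY
            dumpformat = libvirt.VIR_DOMAIN_CORE_DUMP_FORMAT_RAW
            domain.coreDumpWithFormat(path, dumpformat, flags)
        finally:
            os.close(fd)
    finally:
        con.close()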
Example #2
Source File: memory.py — from the oswatcher project (GNU General Public License v3.0)
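def dump_memory(self, event):
    """Take a raw, memory-only dump of the guest and fire ``memory_dumped``.

    The dump is written into a fresh private temporary directory and its
    path is passed to ``memory_dumped`` listeners as ``memdump_path``.
    When ``self.keep_dump`` is true the file is then moved to
    ``self.keep_dump_path``; otherwise file and directory are removed on
    exit.

    Args:
        event: the triggering event; unused here, it is only part of the
            handler signature.

    Raises:
        libvirt.libvirtError: the dump fails.
        OSError: the temporary file or the final move fails.

    Security note: a raw guest memory image usually contains credentials and
    key material.  The file is deliberately made r/w for everyone (libvirt
    may chown it to the qemu user while writing, and we still need to read
    and unlink it).  Inside the 0700 temporary directory that is harmless,
    but shutil.move preserves those bits, so a kept dump would land at
    ``keep_dump_path`` readable and writable by every local user.  We
    therefore restrict it to owner-only afterwards, best effort: if libvirt
    re-owned the file the chmod is denied and a warning is logged.
    """
    # Own the directory (TemporaryDirectory is created 0700): a dump file
    # created straight in /tmp would be owned by libvirt and we could not
    # remove it.
    with TemporaryDirectory() as tmp_dir:
        with NamedTemporaryFile(dir=tmp_dir, delete=not self.keep_dump) as ram_dump:
            # r/w by everyone *before* libvirt takes ownership
            os.chmod(ram_dump.name,
                     stat.S_IRUSR | stat.S_IWUSR
                     | stat.S_IRGRP | stat.S_IWGRP
                     | stat.S_IROTH | stat.S_IWOTH)
            self.logger.info('Dumping %s physical memory to %s',
                             self.context.domain.name(), ram_dump.name)
            flags = libvirt.VIR_DUMP_MEMORY_ONLY
            dumpformat = libvirt.VIR_DOMAIN_CORE_DUMP_FORMAT_RAW
            self.context.domain.coreDumpWithFormat(ram_dump.name, dumpformat, flags)
            # listeners analyse the dump while it still exists
            self.context.trigger('memory_dumped', memdump_path=ram_dump.name)
            if self.keep_dump:
                self.logger.info("Keeping memory dump at %s", self.keep_dump_path)
                kept_path = shutil.move(ram_dump.name, str(self.keep_dump_path))
                # Drop the world-r/w bits now that libvirt is done with the
                # file; fails with EPERM if libvirt re-owned it.
                try:
                    os.chmod(kept_path, stat.S_IRUSR | stat.S_IWUSR)
                except PermissionError:
                    self.logger.warning(
                        "Could not restrict permissions on %s; "
                        "the memory dump stays readable by other local users",
                        kept_path)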
Example #3
Source File: memory.py — from the see project (Apache License 2.0)
def memory_snapshot(context, memory_dump_path, compress):
    """Dump the guest's physical memory to ``memory_dump_path``.

    Only memory is dumped (no device/CPU state).  ``compress`` selects the
    zlib-compressed kdump format; otherwise a raw image is written.

    The target file is touched first so that it exists and is owned by the
    calling process before libvirt opens it — presumably so the caller keeps
    access once libvirt (typically running as a different user) has written
    it; the original only says it works around a libvirt API issue.

    NOTE(review): the file holds the whole guest memory, which usually
    includes credentials and keys, so ``memory_dump_path`` should live in a
    directory other local users cannot read.  The touch follows symlinks;
    do not let an untrusted user control the path or its directory.
    """
    # pre-create the file as ourselves (libvirt API permission workaround)
    with open(memory_dump_path, 'a'):
        pass

    only_memory = libvirt.VIR_DUMP_MEMORY_ONLY
    dump_format = (libvirt.VIR_DOMAIN_CORE_DUMP_FORMAT_KDUMP_ZLIB if compress
                   else libvirt.VIR_DOMAIN_CORE_DUMP_FORMAT_RAW)
    context.domain.coreDumpWithFormat(memory_dump_path, dump_format, only_memory)
Example #4
Source File: memory.py — from the CompSec project (MIT License)
def memory_snapshot(context, memory_dump_path, compress):
    """Dump the guest's physical memory to ``memory_dump_path``.

    Only memory is dumped (no device/CPU state).  ``compress`` selects the
    zlib-compressed kdump format; otherwise a raw image is written.

    The target file is touched first so that it exists and is owned by the
    calling process before libvirt opens it — presumably so the caller keeps
    access once libvirt (typically running as a different user) has written
    it; the original only says it works around a libvirt API issue.

    NOTE(review): the file holds the whole guest memory, which usually
    includes credentials and keys, so ``memory_dump_path`` should live in a
    directory other local users cannot read.  The touch follows symlinks;
    do not let an untrusted user control the path or its directory.
    """
    # pre-create the file as ourselves (libvirt API permission workaround)
    with open(memory_dump_path, 'a'):
        pass

    only_memory = libvirt.VIR_DUMP_MEMORY_ONLY
    dump_format = (libvirt.VIR_DOMAIN_CORE_DUMP_FORMAT_KDUMP_ZLIB if compress
                   else libvirt.VIR_DOMAIN_CORE_DUMP_FORMAT_RAW)
    context.domain.coreDumpWithFormat(memory_dump_path, dump_format, only_memory)
Example #5
Source File: backend.py — from the nitro project (GNU General Public License v3.0)
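def load_symbols(self):
    """Dump guest memory, run the Rekall symbol script on it, load the SSDTs.

    Side effects: sets ``self.symbols`` (the script's JSON output as a dict)
    and ``self.sdt``, a two-element list ``[nt_ssdt, win32k_ssdt]`` whose
    ``'ServiceTable'`` maps syscall index -> symbol name (``'ArgumentTable'``
    is created but left empty).  The memory dump lives in a private
    temporary directory and is deleted before this method returns.

    Raises:
        RuntimeError: no ``python2`` interpreter is on PATH, or the symbol
            output lists an entry before any table divider.
        ValueError: a table divider does not look like ``Table <n> @ ...``.
        subprocess.CalledProcessError: the symbol script exits non-zero.
        libvirt.libvirtError: the dump fails.

    Security note: the raw dump contains all guest memory (credentials,
    keys).  It is made r/w for everyone because libvirt may chown it to the
    qemu user, but it never leaves the 0700 temporary directory.
    """
    # Our own tmp directory (mkdtemp, 0700): a file created straight in
    # /tmp would end up owned by root and we could not remove it.
    with TemporaryDirectory() as tmp_dir:
        with NamedTemporaryFile(dir=tmp_dir) as ram_dump:
            # r/w by everyone so we can still read it after libvirt re-owns it
            os.chmod(ram_dump.name,
                     stat.S_IRUSR | stat.S_IWUSR |
                     stat.S_IRGRP | stat.S_IWGRP |
                     stat.S_IROTH | stat.S_IWOTH)
            # take a ram dump: memory only, raw format
            logging.info('Dumping physical memory to %s', ram_dump.name)
            flags = libvirt.VIR_DUMP_MEMORY_ONLY
            dumpformat = libvirt.VIR_DOMAIN_CORE_DUMP_FORMAT_RAW
            self.domain.coreDumpWithFormat(ram_dump.name, dumpformat, flags)
            # the symbols script lives next to this module
            script_dir = os.path.dirname(os.path.realpath(__file__))
            symbols_script_path = os.path.join(script_dir,
                                               GETSYMBOLS_SCRIPT)
            logging.info('Extracting symbols with Rekall')
            python2 = shutil.which('python2')
            if python2 is None:
                # without this check subprocess dies with an unhelpful
                # TypeError on the None argv[0]
                raise RuntimeError(
                    'python2 interpreter not found on PATH; it is needed to '
                    'run {}'.format(symbols_script_path))
            # argv list, no shell: the dump path is passed verbatim
            symbols_process = [python2, symbols_script_path, ram_dump.name]
            output = subprocess.check_output(symbols_process)
    logging.info('Loading symbols')
    # load output as json
    symbols = json.loads(output.decode('utf-8'))
    # SSDT index 0 = nt, 1 = win32k (matches the "Table N" dividers below)
    nt_ssdt = {'ServiceTable': {}, 'ArgumentTable': {}}
    win32k_ssdt = {'ServiceTable': {}, 'ArgumentTable': {}}
    self.sdt = [nt_ssdt, win32k_ssdt]
    cur_ssdt = None
    for e in symbols['syscall_table']:
        # rows are ['r', {...}]; anything else is skipped
        if not (isinstance(e, list) and e[0] == 'r'):
            continue
        row = e[1]
        if row["divider"] is not None:
            # new table: "Table <idx> @ <address>"
            m = re.match(r'Table ([0-9]) @ .*', row["divider"])
            if m is None:
                raise ValueError(
                    'unexpected SSDT divider: {!r}'.format(row["divider"]))
            idx = int(m.group(1))
            cur_ssdt = self.sdt[idx]['ServiceTable']
        else:
            if cur_ssdt is None:
                raise RuntimeError(
                    'SSDT entry seen before any table divider')
            # add entry to our current ssdt
            cur_ssdt[row["entry"]] = row["symbol"]["symbol"]
    # save rekall symbols
    self.symbols = symbols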