Device_LiveCloudKd

Memory Acquisition Method: LiveCloudKd

The LeechCore library with LiveCoudKd additions supports reading live Hyper-V Guest VM memory from the Hyper-V host at very high speeds.

Facts in short:

Is supported on 64-bit Windows Hyper-V host.
Acquires memory in read/write mode.
Acquired memory is assumed to be volatile.
Have additional requirements (separate download).
Externally contributed plugin by Arthur Khudyaev - @gerhart_x.

The LeechCore/PCILeech/MemProcFS process must be started in elevated administrator mode for LiveCoudKd to be able to capture live memory from Hyper-V guests if running in local (non remote) mode.

If LiveCloudKd does not work on first attempt please try to disable dynamic memory on the virtual machine and retry.

tl;dr;

Download MemProcFS binaries - unzip to directory on Hyper-V host C: drive.
Download LiveCloudKd binaries - unzip to same directory as MemProcFS.
Install the dokany user mode file system (required by MemProcFS).
Run in elevated administrator command prompt: MemProcFS.exe -device hvmm

Connection string:

LeechCore API:

Please specify the acquisition device type in LC_CONFIG.szDevice when calling LcCreate. The acquisition device type is hvmm.

Options:

id=<vm id number> - use specific vm id number instead of asking at startup (if multiple VMs are running).

listvm - list the virtual machines and their ids.

unix - treat the VM as a non-windows machine skipping some checks resulting in faster startup-times.

nvolatile - treat the VM memory as static non-volatile memory (same as dump file). Not recommended for MemProcFS since memory is likely to start to drift and background refreshes will be disabled.

PCILeech / MemProcFS:

Please specify the device type in the -device option to PCIleech/MemProcFS.

Examples:

-device hvmm -remote rpc://<spn>:<somehost>

-device hvmm

-device hvmm://id=3,unix

Requirements:

Depends on LiveCloudKd. Please download the latest version of LiveCloudKd - leechcore_hyperv_plugin.zip from Github. Please unzip the contents i.e. hvmm.sys, leechcore_device_hvmm.dll and hvlib.dll into the directory where leechcore.dll resides (usually alongside pcileech.exe / MemProcFS.exe).

Please note that MemProcFS also have a separate dependency on the dokany user mode file system (documented in MemProcFS project).

Example:

The below example shows a user starting MemProcFS, from an elevated administrative command prompt, by running MemProcFS.exe -device hvmm. LiveCloudKd will load the hvmm.sys driver into the kernel - querying which Hyper-V Guest VMs that may be selected. The user selects a Guest VM and is then able to access the guest virtual memory in the MemProcFS file system.

Please note that the slow copying speed (179MB/s) in the below example is related to a slow target disk - not LiveCloudKd.

Additional Notes:

Thanks to Arthur Khudyaev - @gerhart_x for making this possible. LiveCloudKd: https://github.com/gerhart01/LiveCloudKd

LiveCloudKd is stable and well tested on various Hyper-V hosts, such as Windows Server 2019 and 2022.

LiveCloudKd is supported by LeechCore/PCILeech/MemProcFS an external plugin and is not directly related LeechCore/PCILeech/MemProcFS.

Sponsor PCILeech and MemProcFS:

PCILeech and MemProcFS is free and open source!

I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!

If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk

Thank You 💖