Is there a reasonable method of taking a snapshot of memory and cpu state? I have a method of rolling back the disk, but am wondering if I could revert memory as well.
From what I understand, the hibernate functionality might be able to do this for me. Is there a way I can save the state to hiberfil.sys without actually shutting the machine down? I want to be able to reuse the state stored in hiberfil.sys multiple times in the future.
The answer depends on what you are trying to implement. Are you looking
to do something like quiesce the system in a virtual environment, or
perhaps some sort of debugger?
mm
xxxxx@umich.edu wrote:
Is there a reasonable method of taking a snapshot of memory and cpu state? I have a method of rolling back the disk, but am wondering if I could revert memory as well.
From what I understand, the hibernate functionality might be able to do this for me. Is there a way I can save the state to hiberfil.sys without actually shutting the machine down? I want to be able to reuse the state stored in hiberfil.sys multiple times in the future.
I’m trying to implement a method of taking a snapshot of the system in a known valid state. It will then be allowed to execute arbitrary malware/malicious code. After monitoring the system for some time period, I’d like to be able to revert back to the valid state, do some analysis, and then repeat the process.
I guess VMware snapshots are exactly what you want. Just don’t forget to
set networking in the VM correctly so the malware doesn’t escape from
the VM. You can turn it off or create a pure virtual network from
several VMs to examine how malware behaves in a networking environment.
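The snapshot / detonate / revert loop suggested above, written out as an added example with vmrun (this script is not from the thread or from VMware); the .vmx path, the guest account variables and the sample location C:\sample.exe are assumptions, and DRY_RUN=1 only prints the vmrun commands so the workflow can be checked on a host without VMware.

```shell
#!/bin/sh
# Added example: baseline snapshot, isolated NIC, detonate, revert, repeat.
# Assumed (constructed) values: VM at $VMX, guest credentials in
# GUEST_USER/GUEST_PASS, sample already copied into the guest as C:\sample.exe.
VMX="${VMX:-/vms/xp-analysis/xp.vmx}"
SNAP="${SNAP:-clean}"
DRY_RUN="${DRY_RUN:-0}"
DWELL="${DWELL:-300}"          # seconds the sample is allowed to run per cycle

# run(): print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# isolate_network(): force the VM's first NIC onto the host-only network by
# rewriting (or appending) ethernet0.connectionType in the .vmx file ($1).
isolate_network() {
    if grep -q '^ethernet0.connectionType' "$1"; then
        sed 's/^ethernet0.connectionType.*/ethernet0.connectionType = "hostonly"/' \
            "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf 'ethernet0.connectionType = "hostonly"\n' >> "$1"
    fi
}

take_baseline()   { run vmrun -T ws snapshot "$VMX" "$SNAP"; }
revert_baseline() { run vmrun -T ws revertToSnapshot "$VMX" "$SNAP"; }

# detonate_cycle(): one analysis round starting from the clean snapshot.
detonate_cycle() {
    revert_baseline
    run vmrun -T ws start "$VMX" nogui
    run vmrun -T ws -gu "$GUEST_USER" -gp "$GUEST_PASS" \
        runProgramInGuest "$VMX" -noWait 'C:\sample.exe'
    [ "$DRY_RUN" = "1" ] || sleep "$DWELL"   # host-side monitoring runs meanwhile
    run vmrun -T ws stop "$VMX" hard
}

# Usage: ./snapshot_loop.sh cycle   (edit the .vmx while the VM is powered off)
if [ "${1:-}" = "cycle" ]; then
    isolate_network "$VMX"
    take_baseline
    detonate_cycle
fi
```

Run additional rounds by calling detonate_cycle again; each one starts from the same baseline snapshot.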
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@umich.edu
Sent: Tuesday, February 12, 2008 2:30 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to take a snapshot of system state in xp
I’m trying to implement a method of taking a snapshot of the
system in a known valid state. It will then be allowed to
execute arbitrary malware/malicious code. After monitoring
the system for some time period, I’d like to be able to
revert back to the valid state, do some analysis, and then
repeat the process.
One of the goals is to compare results with vmware. The problem is that I’m trying to avoid being detected by the methods used to fingerprint virtual machines. Otherwise, the functionality is almost exactly what I’m trying to duplicate.
Strictly speaking, no, unless you run under the control of a hypervisor. Why not??? Simply because the process of saving memory will require memory modifications if it gets done by the target OS itself. Therefore, the OS has to delegate the process of saving its state to some other party that can handle the job without modifying the memory that has to be saved. Earlier you mentioned hibernation. Strictly speaking, it is not equivalent to saving the machine state as a snapshot - when the target machine wakes up, its restored state is not exactly the same as it
used to be in at the time the snapshot was taken…