I have modified QEMU v5.1 by adding the pmemaccess command from moyix's PANDA v1.0. That command exposes the memory of a VM through a domain socket, and together with Volatility it is used to view the guest memory of a VM live.

My question is: has anyone gotten this to work? It creates the socket for me, and when I use it with Volatility, I get the message that it is already connected. Then I use socat to see how the data should flow through the socket, but nothing happens. I have tried several Windows and Linux images and it is the same: nothing happens.

Also, thinking that what I did was wrong, I downloaded PANDA v1.0, built it and ran it, and after doing all of the above the result is the same: nothing happens.

I have used ss to look at the sockets, and the socket is there, but I don't see anything going through that socket.

I did this on Kali 2020.3, on a Sony Vaio i5 with 8 GB of memory.

That is my question: whether someone has done this and it has worked for them.

In PANDA v2.0, they no longer include that command.

Regards!!!

What I have tried:

I have tried on Kali, Debian, SUSE and Fedora.
Updated 16-Sep-20 11:37am

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


