Find/Extract processes, hypervisors (including nested) in memory dumps using microarchitechture independent Virtual Machiene Introspection techniques

Download as .zip Download as .tar.gz View on GitHub

Expanding on process detection into microarchitecture independent hypervisor introspection. The aim of is to provide some very high performance, high assurance interfaces to work with physical memory dumps. Isolation and extraction of process memory, including recursive introspection of VM/hypervisors that may be running.


Quickdumps is a demo of the API. A small tool to rapidly extract everything it can see into a sensible directory hierarchy.


See CanSecWest presentation on page table detection or DC22. I added a lost of the VM introspection stuff lately for Ruxcon.


Cryptographically secure integrity verification of known memory pages to greatly reduce the proportion of possibly malicious resident code.

Authors and Contributors

You can try to contact @ShaneK2 or feel free to make a bug/feature request.

Support or Contact

Eventually some documentation will be setup documentation