From Collaborative RCE Tool Library

Jump to: navigation, search

Compare VMware Snapshots

Tool name: Compare VMware Snapshots
Rating: 0.0 (0 votes)
Author: ZaiRoN                        
Current version: 1.0
Last updated: September 19, 2007
Direct D/L link: Locally archived copy
License type: Free
Description: Nowadays there’s a big use of virtualization; tools like VMware, VirtualPC and others are daily used. There are some differencies between the original and the virtualized environment, but to study a malware under a protected blackbox it’s very comfortable. You can study their behaviour without any problems.

Just today, while I was running a malware, I got this foolish idea: can I identify hidden files using VMware’s snapshots?

Under VMware you can save the current state of a virtual machine taking a snapshot of the running guest system. The snapshot is stored somewhere in the guest’s OS folder, it simply needs some files. I’m interestered in one file only, the one containing the guest’s memory. The memory is saved inside a file with .vmem extension.

The idea is to take two snapshots (a virgin and an infected system), and then compare the two files. The main problem is that a single snapshot needs a large amounts of bytes, around 260 Mb on my system. Comparing the snapshots using an hex editor is madness. I decided to write a simple application able to compare two files string to string. Why only strings?
Well, how can I identify an hidden file simply looking at a “memory dump”? The answer is simple: the only thing able to reveal a trace is a string containing the name of the hidden file, nothing more. So, I extract all the strings from the virgin snapshot and then I compare them with all the strings from the infected snapshot. Yes, it’s a foolish idea but it helps me to pass a boring afternoon.

The most important part of the program is the internal “search engine”. To speed up the program you have to search for specific strings. To view the results in a quick way I simply search for strings with extension “.sys”, “.dll” or just “.exe”. That’s because these are the file extensions of the files that are always hidden. You can improve the search engine adding some more rules (i.e. string must have “system32″ or “windows” inside) but the result won’t change: you can always see some interesting strings.

I tried the program running two malwares: Lager and Nailuj.
Lager malware hides a file named taskdir.exe and Nailuj hides videoati0.sys/dll/exe.
In both cases, I can see some strings referring to the hidden files.

The string is somewhere in the memory, I’m not interested in its position but in the string itself: it exists!

There are some good tools out there able to show hidden files but sometimes they fail. When they fail you can try with this approach.
Related URLs:
Release blog entry:

Screenshot of Compare VMware Snapshots

RSS feed Feed containing all updates for this tool.

You are welcome to add your own useful notes about this tool, for others to see!

If you find that any information for the tool above is missing, outdated or incorrect, please edit it!
(please also edit it if you think it fits well in some additional category, since this can also be controlled)

Category Navigation Tree
   Code Coverage Tools  (13)
   Code Ripping Tools  (2)
   Binary Diff Tools  (7)
   Image Diff Tools  (2)
   System Diff Tools  (5)
   Text Diff Tools  (6)
   Helper Tools  (3)
   Hex Editors  (13)
   Memory Patchers  (7)
   Packers  (20)
   Profiler Tools  (11)
   String Finders  (10)
   Tool Hiding Tools  (7)
   Tracers  (23)
   Needs New Category  (3)