Cisco-Talos/pyrebox

Question: How to get the total running time of the VM in pyrebox?

hustWang opened this issue · 5 comments

Hi pyrebox developers,
The script which is loaded in pyrebox needs to get the initial time of the VM in the beginning, and then get the current VM time every time the callback function is called. When the difference between the current time and the initial time reaches the set maximum time, the callback function is removed.
But if the time library in Python is called, we will get the runtime of the script instead of the running time of the VM. So I would like to ask if there is a way to get the total running time of the VM?
Best regards.

Hi hustWang,

I have just added (commit b332a7b) a function in the api to retrieve the system time of the running guest (for windows systems). If you would need an implementation for Linux systems as well, let me know.

I am leaving this issue open so that I keep track of the status for Linux support.

  • Windows support
  • Linux support

Hope that helps,

Xabier

Hi,

Thank you for your fast support, my VM is Windows XP and the get_system_time function worked. The only problem is that the VM is stuck and I can't move my mouse at all through the VNC viewer. Like I said before, I use a block_end callback function to get the current VM time and compare it to the initial time, in order to do some analysis every 10s. However, the time provided by get_system_time() is different from the time shown in the lower right corner of the Windows VM: the former keeps moving forward as long as my script is running, while the latter is stuck at 10:34 forever. Why would that happen?

Hi hustWang,

That is likely because your call to get_system_time() is introducing too much overhead, given you are doing it on every "block_end". Every time you call that function, the volatility runtime is used to inspect kernel memory. One thing you may want to do is, let's say, call it every 1k blocks, or 10k blocks, etc. Also, be aware that block_end will be called quite frequently, so ideally you should think about creating a simple trigger to filter out calls if there is some simple logic you can implement easily in C/C++. You can check the generic_unpacker plugin as an example.
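
The throttling suggested above (sample the guest clock only every N blocks, then drop the callback once the guest has run for the configured time), written out as an added example. This is not PyRebox's own code and not code from the thread. The guest clock is passed in as any zero-argument callable returning a datetime, so that inside PyRebox it can be `api.get_system_time` while here a constructed `FakeGuestClock` stands in for it; the PyRebox hook-up at the bottom (`CallbackManager`, `BLOCK_END_CB`, `rm_callback`) is sketched from memory as an assumption and is not executed.

```python
"""Throttled guest-time budget for a PyRebox-style block_end callback.

Added example (not PyRebox's own code). The expensive guest-clock read
is paid only every `check_every` blocks; the callback owner removes the
callback once the guest has run for `max_seconds` of *guest* time.
"""
from datetime import datetime, timedelta
from typing import Callable


class GuestTimeBudget:
    """Counts block_end events and samples the guest clock every N blocks."""

    def __init__(self, guest_clock: Callable[[], datetime],
                 max_seconds: float, check_every: int = 10_000):
        if check_every < 1:
            raise ValueError("check_every must be >= 1")
        self._clock = guest_clock
        self._limit = timedelta(seconds=max_seconds)
        self._check_every = check_every
        self._blocks = 0       # block_end events seen so far
        self._queries = 0      # how often the expensive clock was read
        self._start = self._sample()   # initial guest time, read once
        self.expired = False

    def _sample(self) -> datetime:
        self._queries += 1
        return self._clock()

    def on_block(self) -> bool:
        """Call once per block_end. Returns True once the budget is spent."""
        if self.expired:
            return True
        self._blocks += 1
        # Only every check_every-th block triggers a kernel-memory read.
        if self._blocks % self._check_every != 0:
            return False
        if self._sample() - self._start >= self._limit:
            self.expired = True
        return self.expired

    @property
    def blocks_seen(self) -> int:
        return self._blocks

    @property
    def clock_queries(self) -> int:
        return self._queries


class FakeGuestClock:
    """Constructed stand-in for api.get_system_time(): returns the current
    guest time and then advances it by a fixed step, so each read models
    guest time that passed while the guest executed the intervening blocks."""

    def __init__(self, start: datetime, step: timedelta):
        self._now = start
        self._step = step

    def __call__(self) -> datetime:
        now = self._now
        self._now += self._step
        return now


def run_simulation(max_seconds: float, check_every: int,
                   step_seconds: float) -> tuple:
    """Drive the budget with the fake clock until it expires.

    Returns (blocks executed, guest-clock reads), which shows that the
    clock is read once at start plus once per check_every blocks.
    """
    clock = FakeGuestClock(datetime(2018, 1, 1, 10, 34),
                           timedelta(seconds=step_seconds))
    budget = GuestTimeBudget(clock, max_seconds, check_every)
    while not budget.on_block():
        pass
    return budget.blocks_seen, budget.clock_queries


# --- PyRebox hook-up, sketched from memory (assumption, not run here) ---
# from api import CallbackManager, get_system_time
# budget = GuestTimeBudget(get_system_time, max_seconds=600, check_every=10_000)
# def block_end_cb(params):
#     if budget.on_block():
#         cm.rm_callback(handle)   # stop sampling once the budget is spent
# cm = CallbackManager(module_hdl)
# handle = cm.add_callback(CallbackManager.BLOCK_END_CB, block_end_cb)

if __name__ == "__main__":
    print(run_simulation(max_seconds=10, check_every=1000, step_seconds=2.5))
```

With a 10-second guest budget, a 2.5-second step per clock read and a check every 1000 blocks, the budget expires after 4000 blocks and only 5 reads of the guest clock (1 initial + 4 throttled), instead of one kernel-memory inspection per block.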

Ok, I get it, thank you so much :D

No problem! I am closing this issue. Please reopen it if necessary.