Tuesday, August 29, 2006

LiveView

Ever wondered what was going on with a system while it was running? Have you ever been looking at an image in your analysis-tool-of-choice and thought that you'd get a lot more info if you could only boot this puppy?

Now, you can do that...well, at least for Windows systems. Check out LiveView, a Java-based tool from CMU that promises to let you boot your system image in VMWare. It looks very interesting, and I'm itching to give it a try.

If you do decide to try it out, remember this...send feedback in to the guys who produced the tool. Telling them it doesn't work isn't very useful; instead, give them as much information as you can, so that they can improve the tool and make it more useful to everyone.

Addendum: I downloaded and installed LiveView, and everything went pretty smoothly. The Java Runtime Environment (JRE) 5.0 was installed, as was the VMWare DiskMount utility. I happen to have an image available that I downloaded, so I ran LiveView and pointed it toward the image, accepting most of the defaults in the UI. I opted to have the resulting VM automatically run, and interestingly enough, it started right up! This is somewhat different from Richard's experience, but I didn't have any binaries that had been modified. I'm using VMWare Workstation 5.5.2, so I let the VM go through its "found new hardware" shenanigans, and then installed the VMWare Tools. I then rebooted the image and updated the display settings. The image I'm working with is an XP system that seems to have been set with no password. I'll need to see how effective the NTPasswd disk is on systems like this. Either way...it's very cool. I can see what the running system looked like, and I can snapshot the system prior to installing tools or performing any analysis on it. In the end, I still have the dd image, as well.

Oops! Okay, I wanted to see if I could, in fact, snapshot the VM I was running, and the choices were greyed out on the menu bar. So I figured I would suspend the VM, and then see what's going on in the resulting .vmem file. I chose Suspend...and VMWare bombed. I restarted the VM and tried it again, and was able to get it to work, although it didn't seem to go as smoothly as a "normal" VM session does. Anyway, I got the .vmem file I was looking for, and it's about the right size. Now I have something to work with and run my tools against.

Word of warning...I wasn't able to modify the settings on the VM session, such as increase RAM from 256 MB to 512 MB. This is something to think about if you're setting up a system this way.
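As an added example (not part of this post, and not LiveView's own code), here is a small Python script for the two sanity checks the walkthrough above implies before running tools against the suspended VM: that the .vmem file is exactly the guest RAM configured by `memsize` in the .vmx (the 256 MB case here), and that the original dd image hashes the same after the VM session as before it. The sample .vmx text, dd image and .vmem file are constructed in a temp directory, and "vmem size equals memsize in MB" is an assumption about the Workstation suspend format, not something the post states.

```python
import hashlib
import os
import re
import tempfile

MB = 1024 * 1024


def parse_vmx(text):
    """Parse the key = "value" lines of a VMware .vmx file into a dict."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$', line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def expected_vmem_size(vmx_text):
    """Guest RAM in bytes; assumption: a suspended VM's .vmem is exactly this size."""
    return int(parse_vmx(vmx_text)["memsize"]) * MB


def vmem_size_ok(vmx_text, vmem_path):
    """True when the .vmem on disk matches the configured guest RAM byte for byte."""
    return os.path.getsize(vmem_path) == expected_vmem_size(vmx_text)


def sha256_file(path, chunk=1 << 20):
    """Stream-hash a (possibly multi-GB) file without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_unchanged(path, baseline_hex):
    """Re-hash the dd image after the VM session and compare with the pre-boot hash."""
    return sha256_file(path) == baseline_hex


def demo(memsize_mb=4):
    """Constructed sample: a tiny stand-in dd image and a sparse .vmem of memsize_mb."""
    d = tempfile.mkdtemp()
    vmx = 'config.version = "8"\nmemsize = "%d"\ndisplayName = "liveview-image"\n' % memsize_mb
    dd = os.path.join(d, "image.dd")
    with open(dd, "wb") as f:
        f.write(b"constructed placeholder image bytes" * 64)
    baseline = sha256_file(dd)          # hash taken before booting the image
    vmem = os.path.join(d, "image.vmem")
    with open(vmem, "wb") as f:
        f.truncate(memsize_mb * MB)     # sparse file standing in for suspended guest RAM
    ok = vmem_size_ok(vmx, vmem)
    with open(vmem, "ab") as f:
        f.write(b"\0")                  # simulate a truncated/oversized .vmem from a bad suspend
    return {"expected": expected_vmem_size(vmx), "vmem_ok": ok,
            "vmem_tampered_ok": vmem_size_ok(vmx, vmem),
            "image_ok": image_unchanged(dd, baseline)}


if __name__ == "__main__":
    print(demo(256))
```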