Hi, I'm writing/extending a little tool (courtesy of Andrew @pikewerks) that dumps the RAM pages from a savevm file to a raw memory dump file so that it can be analysed using tools that require a raw dump as input.
I can successfully locate and extract the pages and write them out to file. This seems to work for smaller VMs but when the memory size of a VM approaches 3.5 GB, things start to break, i.e., the analysis tool (volatility in this case) trips over the file. I believe this is because of PCI devices that are memory mapped below the 4GB memory mark which my tool doesn't account for at the moment. In other words, my tool puts all the pages in consecutive order without leaving 'holes' for the memory mapped devices. Question: is the information where the holes are and what the 'real' page offsets are in the savevm file or how could I gather that info? Any help is greatly appreciated. Thanks ...Juerg
