>
> Can you explain again why the existing commands to read guest memory
> (from the top of my head: dump-guest-memory, memsave, pmemsave) are
> insufficient?  How does your solution improve on them?  What exactly can
> it do that these commands can't?  What exactly can't it do that these
> commands can?
>
> I feel we need to understand the answers to these questions to sensibly
> evolve the API in this area.


Certainly.  The main issue with this series of commands is that they dump
the memory to a file on disk.  What I'm trying to facilitate here is an
application that monitors the guest memory in real time while the guest is
running (likely with brief pauses during memory analysis periods).  Writing
all of this data to disk, and then reading it back again for the analysis
application is several orders of magnitude too slow for these types of
applications.

This new method that I'm proposing here keeps everything in memory, which
makes it much faster.

TL;DR: existing solutions are suitable for forensic analysis, whereas I'm
looking to solve the runtime analysis problem.

-bryan
