                        ____                                        ,-.----.           
                        ,'  , `.  ,----..   ,-.----.      ,---,       \    /  \          
           ,---.     ,-+-,.' _ | /   /   \  \    /  \    '  .' \      |   :    \         
          /__./|  ,-+-. ;   , |||   :     : ;   :    \  /  ;    '.    |   |  .\ :        
     ,---.;  ; | ,--.'|'   |  ;|.   |  ;. / |   | .\ : :  :       \   .   :  |: |        
    /___/ \  | ||   |  ,', |  ':.   ; /--`  .   : |: | :  |   /\   \  |   |   \ :        
    \   ;  \ ' ||   | /  | |  ||;   | ;  __ |   |  \ : |  :  ' ;.   : |   : .   /        
     \   \  \: |'   | :  | :  |,|   : |.' .'|   : .  / |  |  ;/  \   \;   | |`-'         
      ;   \  ' .;   . |  ; |--' .   | '_.' :;   | |  \ '  :  | \  \ ,'|   | ;            
       \   \   '|   : |  | ,    '   ; : \  ||   | ;\  \|  |  '  '--'  :   ' |            
        \   `  ;|   : '  |/     '   | '/  .':   ' | \.'|  :  :        :   : :            
         :   \ |;   | |`-'      |   :    /  :   : :-'  |  | ,'        |   | :            
          '---" |   ;/           \   \ .'   |   |.'    `--''          `---'.|            
                '---'             `---`     `---'                       `---`            
                                                                                     

                             VMgrab — VM memory dump validator
 
 OffSec tool to validate VM memory encryption and confidential computing enablement.
 Use for authorised penetration tests and security assessments only.

 [!] AUTHORIZED TESTING ONLY — Run only against systems you own or have explicit written permission to test.
 (c) 2025 enclaive.io   |  Repo: https://github.com/enclaive/vmgrab  |  License: MIT

🎯 Attacking VM: neo4j-vm1

📥 [1/3] Dumping memory...
━━━━━━━━━━━━━━━━━━━━━━━━ 100% | 4.2 GB

🔍 [2/3] Searching for pattern: 117-66-8129
Found at offset 0x2a4f8000:
  ...NHS:117-66-8129,Name:John Smith...

✅ Result: VULNERABLE - Sensitive data exposed!

TL;DR

Standard virtual machines hold guest code and data in plaintext in host RAM, so anyone who can read the hypervisor process (a host administrator, a cloud operator, or an attacker with host access) can read them too. Confidential VMs (e.g., AMD SEV-SNP, Intel TDX) encrypt guest memory at runtime and let the guest attest its launch state, shrinking what the host/hypervisor can see. VMgrab is an offensive security tool for technical assessors that automates VM memory acquisition from the host and produces forensic artifacts and test vectors to check whether those confidentiality guarantees hold in practice. It is designed for pentesters, red-teamers, auditors and incident responders who need to empirically validate encryption/attestation behaviour, identify implementation gaps, and document reproducible findings.

What VMgrab is about

Virtual machines expose volatile guest state — code, secrets and runtime data — in RAM. Confidential VM technologies (notably AMD SEV-SNP and Intel TDX) provide runtime memory encryption and associated attestation mechanisms to constrain host/hypervisor visibility. VMgrab is an offensive engineering toolset that:

  • automates controlled VM memory acquisition using host-level acquisition vectors common to cloud and on-prem hypervisors;
  • produces canonical memory dumps and audit artifacts for repeatable analysis;
  • exercises and verifies confidentiality and attestation assertions (e.g., whether guest pages read from the host are still ciphertext, whether firmware/host components leak guest plaintext, and how guest keys/TEEs are managed);
  • helps quantify real-world attack surface and implementation gaps in SEV/TDX deployments, and generates evidence suitable for technical reports and remediation planning.

Intended audience:

  • experienced offensive security engineers
  • forensic analysts
  • systems architects performing authorized security assessments

Use Cases:

  • Security research and penetration testing
  • Confidential computing demonstrations
  • Educational workshops on memory encryption
  • Compliance audits (proving data protection)

Important note: Use only on assets for which you have explicit written permission.

Features

  • Multi-backend memory dump support:
    • procmem — Universal /proc/pid/mem based dump (works for any QEMU process on the host, including the VMs behind Kata Containers)
    • libvirt — virsh-based dump for libvirt-managed VMs
    • qemu — Direct QMP socket communication
  • Search memory dumps for sensitive data (NHS numbers, SSNs, emails, etc.)
  • Compare classical VMs vs confidential VMs (cVMs with memory encryption)
  • Automatic SEV-SNP/SEV/TDX detection from QEMU command line
  • Run automated dump-and-search attacks against a target VM
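How the command-line detection in the list above can be done from the host, as an added example that is not VMgrab's own code: QEMU enables memory encryption through a confidential-guest object (sev-guest for SEV/SEV-ES, sev-snp-guest, tdx-guest) that the -machine option must reference via confidential-guest-support= (or the older memory-encryption=). An object that is defined but never referenced leaves the guest running in plaintext, so the check reports that case separately. It reads argv in the NUL-separated form of /proc/<pid>/cmdline and handles only QEMU's shorthand key=value syntax; not parsing the JSON form of -object is an assumption of this example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Detection is what the host can learn about a QEMU guest from its argv alone.
type Detection struct {
	Kind     string // "standard", "sev", "sev-snp" or "tdx"
	ObjectID string // id= of the confidential-guest object, if one is defined
	Wired    bool   // -machine references that id; if false the object is inert
}

// objectKinds maps QEMU -object types to the technology they enable.
// SEV-ES uses the same sev-guest object with bit 2 set in its policy= value.
var objectKinds = map[string]string{
	"sev-guest":     "sev",
	"sev-snp-guest": "sev-snp",
	"tdx-guest":     "tdx",
}

// DetectConfidential classifies a QEMU process from its NUL-separated argv
// (the /proc/<pid>/cmdline format). Only the shorthand key=value syntax is
// handled; the JSON form of -object is not (an assumption of this example).
func DetectConfidential(cmdline []byte) Detection {
	args := strings.Split(strings.TrimRight(string(cmdline), "\x00"), "\x00")
	det := Detection{Kind: "standard"}
	var machineRefs []string
	for i := 0; i+1 < len(args); i++ {
		props := strings.Split(args[i+1], ",")
		switch args[i] {
		case "-object":
			kind, ok := objectKinds[props[0]]
			if !ok {
				continue // memory backends, RNG devices etc. do not matter here
			}
			det.Kind = kind
			for _, p := range props[1:] {
				if strings.HasPrefix(p, "id=") {
					det.ObjectID = strings.TrimPrefix(p, "id=")
				}
			}
		case "-machine", "-M":
			for _, p := range props {
				for _, key := range []string{"confidential-guest-support=", "memory-encryption="} {
					if strings.HasPrefix(p, key) {
						machineRefs = append(machineRefs, strings.TrimPrefix(p, key))
					}
				}
			}
		}
	}
	for _, ref := range machineRefs {
		if det.ObjectID != "" && ref == det.ObjectID {
			det.Wired = true
		}
	}
	return det
}

// Usage: cvm-detect <qemu-pid>. /proc/<pid>/cmdline is normally readable
// without root, unlike the guest's memory.
func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: cvm-detect <qemu-pid>")
		os.Exit(2)
	}
	cmdline, err := os.ReadFile("/proc/" + os.Args[1] + "/cmdline")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	d := DetectConfidential(cmdline)
	fmt.Printf("kind=%s object=%q wired=%v\n", d.Kind, d.ObjectID, d.Wired)
	if d.Kind != "standard" && !d.Wired {
		fmt.Println("warning: confidential-guest object defined but not attached to -machine; guest RAM is plaintext")
	}
}
```

The Wired flag is the part worth keeping even if you never run the rest: a command line that looks confidential at a glance but lacks the -machine reference is a misconfiguration that a memory dump will then confirm.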

Requirements

  • Linux host OS with KVM/QEMU
  • root (sudo) privileges: reading /proc/<pid>/mem of a QEMU process requires ptrace-attach rights on that process
  • Go 1.22+ (for building from source)
  • Optional: virsh for libvirt backend

Installation

# Build using Makefile (recommended - includes version info)
make build

# The binary will be in bin/vmgrab
./bin/vmgrab --version

# Or install to /usr/local/bin
make install

# Or build manually
go build -o bin/vmgrab

Configuration

Create a .vmgrab.yaml config file for custom settings:

./bin/vmgrab config init

See .vmgrab.yaml.example for configuration options.

Commands

  • list - List all VMs with security status (SEV-SNP vs Vulnerable)
  • dump - Dump VM memory to file
  • search - Search memory dump for patterns (regex supported)
  • attack - Complete attack demo on single VM (dump + search + cleanup)
  • demo - Full automated demonstration comparing standard vs confidential VMs
  • disk-search - Search VM disk files from host (a LUKS-encrypted disk should yield no plaintext matches)
  • config - Manage configuration (init, show, validate)
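What the demo's standard-vs-confidential comparison comes down to at the byte level, as an added example rather than VMgrab's code: a page the host reads out of a standard VM is plaintext (text, code or zeros) and has low Shannon entropy, while a page of SEV/TDX ciphertext looks uniformly random. The block streams a dump 4 KiB at a time so a multi-GB file never has to fit in memory and classifies each page. The 7.5 bits/byte threshold and the constructed sample dump (plaintext records, zero pages, PRNG output standing in for ciphertext) are this example's assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"math"
	"math/rand"
	"os"
)

// ShannonEntropy returns the entropy of a buffer in bits per byte: 0 for an
// empty or constant buffer, close to 8 for uniformly random bytes.
func ShannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n, h := float64(len(b)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// LooksEncrypted is the per-page heuristic: a 4 KiB page of ciphertext sits near
// 8 bits/byte, while code, text and zero pages fall well below. The 7.5 threshold
// is this example's choice, not a property of SEV or TDX.
func LooksEncrypted(page []byte) bool { return ShannonEntropy(page) > 7.5 }

// PageStats summarises a dump. A standard VM is dominated by "other" (plaintext)
// and zero pages; a confidential VM by ciphertext-like pages.
type PageStats struct{ Total, Encrypted, Zero int }

// ClassifyReader walks a dump page by page without loading it whole; a short
// final page is classified like any other.
func ClassifyReader(r io.Reader) (PageStats, error) {
	var st PageStats
	page := make([]byte, 4096)
	for {
		n, err := io.ReadFull(r, page)
		if n > 0 {
			st.Total++
			switch p := page[:n]; {
			case LooksEncrypted(p):
				st.Encrypted++
			case bytes.Count(p, []byte{0}) == len(p):
				st.Zero++
			}
		}
		if err == io.EOF || err == io.ErrUnexpectedEOF {
			return st, nil
		}
		if err != nil {
			return st, err
		}
	}
}

// ClassifyDump is the in-memory form of ClassifyReader.
func ClassifyDump(dump []byte) PageStats {
	st, _ := ClassifyReader(bytes.NewReader(dump))
	return st
}

// SampleDump is constructed test data, not a real dump: n pages of a plaintext
// record, n zero pages and n PRNG pages (standing in for ciphertext), in that order.
func SampleDump(n int, seed int64) []byte {
	r := rand.New(rand.NewSource(seed))
	dump := bytes.Repeat([]byte("NHS:117-66-8129,Name:John Smith\n"), 128*n) // 32 bytes x 128 = one page
	dump = append(dump, make([]byte, 4096*n)...)
	random := make([]byte, 4096*n)
	for i := range random {
		random[i] = byte(r.Intn(256))
	}
	return append(dump, random...)
}

// Usage: dump-entropy [file]. With a path, classify a dump written to disk (for
// example by vmgrab dump); without one, classify the constructed sample.
func main() {
	src := io.Reader(bytes.NewReader(SampleDump(4, 1)))
	if len(os.Args) == 2 {
		f, err := os.Open(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		defer f.Close()
		src = f
	}
	st, err := ClassifyReader(src)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%d pages: %d ciphertext-like, %d zero, %d other (plaintext)\n", st.Total, st.Encrypted, st.Zero, st.Total-st.Encrypted-st.Zero)
}
```

A single high-entropy page proves nothing: a standard VM also holds compressed data, keys and cached encrypted files, so compare the proportions over a whole dump of each VM type. Conversely, plaintext pages in a confidential VM dump are not automatically a finding: an SEV guest deliberately shares some pages with the host (for example DMA bounce buffers), so each such page has to be checked for what it actually contains.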

Usage Example

# List all VMs with security status
./bin/vmgrab list

# Dump VM memory (auto-selects best backend: procmem)
sudo ./bin/vmgrab dump <vm-name> -o /tmp

# Force specific backend
sudo ./bin/vmgrab dump <vm-name> -o /tmp --backend procmem
sudo ./bin/vmgrab dump <vm-name> -o /tmp --backend libvirt

# Search memory dump for patterns
./bin/vmgrab search /tmp/<vm-name>-*.dump "password"
./bin/vmgrab search /tmp/<vm-name>-*.dump "123-45-6789"

# Run complete attack on single VM
sudo ./bin/vmgrab attack <vm-name> --pattern "sensitive-data"

# Run full demo (standard VM vs confidential VM)
sudo ./bin/vmgrab demo

Backends

Backend            Method                      Best for
procmem (default)  /proc/pid/mem               Universal - works everywhere, including Kata
libvirt            virsh dump --memory-only    libvirt-managed VMs
qemu               QMP dump-guest-memory       Direct QEMU access

The default backend is procmem as it works on any Linux system with QEMU processes, including:

  • Standard libvirt VMs
  • Kata Containers (where QMP socket is occupied by runtime)
  • Any direct QEMU process
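The procmem backend reduced to its essentials, as an added example that is not VMgrab's code: /proc/<pid>/maps lists the QEMU process's mappings (guest RAM is among them, as one large anonymous, memfd or hugetlbfs mapping), and /proc/<pid>/mem can be read at those virtual addresses with pread. The example parses the maps, reads every readable region in chunks and runs a regex over it, with two details a naive dump-then-grep misses: chunks overlap so a match straddling a chunk boundary is still found exactly once, and a page the host cannot read (EIO) skips the rest of that region instead of aborting the scan, which is what a confidential guest's private memory looks like from the host. It searches in place rather than writing a dump file; the chunk size (1 MiB), the overlap (256 bytes, the longest match it guarantees) and the output format are this example's choices.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"regexp"
	"strconv"
	"strings"
)

// Region is a readable mapping from /proc/<pid>/maps. Match is a hit whose Addr is
// the virtual address in the QEMU process, which is also its offset in /proc/<pid>/mem.
type Region struct{ Start, End uint64; Path string }
type Match struct{ Addr uint64; Text, Path string }

// ParseMaps keeps the readable mappings of /proc/<pid>/maps. [vvar] and [vsyscall]
// are dropped because reads of them through /proc/<pid>/mem fail.
func ParseMaps(r io.Reader) ([]Region, error) {
	var regions []Region
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		f := strings.Fields(sc.Text()) // start-end perms offset dev inode [path]
		if len(f) < 5 || !strings.HasPrefix(f[1], "r") {
			continue
		}
		lo, hi, _ := strings.Cut(f[0], "-")
		start, err1 := strconv.ParseUint(lo, 16, 64)
		end, err2 := strconv.ParseUint(hi, 16, 64)
		path := strings.Join(f[5:], " ") // keeps "(deleted)" suffixes and spaces in paths
		if err1 != nil || err2 != nil || end <= start || path == "[vvar]" || path == "[vsyscall]" {
			continue
		}
		regions = append(regions, Region{start, end, path})
	}
	return regions, sc.Err()
}

// ScanRegions reads every region through mem in chunks and applies re to each.
// Consecutive chunks overlap by `overlap` bytes so a match up to that length is
// never lost at a boundary: a match touching a chunk's end is left to the next
// chunk, and a repeat inside the overlap is dropped. A zero-length read (EIO on a
// page the host may not read) skips the rest of that region instead of aborting.
func ScanRegions(mem io.ReaderAt, regions []Region, re *regexp.Regexp, chunk, overlap int) ([]Match, error) {
	if overlap <= 0 || overlap >= chunk {
		return nil, fmt.Errorf("overlap %d must be in 1..%d", overlap, chunk-1)
	}
	buf, seen := make([]byte, chunk), map[uint64]bool{}
	var matches []Match
	for _, reg := range regions {
		for s := reg.Start; s < reg.End; {
			want := chunk
			if rem := reg.End - s; rem < uint64(chunk) {
				want = int(rem)
			}
			n, _ := mem.ReadAt(buf[:want], int64(s)) // n < want: the following page was unreadable
			if n == 0 {
				break
			}
			for _, idx := range re.FindAllIndex(buf[:n], -1) {
				if idx[1] == n && s+uint64(n) < reg.End {
					continue // possibly truncated; the next chunk holds it whole
				}
				if addr := s + uint64(idx[0]); !seen[addr] {
					seen[addr] = true
					matches = append(matches, Match{addr, string(buf[idx[0]:idx[1]]), reg.Path})
				}
			}
			if s += uint64(n); s >= reg.End {
				break
			}
			if n > overlap {
				s -= uint64(overlap) // step back so the next chunk overlaps this one
			}
		}
	}
	return matches, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	return v
}

// Usage: procmem-search <qemu-pid> <regex>; opening another process's mem needs ptrace-attach rights, so run as root.
func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: procmem-search <qemu-pid> <regex>")
		os.Exit(2)
	}
	pid := must(strconv.Atoi(os.Args[1]))
	regions := must(ParseMaps(must(os.Open(fmt.Sprintf("/proc/%d/maps", pid)))))
	mem := must(os.Open(fmt.Sprintf("/proc/%d/mem", pid)))
	for _, m := range must(ScanRegions(mem, regions, regexp.MustCompile(os.Args[2]), 1<<20, 256)) {
		fmt.Printf("0x%012x %-24s %q\n", m.Addr, m.Path, m.Text)
	}
}
```

Run it as root against the QEMU PID (pgrep -f qemu-system finds it): sudo ./procmem-search <qemu-pid> '\d{3}-\d{2}-\d{4}'. Two things to keep in mind when reading the results: the scan covers QEMU's own heap as well as guest RAM, so a hit is only a guest secret if its address falls inside the guest-RAM mapping, and on a host with kernel.yama.ptrace_scope set to 3 even root is refused access to another process's mem.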