Shehu Awwal

VMware Snapshot to Memory Dump: A Step-by-Step Guide

Vmware · Vmware


February 8, 2025

We are going to take a look at how to convert a VMware snapshot into a memory dump. You might ask why we would need to convert a snapshot into a memory dump; there are different reasons, and one of them is forensic or malware analysis.

Some malware resides only in memory and leaves no traces on disk, so malware analysts use memory dumps to identify the malicious code or processes that were in memory at the time.

In order to convert a VMware snapshot you need vmss2core.

vmss2core is a utility provided by VMware that converts VMware snapshot files (.vmsn or .vmss) and memory files (.vmem) into a core dump format (e.g., .dmp or .core). This tool is particularly useful for debugging and analyzing virtual machines (VMs) that have been paused, suspended, or snapshotted.

If you have VMware Workstation or VMware Fusion installed on your computer, whether Windows or macOS, vmss2core can be found here:

Windows (32-bit versions) – C:\Program Files\VMware\VMware Workstation\
Windows (64-bit versions) – C:\Program Files (x86)\VMware\VMware Workstation\
macOS – /Library/Application Support/VMware Fusion/

If you can't find it or don't have it installed, you can download it for Windows, macOS, or Linux.

vmss2core can be downloaded from here:

Take a VMware Snapshot

  • In VMware ESXi/vSphere
    • Select the VM > right-click > Snapshots > Take Snapshot > check "Snapshot the virtual machine's memory"

Locating The Snapshot Files

Option 1:

In ESXi > Storage > Datastore browser > choose the datastore where the VM is located > select the VM > download the files ending in .vmem and .vmsn

Option 2:

SSH into the ESXi host and change into the VM's directory:

cd /vmfs/volumes/{data store name}/{vm name}

e.g.

cd /vmfs/volumes/disk-four/ubuntu-24-10

From the above, we are interested in two files, the .vmsn and the .vmem, which are:

  • .vmsn: the snapshot state file created when you take a snapshot of a virtual machine (VM). Snapshots are a VMware feature that captures the state of a VM at a specific point in time, including its memory, disk, and settings.

  • .vmem: a raw copy of the VM's memory (RAM) at the time the snapshot was taken.

The .vmem file takes a large amount of disk space; the one above is about 1 GB, because it holds the entire contents of the VM's RAM.
