Wenzel/r2vmi

This repository has been archived on 17/Nov/2021
Stars
131
Rank 275,867 (Top 6 %)
Language
C
License
GNU Affero Genera...
Created over 6 years ago
Updated almost 6 years ago

Wenzel/r2vmi

Wenzel

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Hypervisor-Level Debugger based on Radare2 / LibVMI, using VMI IO and debug plugins

r2vmi

Radare2 VMI IO and debugger plugins.

These plugins allow you to debug remote process running in a VM, from the hypervisor-level, leveraging Virtual Machine Introspection.

Based on Libvmi to access the VM memory and listen on hardware events.

Note: since hack.lu 2018, I shifted my work towards an improved version of this project which is more flexible and open to any reverse-engineering framework that can act as a GDB frontend:

https://github.com/Wenzel/pyvmidbg

What works:

Intercept a process by name/PID (at CR3 load)
Read the registers
Single-step the process execution
Set breakpoints
- software
- hardware (based on memory access permissions, page must be mapped)
Load Kernel symbols

Demo

High quality link

The following demonstrate how r2vmi:

intercepts explorer.exe process
sets a software breakpoint on NtOpenKey
how the breakpoint is hit (ignoring hits by not targeted processes)
using radare2 to disassemble NtOpenFile's function
singlestep the execution
opening a Rekall shell usin the VMIAddressSpace to work on the VM's physical memory
running pslist plugin
running dlllist plugin and selecting a random DLL's base address
seeking there in radare2 and displaying the MZ header

Requirements

Xen 4.6
pkg-config
libvmi
radare2

Setup

An complete installation guide is available on the Wiki

Usage

You need a virtual machine configured on top of Xen, and a process name/pid to intercept

$ r2 -d vmi://<vm_name>:<name/pid>

Example:

$ r2 -d vmi://win7:firefox

awesome-virtualization

Collection of resources about Virtualization

checksec.py

Checksec tool in Python, Rich output. Based on LIEF

pyvmidbg

LibVMI-based debug server, implemented in Python. Building a guest aware, stealth and agentless full-system debugger

libmicrovmi

A cross-platform unified Virtual Machine Introspection API library

osw-fs-windows

A git history of Windows filesystems

oswatcher

A framework to track the evolution of Operating Systems over time

docker-kdesrc-build

Dockerfiles to compile KDE source code into Docker with kdesrc-build script

vid-sys

Rust unsafe bindings for Vid API (Hyper-V)

libsysinfo

Extracts information about running processes and network connections from the virtual filesystem /proc

protonvpn-nm-import

Script to import ProtonVPN configuration files into NetworkManager automatically

linux-sysinternals

packer-templates-winxp

kvm-vmi

KVM-based Virtual Machine Introspection

kvmi

Rust bindings to KVM's introspection libkvmi library

vagrant-xen-pyvmidbg

Vagrant box to work on pyvmidbg project

xenctrl

CNAF

Source code used by the French CNAF (Caisse Nationale des Allocations Familiales)

packer-templates

My packer templates

fdp

Rust bindings on FDP (Fast Debugging Protocol) VirtualBox introspection library

xenstore

Rust bindings to Xenstore

libvmi-rs

Rust reimplementation of LibVMI

protonvpn-vm

Preconfigured ProtonVPN setup in a virtual machine

docker-gui-app

Summary of the techniques available to run gui applications inside docker

packer-flare

Packer templates to build your FLARE VM from scratch

windows_internals

kvm

Fork of KVM with Virtual Machine Introspection patch

xenevtchn

Rust bindings to xenevtchn library

cmake_template_cpp

A simple C++ project template based on CMake

nitro

KVM-based Virtual Machine Introspection

vagrant-icebox

A vagrant environment to develop Icebox and VirtualBox VMI

unbound-formula

Install and configure the Unbound DNS server

libksysguard

Fork of libksysguard

web_monitor

test-formula

A docker container to quickly test a SaltStack formula

testdbus

kdesrc-build.py

An attempt to rewrite the KDE build system into Python

doxify

Quick C++ source code documentation generator based on doxygen.

wikimedia-phabricator-tools

Fork of https://gerrit.wikimedia.org/r/phabricator/tools

xenvmevent-sys

Rust unsafe bindings for Xen VM event definitions

kdesrc-build-genconf

bug_pyfakefs

No such file or directory in the fake filesystem: b'/tmp'

kde-build-metadata

Fork of the kde-build-metadata KDE repository

pandoc_template

A template to generate reports with Pandoc

wenzel.github.io

https://wenzel.github.io

vagrant-xen-r2vmi

Vagrant box to work on r2vmi project

salt-oneshot

A quick wrapper around SaltStack to quickly test and deploy a system configuration without having to set-up a Salt Master server.

procexp_helper

bug_pyspy

kcm_template_qml

docker-owncloud

Dockerfile to configure and deploy Owncloud with a simplified configuration based on SaltStack

bug_report

A repo to store reproducible code for bug reports

vagrant-xen

A set of Vagrant boxes to install and test the Xen hypervisor

fdp-sys

Rust unsafe bindings on FDP (Fast Debugging Protocol) library for VirtualBox Introspection

xenforeignmemory

Safe Rust bindings to xenforeignmemory

checksec.py-test-binaries

Test binaries for checksec.py

test_bug_actions

https://bugzilla.mozilla.org/show_bug.cgi?id=1622455

kmonitor

A new system monitor for KDE

xenevtchn-sys

Rust bindings for xenevtchn library

kvmi-sys

Rust bindings for KVM's introspection libkvmi library