• Stars
    star
    178
  • Rank 214,989 (Top 5 %)
  • Language
    C
  • Created over 13 years ago
  • Updated over 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

a bare metal (type 1) VMM (hypervisor) with a python remote control API

What is Ramooflax ?

Ramooflax is a free and open source (GPLv2) virtualization tool.

Ramooflax aims at analyzing/debugging/controlling modern operating systems and complex software pieces as well as real life BIOS running on a physical machine.

Ramooflax provides a small hypervisor and a remote client allowing high-level access to the features implemented into the hypervisor.

On what hardware does it run ?

Ramooflax has been implemented for the PC world. That is Intel and AMD x86 32 and 64 bits.

Ramooflax relies on hardware virtualization extensions (AMD-V and Intel VT-x) that can be found in recent CPUs.

For Intel ones, Ramooflax needs EPT and Unrestricted guest features present since the Westmere microarchitecture. More details can be found on this wikipedia page.

For AMD ones, the only required feature is RVI and can be found into Phenom II CPUs. Some details are given on this wikipedia page.

Ramooflax can run under VMware workstation/fusion using the โ€œvirtualize vm-x/EPTโ€ feature. But you still need a skilled enough CPU.

Notice that you can also run Ramooflax under Bochs 2.4.6.

How does it work ?

Ramooflax starts during the boot process of the machine. It can be seen as the first operating system started by the BIOS.

Once started, Ramooflax will automatically virtualize the running BIOS and all the to be run software pieces.

For instance, if you already have installed an operating system, it will be started as a virtual machine.

Ramooflax is an hypervisor dedicated to only one virtual machine, running in a virtualized environment which is as close as its native environment.

Ramooflax needs to be installed on a bootable storage (ie USB key with GRUB).

Documentation

All documents can be found on the Ramooflax wiki pages.

Software requirements

ramooflax has been compiled/tested using gcc-4.8. The loader is a 32 bits ELF while the setup and vmm kernels are 64 bits ELF.

Under Debian-like systems, the following packages are needed whether you run a 32 or 64 bits OS:

$ sudo apt-get install gcc-4.8 gcc-4.8-multilib make

Limitations

Intel and AMD are both supported. Notice that multi-cores feature is not supported yet, so you will only have one core while running virtualized.

It is recommended to read the documentation.

Obtaining

$ git clone [email protected]:sduverger/ramooflax.git

Configuring

First cleanup everything and call the specific configuration menu to choose your components

$ make distclean config

Under the build menu you will be able to choose from Intel or AMD manufacturer, which control device you want to use, debug device and so on.

For the time being, it is recommended to use NET as controlling device and UART as debugging one.

Building

Once configured you can run

$ make

This will build the loader, setup and vmm binaries.

Installing

$ make install

The installation rules looks for a script named installer.sh. We provide example scripts, located in tools, which update VMware and QEMU virtual disk images. You can define your own one and override the INSTOOL make variable:

make INSTOOL=tools/installer_qemu.sh install

Ramooflax needs a multiboot compliant bootloader (such as GRUB). The following GRUB 1 (legacy) entry can be defined to boot ramooflax:

title  Ramooflax
root   (hd0,0)
kernel /loader.bin
module /setup.bin
module /vmm.bin pool=1234 ip=192.168.0.2 gateway=192.168.0.1 netmask=255.255.255.0

We also provide a disk image creation tool (which needs GRUB legacy), in tools:

sudo ./tools/create_disk.sh ramooflax.img 32M ../grub/ loader/build/loader.bin setup/build/setup.bin vmm/build/vmm.bin 

[+] building disk image (32MB)
[+] create part on disk image
[+] formating disk
[+] mounting disk
[+] copy grub
[+] installing files
[+] configure grub
[+] install grub
[+] unmounting disk

Disk is ready !
- mnt it using : "mount -o loop,offset=512 ramooflax.img /mnt"
- run it using : "qemu -hda ramooflax.img"

The tool builds a GRUB bootable disk image of the given size, with ramooflax as default entry.

Using

You will need python (tested with 2.6.x) to run the client.

EHCI interface

If you use the EHCI Debug device configuration to control the hypervisor from the remote client, you will need a USB debug device on the client side.

You can either buy one or use the DBGP USB Gadget provided into the Linux kernel since the 2.6.36 version.

To be able to use such a Gadget, you need a device USB controller as found in embedded ARM development boards or smartphones.

Please read documentation to have usage examples of the client API.

Network interface

Do not forget to provide Ramooflax network settings on vmm module cmd line into the GRUB configuration entry.

As shown into Installing section, you can provide ip, netmask and gateway options to the vmm module.

Reaching the hypervisor will depend on your setup (real machine, running on a host using VMware, โ€ฆ) for the IP configuration part.

The VMM is listening to UDP port 1337.

More Repositories

1

bincat

Binary code static analyser, with IDA integration. Performs value and taint analysis, type reconstruction, use-after-free and double-free detection
OCaml
1,662
star
2

qemu_blog

A series of posts about QEMU internals:
1,345
star
3

cpu_rec

Recognize cpu instructions in an arbitrary binary file
Python
640
star
4

ilo4_toolbox

Toolbox for HPE iLO4 & iLO5 analysis
Python
412
star
5

warbirdvm

An analysis of the Warbird virtual-machine protection for the CI!g_pStore
Ruby
216
star
6

diffware

An extensively configurable tool providing a summary of the changes between two files or directories, ignoring all the fluff you don't care about.
Python
196
star
7

gustave

GUSTAVE is a fuzzing platform for embedded OS kernels. It is based on QEMU and AFL (and all of its forkserver siblings). It allows to fuzz OS kernels like simple applications.
Python
194
star
8

powersap

Powershell SAP assessment tool
PowerShell
187
star
9

crashos

A tool dedicated to the research of vulnerabilities in hypervisors by creating unusual system configurations.
C
182
star
10

c-compiler-security

Security-related flags and options for C compilers
Python
179
star
11

bta

Open source Active Directory security audit framework.
Python
131
star
12

android_emuroot

Android_Emuroot is a Python script that allows granting root privileges on the fly to shells running on Android virtual machines that use google-provided emulator images called Google API Playstore, to help reverse engineers to go deeper into their investigations.
Python
121
star
13

AutoResolv

Python
71
star
14

elfesteem

ELF/PE/Mach-O parsing library
Python
50
star
15

GEA1_break

Implementation of the key recovery attack against GEA-1 keys (Eurocrypt 2021)
C
47
star
16

airbus-seclab.github.io

Conferences, tools, papers, etc.
43
star
17

AFLplusplus-blogpost

Blogpost about optimizing binary-only fuzzing with AFL++
Shell
34
star
18

nbutools

Tools for offensive security of NetBackup infrastructures
Python
30
star
19

rebus

REbus facilitates the coupling of existing tools that perform specific tasks, where one's output will be used as the input of others.
Python
25
star
20

usbq_core

USB man in the middle linux kernel driver
C
19
star
21

AppVsWild

application process protection hypervisor virtualization encryption
9
star
22

gunpack

Generic unpacker (dynamic)
C
8
star
23

usbq_userland

User land program to be used with usbq_core
Python
8
star
24

ramooflax_scripts

ramooflax python scripts
Python
6
star
25

cpu_doc

Curated set of documents about CPU
3
star
26

c2newspeak

C
3
star
27

rebus_demo

REbus demo agents
Python
2
star
28

security-advisories

2
star
29

pwnvasive

semi-automatic discovery and lateralization
Python
1
star
30

pok

forked from pok-kernel/pok
C
1
star
31

afl

Airbus seclab fork of AFL
C
1
star