# Hypervisor-Level Debugger based on Radare2 / LibVMI, using VMI IO and debug plugins

Radare2 VMI IO and debugger plugins.
These plugins allow you to debug a remote process running in a VM from the hypervisor level, leveraging Virtual Machine Introspection.

Based on LibVMI to access the VM memory and listen on hardware events.
Note: since hack.lu 2018, I shifted my work towards an improved version of this project which is more flexible and open to any reverse-engineering framework that can act as a GDB frontend:
https://github.com/Wenzel/pyvmidbg
What works:

- Intercept a process by name/PID (at `CR3` load)
- Read the registers
- Single-step the process execution
- Set breakpoints
  - software
  - hardware (based on memory access permissions; the page must be mapped)
- Load kernel symbols
The following demonstrates how r2vmi:

- intercepts the `explorer.exe` process
- sets a software breakpoint on `NtOpenKey`
- how the breakpoint is hit (ignoring hits by non-targeted processes)
- uses `radare2` to disassemble the `NtOpenFile` function
- single-steps the execution
- opens a `Rekall` shell using the `VMIAddressSpace` to work on the VM's physical memory
- runs the `pslist` plugin
- runs the `dlllist` plugin and selects a random DLL's base address
- seeks there in `radare2` and displays the `MZ` header
A complete installation guide is available on the Wiki.
You need a virtual machine configured on top of Xen, and a process name/PID to intercept:

```
$ r2 -d vmi://<vm_name>:<pid|process_name>
```

Example:

```
$ r2 -d vmi://win7:firefox
```
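The following is an added example, not code from r2vmi or LibVMI, that models the two pieces of behaviour described above: parsing a `vmi://<vm_name>:<pid|process_name>` target, and then intercepting that process at `CR3` load while ignoring breakpoint hits that belong to other guest processes. The event stream, the CR3-to-process table and the `ProcessTracker` class are constructed for this example; a process name is matched as a prefix of the image name (so `firefox` matches `firefox.exe`), which is an assumption rather than r2vmi's documented matching rule.

```python
"""Added example (hypothetical, not part of r2vmi or LibVMI): how a VMI
debugger selects a target process from hypervisor-level events.

Assumptions (constructed for this example):
- target spec follows the page's vmi://<vm_name>:<pid|process_name> form
- events are plain dicts from an in-memory list, not real LibVMI callbacks
- a process name matches as a prefix of the guest image name
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VmiTarget:
    vm_name: str
    pid: Optional[int]            # set when the target was numeric
    process_name: Optional[str]   # set when the target was a name


def parse_vmi_uri(uri: str) -> VmiTarget:
    """Parse vmi://<vm_name>:<pid|process_name>; a purely numeric target is a PID."""
    prefix = "vmi://"
    if not uri.startswith(prefix):
        raise ValueError(f"not a vmi:// URI: {uri!r}")
    vm_name, sep, target = uri[len(prefix):].partition(":")
    if not sep or not vm_name or not target:
        raise ValueError("expected vmi://<vm_name>:<pid|process_name>")
    if target.isdigit():
        return VmiTarget(vm_name, int(target), None)
    return VmiTarget(vm_name, None, target)


def matches(target: VmiTarget, pid: int, name: str) -> bool:
    """True when (pid, name) is the process the user asked for."""
    if target.pid is not None:
        return pid == target.pid
    return name.lower().startswith((target.process_name or "").lower())


class ProcessTracker:
    """Follows CR3 loads to know which guest process is scheduled, so that a
    breakpoint hit can be attributed to a process and ignored if it is not
    the target (e.g. a software breakpoint on a shared kernel page)."""

    def __init__(self, target: VmiTarget, cr3_table: Dict[int, Tuple[int, str]]):
        # cr3_table maps a page-directory base (CR3) -> (pid, image name); constructed
        self.target = target
        self.cr3_table = cr3_table
        self.current_cr3: Optional[int] = None
        self.intercepted = False

    def _current_process(self) -> Tuple[int, str]:
        return self.cr3_table.get(self.current_cr3, (-1, "?"))

    def on_event(self, event: dict) -> Optional[str]:
        """Return what the debugger would report for this event, or None if ignored."""
        if event["type"] == "cr3":
            self.current_cr3 = event["value"]
            pid, name = self._current_process()
            if matches(self.target, pid, name) and not self.intercepted:
                self.intercepted = True   # first CR3 load of the target: stop here
                return f"intercepted {name} (pid {pid}) at CR3 load"
            return None
        if event["type"] == "breakpoint":
            pid, name = self._current_process()
            if matches(self.target, pid, name):
                return f"breakpoint hit at {event['rip']:#x} in {name} (pid {pid})"
            return None   # hit by a non-targeted process: silently resume
        return None


# Constructed sample data: three guest processes and a breakpoint on one kernel address
CR3_TABLE = {
    0x1A4000: (4, "System"),
    0x3C7000: (1234, "explorer.exe"),
    0x52B000: (2048, "firefox.exe"),
}
KERNEL_BP = 0xFFFFF80002B0C000   # hypothetical address, stands in for NtOpenKey
SAMPLE_EVENTS = [
    {"type": "cr3", "value": 0x1A4000},
    {"type": "breakpoint", "rip": KERNEL_BP},   # hit by System
    {"type": "cr3", "value": 0x3C7000},
    {"type": "breakpoint", "rip": KERNEL_BP},   # hit by explorer.exe
    {"type": "cr3", "value": 0x52B000},
    {"type": "breakpoint", "rip": KERNEL_BP},   # hit by firefox.exe
]


def run(uri: str, events=SAMPLE_EVENTS, cr3_table=CR3_TABLE) -> List[str]:
    """Feed the event stream to a tracker for the given vmi:// target."""
    tracker = ProcessTracker(parse_vmi_uri(uri), cr3_table)
    return [msg for msg in (tracker.on_event(ev) for ev in events) if msg]


if __name__ == "__main__":
    for line in run("vmi://win7:explorer.exe"):
        print(line)
```

Running it with `vmi://win7:explorer.exe` reports only the intercept and the one breakpoint hit that occurred while `explorer.exe` was scheduled; the hits from `System` and `firefox.exe` on the same kernel address are dropped, which is the filtering the demo above refers to.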