r2vmi

by Wenzel


Hypervisor-Level Debugger based on Radare2 / LibVMI, using VMI IO and debug plugins

129 Stars 22 Forks Last release: Not found GNU Affero General Public License v3.0 71 Commits 0 Releases


r2vmi

Join the chat at https://gitter.im/r2vmi/Lobby

Radare2 VMI IO and debugger plugins.

These plugins allow you to debug remote process running in a VM, from the hypervisor-level, leveraging Virtual Machine Introspection.

Based on Libvmi to access the VM memory and listen on hardware events.

Note: since hack.lu 2018, I shifted my work towards an improved version of this project which is more flexible and open to any reverse-engineering framework that can act as a GDB frontend:

https://github.com/Wenzel/pyvmidbg

What works:
- Intercept a process by name/PID (at CR3 load)
- Read the registers
- Single-step the process execution
- Set breakpoints
  - software
  - hardware (based on memory access permissions, page must be mapped)
- Load Kernel symbols

Demo

High quality link

The following demonstrates how r2vmi:
- intercepts the explorer.exe process
- sets a software breakpoint on NtOpenKey
- handles the breakpoint hit (ignoring hits from processes that are not targeted)
- uses radare2 to disassemble NtOpenFile's function
- single-steps the execution
- opens a Rekall shell using the VMIAddressSpace to work on the VM's physical memory
- runs the pslist plugin
- runs the dlllist plugin and selects a random DLL's base address
- seeks to that address in radare2 and displays the MZ header

R2VMI_DEMO

Requirements

Setup

A complete installation guide is available on the Wiki.

Usage

You need a virtual machine configured on top of Xen, and a process name/PID to intercept:

$ r2 -d vmi://<vm name>:<process name or pid>

Example:

$ r2 -d vmi://win7:firefox
