Wenzel/ r2vmi
Need help with r2vmi?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.
About the developer
129 Stars 
22 Forks 
GNU Affero General Public License v3.0 
71 Commits 
8 Opened issues 
Description
Hypervisor-Level Debugger based on Radare2 / LibVMI, using VMI IO and debug plugins
Services available
Contributors list
Readme
r2vmi
Radare2 VMI IO and debugger plugins.
These plugins allow you to debug remote process running in a VM, from the hypervisor-level, leveraging Virtual Machine Introspection.
Based on
Libvmito access the VM memory and listen on hardware events.
Note: since hack.lu 2018, I shifted my work towards an improved version of this project which is more flexible and open to any reverse-engineering framework that can act as a GDB frontend:
https://github.com/Wenzel/pyvmidbg
What works: - Intercept a process by name/PID (at
CR3load) - Read the registers - Single-step the process execution - Set breakpoints - software - hardware (based on memory access permissions, page must be mapped) - Load Kernel symbols
Demo
The following demonstrate how
r2vmi: - intercepts
explorer.exeprocess - sets a
softwarebreakpoint on
NtOpenKey- how the breakpoint is hit (ignoring hits by not targeted processes) - using
radare2to disassemble
NtOpenFile's function - singlestep the execution - opening a
Rekallshell usin the
VMIAddressSpaceto work on the VM's physical memory - running
pslistplugin - running
dlllistplugin and selecting a random
DLL's base address - seeking there in
radare2and displaying the
MZheader
Requirements
Setup
An complete installation guide is available on the Wiki
Usage
You need a virtual machine configured on top of
Xen, and a process name/pid to intercept
$ r2 -d vmi://:
Example:
$ r2 -d vmi://win7:firefox