Radare2 VMI IO and debugger plugins.
These plugins allow you to debug remote process running in a VM, from the hypervisor-level, leveraging Virtual Machine Introspection.
Based on Libvmi
to access the VM memory and listen on hardware events.
Note: since hack.lu 2018, I shifted my work towards an improved version of this project which is more flexible and open to any reverse-engineering framework that can act as a GDB frontend:
https://github.com/Wenzel/pyvmidbg
What works:
- Intercept a process by name/PID (at
CR3
load) - Read the registers
- Single-step the process execution
- Set breakpoints
- software
- hardware (based on memory access permissions, page must be mapped)
- Load Kernel symbols
The following demonstrate how r2vmi
:
- intercepts
explorer.exe
process - sets a
software
breakpoint onNtOpenKey
- how the breakpoint is hit (ignoring hits by not targeted processes)
- using
radare2
to disassembleNtOpenFile
's function - singlestep the execution
- opening a
Rekall
shell usin theVMIAddressSpace
to work on the VM's physical memory - running
pslist
plugin - running
dlllist
plugin and selecting a randomDLL
's base address - seeking there in
radare2
and displaying theMZ
header
An complete installation guide is available on the Wiki
You need a virtual machine configured on top of Xen
, and a process name/pid to intercept
$ r2 -d vmi://<vm_name>:<name/pid>
Example:
$ r2 -d vmi://win7:firefox