r2vmi icon indicating copy to clipboard operation
r2vmi copied to clipboard

verified publisher icon Wenzel

Metadata

Hypervisor-Level Debugger based on Radare2 / LibVMI, using VMI IO and debug plugins

r2vmi

Join the chat at https://gitter.im/r2vmi/Lobby

Radare2 VMI IO and debugger plugins.

These plugins allow you to debug remote process running in a VM, from the hypervisor-level, leveraging Virtual Machine Introspection.

Based on Libvmi to access the VM memory and listen on hardware events.

Note: since hack.lu 2018, I shifted my work towards an improved version of this project which is more flexible and open to any reverse-engineering framework that can act as a GDB frontend:

https://github.com/Wenzel/pyvmidbg

What works:

  • Intercept a process by name/PID (at CR3 load)
  • Read the registers
  • Single-step the process execution
  • Set breakpoints
    • software
    • hardware (based on memory access permissions, page must be mapped)
  • Load Kernel symbols

Demo

High quality link

The following demonstrate how r2vmi:

  • intercepts explorer.exe process
  • sets a software breakpoint on NtOpenKey
  • how the breakpoint is hit (ignoring hits by not targeted processes)
  • using radare2 to disassemble NtOpenFile's function
  • singlestep the execution
  • opening a Rekall shell usin the VMIAddressSpace to work on the VM's physical memory
  • running pslist plugin
  • running dlllist plugin and selecting a random DLL's base address
  • seeking there in radare2 and displaying the MZ header

R2VMI_DEMO

Requirements

Setup

An complete installation guide is available on the Wiki

Usage

You need a virtual machine configured on top of Xen, and a process name/pid to intercept

$ r2 -d vmi://<vm_name>:<name/pid>

Example:

$ r2 -d vmi://win7:firefox

Metadata

131
Stars
23
Forks
Watchers

Owner

verified publisher icon Wenzel

Metadata

Hypervisor-Level Debugger based on Radare2 / LibVMI, using VMI IO and debug plugins

Back