
Build the introspection layer

Open Wenzel opened this issue 7 years ago • 0 comments

At the moment we rely on parsing LibVMI's JSON rekall profile and inserting the entries into radare's flagspace.

This will only bring us kernel symbols, and it needs Rekall in the first place to generate this profile.

At r2con 2018, I learned that I could use the idpd command to download the appropriate PDBs for my kernel.

TODO:

  • [ ] Find out how to create a new IO inside the physical memory IO, that contains only the kernel
  • [ ] Download the PDB and load them using idpd and idp commands
  • [ ] Find out if the types and kernel structures have been extracted and inserted into radare2, and how to use them.

Wenzel, Sep 11 '18 17:09
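The current approach the issue describes (parsing a LibVMI/Rekall JSON profile and turning its entries into radare2 flags), as an added Python example that is not part of r2vmi or LibVMI. The profile contents and the kernel base address are constructed, and the `sym.`/`obj.` prefixes and the `symbols.kernel` flagspace are naming conventions chosen here.

```python
import json
import re

# Constructed sample in the shape of a Rekall/LibVMI JSON profile (not a real
# profile): symbol names map to RVAs, structs map to [size, {field: [offset, type]}].
SAMPLE_PROFILE = json.dumps({
    "$METADATA": {"ProfileClass": "Ntkrnlmp", "Type": "Profile"},
    "$CONSTANTS": {"PsActiveProcessHead": 0x2D4A10, "KdDebuggerDataBlock": 0x2D2E20},
    "$FUNCTIONS": {"NtCreateFile": 0x1B3C40, "KeBugCheckEx": 0x0F1E00},
    "$STRUCTS": {
        "_EPROCESS": [0x7C0, {
            "Pcb": [0x0, ["_KPROCESS", {}]],
            "UniqueProcessId": [0x2E0, ["Pointer", {}]],
            "ActiveProcessLinks": [0x2E8, ["_LIST_ENTRY", {}]],
        }],
    },
})


def r2_name(name):
    # Keep flag names to characters radare2 accepts; replace anything else with '_'.
    return re.sub(r"[^A-Za-z0-9._]", "_", name)


def rekall_to_r2_flags(profile_json, kernel_base):
    """Turn a Rekall-style profile into radare2 'f' commands.

    Profile values are RVAs, so each one is rebased on the running kernel's
    load address (KASLR), which must be discovered separately through VMI.
    Returns the command list: a flagspace switch, then one flag per symbol.
    """
    profile = json.loads(profile_json)
    cmds = ["fs symbols.kernel"]
    for key, prefix in (("$FUNCTIONS", "sym."), ("$CONSTANTS", "obj.")):
        for name, rva in sorted(profile.get(key, {}).items()):
            cmds.append("f %s%s 1 @ 0x%x" % (prefix, r2_name(name), kernel_base + rva))
    return cmds


def struct_field_offsets(profile_json, struct_name):
    """Field -> offset map for one struct, e.g. to walk _EPROCESS.ActiveProcessLinks."""
    profile = json.loads(profile_json)
    _size, fields = profile["$STRUCTS"][struct_name]
    return {field: desc[0] for field, desc in fields.items()}
```

The emitted commands can be piped into r2 (for example via `r2 -i` or `.` from a script) once the kernel base is known; struct offsets are what a VMI process-list walk needs on top of the symbol flags.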