
Is there any way to implement VMI without using procinfo_generic?

Open RLee063 opened this issue 1 year ago • 2 comments

In order to implement Linux VMI, DECAF needs to compile procinfo.ko and run it in the target kernel. But in my case, I have a restricted virtual machine and cannot get the kernel's source code, and it is not easy to insert modules on it.

So I'm curious, is there a theoretically feasible way to get this procinfo (addresses and structure offsets, etc.) directly from the QEMU level without extra work?

NOTE: This is not a request for DECAF enhancement, just a free technical discussion.

RLee063 avatar Sep 11 '23 04:09 RLee063
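To make concrete what the "procinfo" the question refers to actually buys an introspection tool, here is an added example (not DECAF's code and not from the thread) that walks a process list from a raw guest-memory image the way a VMI component does: it needs the address of init_task and the offsets of the tasks list node, pid and comm fields inside task_struct. Every address, offset and the toy task_struct layout below are constructed assumptions for illustration, not the real Linux values; the buffer stands in for guest physical memory as QEMU would expose it. The plausibility check at the end shows why wrong offsets are a problem for a tool that cannot load a module to measure them.

```python
import struct

# Constructed toy layout of a 64-bit guest: a flat bytes buffer standing in for
# guest memory, and a fake task_struct format. All addresses and offsets are
# assumptions for this example, not Linux's real values.
TASK_SIZE = 0x40
OFFSETS = {"tasks_next": 0x08, "pid": 0x18, "comm": 0x20}   # hypothetical
WRONG_OFFSETS = {"tasks_next": 0x08, "pid": 0x20, "comm": 0x18}  # pid/comm swapped
COMM_LEN = 16
INIT_TASK_VA = 0x1000          # hypothetical address of init_task
PID_MAX_LIMIT = 4 * 1024 * 1024  # Linux's 64-bit PID_MAX_LIMIT (2^22)

# Constructed sample process list; index 0 plays the role of init_task.
SAMPLE_PROCS = [(0, "swapper/0"), (1, "systemd"), (2, "kthreadd"), (812, "sshd")]


def build_guest_memory(procs):
    """Build a constructed memory image whose task_structs form a circular list.

    As in Linux, the list pointer stores the address of the embedded list node
    (struct + tasks_next), not the start of the next task_struct.
    """
    n = len(procs)
    mem = bytearray(INIT_TASK_VA + TASK_SIZE * n)
    for i, (pid, comm) in enumerate(procs):
        addr = INIT_TASK_VA + i * TASK_SIZE
        nxt = INIT_TASK_VA + ((i + 1) % n) * TASK_SIZE
        struct.pack_into("<Q", mem, addr + OFFSETS["tasks_next"],
                         nxt + OFFSETS["tasks_next"])
        struct.pack_into("<I", mem, addr + OFFSETS["pid"], pid)
        start = addr + OFFSETS["comm"]
        mem[start:start + COMM_LEN] = comm.encode().ljust(COMM_LEN, b"\0")
    return bytes(mem)


def read_u64(mem, va):
    return struct.unpack_from("<Q", mem, va)[0]


def read_u32(mem, va):
    return struct.unpack_from("<I", mem, va)[0]


def walk_task_list(mem, init_task_va, offsets, max_tasks=1024):
    """Enumerate (pid, comm) from init_task using only memory reads and offsets.

    This is the container_of()-style traversal a VMI tool performs: follow the
    list node pointer, subtract the node's offset to get back to the struct.
    The visited set ends the walk when the circular list returns to init_task
    and protects against garbage pointers forming a loop.
    """
    results, seen, cur = [], set(), init_task_va
    for _ in range(max_tasks):
        if cur in seen:
            break
        seen.add(cur)
        try:
            pid = read_u32(mem, cur + offsets["pid"])
            raw = mem[cur + offsets["comm"]: cur + offsets["comm"] + COMM_LEN]
            comm = raw.split(b"\0", 1)[0].decode("ascii", errors="replace")
            node = read_u64(mem, cur + offsets["tasks_next"])
        except struct.error:
            break  # pointer left the image: stop rather than read garbage
        results.append((pid, comm))
        cur = node - offsets["tasks_next"]
    return results


def plausible(entries):
    """Cheap sanity check a tool can apply when it is unsure of its offsets:
    PIDs must be below PID_MAX_LIMIT and comm must be a printable ASCII name."""
    if not entries:
        return False
    for pid, comm in entries:
        if pid >= PID_MAX_LIMIT:
            return False
        if not comm or not comm.isascii() or not comm.isprintable():
            return False
    return True


if __name__ == "__main__":
    image = build_guest_memory(SAMPLE_PROCS)
    for pid, comm in walk_task_list(image, INIT_TASK_VA, OFFSETS):
        print(f"{pid:6d}  {comm}")
    print("wrong offsets plausible:",
          plausible(walk_task_list(image, INIT_TASK_VA, WRONG_OFFSETS)))
```

With the correct offsets the walk reproduces the four constructed processes; with the pid and comm offsets swapped it returns a PID far above PID_MAX_LIMIT and non-printable names, which is exactly the kind of signal an introspection tool needs when the offsets were not measured in-guest by a module such as procinfo.ko.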

Yeah, it is actually possible. Check out our recent paper

https://www.ndss-symposium.org/ndss-paper/auto-draft-193/

Heng


hengyin avatar Sep 12 '23 04:09 hengyin


Many thanks, I'll take a look at this.

BTW, are there any other tools like DECAF that can provide VMI capability and are compatible with higher versions of QEMU?

RLee063 avatar Sep 13 '23 07:09 RLee063