Question about setup test vm.

[bigbigbanana]

Sorry about hijack other people's issue,i just want to know can i use virt-manager to create win7 test vm or use qemu-img and virt-install orders?

[Wenzel]

The win7 VM is created using a packer template. Then, with the import_libvirt.py script, you can view it in virt-manager.

Read closely the README.

[bigbigbanana]

When i run ./main.py --nobackend win7,it reports errors,how can i fix it?

[bigbigbanana]

And after i install libvmi,then i run ./main.py --nobackend win7,it still exits errors.

[Wenzel]

Read the error messages. too many aruments to function X There is an API mismatch between your installed libvmi version and the one i'm using in Nitro.

Have you installed the nitro branch version of libvmi ? or just pulled master ?

[bigbigbanana]

For the question exists in the first picture i uploaded,did it means i should install libvmi and then i can run ./main.py --nobackend win7?

[Wenzel]

the --nobackend option was meant to just listen to raw hardware events. Libvmi is only required in the backend, to rebuild the context of the virtual machine.

In the first picture you uploaded, the error state that CFFI tried to compile the libvmi wrapper, but you were lacking a compiler, gcc for example.

[bigbigbanana]

But i have installed gcc,am i lack of other packages?

[Wenzel]

@bigbigbanana please to try google and search by yourself. This was really easy to figure out. First link on google. https://stackoverflow.com/questions/26053982/error-setup-script-exited-with-error-command-x86-64-linux-gnu-gcc-failed-wit

[bigbigbanana]

I have solved the above questions by installing libvmi used in nitro,thank you for your suggestions!But i have a question,the rax register stores syscall number,but in th picture,i found 0x1002,0x10162 and so on,these syscall numbers should not be so big,are these results wrong?

[Wenzel]

Windows has 2 main SSDT : the NT and the win32k syscall tables. To differentiate between them, Windows sets a prefix which will should which SSDT to use for a given syscall number. Take a look at Windows Internals.

[bigbigbanana]

When i run ./main.py win7,there exists some errors,what's wrong with it?

[Wenzel]

Install docopt from your package manager. It's available in your distro.

Also nitro is python3 but you are using pip2 not pip3 here

[bigbigbanana]

But i indeed use python3 to install cffi,docopt,ioctl-opt and in nitro repo,i use python3 ./setup.py install order to install the required installation packages,but there still exists errors.

[Wenzel]

You need docopt for python2 also. Nitro is calling a symbols.py python2 with subprocess which imports docopt.

[bigbigbanana]

I used apt-get install python-docopt and after that i run ./main.py win7,it shows no module named rekall but i have installed rekall.

[Wenzel]

which rekall ? How did you install it ?

[bigbigbanana]

I use sudo pip3 install --upgrade setuptools pip wheel and sudo pip3 install rekall orders to install rekall.

[Wenzel]

You have installed the python3 release of Rekall. However our symbols.py is Python2, and therefore searches for Rekall modules in the Python2 search path. You can use the same commands you used to install Rekall, but with pip2 instead, it will work.

[Wenzel]

Reason we have not switched to Rekall python3 is that the latest official release contains some bugs that are only fixed in the upstream git repository. We are waiting for the next release of Rekall.

[bigbigbanana]

@Wenzel Hello,as the output of captured linux vm's syscalls is seperated,if i want to get the singe process's full syscalls like the picture below shows,how can i achieve this?Could you give me some advices?

[Wenzel]

Just post-process the JSON with Python.

[bigbigbanana]

Hello,i want to get sin_port and ip_addr of connect syscall,i use libvmi.read32(the base addr of struct sockaddr_in+offset of sin_port,pid),but i got wrong results.Is this method wrong?