Radare2 VMI IO and debugger plugins.
These plugins allow you to debug a remote process running in a VM from the hypervisor level, leveraging Virtual Machine Introspection.
Based on Libvmi to access the VM's memory and listen for hardware events.
Note: since hack.lu 2018, I shifted my work towards an improved version of this project which is more flexible and open to any reverse-engineering framework that can act as a GDB frontend:
https://github.com/Wenzel/pyvmidbg
What works:
- CR3 load interception

The following demonstrates how r2vmi:
- intercepts the explorer.exe process
- sets a software breakpoint on NtOpenKey
- uses radare2 to disassemble NtOpenFile's function
- uses the Rekall shell with the VMIAddressSpace to work on the VM's physical memory
- runs the pslist plugin
- runs the dlllist plugin and selects a random DLL's base address
- uses radare2 to display the MZ header

A complete installation guide is available on the Wiki.
You need a virtual machine configured on top of Xen, and a process name/pid to intercept:
$ r2 -d vmi://<vm_name>:<name/pid>
Example:
$ r2 -d vmi://win7:firefox