r2vmi

Radare2 VMI IO and debugger plugins.

These plugins allow you to debug remote process running in a VM, from the hypervisor-level, leveraging Virtual Machine Introspection.

Based on Libvmi to access the VM memory and listen on hardware events.

Note: since hack.lu 2018, I shifted my work towards an improved version of this project which is more flexible and open to any reverse-engineering framework that can act as a GDB frontend:

https://github.com/Wenzel/pyvmidbg

What works:

• Intercept a process by name/PID (at CR3 load)
• Read the registers
• Single-step the process execution
• Set breakpoints
  • software
  • hardware (based on memory access permissions, page must be mapped)
• Load Kernel symbols

Demo

High quality link

The following demonstrate how r2vmi:

• intercepts explorer.exe process
• sets a software breakpoint on NtOpenKey
• how the breakpoint is hit (ignoring hits by not targeted processes)
• using radare2 to disassemble NtOpenFile's function
• singlestep the execution
• opening a Rekall shell usin the VMIAddressSpace to work on the VM's physical memory
• running pslist plugin
• running dlllist plugin and selecting a random DLL's base address
• seeking there in radare2 and displaying the MZ header

Requirements

• Xen 4.6
• pkg-config
• libvmi
• radare2

Setup

An complete installation guide is available on the Wiki

Usage

You need a virtual machine configured on top of Xen, and a process name/pid to intercept

$ r2 -d vmi://<vm_name>:<name/pid>

Example:

$ r2 -d vmi://win7:firefox