This tool uses Virtual Machine Introspection to detect rootkits, trace syscall/APIs, and control VMs' code path to prevent it from being compromised by malware.
The following software are required:
Xen: the newer version of Xen hypervisor is recommanded (e.g., Xen-4.7)
Libvmi: this is a C library for virtual machine introspection.
For hardware, this tool uses hardware virtualization extensions found in Intel CPUs. So we need an Intel CPU with virtualization support (VT-x) and with Extended Page Tables (EPT).
We test the codes on Linux 2.6, 64-bit versions.
To compile the source code, just type "make" at the root directory. It will generate a vmi binary.
To run the program, use the following command: ./vmi -v [vm-name] -m [mode]
The vm-name is the name of the introspected VM, displayed by the hypervisor (e.g., xl list)
We support the following mode:
This folder provides a set of tools to find the offsets of the linux kernel structure. Copy this folder into the guest OS, compile and insert the kernel modules into the guest kernel. You will get the offsets from dmesg. Then you can feed the offsets into the libvmi.conf, or into the source code.
This folder provides several testing programs: