search

tklengyel / guestrace

Unofficial mirror of
https://www.flyn.org/projects/guestrace/index.html
GNU Lesser General Public License v2.1
10 stars 4 forks source link

readme

We use the following convention here: DOM0> Prompt which indicates you should run the command on Dom0 ULINUX> Prompt which indicates you should run the command on DomU/Linux UWIN> Prompt which indicates you should run the command on DomU/Windows

For both Linux and Windows:

Install Rekall and its dependencies (this assumes a DNF-based
system; similar steps apply on distributions which use other
package managers):

    DOM0> sudo dnf install json-c json-c-devel virtualenv
    DOM0> virtualenv /tmp/MyEnv
    DOM0> source /tmp/MyEnv/bin/activate
    DOM0> pip install --upgrade setuptools pip wheel
    DOM0> pip install IPython
    DOM0> pip install rekall

For Linux DomU (monitoring target running Linux):

1. Download the Rekall source code to DomU using:

    ULINUX> git clone https://github.com/google/rekall.git

2. From the rekall/tools/linux directory of the Rekall source
tree run (this assumes a Red Hat-like placement of the kernel
source code):

    ULINUX> KHEADER=/usr/src/kernels/<version> make profile

3. Copy <version>.zip to Dom0.

4. Run:

    DOM0> rekall convert_profile <version>.zip <guest-name>.json

5. On Dom0, update /etc/libvmi.conf to include:

    <guest-name> {
        ostype         = "Linux";
        rekall_profile = "<path-to>/<guest-name>-rekall-profile.json";
    }

For Windows DomU (monitoring target running Windows):

1. First, you must find the GUID and PDB filename corresponding
to the image you plan to run. To find this:

    a. Run libvmi's dump-memory example, and save its output
    to a file named "memory-dump":

        DOM0> ./examples/vmi-dump-memory <guest-name> memory-dump

    b. Obtain the GUID and PDB filename corresponding to
    your memory dump:

        DOM0> ./tools/windows-offset-finder/getGUID memory-dump

    (See the libvmi README for this tools dependencies.)

2. Run Rekall to create the Rekall file needed by guestrace:

    DOM0> rekall fetch_pdb <PDB filename> <GUID>
    DOM0> rekall parse_pdb <PDB filename> > <guest-name>-rekall-profile.json

3. On Dom0, update /etc/libvmi.conf to include:

    <guest-name> {
        ostype         = "Windows";
        rekall_profile = "<path-to>/<guest-name>-rekall-profile.json";
    }

For both Linux and Windows, perform the following steps on Dom0:

1. Add

    GRUB_CMDLINE_XEN_DEFAULT="altp2m=1"

to /etc/default/grub, and add

    altp2mhvm = 1

to the configuration file which defines each guest.

2. Restart each Xen DomU guest.

3. Build guestrace and run "guestrace <guest name>" on the Xen
Dom0 guest.