
Demo of a proof-of-concept hypervisor-level debugger, implemented as a Radare2 IO plugin on top of LibVMI and Xen 4.6, intercepting the Firefox process in a guest VM by its PID.

README

Radare2 IO VMI plugin

This plugin allows you to debug a process running inside a virtual machine from the hypervisor side, without installing any agent in the guest.

It uses LibVMI to read and write the process's virtual address space and to listen for hardware events, such as a write to the CR3 register (a process switch, used to recognise when the target PID is scheduled) or an int3 breakpoint interrupt being caught.

What works:

  • Intercept a process by PID
  • Read the registers
  • Single-step the process execution

Requirements

  • Xen 4.6
  • libvmi
  • radare2
  • pkg-config

Setup

$ make
$ make install

Note: if pkg-config fails, you need to:

$ export PKG_CONFIG_PATH=/usr/lib/pkgconfig

(use the directory that contains the libvmi .pc file on your distribution; on Debian-based systems it may be under /usr/lib/x86_64-linux-gnu/pkgconfig or /usr/local/lib/pkgconfig).

Usage

You need a virtual machine running on Xen and the PID, inside the guest, of the process to intercept.

$ r2 vmi://<vm_name>:<pid>

Example:

$ r2 vmi://win7:5344
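The following is an added example that models the event-filtering logic described above (resolve the PID to its page-directory base, act on CR3 writes and int3 traps only when the target is scheduled, single-step past a breakpoint and re-arm it) together with parsing of the vmi://<vm_name>:<pid> URI. It is not the plugin's own code and does not call LibVMI: the guest, its PID-to-DTB table, its code bytes and the event sequence are constructed in-memory stand-ins (FakeGuest and VmiDebugger are hypothetical names), so it runs offline. The real plugin does this through LibVMI's C API against a live Xen domain.

```python
"""Model of what a PID-targeted VMI debugger does with CR3 and int3 events.

Added example; not the radare2 VMI plugin's code and not LibVMI calls.
Guest state below is constructed so the logic can run without a hypervisor.
"""
from dataclasses import dataclass, field

INT3 = 0xCC


@dataclass
class FakeGuest:
    """Constructed stand-in for what LibVMI exposes: per-PID directory table
    base (DTB, the value the kernel loads into CR3 for that process), a flat
    byte array for the target's code, and the vCPU registers."""
    pid_to_dtb: dict
    memory: bytearray
    regs: dict = field(default_factory=lambda: {"cr3": 0, "rip": 0})

    def read(self, va, n):              # stands in for vmi_read_va()
        return bytes(self.memory[va:va + n])

    def write(self, va, data):          # stands in for vmi_write_va()
        self.memory[va:va + len(data)] = data


class VmiDebugger:
    """Intercept one process: resolve PID -> DTB once, then act only on
    events that occur while CR3 equals that DTB."""

    def __init__(self, guest, pid):
        if pid not in guest.pid_to_dtb:
            raise LookupError(f"pid {pid} not in guest process list")
        self.guest = guest
        self.dtb = guest.pid_to_dtb[pid]   # stands in for vmi_pid_to_dtb()
        self.breakpoints = {}              # va -> original byte
        self.pending_rearm = None          # breakpoint to restore after a step

    @staticmethod
    def parse_uri(uri):
        """Parse the plugin's r2 URI form 'vmi://<vm_name>:<pid>'."""
        prefix = "vmi://"
        if not uri.startswith(prefix):
            raise ValueError("expected vmi://<vm_name>:<pid>")
        vm, sep, pid = uri[len(prefix):].rpartition(":")
        if not sep or not vm or not pid.isdigit():
            raise ValueError("expected vmi://<vm_name>:<pid>")
        return vm, int(pid)

    def in_target(self):
        return self.guest.regs["cr3"] == self.dtb

    def set_breakpoint(self, va):
        if va not in self.breakpoints:
            self.breakpoints[va] = self.guest.read(va, 1)[0]
            self.guest.write(va, bytes([INT3]))

    def read_code(self, va, n):
        """Read guest code with our int3 patches hidden, so disassembly in
        the debugger shows the original instructions, not 0xCC bytes."""
        data = bytearray(self.guest.read(va, n))
        for bp_va, orig in self.breakpoints.items():
            if va <= bp_va < va + n:
                data[bp_va - va] = orig
        return bytes(data)

    def on_cr3_write(self, new_cr3):
        """CR3 write event: fires on every process switch in the guest; it is
        only interesting when the new value is the target's DTB."""
        self.guest.regs["cr3"] = new_cr3
        return self.in_target()

    def on_int3(self, rip):
        """int3 event. x86 #BP is a trap, so the saved RIP points past the
        1-byte int3 (assumption of this model); the breakpoint is rip - 1.
        An int3 that is not ours (other process, or the guest's own
        debug break) must be passed back to the guest, never swallowed."""
        bp = rip - 1
        if not self.in_target() or bp not in self.breakpoints:
            return "pass-through"
        self.guest.write(bp, bytes([self.breakpoints[bp]]))  # restore byte
        self.guest.regs["rip"] = bp                             # rewind RIP
        self.pending_rearm = bp
        return "handled"

    def on_single_step(self):
        """Single-step event after the original instruction ran: re-arm the
        breakpoint so it fires again on the next pass."""
        if self.pending_rearm is not None:
            self.guest.write(self.pending_rearm, bytes([INT3]))
            self.pending_rearm = None


def run_demo():
    """Constructed scenario: two guest processes, target PID 5344 (the PID
    from the README example), a breakpoint at VA 0x8 in 16 bytes of nops."""
    guest = FakeGuest({4: 0x1000, 5344: 0x2000}, bytearray(b"\x90" * 16))
    _vm, pid = VmiDebugger.parse_uri("vmi://win7:5344")
    dbg = VmiDebugger(guest, pid)
    dbg.set_breakpoint(0x8)
    out = []
    dbg.on_cr3_write(0x1000)             # some other process scheduled
    out.append(dbg.on_int3(0x9))         # not ours while target is off-CPU
    dbg.on_cr3_write(0x2000)             # target scheduled
    out.append(dbg.on_int3(0x9))         # ours: restore byte, rewind RIP
    out.append(guest.regs["rip"])
    out.append(guest.read(0x8, 1))       # original byte is back
    dbg.on_single_step()
    out.append(guest.read(0x8, 1))       # int3 re-armed
    out.append(dbg.read_code(0x6, 4))    # patch hidden from the reader
    return out
```

The pass-through branch is the part to get right in a real implementation: int3 traps that belong to another process, or that the guest placed itself, have to be re-injected so guest software that relies on its own breakpoints keeps working.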
