Demo of a PoC of hypervisor-level debugger, implemented in Radare2 on top of Libvmi and Xen 4.6, intercepting the Firefox process by its PID.
README
Radare 2 IO VMI plugin
This plugin allows you to debug a remote process running in a VM.
It uses Libvmi to read and write the process's virtual address space and to listen for hardware events such as the CR3 register being written (a process switch) or an int3 interrupt being caught.
What works:
- Intercept a process by PID
- Read the registers
- Single-step the process execution
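The interception logic described above (wait for the CR3 write that installs the target's page directory, and only then treat single-step and int3 events as belonging to that process) is shown here as an added, self-contained C simulation. It is not the plugin's own code and does not call libvmi: the PID-to-DTB table and the event stream are constructed stand-ins for what the real plugin would obtain from the guest kernel's process list and from Xen event callbacks.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the guest process list: PID -> page directory
 * base, i.e. the value the guest kernel loads into CR3 when it schedules
 * that process. The real plugin would resolve this through libvmi; the
 * numbers below are made up for this example. */
typedef struct { uint32_t pid; uint64_t dtb; } proc_entry_t;

static const proc_entry_t guest_procs[] = {
    { 4,    0x00187000ULL },   /* System            (constructed) */
    { 5344, 0x3e5a7000ULL },   /* target, e.g. firefox.exe (constructed) */
    { 612,  0x1f2b3000ULL },   /* some other process (constructed) */
};

/* Resolve a PID to its DTB; returns 0 when the PID is unknown
 * (0 is never a valid page directory base). */
uint64_t pid_to_dtb(uint32_t pid) {
    for (size_t i = 0; i < sizeof guest_procs / sizeof guest_procs[0]; i++)
        if (guest_procs[i].pid == pid) return guest_procs[i].dtb;
    return 0;
}

/* Hardware events the hypervisor reports to the debugger. */
typedef enum { EV_CR3_WRITE, EV_SINGLESTEP, EV_INT3 } ev_kind_t;
typedef struct { ev_kind_t kind; uint64_t value; uint64_t rip; } hw_event_t;

typedef struct {
    uint64_t target_dtb;
    bool     in_target;      /* target is currently scheduled on the vCPU */
    bool     singlestep_on;  /* stepping armed only while in_target */
    unsigned steps_seen;     /* single-step events attributed to the target */
    unsigned foreign_steps;  /* step events seen while another process ran */
} interceptor_t;

void interceptor_init(interceptor_t *it, uint32_t pid) {
    it->target_dtb = pid_to_dtb(pid);
    it->in_target = false;
    it->singlestep_on = false;
    it->steps_seen = 0;
    it->foreign_steps = 0;
}

/* Dispatch one event. Returns true if it belonged to the target process.
 * CR3 writes are the only reliable signal for "which process is running",
 * so every other event is filtered by the in_target flag they set. */
bool interceptor_handle(interceptor_t *it, const hw_event_t *ev) {
    switch (ev->kind) {
    case EV_CR3_WRITE:
        it->in_target = (ev->value == it->target_dtb);
        it->singlestep_on = it->in_target;   /* arm stepping only for our PID */
        return it->in_target;
    case EV_SINGLESTEP:
        if (!it->in_target) { it->foreign_steps++; return false; }
        it->steps_seen++;
        return true;
    case EV_INT3:
        return it->in_target;                /* ignore breakpoints hit elsewhere */
    }
    return false;
}

/* Feed a constructed event stream (two context switches around the target)
 * through the interceptor and return its final state. */
interceptor_t run_demo(void) {
    const hw_event_t stream[] = {
        { EV_CR3_WRITE,  0x00187000ULL, 0 },           /* System scheduled   */
        { EV_SINGLESTEP, 0,             0xfffff80000001000ULL }, /* not ours */
        { EV_CR3_WRITE,  0x3e5a7000ULL, 0 },           /* target scheduled   */
        { EV_SINGLESTEP, 0,             0x00401000ULL },
        { EV_SINGLESTEP, 0,             0x00401003ULL },
        { EV_INT3,       0,             0x00401005ULL },
        { EV_SINGLESTEP, 0,             0x00401006ULL },
        { EV_CR3_WRITE,  0x1f2b3000ULL, 0 },           /* switched away      */
        { EV_SINGLESTEP, 0,             0x00500000ULL }, /* not ours          */
    };
    interceptor_t it;
    interceptor_init(&it, 5344);
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++)
        interceptor_handle(&it, &stream[i]);
    return it;
}

int main(void) {
    interceptor_t it = run_demo();
    printf("target steps: %u, foreign steps ignored: %u\n",
           it.steps_seen, it.foreign_steps);
    return 0;
}
```

The point the simulation makes is that a PID alone is not something the hypervisor can see; the debugger has to translate it to a page directory base and gate every later event on the CR3 value that was last written, otherwise single-step and int3 events from other processes would be reported as the target's.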
Requirements
- Xen 4.6
- libvmi
- radare2
- pkg-config
Setup
$ make
$ make install
Note: if pkg-config fails, you need to:
$ export PKG_CONFIG_PATH=/usr/lib/pkgconfig
Usage
You need a virtual machine configured on top of Xen, and a process to intercept using its PID.
$ r2 vmi://<vm_name>:<pid>
Example:
$ r2 vmi://win7:5344