Skip to content
Hypervisor-Level Debugger based on Radare2 / LibVMI, using VMI IO and debug plugins
C Makefile C++
Branch: master
Clone or download
Cannot retrieve the latest commit at this time.
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
examples
.gitignore
LICENSE
Makefile
README.md
debug_vmi.c
io_vmi.c
io_vmi.h
profile.c
profile.h
r2.mk
utils.c
utils.h
vmi.mk
x86-32.h
x86-64.h

README.md

r2vmi

Join the chat at https://gitter.im/r2vmi/Lobby

Radare2 VMI IO and debugger plugins.

These plugins allow you to debug remote process running in a VM, from the hypervisor-level, leveraging Virtual Machine Introspection.

Based on Libvmi to access the VM memory and listen on hardware events.

Note: since hack.lu 2018, I shifted my work towards an improved version of this project which is more flexible and open to any reverse-engineering framework that can act as a GDB frontend:

https://github.com/Wenzel/pyvmidbg

What works:

  • Intercept a process by name/PID (at CR3 load)
  • Read the registers
  • Single-step the process execution
  • Set breakpoints
    • software
    • hardware (based on memory access permissions, page must be mapped)
  • Load Kernel symbols

Demo

High quality link

The following demonstrate how r2vmi:

  • intercepts explorer.exe process
  • sets a software breakpoint on NtOpenKey
  • how the breakpoint is hit (ignoring hits by not targeted processes)
  • using radare2 to disassemble NtOpenFile's function
  • singlestep the execution
  • opening a Rekall shell usin the VMIAddressSpace to work on the VM's physical memory
  • running pslist plugin
  • running dlllist plugin and selecting a random DLL's base address
  • seeking there in radare2 and displaying the MZ header

R2VMI_DEMO

Requirements

Setup

An complete installation guide is available on the Wiki

Usage

You need a virtual machine configured on top of Xen, and a process name/pid to intercept

$ r2 -d vmi://<vm_name>:<name/pid>

Example:

$ r2 -d vmi://win7:firefox
You can’t perform that action at this time.