Hypervisor-Level Debugger based on Radare2 / LibVMI, using VMI IO and debug plugins
r2vmi

Radare2 VMI IO and debugger plugins.

These plugins let you debug a remote process running in a VM from the hypervisor level, leveraging Virtual Machine Introspection.

They are based on LibVMI to access the VM's memory and to listen for hardware events.

Note: since hack.lu 2018, I shifted my work towards an improved version of this project which is more flexible and open to any reverse-engineering framework that can act as a GDB frontend:

https://github.com/Wenzel/pyvmidbg

What works:

  • Intercept a process by name/PID (at CR3 load)
  • Read the registers
  • Single-step the process execution
  • Set breakpoints
    • software
    • hardware (based on memory access permissions, page must be mapped)
  • Load Kernel symbols

Demo

The following demonstrates how r2vmi:

  • intercepts the explorer.exe process
  • sets a software breakpoint on NtOpenKey
  • handles the breakpoint hit (ignoring hits from non-targeted processes)
  • uses radare2 to disassemble the NtOpenFile function
  • single-steps the execution
  • opens a Rekall shell using the VMIAddressSpace to work on the VM's physical memory
  • runs the pslist plugin
  • runs the dlllist plugin and selects a random DLL's base address
  • seeks there in radare2 and displays the MZ header

Requirements

Setup

A complete installation guide is available on the Wiki.

Usage

You need a virtual machine configured on top of Xen, and the name or PID of the process to intercept:

$ r2 -d vmi://<vm_name>:<name/pid>

Example:

$ r2 -d vmi://win7:firefox