Debugger doesn't work in KVM virtual machines. #30
Comments
|
Could you clarify? All items referenced are marked as closed. We have this deployed in KVM and would love to understand which portion is failing. |
|
I recently heard that someone had successfully tested it on QEMU and it worked but a contributor (enzo) had problems on his KVM setup which was described at the end of issue #13 when he was testing the Ursnif package. But if 'Extraction' jobs work (i.e. produce payloads) then it should be working as this package uses the debugger. If you find this works then I can close the issue - I'll check with enzo too. |
|
I can confirm that I have unpredictable behavior when running QEMU v 1.5.x with Centos 7 with the included backports. Upgrading to 2.10 fixed all the errors and unpredictable crashes for me, however it's possible that v2.0.0 might fix it as well. I've included additional anti-antivm hardening scripts based upon @doomedraven original work. Certainly relates to missing backports from the 2.x branch, leaving the 1.x QEMU branch crippled. |
|
My setup is Ubuntu 16.04, QEMU v 2.6.1 What "included backports" are you referencing? My version of QEMU appears to be newer than what you are running. What do the anti-antivm hardening scripts accomplish? Thanks. |
|
backports from the 2.0 branch into the 1.5 branch for the Centos/RHEL
builds.
Read source please.
…On Fri, Jun 29, 2018 at 10:46 AM, enzo ***@***.***> wrote:
My setup is Ubuntu 16.04, QEMU v 2.6.1
What "included backports" are you referencing? My version of QEMU appears
to be newer than what you are running. What do the anti-antivm hardening
scripts accomplish?
Thanks.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#30 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAhV8xSuqH3kTuaGM-ePLl4z0GCMujRUks5uBkvLgaJpZM4ScQ9H>
.
|
|
Sorry, I rushed that response a little quick. It looks like i see two
things.
1. My scripts are for Centos/RHEL and not Ubuntu/Debian
2. My setup is using the KVM portion of KVM/QEMU and not using QEMU.
Specifically KVM v 2.10 works and latest is 2.12.
Try using kvm over qemu if that's an option for you.
Tim
…On Fri, Jun 29, 2018 at 10:58 AM, Tim S. ***@***.***> wrote:
backports from the 2.0 branch into the 1.5 branch for the Centos/RHEL
builds.
Read source please.
On Fri, Jun 29, 2018 at 10:46 AM, enzo ***@***.***> wrote:
> My setup is Ubuntu 16.04, QEMU v 2.6.1
>
> What "included backports" are you referencing? My version of QEMU appears
> to be newer than what you are running. What do the anti-antivm hardening
> scripts accomplish?
>
> Thanks.
>
> —
> You are receiving this because you commented.
> Reply to this email directly, view it on GitHub
> <#30 (comment)>, or mute
> the thread
> <https://github.com/notifications/unsubscribe-auth/AAhV8xSuqH3kTuaGM-ePLl4z0GCMujRUks5uBkvLgaJpZM4ScQ9H>
> .
>
|
|
this week it also will be for debian based ;) kvm using qemu in background, qemu uses kvm acceleration basically |
|
Am I right in thinking this can be closed now? Has it been show that the debugger can indeed work with KVM? Is the latest generic version working, or does it need special patches? |
|
I never was able to get this to work with Ubuntu KVM. I've since abandoned that server instance for ESXi based VMs. |
|
I am now thinking KVM/QEMU might be the way forward, @doomedraven is using this and I think can achieve far better stealth against anti-vm than VMware ever will. |
|
I am going to add a couple of bare metal systems to my sandbox network. I am using hardware firewalls and dedicated Tor nodes that fail safe. Couldn't make this work with KVM and rooter. I may look into adding an Ubuntu KVM running on the ESXi. No idea if that's even viable. |
|
|
|
I too have been trying to get cape running on bare metal - I have been trying to set up FOG to do the remote re-imaging of the target hosts but ended up getting bogged down in PXE boot problems... How are you planning to tackle re-imaging? |
|
Just the debugger. Rooter worked fine otherwise. |
|
I was looking at FOG as well. |
|
I use this as my default as well and don’t seem to be hitting issues...
As a workflow it appears to function as expected.
I like it for better anti-anti-vm but not yet for performance. I’m having some big disappointments. Currently working through that.
On Sep 17, 2018, at 5:35 AM, enzo <notifications@github.com> wrote:
I never was able to get this to work with Ubuntu KVM. I've since abandoned that server instance for ESXi based VMs.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
|
|
Yes, of course. Once I’ve flushed out what’s fact vs configuration issue vs resource over allocation vs fiction.
Out of curiosity, on what average does a typical scan take, three measurements, for analysis, for processing and for end to end workflow of say X pending samples to status reported.
Also hardware specs.
Maybe this is normal and I’m expecting faster?
Tim
On Sep 17, 2018, at 8:41 AM, doomedraven <notifications@github.com> wrote:
I’m having some big disappointments. interesting can you share it with us?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
Thats maybe can be hardware issue, on my side im using it on 5 servers and it just flying |
|
To follow up on this, my issue with performance with kvm/kvm remote is that I had over allocated resources to my target VMs. I'm currently experiencing a seamless analysis experience on CentOS 7 with KVM Remote. I feel like this is ready to be closed, however I obviously need more user buyoff since I'm the only one reporting positive results. |
|
im using kvm but not remote and it works just fine <3 |
|
Sounds like it works for everyone! Happy days. |
It's been observed that CAPE's debugger does not work in KVM VMs - this is to do with the fact that KVM doesn't allow for use of the debug registers by the guest as discussed here:
https://patchwork.kernel.org/patch/4717311/
https://patchwork.kernel.org/patch/8436261/
https://bugzilla.redhat.com/show_bug.cgi?id=1068627
This means that several packages, most notably including the 'Extraction' behavioural package, will not work properly on these systems due to their dependence on the debugger.
If anyone knows of a workaround to allow use of debug registers within guest VMs on KVM, please let me know.
The text was updated successfully, but these errors were encountered: