Unofficial mirror of
License
tklengyel/guestrace
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
master
Could not load branches
Nothing to show
Could not load tags
Nothing to show
{{ refName }}
default
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code
-
Clone
Use Git or checkout with SVN using the web URL.
Work fast with our official CLI. Learn more about the CLI.
- Open with GitHub Desktop
- Download ZIP
Sign In Required
Please sign in to use Codespaces.
Launching GitHub Desktop
If nothing happens, download GitHub Desktop and try again.
Launching GitHub Desktop
If nothing happens, download GitHub Desktop and try again.
Launching Xcode
If nothing happens, download Xcode and try again.
Launching Visual Studio Code
Your codespace will open once ready.
There was a problem preparing your codespace, please try again.
Latest commit
Git stats
Files
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
We use the following convention here: DOM0> Prompt which indicates you should run the command on Dom0 ULINUX> Prompt which indicates you should run the command on DomU/Linux UWIN> Prompt which indicates you should run the command on DomU/Windows For both Linux and Windows: Install Rekall and its dependencies (this assumes a DNF-based system; similar steps apply on distributions which use other package managers): DOM0> sudo dnf install json-c json-c-devel virtualenv DOM0> virtualenv /tmp/MyEnv DOM0> source /tmp/MyEnv/bin/activate DOM0> pip install --upgrade setuptools pip wheel DOM0> pip install IPython DOM0> pip install rekall For Linux DomU (monitoring target running Linux): 1. Download the Rekall source code to DomU using: ULINUX> git clone https://github.com/google/rekall.git 2. From the rekall/tools/linux directory of the Rekall source tree run (this assumes a Red Hat-like placement of the kernel source code): ULINUX> KHEADER=/usr/src/kernels/<version> make profile 3. Copy <version>.zip to Dom0. 4. Run: DOM0> rekall convert_profile <version>.zip <guest-name>.json 5. On Dom0, update /etc/libvmi.conf to include: <guest-name> { ostype = "Linux"; rekall_profile = "<path-to>/<guest-name>-rekall-profile.json"; } For Windows DomU (monitoring target running Windows): 1. First, you must find the GUID and PDB filename corresponding to the image you plan to run. To find this: a. Run libvmi's dump-memory example, and save its output to a file named "memory-dump": DOM0> ./examples/vmi-dump-memory <guest-name> memory-dump b. Obtain the GUID and PDB filename corresponding to your memory dump: DOM0> ./tools/windows-offset-finder/getGUID memory-dump (See the libvmi README for this tools dependencies.) 2. Run Rekall to create the Rekall file needed by guestrace: DOM0> rekall fetch_pdb <PDB filename> <GUID> DOM0> rekall parse_pdb <PDB filename> > <guest-name>-rekall-profile.json 3. On Dom0, update /etc/libvmi.conf to include: <guest-name> { ostype = "Windows"; rekall_profile = "<path-to>/<guest-name>-rekall-profile.json"; } For both Linux and Windows, perform the following steps on Dom0: 1. Add GRUB_CMDLINE_XEN_DEFAULT="altp2m=1" to /etc/default/grub, and add altp2mhvm = 1 to the configuration file which defines each guest. 2. Restart each Xen DomU guest. 3. Build guestrace and run "guestrace <guest name>" on the Xen Dom0 guest.
About
Unofficial mirror of
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published