VM/KVM/QEMU memory mounting #62
Comments
|
It's a very good suggestion :) An issue is that MemProcFS is currently Windows only and that's not likely to change, at least not in the near to medium future. QEMU while running on Windows too is more widely used on Linux. The solution for me would be to add the ability to connect between Linux and Windows over the network; and also add support for QEMU on Windows. I'm not sure I should do the QEMU support of the network interoperability between Windows/Linux first though. But this is definitely something that's on my roadmap. Would having QEMU support on Windows-only be interesting for starters? Or would it be better to do the network integration (which is a bit larger job) first? I'm currently working on a few other features that I would hope to release before looking more into this; but if it's very easy and if doing it on Windows only for starters this could happen quite soon (as in before the summer). Also, MemProcFS actually currently support accessing Hyper-V VM memory via the LiveCloudKd plugin; either locally or over the network via an agent running on a Hyper-V host. |
|
If you are talking about Windows host, then I'm not much interested but it would probably still be cool addition ;D |
|
Thanks. This would still be a very nice addition, but it would need to go hand-in-hand with better Linux support in general to make sense to add. I'll try to add it, but it may be some months away. |
|
I plan to release a Linux version of the MemProcFS in the not too distant future so I've looked into this as well. I may be too unfamiliar with qemu and I may just misunderstand things; but it seem to me that to use this API you would need to interface with the whole qemu (download and re-compile) and not just some library? I may very well be wrong about this though. If I would need to interface with the whole qemu this would be more than a small plugin. Are you aware of any examples around this that does not require me to rebuild and distribute the whole qemu project to make use of these APIs? Or any good examples at all? If you're good at programming I'd be super happy to accept a plugin around this if it's not too hard (require the whole qemu to compile) to make. I have a good "example" in my LeechCore-plugins project - https://github.com/ufrisk/LeechCore-plugins/blob/master/leechcore_device_rawtcp But it may make some sense to wait with looking into this until I've released the Linux functionality for the MemProcFS. |
|
It probably can be done by injecting into qemu process, headers and symbols should be there anyway. I could try to take look into it, but I do not promise it will happen soon or it would work ;D |
|
Thanks, Let's first await the MemProcFS Linux release; there may still be some bugs in there that I would need to fix to make it usable. It's rock solid for me now; but I have had some issues with deadlocks that I hope should be resolved by now. As you mention injectin is probably the way to go around this. Main issue for me is that I'm not very familiar with qemu and I'm bogged down with a lot of other things around my projects as well. It would likely take quite some time if it were to happen at all :\ If you would have some time to look into this it would be more than super awesome and I'd be super happy to accept a LeechCore plugin for it :) But it's not something I would expect; it would just a very big bonus if you were to find the time and get it working. If you have any questions about my plugin API or have the need for expansions/additions just let me know :) |
|
And now the Linux version of MemProcFS is published :) |
|
https://github.com/memflow/memflow-qemu-procfs |
|
Support for this (via microvmi) has now been merged. The binary packages for x64 Linux are updated with the required plugin - but you'd still need to install libmicrovmi as well. I hope this will work well for your use cases. If you should run into anything please let either me or @Wenzel know depending on where the issue lies. Since this enhancement suggestion is now fixed I'm closing this issue. If you find MemProcFS or libmicrovmi useful please consider sponsoring either MemProcFS or libmicrovmi here on Github. Thank you and best wishes with your memory introspection 💖 |
Hi!
I'm interested in seeing MemProcFS working on VM's memory.
It shouldnt be too hard to implement - there are "DMA" existing solutions for QEMU and even official API: https://qemu.readthedocs.io/en/latest/devel/memory.html
The text was updated successfully, but these errors were encountered: