Warning
This project was ambitious, maybe too much considering the current state of virtual machine introspection. Originally planned to build on Xen, later on QEMU/KVM for a number of reasons. There are still substantial open problems related to hypervisor APIs, the semantic gap, and others.
For these reasons I'm archiving this project as of 03/06/2026, and starting another related project, still ambitious but definitely more grounded and more useful.
Xenith is a QEMU/KVM-based hypervisor toolkit for security research and reverse engineering. It provides a transparent virtualization environment — guest VMs are unaware they are virtualized — with advanced debugging capabilities, virtual machine introspection, and a Python scripting API.
Built with stealth and accessibility in mind, Xenith runs on any Linux machine with KVM, including nested VM environments. Any GDB-compatible debugger (GDB, LLDB, WinDbg, IDA Pro) connects directly to a running guest without leaving any trace inside it.
- Stealth environment: Xenith generates a coherent fake hardware identity for each VM; CPUID masking, SMBIOS/ACPI spoofing, timing normalization, PCI device ID masking. Guest software cannot distinguish the VM from real hardware. Designed for analyzing malware, anti-cheat systems, obfuscated firmware, and evasive proprietary software.
- Virtual Machine Introspection (VMI): Read and write guest physical memory and CPU registers from the host with no agent inside the guest. OS-aware parsing resolves raw addresses into processes, modules, and symbols for both Windows and Linux guests.
- Agnostic debugging: Xenith exposes a GDB Remote Serial Protocol (RSP) server backed by VMI. Connect with GDB, LLDB, IDA Pro, pwndbg, Binary Ninja, or WinDbg (via EXDI). The guest has no knowledge of the debugger.
- Python scripting API: An interactive Python REPL and a full xenith module let you automate analysis workflows: set breakpoints, scan memory, enumerate processes, and script multi-step analysis tasks.
- Snapshot and restore: Capture and restore VM state at any point via QEMU's native snapshot mechanism. Ideal for repeatable analysis of malware samples or fuzzing workflows.
- Nested VM support: Works inside a VM, making it easy to test before installing on bare metal. Full stealth is available on bare metal; nested environments still defeat most common detection techniques.
- Open-source collaboration: Xenith is open-source under GPL-3.0. Contributions are welcome.
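To make the "agnostic debugging" item concrete, here is an added example (not Xenith's code) of what the GDB Remote Serial Protocol exchange between a debugger and a VMI-backed stub looks like on the wire. It frames commands as `$payload#checksum`, validates checksums on both sides, and answers memory reads and writes from a constructed 256-byte stand-in for guest physical memory; the `vmi_stub_handle` function and `GUEST_PHYS_MEM` buffer are assumptions for this example, not Xenith's internal API.

```python
# Added example, not part of the Xenith project: minimal GDB RSP framing plus a
# simulated debugger <-> VMI-stub round trip over a constructed guest memory image.

# Constructed stand-in for guest physical memory (one 256-byte page), not a real dump.
GUEST_PHYS_MEM = bytearray(256)
GUEST_PHYS_MEM[0x40:0x44] = b"\x4d\x5a\x90\x00"  # "MZ" DOS header bytes placed at 0x40


def rsp_checksum(payload: bytes) -> int:
    """RSP checksum: sum of all payload bytes modulo 256."""
    return sum(payload) % 256


def rsp_encode(payload: bytes) -> bytes:
    """Frame a hex/ASCII payload as $<payload>#<two-digit checksum>.

    The commands used here are hex-encoded, so no binary escaping is needed.
    """
    return b"$" + payload + b"#" + b"%02x" % rsp_checksum(payload)


def rsp_decode(frame: bytes) -> bytes:
    """Validate a $...#xx frame and return its payload; raise on bad framing or checksum."""
    if not frame.startswith(b"$") or frame[-3:-2] != b"#":
        raise ValueError("bad framing")
    payload, declared = frame[1:-3], int(frame[-2:], 16)
    actual = rsp_checksum(payload)
    if actual != declared:
        raise ValueError(f"checksum mismatch: computed {actual:02x}, declared {declared:02x}")
    return payload


def vmi_stub_handle(command: bytes) -> bytes:
    """Answer one decoded RSP command the way a VMI-backed stub would (hypothetical stub).

    Reads and writes go straight to GUEST_PHYS_MEM; nothing runs inside the guest.
    """
    if command == b"?":
        return b"S05"  # stop reply: target halted with SIGTRAP
    if command.startswith(b"m"):  # m addr,length -> hex-encoded memory
        addr, length = (int(x, 16) for x in command[1:].split(b","))
        if addr + length > len(GUEST_PHYS_MEM):
            return b"E01"  # error: range outside guest memory
        return GUEST_PHYS_MEM[addr:addr + length].hex().encode()
    if command.startswith(b"M"):  # M addr,length:hexdata -> write memory
        header, hexdata = command[1:].split(b":", 1)
        addr, length = (int(x, 16) for x in header.split(b","))
        data = bytes.fromhex(hexdata.decode())
        if len(data) != length or addr + length > len(GUEST_PHYS_MEM):
            return b"E02"  # error: length mismatch or range outside guest memory
        GUEST_PHYS_MEM[addr:addr + length] = data
        return b"OK"
    return b""  # unsupported command: RSP mandates an empty reply


def debugger_exchange(command: bytes) -> tuple[bytes, list[bytes]]:
    """Run one request/reply round trip; return the decoded reply and both sides' wire bytes."""
    wire = []
    request = rsp_encode(command)
    wire.append(b"debugger -> stub: " + request)
    # Stub side: verify the frame, acknowledge with '+', then answer.
    decoded = rsp_decode(request)
    reply = b"+" + rsp_encode(vmi_stub_handle(decoded))
    wire.append(b"stub -> debugger: " + reply)
    # Debugger side: consume the ack and verify the reply checksum before trusting it.
    if reply[:1] != b"+":
        raise ValueError("stub did not acknowledge the packet")
    return rsp_decode(reply[1:]), wire


if __name__ == "__main__":
    for cmd in (b"?", b"m40,4", b"M40,2:9090", b"m40,4", b"qUnknown"):
        decoded_reply, transcript = debugger_exchange(cmd)
        for line in transcript:
            print(line.decode())
        print("decoded reply:", decoded_reply.decode() or "(empty)")
```

Running the script prints the four-packet exchange that reads the constructed "MZ" bytes at guest address 0x40, patches the first two bytes to 0x90 0x90, reads them back, and shows the empty reply an RSP stub returns for a command it does not implement. A real VMI-backed stub differs only in where `vmi_stub_handle` gets its bytes: from guest physical memory via the hypervisor rather than from a local buffer.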
| Component | Description |
| --- | --- |
| xenith-vm | VM lifecycle management (QEMU/KVM, QMP protocol) |
| xenith-stealth | Anti-detection layer (CPUID, SMBIOS, ACPI, timing, PCI) |
| xenith-vmi | Physical memory introspection (memflow-qemu / memflow-kvm) |
| xenith-os | OS-aware parsing (Windows EPROCESS, Linux task_struct) |
| xenith-debugger | GDB RSP server backed by VMI (guest-transparent debugging) |
| xenith-scripting | Python REPL and API (pyo3) |
| xenith-redpill | VM detection test suite (validates stealth layer) |
| xenith-cli | Command-line interface |
| xenith-gui | Graphical interface (planned) |
For more details, see the architecture documentation.
See our tutorials for detailed instructions on building and running Xenith.
You can view the full online documentation here or build it locally using hugo. See xenith-website for more information.
Join our community on Discord to discuss, ask questions, and share your experiences with Xenith.
See documentation credits.
This project is licensed under the GPL-3.0 License - see the LICENSE file for details.
