    JordanBoulan
    @JordanBoulan
    Hi Wenzel, I had a quick question about r2vmi
    I can't seem to get it to consistently attach to the process. I've had luck with running the r2 -d vmi://win10 command right after I log in to the VM to attach to explorer. I've had mixed luck getting it to attach to notepad.exe by trying to start notepad and the r2 command at exactly the same time. Sometimes it attaches no problem, but I can't seem to figure out what the trick is to get it to work every time.
    I got it to work several times yesterday, but now I can't seem to even get it to attach to explorer
    I get:
    cb_on_sstep
    out of the targeted page
    Listening on VMI events...0 events pending
    cb_on_continue_until_event
    Wrong RIP: 0xfffff8022f3af7e4
    Listening on VMI events...0 events pending
    Listening on VMI events...0 events pending
    Listening on VMI events...0 events pending
    Listening on VMI events...0 events pending
    JordanBoulan
    @JordanBoulan
    Then it is 0 events pending forever
    JordanBoulan
    @JordanBoulan
    Running the r2 cmd then going to the VM to open the app doesn't seem fast enough. It doesn't wait long enough for me to open notepad etc.
    JordanBoulan
    @JordanBoulan
    Hmmm now it just randomly attached to notepad just fine a whole 10 sec after I launched it. Can't seem to reproduce or get it to do it again now. I must be missing something simple...
    JordanBoulan
    @JordanBoulan
    I think it has to do with the CR3 checks, but glancing at the code it seems ok...
    JordanBoulan
    @JordanBoulan
    Not sure if the symbols are loading properly when it does work. My rekall profile is fresh and up to date... I get this when trying to list symbols:
    image.png
    Still lost as to how to get it to work consistently. it seems almost completely random when it does attach properly
    Alex "The Sage"
    @mbhatt1
    Hola! Wonder how I came to be in this room? Never used gitter before. :)
    @JordanBoulan Assuming you're using win10 as your host?
    I'm Manish btw.
    Mathieu Tarral
    @Wenzel
    Hi Jordan
    First of all @JordanBoulan I have to say that I never tested under Windows 10, only Windows XP and 7.
    There might be security measures in Windows 10 that are making it difficult to initialize LibVMI reliably.
    Regarding the symbols, it's the same situation: there might be randomization in the kernel, so I would recommend testing on Windows 7 for a start.
    Second, I have now shifted my work to pyvmidbg, which aims to be more reliable than r2vmi, and open to frameworks other than radare2:
    https://github.com/Wenzel/pyvmidbg
    i can help you with r2vmi setup though :)
    JordanBoulan
    @JordanBoulan
    Hey guys, sorry about the delay. Alright, thanks! pyvmi looks cool. I was actually trying to get the built-in Xen gdbserver to work with IDA, but found IDA refused to read memory from gdb and would only update registers. radare2 worked great, which is what led me to your project. I am mainly working on win10 but I can test win7 too to make sure my issues aren't specific to Windows 10. Currently, on win10 pyvmi is a lot more consistent but I'm not actually getting attached properly. Same results for both notepad and explorer... It attaches at a really low (incorrect) address I think.
    image.png
    I
    I'll test on Windows 7 and let you know when I get it installed.
    JordanBoulan
    @JordanBoulan
    Thanks again! I really appreciate the response. I'm doing virtualization and introspection research for my graduate degree. Specifically integrity checking small regions of memory
    For pyvmi does it support 64 bit yet? looks like it might be doing i386 specific stuff...
    Mathieu Tarral
    @Wenzel
    @JordanBoulan where do you see that it's i386 specific?
    I'm testing it to debug 64-bit Ubuntu kernels.
    For the symbols, I had issues when I tried to load them for Windows XP; that's why I'm focused on Linux first. It's easier to understand, and GDB is made to parse ELF files, not PE.
    @JordanBoulan if you want a ready to use environment: https://github.com/Wenzel/vagrant-xen-pyvmidbg (pick fedora)