Hypervisor-level debugger for radare2 based on Virtual Machine Introspection
Hi Wenzel, I had a quick question about r2vmi
I can't seem to get it to consistently attach to the process. I've had luck with running the r2 -d vmi://win10 command right after I log in to the VM to attach to explorer. I've had mixed luck getting it to attach to notepad.exe by trying to start notepad and the r2 command at exactly the same time. Sometimes it attaches no problem, but I can't seem to figure out what the trick is to get it to work every time.
I got it to work several times yesterday, but now I can't seem to even get it to attach to explorer
cb_on_sstep out of the targeted page
Listening on VMI events...
0 events pending
cb_on_continue_until_event
Wrong RIP: 0xfffff8022f3af7e4
Listening on VMI events...
0 events pending
Listening on VMI events...
0 events pending
Listening on VMI events...
0 events pending
Listening on VMI events...
0 events pending
Then it is 0 events pending forever
Running the r2 cmd and then going to the VM to open the app doesn't seem fast enough. It doesn't wait long enough for me to open notepad etc.
Hmmm now it just randomly attached to notepad just fine a whole 10 sec after I launched it. Can't seem to reproduce or get it to do it again now. I must be missing something simple...
I think it has to do with the CR3 checks, but glancing at the code it seems ok...
Not sure if the symbols are loading properly when it does work. My rekall profile is fresh and up to date... I get this when trying to list symbols
Still lost as to how to get it to work consistently. It seems almost completely random when it does attach properly.
Alex "The Sage"
Hola! Wonder how I came to be in this room? Never used gitter before. :)
@JordanBoulan Assuming you're using win10 as your host?
I'm Manish btw.
First of all @JordanBoulan I have to say that I never tested under Windows 10, only Windows XP and 7.
There might be security measures in Windows 10 that are making it difficult to initialize Libvmi reliably.
Regarding the symbols, it's the same situation: there might be randomization in the kernel, so I would recommend testing on Windows 7 for a start.
Hey guys, sorry about the delay. Alright, thanks! pyvmi looks cool. I was actually trying to get the built-in xen gdbserver to work with IDA, but found IDA refused to read memory from gdb and would only update registers. radare2 worked great, which is what led me to your project. I am mainly working on win10 but I can test win7 too to make sure my issues aren't specific to Windows 10. Currently, on win10 pyvmi is a lot more consistent, but I'm not actually getting attached properly. Same results for both notepad and explorer... It attaches at a really low (incorrect) address, I think.
I'll test on Windows 7 and let you know when I get it installed.
Thanks again! I really appreciate the response. I'm doing virtualization and introspection research for my graduate degree, specifically integrity checking small regions of memory.
For pyvmi, does it support 64-bit yet? Looks like it might be doing i386-specific stuff...
@JordanBoulan where do you see it's i386-specific?
I'm testing it to debug 64-bit Ubuntu kernels.
For the symbols, I had issues when I tried to load them for Windows XP; that's why I'm focused on Linux first. It's easier to understand, and GDB is made to parse ELF files, not PE.