introvirt / introvirt Goto Github PK

IntroVirt is an guest introspection library for KVM

License: Apache License 2.0

CMake 0.37% Shell 0.06% C++ 90.60% Hack 6.01% Python 1.46% Smarty 1.50%

introvirt's Introduction

Description

IntroVirt, short for introspective virtualization, is a customized Hypervisor and library that provides a robust virtual machine introspection (VMI) application programming interface (API). VMI is the process of looking at the memory contents of a virtual machine during runtime. By applying knowledge of the guest operating system, introspection can be used for a variety of applications, including reverse engineering, debugging software, and securing guest VMs by limiting access to files or limiting an executing application’s functionality.

IntroVirt consists of two components: a patched version of the KVM Hypervisor, and the IntroVirt userland library.

Quick start

First, we need to get on the same kernel version supported by kvm-introvirt, which is currently Ubuntu Focal's 5.4.0-x:

$ uname -r
5.4.0-109-generic

On Ubuntu 20.04 (Focal), we can revert to the Linux kernel version 5.4.0-x by disabling HWE. The latest security patches are still provided by Canonical. To check if HWE is enabled, we can run hwe-support-status (no output means disabled, otherwise HWE is enabled).

To install on Ubuntu focal from the latest Github release.

mkdir introvirt_pkgs && cd introvirt_pkgs
wget https://github.com/IntroVirt/kvm-introvirt/releases/latest/download/kvm-introvirt.zip
wget https://github.com/IntroVirt/libmspdb/releases/latest/download/libmspdb.zip
wget https://github.com/IntroVirt/IntroVirt/releases/latest/download/introvirt.zip
unzip *.zip
sudo apt install *.deb

We will need to be booted into the correct kernel, based on the latest version of kvm-introvirt. If properly configured, running sudo ivversion will return a supported hypervisor.

Interested In Working For AIS?

Check out our Can You Hack It?® challenge and test your skills! Submit your score to show us what you’ve got. We have offices across the country and offer competitive pay and outstanding benefits. Join a team that is not only committed to the future of cyberspace, but to our employee’s success as well.

Building on Ubuntu Linux

Install build dependencies:

If using the launchpad PPA, libmspdb-dev can be installed as a package:

sudo apt-get install cmake libcurl4-openssl-dev libboost-dev libboost-program-options-dev libboost-stacktrace-dev liblog4cxx-dev libmspdb-dev python3-jinja2 python3 doxygen clang-format git

Otherwise, build and install libmspdb

sudo apt-get -y cmake libcurl4-openssl-dev libboost-dev git
git clone https://github.com/IntroVirt/libmspdb.git
cd libmspdb/build/
cmake ..
make
sudo make install

Note: You will also have to build and install kvm-introvirt if not using the PPA.

Build and install IntroVirt:

cd build
cmake ..
make
sudo make install

Building a source package for Launchpad

First you'll need to copy the distro specific files into place:

cd debian/
cp control.focal control
cp changelog.focal changelog
dch -i # Bump the package version
cp changelog changelog.focal
cd ..

Next, build the source package:

debuild -S -sa

Finally, upload to launchpad

dput ppa:<ppa name> introvirt_<version>_source.changes

Usage Instructions

The included IntroVirt tools have their own usage instructions. See the tools/ folder.

You can try system call monitoring with sudo ivsyscallmon -D <domain>. See sudo ivsyscallmon --help for more information.

Resources

IntroVirt provides some useful resources to learn how to use it including:

Documentation: TBD
Examples: TBD
Unit Tests: TBD

If you have any questions, bugs, or feature requests, please feel free to ask on any of the following:

Chat: TBD
Issue Tracker: https://github.com/IntroVirt/IntroVirt/issues

If you would like to help:

Pull Requests: https://github.com/IntroVirt/IntroVirt/pulls
Contributing Guidelines: https://github.com/IntroVirt/IntroVirt/blob/master/contributing.md

License

IntroVirt is licensed under the Apache v2.0 License.

If you’re interested in IntroVirt, you might also be interested in the following projects:

LibVMI:
https://github.com/libvmi/libvmi

Bitdefender:
https://github.com/bitdefender

HVMI:
https://github.com/hvmi/hvmi

libmicrovmi:
https://github.com/Wenzel/libmicrovmi

introvirt's People

Contributors

Stargazers

Watchers

Forkers

rianquinn chp-io srpape sradigan bocajspear1 lethalservant gmh5225 fengjixuchui kaganisildak guardian-angel-intelligence-agency xmduke vix597

introvirt's Issues

Setup instructions

Good evening,

I'm interested in running this tool in one of our KVM servers to test the System Call extraction features, but I'm not sure how to properly set it up or if there are any dependencies, etc.

Would it be possible to have a quick setup guide made available?

Thanks in advance!

VirtualAddressNotPresentException thrown while searching for NT kernel

Summary

When IntroVirt attempts to detect the OS for the specific domain (kvm guest), the VirtualAddressNotPresent Exception is thrown while searching in memory for the start of the Windows NT Kernel. This causes the search to end early and the OS detection to fail for the domain.

This bug was found while adding support for AMD in the kvm-introvirt repo. Further testing needs to be done on Intel hardware to rule out that this bug is specific to CPU architecture.

Component(s)

NtKernelImpl

NtKernelmpl search_ptr

What is the current bug behavior?

The thrown exception cause the search for the kernel to stop early and thus the OS detection to fail.

What is the expected behavior?

The exception should be handle so that the memory region were the kernel is load can be fully search, leading to OS dectection.

System specs

CPU: AMD
KVM Host: Linux introvirt 5.4.0-122-generic #138-Ubuntu SMP Wed Jun 22 15:00:31 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
KVM Guest: Windows 10 Version 21H2 (OS Build 19044.1288)

Steps to reproduce

AMD hardware was used
Apply AMD patch to kvm-introvirt. Use branch ubuntu/focal/Ubuntu-5.4.0-122.138 on my fork of kvm-introvirt
Create Windows 10 VM on kvm host to test introspection
Run ivguestinfo -D guest name

Relevant logs and/or screenshots

root@introvirt:/home/dev/IntroVirt# ivguestinfo -D win10-1
TRACE : libintrovirt v0.57.3-1-g6706bab: DEBUG=1 Optimized=0
 WARN : You are running an unoptimized build of libintrovirt!
TRACE : Domain win10-1 attached vcpu 0
TRACE : Domain 91212 Vcpu 0 paused
TRACE : Domain 91212 Vcpu 0 resumed
TRACE : Domain 91212 Vcpu 0 paused
TRACE : Domain 91212 Vcpu 0 resumed
DEBUG : Domain win10-1 Vcpu0 intercept_exception(INT3, 1)
TRACE : Domain win10-1 attached vcpu 1
TRACE : Domain 91212 Vcpu 1 paused
TRACE : Domain 91212 Vcpu 1 resumed
TRACE : Domain 91212 Vcpu 1 paused
TRACE : Domain 91212 Vcpu 1 resumed
DEBUG : Domain win10-1 Vcpu1 intercept_exception(INT3, 1)
DEBUG : Domain win10-1 attached 2 vcpus
TRACE : Domain 91212 Vcpu 0 paused
DEBUG : Domain win10-1 Vcpu 0: Loading registers for paused VCPU
TRACE : Domain 91212 Vcpu 0 resumed
DEBUG : Attempting OS detection...
TRACE : Domain 91212 Vcpu 0 paused
TRACE : Domain 91212 Vcpu 1 paused
DEBUG : Domain win10-1 Vcpu 0 intercept_cr_writes(3, 1)
TRACE : Domain 91212 Vcpu 0 resumed
TRACE : Domain 91212 Vcpu 1 resumed
TRACE : Received event for VCPU 0:1 Type: EVENT_CR_WRITE
TRACE : Domain 91212 Vcpu 0 paused
TRACE : Domain 91212 Vcpu 1 paused
DEBUG : Using event VCPU 0
DEBUG : Starting NT kernel search at address 0xFFFFF80136408000
DEBUG : Virtual address 0xFFFFF801361FF000 not present
 0# introvirt::TraceableException::IMPL::IMPL() in /lib/libintrovirt.so
 1# std::_MakeUniq<introvirt::TraceableException::IMPL>::__single_object std::make_unique<introvirt::TraceableException::IMPL>() in /lib/libintrovirt.so
 2# introvirt::TraceableException::TraceableException(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) at /home/dev/IntroVirt/src/core/exception/TraceableException.cc:45
 3# introvirt::MemoryException::MemoryException(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) at /home/dev/IntroVirt/src/core/exception/MemoryException.cc:21
 4# introvirt::VirtualAddressNotPresentException::VirtualAddressNotPresentException(unsigned long, unsigned long) at /home/dev/IntroVirt/src/core/exception/VirtualAddressNotPresentException.cc:28
 5# introvirt::x86::PageDirectory::translate(unsigned long, unsigned long) const at /home/dev/IntroVirt/src/core/arch/x86/PageDirectory.cc:203
 6# void introvirt::basic_guest_ptr<unsigned short, void, false, void>::_remap<false, (void*)0>() at /home/dev/IntroVirt/include/introvirt/core/memory/guest_ptr.hh:795
 7# introvirt::basic_guest_ptr<unsigned short, void, false, void>::_reset(unsigned long, unsigned long) at /home/dev/IntroVirt/include/introvirt/core/memory/guest_ptr.hh:865
 8# introvirt::basic_guest_ptr<unsigned short, void, false, void>& introvirt::basic_guest_ptr<unsigned short, void, false, void>::operator-=<unsigned long>(unsigned long) at /home/dev/IntroVirt/include/introvirt/core/memory/guest_ptr.hh:637
 9# introvirt::windows::nt::NtKernelImpl<unsigned long>::NtKernelImpl(introvirt::windows::WindowsGuest&) at /home/dev/IntroVirt/src/windows/kernel/nt/NtKernelImpl.cc:392
10# void std::_Optional_base_impl<introvirt::windows::nt::NtKernelImpl<unsigned long>, std::_Optional_base<introvirt::windows::nt::NtKernelImpl<unsigned long>, false, false> >::_M_construct<introvirt::windows::WindowsGuestImpl<unsigned long>&>(introvirt::windows::WindowsGuestImpl<unsigned long>&) at /usr/include/c++/9/optional:419
11# std::enable_if<is_constructible_v<introvirt::windows::nt::NtKernelImpl<unsigned long>, introvirt::windows::WindowsGuestImpl<unsigned long>&>, introvirt::windows::nt::NtKernelImpl<unsigned long>&>::type std::optional<introvirt::windows::nt::NtKernelImpl<unsigned long> >::emplace<introvirt::windows::WindowsGuestImpl<unsigned long>&>(introvirt::windows::WindowsGuestImpl<unsigned long>&) at /usr/include/c++/9/optional:849
12# introvirt::windows::WindowsGuestImpl<unsigned long>::WindowsGuestImpl(introvirt::Domain&) at /home/dev/IntroVirt/src/windows/WindowsGuestImpl.cc:515
13# std::_MakeUniq<introvirt::windows::WindowsGuestImpl<unsigned long> >::__single_object std::make_unique<introvirt::windows::WindowsGuestImpl<unsigned long>, introvirt::DomainImpl&>(introvirt::DomainImpl&) at /usr/include/c++/9/bits/unique_ptr.h:857
14# introvirt::DomainImpl::detect_guest() at /home/dev/IntroVirt/src/core/domain/DomainImpl.cc:352
15# main at /home/dev/IntroVirt/tools/ivguestinfo.cc:98
16# __libc_start_main in /lib/x86_64-linux-gnu/libc.so.6
17# _start in ivguestinfo

TRACE : Domain 91212 Vcpu 0 resumed
TRACE : Domain 91212 Vcpu 1 resumed
DEBUG : Failed to detect WindowsGuest: Domain win10-1 failed guest detection: Virtual address 0xFFFFF801361FF000 not present
 0# introvirt::TraceableException::IMPL::IMPL() in /lib/libintrovirt.so
 1# std::_MakeUniq<introvirt::TraceableException::IMPL>::__single_object std::make_unique<introvirt::TraceableException::IMPL>() in /lib/libintrovirt.so
 2# introvirt::TraceableException::TraceableException(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) at /home/dev/IntroVirt/src/core/exception/TraceableException.cc:45
 3# introvirt::GuestDetectionException::GuestDetectionException(introvirt::Domain const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) at /home/dev/IntroVirt/src/core/exception/GuestDetectionException.cc:29
 4# introvirt::windows::WindowsGuestImpl<unsigned long>::WindowsGuestImpl(introvirt::Domain&) at /home/dev/IntroVirt/src/windows/WindowsGuestImpl.cc:528
 5# std::_MakeUniq<introvirt::windows::WindowsGuestImpl<unsigned long> >::__single_object std::make_unique<introvirt::windows::WindowsGuestImpl<unsigned long>, introvirt::DomainImpl&>(introvirt::DomainImpl&) at /usr/include/c++/9/bits/unique_ptr.h:857
 6# introvirt::DomainImpl::detect_guest() at /home/dev/IntroVirt/src/core/domain/DomainImpl.cc:352
 7# main at /home/dev/IntroVirt/tools/ivguestinfo.cc:98
 8# __libc_start_main in /lib/x86_64-linux-gnu/libc.so.6
 9# _start in ivguestinfo

TRACE : Completing event 1
TRACE : KvmVcpu::complete_event() completed

...

Additional context or possible fixes

potential fix for this bug

Add integration tests for IntroVirt

Existing problem

There are no tests to ensure the functionality of IntroVirt.

Solution / Summary

A job will be added to github actions to use the vagrant box made in kvm-introvirt:issue-4, to install introvirt, provision a guest windows with libvirt, and run ivguestinfo on the guest.

Alternative considerations

N/A

Additional context

vagrant box will be pull from my vagrant cloud

Acceptance Criteria

All jobs pass
ivguestinfo is able to detected the kernel for the windows guest vm.

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.