Question about setup test vm. about nitro HOT 22 OPEN

The win7 VM is created using a packer template.
Then, with the import_libvirt.py script, you can view it in virt-manager.

Read closely the README.

from nitro.

When i run ./main.py --nobackend win7,it reports errors,how can i fix it?

from nitro.

And after i install libvmi,then i run ./main.py --nobackend win7,it still exits errors.

from nitro.

Read the error messages.
too many aruments to function X
There is an API mismatch between your installed libvmi version and the one i'm using in Nitro.

Have you installed the nitro branch version of libvmi ? or just pulled master ?

from nitro.

For the question exists in the first picture i uploaded,did it means i should install libvmi and then i can run ./main.py --nobackend win7?

from nitro.

the --nobackend option was meant to just listen to raw hardware events.
Libvmi is only required in the backend, to rebuild the context of the virtual machine.

In the first picture you uploaded, the error state that CFFI tried to compile the libvmi wrapper, but you were lacking a compiler, gcc for example.

from nitro.

But i have installed gcc,am i lack of other packages?

from nitro.

@bigbigbanana please to try google and search by yourself.
This was really easy to figure out.
First link on google.
https://stackoverflow.com/questions/26053982/error-setup-script-exited-with-error-command-x86-64-linux-gnu-gcc-failed-wit

from nitro.

I have solved the above questions by installing libvmi used in nitro,thank you for your suggestions!But i have a question,the rax register stores syscall number,but in th picture,i found 0x1002,0x10162 and so on,these syscall numbers should not be so big,are these results wrong?

from nitro.

Windows has 2 main SSDT : the NT and the win32k syscall tables.
To differentiate between them, Windows sets a prefix which will should which SSDT to use for a given syscall number.
Take a look at Windows Internals.

from nitro.

When i run ./main.py win7,there exists some errors,what's wrong with it?

from nitro.

Install docopt from your package manager. It's available in your distro.

Also nitro is python3 but you are using pip2 not pip3 here

from nitro.

But i indeed use python3 to install cffi,docopt,ioctl-opt and in nitro repo,i use python3 ./setup.py install order to install the required installation packages,but there still exists errors.

from nitro.

You need docopt for python2 also. Nitro is calling a symbols.py python2 with subprocess which imports docopt.

from nitro.

I used apt-get install python-docopt and after that i run ./main.py win7,it shows no module named rekall but i have installed rekall.

from nitro.

which rekall ?
How did you install it ?

from nitro.

I use sudo pip3 install --upgrade setuptools pip wheel and sudo pip3 install rekall orders to install rekall.

from nitro.

You have installed the python3 release of Rekall.
However our symbols.py is Python2, and therefore searches for Rekall modules in the Python2 search path.
You can use the same commands you used to install Rekall, but with pip2 instead, it will work.

from nitro.

Reason we have not switched to Rekall python3 is that the latest official release contains some bugs that are only fixed in the upstream git repository.
We are waiting for the next release of Rekall.

from nitro.

@Wenzel
Hello,as the output of captured linux vm's syscalls is seperated,if i want to get the singe process's full syscalls like the picture below shows,how can i achieve this?Could you give me some advices?

from nitro.

Just post-process the JSON with Python.

from nitro.

Hello,i want to get sin_port and ip_addr of connect syscall,i use libvmi.read32(the base addr of struct sockaddr_in+offset of sin_port,pid),but i got wrong results.Is this method wrong?

from nitro.