IntroVirt, short for introspective virtualization, is a customized hypervisor and library that provides a robust virtual machine introspection (VMI) application programming interface (API). VMI is the process of examining the memory contents of a virtual machine at runtime from outside the guest. By applying knowledge of the guest operating system, introspection can be used for a variety of applications, including reverse engineering, debugging software, and securing guest VMs by limiting access to files or limiting an executing application's functionality.
IntroVirt consists of three components: a patched version of the KVM Hypervisor, the IntroVirt userland library, and a Microsoft Program Database (MS PDB) parsing library libmspdb.
- Make sure Secure Boot is disabled on your system (you can also run IntroVirt nested in KVM).
  - If someone wants to help me figure out a way around this please do!
- Download the latest release for your Ubuntu version and install it:

  ```sh
  wget https://github.com/IntroVirt/IntroVirt/releases/latest/download/Ubuntu-$(lsb_release -sc)-$(lsb_release -sr).tar.xz
  tar -Jxvf Ubuntu-$(lsb_release -sc)-$(lsb_release -sr).tar.xz
  cd Ubuntu-$(lsb_release -sc)-$(lsb_release -sr)
  sudo apt install ./*.deb
  ```

- Make sure all VMs on the current system are off before installing kvm-introvirt.
- Download and install the latest kvm-introvirt release that matches your kernel version (`uname -r`). If one does not exist, see the instructions in the kvm-introvirt README.md for how to build it yourself, and please submit an issue for support.
  - We try to keep up with the latest kernel for each supported LTS. If you are behind, consider updating.

  ```sh
  wget https://github.com/IntroVirt/kvm-introvirt/releases/latest/download/kvm-introvirt-$(uname -r).$(lsb_release -sr)-1.0.0.deb
  sudo apt install ./kvm-introvirt-$(uname -r).$(lsb_release -sr)-1.0.0.deb
  ```

- Test with:

  ```sh
  sudo ivversion
  ```

- Get a live system call trace from a running Windows 10 VM:

  ```sh
  sudo ivsyscallmon -D win10-22H2
  ```

  - This assumes you've installed a Windows 10 22H2 VM, named it "win10-22H2", and it is running.
Distro | Latest Supported Kernel | Status
---|---|---
18.04 | HWE 5.4.0-150-generic | EoL
20.04 | HWE 5.15.0-119-generic | Supported
22.04 | HWE 6.5.0-35-generic | Supported
24.04 | HWE 6.8.0-41-generic | Supported
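A preflight script for the install steps and the kernel table above, added here as an example; it is not a script shipped by the IntroVirt project. It assumes an Ubuntu host with EFI variables mounted at /sys/firmware/efi/efivars and libvirt's `virsh` for listing running domains. The function names, the efivars byte check and the packed kernel-version key are this example's own, and the kernel strings in `latest_kernel_for` are copied from the table, so they go stale as new kvm-introvirt builds appear:

```sh
#!/bin/sh
# Preflight check for the kvm-introvirt install steps and the kernel table above.
# Added example, not a script shipped by the IntroVirt project. Assumes an Ubuntu
# host with EFI variables at /sys/firmware/efi/efivars and libvirt's virsh; the
# kernel strings in latest_kernel_for are copied from the table and go stale.
set -u

# Reduce "6.5.0-35-generic" to one integer so kernel release strings compare
# numerically: major, minor, patch and the Ubuntu ABI number are packed into
# fixed-width fields (assumes minor and patch < 100 and ABI < 1000). Prints
# nothing and returns 1 if the string is not an Ubuntu-style kernel release.
kernel_key() {
  fields=$(printf '%s\n' "$1" |
    sed -nE 's/^([0-9]+)\.([0-9]+)\.([0-9]+)-([0-9]+).*$/\1 \2 \3 \4/p')
  [ -n "$fields" ] || return 1
  set -- $fields
  echo $(( (($1 * 100 + $2) * 100 + $3) * 1000 + $4 ))
}

# Prints -1, 0 or 1 when kernel $1 is older than, equal to, or newer than
# kernel $2; returns 2 if either string cannot be parsed.
kernel_cmp() {
  ka=$(kernel_key "$1") || return 2
  kb=$(kernel_key "$2") || return 2
  if [ "$ka" -lt "$kb" ]; then echo -1
  elif [ "$ka" -gt "$kb" ]; then echo 1
  else echo 0
  fi
}

# Latest kernel with a prebuilt kvm-introvirt package for each supported LTS,
# per the table above (18.04 is EoL and deliberately omitted).
latest_kernel_for() {
  case "$1" in
    20.04) echo 5.15.0-119-generic ;;
    22.04) echo 6.5.0-35-generic ;;
    24.04) echo 6.8.0-41-generic ;;
    *) return 1 ;;
  esac
}

# File name the install step downloads for a kernel release and Ubuntu version.
kvm_introvirt_deb() {
  echo "kvm-introvirt-$1.$2-1.0.0.deb"
}

# Secure Boot state from an efivars file: bytes 0-3 are the variable attributes
# and the single data byte at offset 4 is 1 when Secure Boot is enabled. Takes
# the path as an argument so it can be exercised on a constructed file.
secureboot_enabled_in() {
  [ -r "$1" ] || return 1
  [ "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" = 1 ]
}

secureboot_enabled() {
  for f in /sys/firmware/efi/efivars/SecureBoot-*; do
    secureboot_enabled_in "$f" && return 0
  done
  return 1
}

# Counts non-empty lines on stdin, i.e. the names printed by `virsh list --name`.
count_domains() {
  grep -c . || true
}

preflight() {
  status=0
  kernel=$(uname -r)
  release=$(lsb_release -sr 2>/dev/null || echo unknown)

  if secureboot_enabled; then
    echo "FAIL: Secure Boot is enabled; disable it (or run IntroVirt nested in KVM)"
    status=1
  else
    echo "ok: Secure Boot is disabled or this is not an EFI boot"
  fi

  running=$(virsh list --name 2>/dev/null | count_domains)
  if [ "$running" -gt 0 ]; then
    echo "FAIL: $running VM(s) still running; shut them down before installing kvm-introvirt"
    status=1
  else
    echo "ok: no running VMs"
  fi

  if latest=$(latest_kernel_for "$release"); then
    case "$(kernel_cmp "$kernel" "$latest" || true)" in
      -1) echo "warn: kernel $kernel is behind $latest; consider updating" ;;
       0) echo "ok: kernel $kernel matches the latest prebuilt kvm-introvirt" ;;
       1) echo "warn: kernel $kernel is newer than $latest; build kvm-introvirt yourself" ;;
       *) echo "warn: cannot parse kernel release $kernel" ;;
    esac
  else
    echo "warn: Ubuntu $release is not in the supported table"
  fi
  echo "expected package: $(kvm_introvirt_deb "$kernel" "$release")"
  return "$status"
}

# Run the checks unless this file is sourced just for its functions.
[ "${PREFLIGHT_SOURCE_ONLY:-0}" = 1 ] || preflight
```

Run it as root on the host before installing the kvm-introvirt package: it exits nonzero if Secure Boot is on or a domain is still running, and only warns on a kernel mismatch because the fallback in the instructions above is to build kvm-introvirt yourself. If you prefer a packaged tool for the Secure Boot bit, `mokutil --sb-state` reports the same variable.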
IntroVirt is used to introspect a running virtual machine. The current release of IntroVirt supports Windows XP through Windows 10 22H2. Newer versions of Windows 10 may work, but you may experience unhandled exceptions in the user-land tools caused by changes to the Windows kernel that IntroVirt has not yet been updated for (hopefully soon though). Windows 11 is completely untested, so feel free to give it a try, though it will likely not work.
OS | Latest Supported Version | Status |
---|---|---|
Windows XP | All | EoL |
Windows 7 | All | EoL |
Windows 10 | 22H2 | Supported |
Windows 11 | None | Unsupported (yet) |
First, build and install libmspdb and kvm-introvirt.
Then, build from source:

```sh
sudo apt-get install -y \
    python3 python3-jinja2 cmake make build-essential libcurl4-openssl-dev libboost-dev \
    libboost-program-options-dev git clang-format liblog4cxx-dev libboost-stacktrace-dev \
    doxygen
git clone https://github.com/IntroVirt/IntroVirt.git
cd IntroVirt/build
cmake ..
make -j"$(nproc)"
```

Debian packages can then be built and installed (recommended):

```sh
make package
sudo apt install ./*.deb
```

Or `make install` can be used directly to install:

```sh
sudo make install
```

Confirm everything is installed with `sudo ivversion`.
The deps for these steps can be installed with `sudo apt install debhelper devscripts`.

- If releasing a new version, bump the version number in `CMakeLists.txt` in these lines:

  ```cmake
  SET(PACKAGE_MAJOR_VERSION #)
  SET(PACKAGE_MINOR_VERSION #)
  SET(PACKAGE_PATCH_VERSION #)
  ```

- First copy the distro-specific files into place and update the changelog:

  ```sh
  export DEBEMAIL="youremail@domain.com"
  cp ./debian/control.$(lsb_release -c -s 2> /dev/null) ./debian/control
  cp ./debian/changelog.$(lsb_release -c -s 2> /dev/null) ./debian/changelog
  dch -i   # a message about what happened
  cp ./debian/changelog ./debian/changelog.$(lsb_release -c -s 2> /dev/null)
  ```

- To build the `.deb` files:

  ```sh
  ./scripts/build_release.sh
  ```

- Make sure to `git add -u` and `git commit` the modification to the distro-specific changelog.
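A helper for the release steps above, added here as an example; it is not a script from the IntroVirt repository. It assumes the `SET(PACKAGE_*_VERSION n)` lines keep the form shown above and that the `debian/` layout and `./scripts/build_release.sh` are as described. The function names are this example's own:

```sh
#!/bin/sh
# Version-bump helper for the release steps above. Added example, not a script
# from the IntroVirt repository. It assumes the SET(PACKAGE_*_VERSION n) lines
# in CMakeLists.txt keep the exact form shown above, and that dch and
# ./scripts/build_release.sh are run afterwards as described.
set -u

# ERE matching one SET(PACKAGE_<PART>_VERSION n) line: group 1 is everything
# before the number, group 2 the number. CMake commands are case-insensitive,
# so a lower-case set( is accepted too.
_pat() {
  printf '^([[:space:]]*[Ss][Ee][Tt]\\(PACKAGE_%s_VERSION[[:space:]]+)([0-9]+)\\)' "$1"
}

# Prints "major.minor.patch" read from the given CMakeLists.txt; returns 1 if
# any of the three lines is missing.
read_version() {
  maj=$(sed -nE "s/$(_pat MAJOR).*/\2/p" "$1" | head -n 1)
  min=$(sed -nE "s/$(_pat MINOR).*/\2/p" "$1" | head -n 1)
  pat=$(sed -nE "s/$(_pat PATCH).*/\2/p" "$1" | head -n 1)
  [ -n "$maj" ] && [ -n "$min" ] && [ -n "$pat" ] || return 1
  echo "$maj.$min.$pat"
}

# Increments the major, minor or patch component ($2) in file $1, resetting the
# lower components to 0, rewrites the file in place and prints the new version.
bump_version() {
  file=$1; part=$2
  v=$(read_version "$file") || return 1
  maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}; pat=${rest#*.}
  case "$part" in
    major) maj=$((maj + 1)); min=0; pat=0 ;;
    minor) min=$((min + 1)); pat=0 ;;
    patch) pat=$((pat + 1)) ;;
    *) echo "bump_version: part must be major, minor or patch" >&2; return 1 ;;
  esac
  tmp=$(mktemp) || return 1
  sed -E -e "s/$(_pat MAJOR)/\1$maj)/" \
         -e "s/$(_pat MINOR)/\1$min)/" \
         -e "s/$(_pat PATCH)/\1$pat)/" "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  cat "$tmp" > "$file"   # write through the original file, keeping its permissions
  rm -f "$tmp"
  echo "$maj.$min.$pat"
}

# The release prep from the steps above, run from the repository root:
# $1 = major|minor|patch, $2 = changelog message. Stops at the first failure.
prepare_release() {
  part=$1; message=$2
  [ -n "${DEBEMAIL:-}" ] || { echo "set DEBEMAIL to the maintainer address first" >&2; return 1; }
  codename=$(lsb_release -c -s 2>/dev/null) || return 1
  new=$(bump_version CMakeLists.txt "$part") || return 1
  cp "./debian/control.$codename" ./debian/control || return 1
  cp "./debian/changelog.$codename" ./debian/changelog || return 1
  dch -i "$message" || return 1
  cp ./debian/changelog "./debian/changelog.$codename" || return 1
  echo "prepared $new for $codename; now run ./scripts/build_release.sh, then git add -u && git commit"
}
```

`read_version` and `bump_version` take a file path, so they can be tried on a scratch copy of CMakeLists.txt before `prepare_release patch "message"` touches the real one. The `dch -i` call is the one the instructions above use; it does not read the CMake version, so check the resulting `debian/changelog` entry before building.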
The included IntroVirt tools have their own usage instructions. See the `tools/` folder.
You can try system call monitoring with `sudo ivsyscallmon -D <domain>`. See `sudo ivsyscallmon --help` for more information.
IntroVirt provides some useful resources to learn how to use it including:
- Documentation: TBD
- Examples: TBD
- Unit Tests: TBD
If you have any questions, bugs, or feature requests, please feel free to ask on any of the following:
- Chat: TBD
- Issue Tracker: https://github.com/IntroVirt/IntroVirt/issues
If you would like to help:
- Pull Requests: https://github.com/IntroVirt/IntroVirt/pulls
- Contributing Guidelines: https://github.com/IntroVirt/IntroVirt/blob/master/contributing.md
IntroVirt is licensed under the Apache v2.0 License.
Check out our Can You Hack It?® challenge and test your skills! Submit your score to show us what you've got. We have offices across the country and offer competitive pay and outstanding benefits. Join a team that is not only committed to the future of cyberspace, but to our employees' success as well.
If you’re interested in IntroVirt, you might also be interested in the following projects:
- LibVMI: https://github.com/libvmi/libvmi
- Bitdefender: https://github.com/bitdefender
- HVMI: https://github.com/hvmi/hvmi
- libmicrovmi: https://github.com/Wenzel/libmicrovmi