tested on Slackware/14.2, Devuan/ascii with XEN 4.11 rc6 (vmi-dump-memory only against HVM)
There is no need to install XEN and LibVMI specifically from the submodules of the Drakvuf GIT repository. We can use the latest XEN release and the current GIT repo from LibVMI.
Also, this helps after each make install, so that the chain of compiled software can find each other's libraries,
cat /etc/ld.so.conf
echo /usr/local/lib >> /etc/ld.so.conf
ldconfig
#tail ~/.bashrc
#echo "export LD_LIBRARY_PATH=\$LD_LIBRARY_PATH:/usr/local/lib" >> ~/.bashrc
#source ~/.bashrc
And for Drakvuf to compile on Slackware with the LibVMI dependency this was particularly helpful – thanks to ##workingset on Freenode,
export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/local/lib/pkgconfig
#cat /usr/local/lib/pkgconfig/libvmi.pc
#CFLAGS="-I/usr/local/include" LIBS="-L/usr/local/lib" ./configure --enable-debug
You need Intel EPT or AMD RVI (most probably Drakvuf only implements EPT, as altp2m is for Intel).
On Slackware,
sbopkg -i msr-tools
On Debian,
apt install msr-tools
check for the Monitor Trap Flag (MTF), this should return 1,
modprobe msr
rdmsr --bitfield 59:59 $((0x00000482))
otherwise you will get this error when trying to run Drakvuf,
Failed to register singlestep for vCPU 0
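As an added example (not part of the original page), a small POSIX-shell helper that decodes the raw value rdmsr prints instead of relying on --bitfield: bit 59 of MSR 0x482 (IA32_VMX_PROCBASED_CTLS) is the allowed-1 bit for MTF, and the same slicing reads the EPT bit of MSR 0x48B (IA32_VMX_PROCBASED_CTLS2), which altp2m needs. check_host assumes msr-tools is installed as described above; the other functions work on any hex value and can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original page): decode the raw values that
# rdmsr prints for the VMX capability MSRs Drakvuf depends on.
# For IA32_VMX_PROCBASED_CTLS (0x482) and IA32_VMX_PROCBASED_CTLS2 (0x48B)
# the high 32 bits are the "allowed-1" settings: a control can only be
# enabled by the hypervisor if its bit is set there. rdmsr prints the
# 64-bit value as bare hex without leading zeros, so we pad before slicing.

# msr_hi VALUE -> the high 32 bits (allowed-1 half) as 8 hex digits
msr_hi() {
    v=$(printf '%16s' "${1#0x}" | tr ' ' 0)   # left-pad to 16 hex digits
    printf '%s\n' "${v%????????}"              # strip the low 8 digits
}

# msr_bit VALUE BIT -> 1 or 0 for MSR bit BIT (32..63) of a raw value;
# working on the 32-bit half keeps the arithmetic inside a signed long
msr_bit() {
    hi=$(msr_hi "$1")
    printf '%d\n' "$(( (0x$hi >> ($2 - 32)) & 1 ))"
}

# Monitor Trap Flag: primary control bit 27 -> MSR 0x482 bit 59.
# This is the bit the page checks; without it Drakvuf cannot single-step.
mtf_supported() { msr_bit "$1" 59; }

# "Activate secondary controls": primary control bit 31 -> MSR 0x482 bit 63.
secondary_ctls_supported() { msr_bit "$1" 63; }

# EPT (required for altp2m): secondary control bit 1 -> MSR 0x48B bit 33.
ept_supported() { msr_bit "$1" 33; }

# check_host: read both MSRs on the running dom0 (needs msr-tools and the
# msr module, as on the page) and return 0 only if MTF and EPT are usable.
check_host() {
    modprobe msr 2>/dev/null
    ctls=$(rdmsr 0x482) || return 2
    ctls2=$(rdmsr 0x48B) || return 2
    echo "MTF=$(mtf_supported "$ctls")"
    echo "SECONDARY_CTLS=$(secondary_ctls_supported "$ctls")"
    echo "EPT=$(ept_supported "$ctls2")"
    [ "$(mtf_supported "$ctls")" = 1 ] && [ "$(ept_supported "$ctls2")" = 1 ]
}
```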
On my system, Drakvuf failed to work with XEN 4.9 and 4.10; I had to switch to XEN 4.11 rc6.
Some hints to compile XEN over here. There is no need to compile/install stubdom indeed — as described on the Drakvuf home page and guide. A list of required Ubuntu packages is provided on that page but those are missing for the xen compilation target,
apt install libpython-dev
apt install fig2dev pandoc markdown
apt install libnl-3-dev libnl-route-3-dev
Add this boot argument to xen.gz,
altp2m=1
The hap=false setting crashes the whole system, probably at the hypervisor level, when running Drakvuf. The hap_1gb=false hap_2mb=false settings do work. The dom0_mem, dom0_max_vcpus and dom0_vcpus_pin settings are not required for Drakvuf.
The XEN HVM guest config as usual but add,
altp2m = "external"
and replace memory by maxmem.
#apt install libxen-dev
git clone https://github.com/libvmi/libvmi.git
cd libvmi
./autogen.sh
./configure --enable-debug --disable-kvm
make -j4
make install
ldconfig
we now have a few tools available,
vmi-dump-memory vmi-module-list vmi-process-list vmi-win-guid
In case you are playing with LibVMI alone without Rekall, into the guest,
#tar xzf linux-offset-finder.tar.gz
git clone https://github.com/libvmi/libvmi.git
cd libvmi/tools/linux-offset-finder/
make
load and unload the offset module and you will get the vmi config out of the logs,
insmod findoffsets.ko
tail -9 /var/log/syslog | sed -r 's/^.*] //'
rmmod findoffsets
and configure LibVMI onto the dom0 or XSM-empowered guest,
vi /etc/libvmi.conf
then retrieve the kernel map from the guest to the dom0,
#scp xenial:/boot/System.map-4.4.0-21-generic .
scp root@devuanhvm:/boot/System.map-4.9.0-6-amd64 .
If you use Rekall further below, the syntax changes, e.g.,
xenial {
    ostype = "Linux";
    rekall_profile = "/root/xenial.json";
}
pip install --upgrade setuptools pip wheel
pip install --upgrade rekall
pip list | grep rekall
#git clone https://github.com/google/rekall.git
#cd rekall
#pip install -r requirements.txt
#python setup.py build
#python setup.py install --record files.txt
Ref. http://structure.usc.edu/python/inst/standard-install.html
And for rekall convert_profile to run later on, one messed-up dependency had to be fixed on Devuan/ascii,
pip install --upgrade pyasn1
While on Slackware this was needed,
pip uninstall pika-pool
pip install pika-pool
pip install rekall
Into the guest (domU, here a Debian system),
apt-get install git zip linux-headers-$(uname -r) build-essential
git clone --depth=1 https://github.com/google/rekall
cd rekall/tools/linux
make
Then onto the host (dom0),
#scp root@xenial:/root/rekall/tools/linux/4.4.0-21-generic.zip .
#rekall convert_profile 4.4.0-21-generic.zip ~/xenial.json
#rekall convert_profile 3.16.0-4-amd64.zip ~/linux.json
scp root@devuanhvm:/root/rekall/tools/linux/4.9.0-6-amd64.zip .
rekall convert_profile 4.9.0-6-amd64.zip ~/devuanhvm.json
git clone https://github.com/tklengyel/drakvuf.git
cd drakvuf
autoreconf -vi
enable debug,
./configure --enable-debug
alternatively, disable all the plugins,
#./configure --enable-debug --disable-plugin-syscalls --disable-plugin-poolmon --disable-plugin-filetracer --disable-plugin-filedelete --disable-plugin-objmon --disable-plugin-exmon --disable-plugin-ssdtmon --disable-plugin-debugmon --disable-plugin-cpuidmon --disable-plugin-socketmon --disable-plugin-regmon --disable-plugin-procmon
and compile,
make -j4
run normally,
#src/drakvuf -r /root/xenial.json -d xenial
src/drakvuf -r /root/devuanhvm.json -d devuanhvm
run with debug -v,
src/drakvuf -v -r /root/xenial2.json -d xenial2 2> /var/tmp/drakvuf.debug.xenial2.`date +%s`.stderr.txt