https://sci-hub.st/10.1145/2664243.2664252

libVMI -----> libxc/libxs -----> IOCTL -----> Dom0 Kernel -----> Xen Core
 ||               ||              ||              ||                ||
 ||---- Call -----||---- Call ----||-- Syscall ---||-- Hypercall ---||


FUNCTIONS:

drakvuf_init

init_vmi - vmi_init

find_kernbase

inject_trap_mem

register_mem_event

drakvuf_loop - drakvuf_vmi_event_callback

driver_get_vcpureg

driver_set_mem_access

vmi_init_paging

vmi_pagetable_lookup

vmi_read_addr_ksym

vmi_read - vmi_read_x

vmi_write_8_pa

vmi_set_mem_event

vmi_register_event

vmi_events_listen - xen_events_listen

xen_set_mem_access

xen_init_vmi - driver_init_vmi

xen_init_events

FUNCTIONALITY:

Search For KASLR Offset (linux_init)

Rekall & Dwarf Profiles

Events

Set mem access (trapping)

Syscalls (bp injection)

Stealth

XEN Specific

XEN LibVMI Libs wrappers

XEN EMULATE RESPONSE

XEN Linux Osdep

XEN Hypercall IOCTLs (privcmd)

XEN Arm mem_access


DRAKVUF ON ARM/LINUX:

https://arm-drakvuf.blogspot.com/

https://github.com/tklengyel/drakvuf/issues/289

https://github.com/tklengyel/drakvuf/pull/226

Bryan Payne, An Introduction to Virtual Machine Introspection Using LibVMI (ACSAC 2014 MMF workshop slides): https://www.acsac.org/2014/workshops/mmf/Bryan-Payne-An Introduction to Virtual Machione Introspection Using LibVMI.pdf

Content

https://github.com/libvmi/libvmi
