<h1 align="center"> <br>KVM-VMI</br> </h1> <h3 align="center"> KVM-based Virtual Machine Introspection. </h3> <p align="center"> <a href="https://kvm-vmi.slack.com"> <img src="https://img.shields.io/badge/Slack-KVM--VMI-important" alt="Slack"> </a> <a href="mailto:mathieu.tarral@protonmail.com"> <img src="https://img.shields.io/badge/📧-Ask Slack Invite-blue" alt="Ask Slack Invite"> </a> <a href="https://kvm-vmi.github.io/kvm-vmi/master/"> <img src="https://img.shields.io/badge/📖-Documentation-green" alt="Documentation"> </a> </p>
Overview
This project adds virtual machine introspection to the KVM hypervisor.
Virtual Machine Introspection (VMI) is a technique for understanding a guest's execution context solely from the VM's hardware state (vCPU registers and guest memory) as seen from the hypervisor, without an agent inside the guest. It is used for:
- Debugging
- Malware Analysis
- Live-Memory Analysis
- OS Hardening
- Monitoring
- Fuzzing
See the presentations section for more information.
This project is divided into 4 components:
- **kvm**: Linux kernel with VMI patches for KVM
- **qemu**: patched to allow introspection
- **nitro** (legacy): userland library which receives events, introspects the virtual machine state, and fills the semantic gap
- **libvmi**: virtual machine introspection library with a unified API across Xen and KVM
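The component list above mentions "filling the semantic gap": the hypervisor only sees raw guest memory, and an introspector has to rebuild OS-level objects (here, the process list) from bytes plus a known kernel layout. The following is an added example and is not code from kvm-vmi, Nitro or libvmi. It builds a constructed 4 KiB guest memory image containing a circular linked list of minimal task structs with hypothetical field offsets (`OFF_PID`, `OFF_COMM`, `OFF_TASKS_NEXT`), assumes identity address translation (guest virtual == guest physical) so that no page-table walk is needed, and then walks the list from the introspector's side. The walk treats every pointer as untrusted guest data: reads are bounds-checked and the iteration count is capped, so a corrupted or malicious list cannot make the analysis tool read out of range or spin forever.

```c
/* Added example (not part of the kvm-vmi project). Toy "semantic gap"
 * reconstruction: recover a process list from raw guest memory.
 * Struct layout, addresses and identity mapping are assumptions of this
 * example, not real Linux offsets. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define GUEST_MEM_SIZE 4096          /* size of the constructed guest image */
#define MAX_PROCS 64                 /* iteration cap for the list walk */
#define COMM_LEN 16
#define SAMPLE_INIT_TASK 0x100       /* hypothetical address of init_task */

/* Hypothetical task_struct layout; a real introspector takes these from a
 * kernel profile (e.g. a Rekall/Volatility profile or System.map + debug
 * info). In this toy layout tasks.next points at the next struct's base. */
enum { OFF_PID = 0, OFF_COMM = 4, OFF_TASKS_NEXT = 24, TASK_SIZE = 40 };

typedef struct { uint8_t mem[GUEST_MEM_SIZE]; } guest_t;   /* guest RAM */
typedef struct { uint32_t pid; char comm[COMM_LEN]; } proc_t;

/* Bounds-checked read of guest physical memory. The address is guest
 * controlled, so it is never used unchecked. */
static int guest_read(const guest_t *g, uint64_t pa, void *out, size_t len) {
    if (pa > GUEST_MEM_SIZE || len > GUEST_MEM_SIZE - pa) return -1;
    memcpy(out, g->mem + pa, len);
    return 0;
}

/* "Guest side" helper: lay down one task struct at pa (constructed data). */
static void guest_put_task(guest_t *g, uint64_t pa, uint32_t pid,
                           const char *comm, uint64_t next) {
    memcpy(g->mem + pa + OFF_PID, &pid, sizeof pid);
    memset(g->mem + pa + OFF_COMM, 0, COMM_LEN);
    strncpy((char *)g->mem + pa + OFF_COMM, comm, COMM_LEN - 1);
    memcpy(g->mem + pa + OFF_TASKS_NEXT, &next, sizeof next);
}

/* Constructed guest: three tasks in a closed circular list. */
void build_sample_guest(guest_t *g) {
    memset(g, 0, sizeof *g);
    guest_put_task(g, 0x100, 0,    "swapper/0", 0x200);
    guest_put_task(g, 0x200, 1,    "systemd",   0x300);
    guest_put_task(g, 0x300, 1234, "sshd",      0x100);
}

/* Same guest, but the last next pointer has been corrupted to point
 * outside guest RAM (what a hostile guest or a stale profile produces). */
void build_corrupt_guest(guest_t *g) {
    build_sample_guest(g);
    uint64_t bad = 0xdead0000ULL;
    memcpy(g->mem + 0x300 + OFF_TASKS_NEXT, &bad, sizeof bad);
}

/* Introspector side: walk the task list from init_task and recover
 * (pid, comm) for each entry. Returns the number of entries, or -1 when the
 * guest state is inconsistent (pointer out of range, or the list does not
 * close within `max` hops). */
int vmi_list_processes(const guest_t *g, uint64_t init_task,
                       proc_t *out, int max) {
    uint64_t cur = init_task;
    int n = 0;
    do {
        if (n >= max) return -1;                       /* cap: no endless spin */
        if (cur > GUEST_MEM_SIZE - TASK_SIZE) return -1; /* whole struct in RAM */
        if (guest_read(g, cur + OFF_PID, &out[n].pid, sizeof(uint32_t)) < 0) return -1;
        if (guest_read(g, cur + OFF_COMM, out[n].comm, COMM_LEN) < 0) return -1;
        out[n].comm[COMM_LEN - 1] = '\0';              /* force termination */
        n++;
        if (guest_read(g, cur + OFF_TASKS_NEXT, &cur, sizeof cur) < 0) return -1;
    } while (cur != init_task);
    return n;
}

int main(void) {
    static guest_t g;
    proc_t procs[MAX_PROCS];
    build_sample_guest(&g);
    int n = vmi_list_processes(&g, SAMPLE_INIT_TASK, procs, MAX_PROCS);
    for (int i = 0; i < n; i++)
        printf("pid %5u  comm %s\n", procs[i].pid, procs[i].comm);
    build_corrupt_guest(&g);
    printf("corrupt list -> %d\n",
           vmi_list_processes(&g, SAMPLE_INIT_TASK, procs, MAX_PROCS));
    return 0;
}
```

A real introspector (libvmi's `vmi_read_*_va` family, for instance) adds two things this toy skips: translating guest virtual addresses through the guest's page tables, and subtracting the `list_head` member offset because Linux's `tasks.next` points at the embedded list node rather than at the struct base. The defensive pattern is the same either way: a guest that controls the memory you are walking can feed you any pointer, so bound every read and cap every loop.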
At the moment, 2 versions of VMI patches are available for QEMU/KVM in this repository:
Installation
Follow the Setup guide
Presentations
- Bringing Commercial Grade Virtual Machine Introspection to KVM
- KVM Forum 2019: Advanced VMI on KVM - A Progress Report
- Hack.lu 2019: Leveraging KVM as a Debugging Platform
- Advanced VMI on KVM: A Progress Report
References
The legacy VMI system contained in this repo (Nitro) is based on Jonas Pfoh's work: