LIBVMI 功能介绍 - virtManagement/monitorSystem GitHub Wiki

LIBVMI 功能介绍


## 一、Libvmi基本介绍 >     LibVMI是一套支持Python语言绑定的C语言库。通过这套库,能使我们更方便的通过查看虚拟机内存、获取VCPU寄存器的数据以及自陷硬件事件等方式监控虚拟机的一些底层详细信息。这种在虚拟机外部做监控的方式称为虚拟机自省。

二、Libvmi支持的平台

  • 支持的系统架构:Intel、AMD64、ARM
  • 支持的虚拟化技术:xen(3.x through 4.1)、kvm (with patch against QEMU-KVM 0.14)
  • 支持被监控的系统类型:windows、Linux(64-bit support in version 0.8 and newer)

三、Libvmi获取数据的来源及方式

数据来源

  • 通过读取物理内存
  • 读取虚拟内存
  • 读取操作系统及应用程序级的符号表
  • pausing and unpausing a VM, printing binary data,
  • reading physical memory snapshots when saved as a file. (e.g., VMWare snapshots)

获取数据的方法

  • 通过注册寄存器或者内存事件,当寄存器和内存发生事件时,通过回调函数获取事件的具体信息

四、Libvmi支持的开发语言

  • 提供原生C语言开发库(LibVMI)
  • 支持Python语言绑定(PyVMI)

五、Libvmi能实现的功能 [核心部分Features]

  • Volatility address space plugin enabled running Volatility on a live VM

  • Read and write arbitrary data from and to memory

  • Access memory using physical addresses, virtual addresses, or kernel symbols

  • Parse kernel symbols dynamically from running Windows kernel while also providing access to symbols from the KPCR table

  • Load Linux kernel symbols from system map file

  • Expose useful address translation functions through API functions to resolve kernel symbols to a virtual address or translate a kernel or user virtual address into a physical address

  • Pause/unpause the VM through an API function

  • Write your introspection code once and have it work across multiple virtualization platforms

  • 主要通过获取虚拟机的寄存器和内存数据来获取虚拟机的状态信息

    • 通过获取内存中进程数据结构链表获取系统中运行的进程列表
    • 通过读取寄存器与内存数据,跟踪一个进程执行的系统调用过程,可以用于分析病毒的行为
    • 通过注册指定内存区域,当内存区域发生读写操作时,产生内存事件,监听并处理此事件来获取指定内存区域的状况

六、Libvmi核心API介绍

  1. 核心数据结构
vmi_instance_t  //  Struct that holds instance information

事件
vmi_event_t  
01794 /*---------------------------------------------------------
01795  * Event management
01796  */
01797 
01798 /* The types of events that can be requested of hypervisors with requisite
01799  *  features.
01800  */
01801 typedef enum {
01802     VMI_EVENT_INVALID,
01803     VMI_EVENT_MEMORY,    /* Read/write/execute on a region of memory */
01804     VMI_EVENT_REGISTER,  /* Read/write of a specific register */
01805     VMI_EVENT_SINGLESTEP,/* Instructions being executed on a set of VCPUs */
01806     VMI_EVENT_INTERRUPT  /* Interrupts being delivered */
01807 } vmi_event_type_t;

01971 struct vmi_event;
01972 typedef struct vmi_event vmi_event_t;
  1. 核心接口函数
初始化vmi_instance_t接口的接口函数
status_t vmi_init (vmi_instance_t *vmi, uint32_t flags, const char *name)
......

读写寄存器数据的接口
status_t vmi_get_vcpureg (vmi_instance_t vmi, reg_t *value, registers_t reg, unsigned long vcpu)
status_t vmi_set_vcpureg (vmi_instance_t vmi, reg_t value, registers_t reg, unsigned long vcpu)
......

读写内存数据的接口很多vmi_read_32_va
vmi_read_str_va
vmi_read_addr_va
......

地址转换接口很多 虚拟地址-物理地址-内核符号地址addr_t vmi_translate_kv2p (vmi_instance_t vmi, addr_t vaddr)
addr_t vmi_translate_uv2p (vmi_instance_t vmi, addr_t vaddr, vmi_pid_t pid)
addr_t vmi_translate_ksym2v (vmi_instance_t vmi, const char *symbol)
......

获取vm基本信息的接口
uint64_t vmi_get_memsize (vmi_instance_t vmi)
unsigned int vmi_get_num_vcpus (vmi_instance_t vmi)
os_t vmi_get_ostype (vmi_instance_t vmi)
uint8_t vmi_get_address_width (vmi_instance_t vmi)
......

事件接口
status_t vmi_register_event (vmi_instance_t vmi, vmi_event_t *event)
vmi_event_t* vmi_get_mem_event (vmi_instance_t vmi, addr_t physical_address, vmi_memevent_granularity_t granularity)
status_t vmi_events_listen (vmi_instance_t vmi, uint32_t timeout)
......

七、Libvmi 相关网站

Add a custom footer
⚠️ **GitHub.com Fallback** ⚠️