A forum for reverse engineering, OS internals and malware analysis

Forum for announcements and questions about tools and software.
#20517 by p4r4n0id
Sat Aug 17, 2013 9:00 pm
Actaeon is a tool to perform memory forensics of virtualization environments. Starting from a physical memory dump, Actaeon can achieve three important goals:

1) locate any hypervisor (virtual machine monitor) that uses the Intel VT-x technology,
2) detect and analyze nested virtualization and show the relationships among different hypervisors running on the same machine,
3) provide a transparent mechanism to recognize and support the address space of the virtual machines.

http://s3.eurecom.fr/tools/actaeon/
#20531 by feryno
Mon Aug 19, 2013 9:10 am
Hi, p4r4n0id, thanks for sharing the interesting link.

From the Intro page:
Actaeon adopts a hypervisor-agnostic approach, based on locating the VMCS data structure in memory.
I just wonder how it could find the VMCS if a malicious hypervisor uses EPT to make its memory not present for the guest and protects its memory using VT-d against DMA attacks.
Anyway it is necessary to be prepared for such possible malware.
#20549 by p4r4n0id
Tue Aug 20, 2013 9:25 pm
feryno wrote: Hi, p4r4n0id, thanks for sharing the interesting link.

From the Intro page:
Actaeon adopts a hypervisor-agnostic approach, based on locating the VMCS data structure in memory.
I just wonder how it could find the VMCS if a malicious hypervisor uses EPT to make its memory not present for the guest and protects its memory using VT-d against DMA attacks.
Anyway it is necessary to be prepared for such possible malware.
Good point! No idea :)