A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #22508  by KeBugCheck
 Fri Mar 21, 2014 1:55 pm
Hello friends :D ,

I would like to set up a virtual machine monitor using Microsoft Hyper-V, VMware vSphere/ESX, Xen, or any other alternative hypervisor solution that is able to monitor the execution of a guest OS (a VM within the VMM).

In particular, I'd like to be able to view the guest OS' instructions before they are run by the virtual CPU. Additionally, I'd also like to be able to set monitors on some of the guest OS' CPU registers so if they are modified (e.g. on write with a MOV instruction), the guest's state will be suspended at the location where the write occurred (and the rip/eip will point to that instruction).

I've been searching for a VMM solution that exposes a way to accomplish my goals, but I couldn't find anything.

Does anyone know what the best way of approaching such a thing is? Any recommendations on the hypervisor that I should be using? (I'm guessing that Xen would probably be easiest to modify and debug since it's open source)

Thanks a lot.

Cheers,
 #22539  by kareldjag/michk
 Mon Mar 24, 2014 6:00 pm
Hi
I had a focus on VM threats, not for the same needs.
Maybe debugging is enough for your goal? For the Windows kernel only, or also on *nix systems?
I remember a tool presented at SSTIC, the French BlackHat, called VirtDbg, that uses virtualization
https://code.google.com/p/virtdbg/
Presentation http://esec-lab.sogeti.com/dotclear/pub ... slides.pdf
It is enough for read/write tasks, memory and register inspection, etc.
Regarding hypervisors, there are only a very few open source ones.
Bitvisor is certainly the most mature of them, made in the country of Ranpo Edogawa, Dragon Ball or http://www.kernelmode.info/forum/member ... ile&u=2815
Bitvisor http://www.bitvisor.org
There is also Ramooflax, already discussed here:
https://github.com/sduverger/ramooflax
http://www.kernelmode.info/forum/viewto ... =11&t=1481
Moreover, I guess that most VM/emulator solutions, proprietary or open source, provide internal tools or commands to debug the guest environment.
As a plus, there is also Actaeon, discussed on this board: http://s3.eurecom.fr/tools/actaeon/
VM analysis in general, from a forensic angle, can suffer from reliability issues and false positives; for instance any USB device inserted can change and alter the parameters and make the evidence definitively lapsed...
Leave and let live the VM...

Rgds
 #22551  by feryno
 Tue Mar 25, 2014 8:19 am
KeBugCheck wrote:In particular, I'd like to be able to view the guest OS' instructions before they are run by the virtual CPU. Additionally, I'd also like to be able to set monitors on some of the guest OS' CPU registers so if they are modified (e.g. on write with a MOV instruction), the guest's state will be suspended at the location where the write occurred (and the rip/eip will point to that instruction).
Suspending the guest state on one CPU is not a problem, but I suggest suspending the other CPUs as well (otherwise the OS watchdog timer may BSOD if some CPU doesn't respond within some timeout).

When all CPUs are suspended you have the problem of how to communicate with such a system: you have to send output and get input, usually via some cable (serial, USB, FireWire, LAN, etc.). If you dislike having 2 connected PCs and want to have only 1 PC, then in theory you can easily read from the PS/2 keyboard I/O ports and write directly to the framebuffer of the graphics card, but that also requires solving a lot of problems (e.g. today the standard is a USB keyboard, not PS/2, and framebuffers are implemented in various ways).
I've been searching for a VMM solution that exposes a way to accomplish my goals, but I couldn't find anything.

Does anyone know what the best way of approaching such a thing is? Any recommendations on the hypervisor that I should be using? (I'm guessing that Xen would probably be easiest to modify and debug since it's open source)
You can easily watch instructions like MOV to/from debug registers, MOV to/from control registers, RDMSR/WRMSR, and I/O port access instructions.
At early stages of your development I suggest not suspending the OS running in the guest, but rather storing VM exit info in some memory buffer so you can analyze it later from the running OS.
You have to decide whether to load the hypervisor before the OS (UEFI app or driver, or BIOS bootkit) or from the running OS (ring0 driver).

A little off topic:
About the Actaeon project:
I saw in the latest Intel CPUs (Xeon E3 1230 v3 = Haswell; I don't know yet whether the same is true in desktop Haswells) that the VMCS is almost empty and all the info is stored in CPU caches, not in memory. Actaeon can't find the VMCS on these CPUs.
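As an added example (not code from this thread, nor from VirtDbg, Bitvisor, Ramooflax or Actaeon), the following C sketch shows the "log the VM exits to a buffer instead of suspending the guest" approach from the previous post. It decodes the exit qualification for the four exit kinds Intel VT-x reports for privileged register and port access (MOV to/from CR, reason 28; MOV to/from DR, reason 29; I/O instructions, reason 30; RDMSR/WRMSR, reasons 31/32), using the field layouts from the Intel SDM Vol. 3 exit-qualification tables, and appends them to a ring buffer that can be queried later for the last write to a given resource. Everything in it is an assumption about how such a handler would be structured: a real hypervisor reads the exit reason, exit qualification and guest RIP from the VMCS with VMREAD (and RCX from the saved guest registers) and feeds them into `record_exit`; here those values are constructed inline. Two caveats worth keeping in mind: ordinary MOVs into general-purpose registers never cause a VM exit, so the per-register "watch" from the original question cannot be done this way (only CR/DR/MSR/port accesses, and only the ones the VMCS controls, CR masks and MSR/I/O bitmaps enable); and because these exits are delivered before the instruction executes, the logged guest RIP points at the instruction itself, which is what the original question asked for.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Basic VM-exit reasons from Intel SDM Vol. 3, Appendix C. */
enum {
    EXIT_REASON_CR_ACCESS      = 28,
    EXIT_REASON_DR_ACCESS      = 29,
    EXIT_REASON_IO_INSTRUCTION = 30,
    EXIT_REASON_RDMSR          = 31,
    EXIT_REASON_WRMSR          = 32
};

enum { LOG_SLOTS = 256 };   /* assumed buffer size; a real handler would size this for its workload */

/* One decoded VM exit. kind is 'C' (control reg), 'D' (debug reg),
 * 'I' (I/O port) or 'M' (MSR); index is the CR/DR number, port or MSR. */
struct exit_record {
    uint64_t guest_rip;   /* RIP of the instruction that exited (not yet executed) */
    uint32_t index;
    uint8_t  kind;
    uint8_t  is_write;    /* 1: guest writes the resource, 0: guest reads it */
    uint8_t  gpr;         /* GPR operand (0=RAX ... 15=R15) for CR/DR moves */
    uint8_t  size;        /* access width in bytes for I/O, else 0 */
};

struct exit_log {
    struct exit_record slot[LOG_SLOTS];
    uint32_t head;        /* next slot to write */
    uint32_t total;       /* records ever written; may exceed LOG_SLOTS */
};

static void log_push(struct exit_log *log, const struct exit_record *r)
{
    log->slot[log->head] = *r;
    log->head = (log->head + 1) % LOG_SLOTS;   /* oldest entries are overwritten */
    log->total++;
}

/* Decode one VM exit and append it to the log. Returns 1 if the exit was one
 * of the watched kinds, 0 if it was ignored. qual is the VMCS exit
 * qualification; guest_rcx supplies the MSR index for RDMSR/WRMSR. */
int record_exit(struct exit_log *log, uint32_t reason, uint64_t qual,
                uint64_t guest_rip, uint64_t guest_rcx)
{
    struct exit_record r;
    memset(&r, 0, sizeof r);
    r.guest_rip = guest_rip;

    switch (reason) {
    case EXIT_REASON_CR_ACCESS: {
        unsigned type = (qual >> 4) & 3;   /* 0 MOV to CR, 1 MOV from CR, 2 CLTS, 3 LMSW */
        r.kind     = 'C';
        r.index    = (type >= 2) ? 0 : (uint32_t)(qual & 0xF);   /* CLTS/LMSW act on CR0 */
        r.is_write = (type != 1);
        r.gpr      = (uint8_t)((qual >> 8) & 0xF);
        break;
    }
    case EXIT_REASON_DR_ACCESS:
        r.kind     = 'D';
        r.index    = (uint32_t)(qual & 7);
        r.is_write = !((qual >> 4) & 1);   /* bit 4: 0 = MOV to DR, 1 = MOV from DR */
        r.gpr      = (uint8_t)((qual >> 8) & 0xF);
        break;
    case EXIT_REASON_IO_INSTRUCTION:
        r.kind     = 'I';
        r.index    = (uint32_t)((qual >> 16) & 0xFFFF);   /* port number */
        r.size     = (uint8_t)((qual & 7) + 1);           /* bits 2:0: 0=1, 1=2, 3=4 bytes */
        r.is_write = !((qual >> 3) & 1);                  /* bit 3: 0 = OUT, 1 = IN */
        break;
    case EXIT_REASON_RDMSR:
    case EXIT_REASON_WRMSR:
        r.kind     = 'M';
        r.index    = (uint32_t)guest_rcx;   /* ECX holds the MSR index */
        r.is_write = (reason == EXIT_REASON_WRMSR);
        break;
    default:
        return 0;   /* not a register/port access; let the normal handler deal with it */
    }
    log_push(log, &r);
    return 1;
}

/* Most recent logged access to a resource, newest first; NULL if none.
 * With writes_only set, read accesses are skipped. */
const struct exit_record *last_access(const struct exit_log *log, uint8_t kind,
                                      uint32_t index, int writes_only)
{
    uint32_t n = log->total < LOG_SLOTS ? log->total : LOG_SLOTS;
    for (uint32_t i = 1; i <= n; i++) {
        const struct exit_record *r = &log->slot[(log->head + LOG_SLOTS - i) % LOG_SLOTS];
        if (r->kind == kind && r->index == index && (!writes_only || r->is_write))
            return r;
    }
    return NULL;
}

int main(void)
{
    struct exit_log log;
    memset(&log, 0, sizeof log);
    /* Constructed exits with the values a handler would VMREAD; RIPs are made up. */
    record_exit(&log, EXIT_REASON_CR_ACCESS,      0x003,    0xfffff80000401000ULL, 0);          /* mov cr3, rax */
    record_exit(&log, EXIT_REASON_CR_ACCESS,      0x310,    0xfffff80000401010ULL, 0);          /* mov rbx, cr0 */
    record_exit(&log, EXIT_REASON_DR_ACCESS,      0x707,    0xfffff80000401020ULL, 0);          /* mov dr7, rdi */
    record_exit(&log, EXIT_REASON_IO_INSTRUCTION, 0x800040, 0xfffff80000401030ULL, 0);          /* out 0x80, al */
    record_exit(&log, EXIT_REASON_WRMSR,          0,        0xfffff80000401040ULL, 0xC0000080); /* wrmsr (IA32_EFER) */

    const struct exit_record *r = last_access(&log, 'C', 3, 1);
    if (r)
        printf("last write to CR3 at guest RIP %#llx from GPR %u\n",
               (unsigned long long)r->guest_rip, r->gpr);
    return 0;
}
```

The handler only records what the VMCS controls actually make exit: CR0/CR4 writes exit only for bits set in the guest/host masks, CR3 and CR8 need their load/store-exiting controls, MOV DR needs MOV-DR exiting, and RDMSR/WRMSR and port I/O exit either unconditionally or as selected by the MSR and I/O bitmaps. Single-stepping every guest instruction, the other half of the original question, is a separate mechanism (the monitor trap flag) and is not shown here.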