Setting up LibVMI and Drakvuf

Tested on Slackware/14.2 and Devuan/ascii with XEN 4.11 rc6

Introduction

There is no need to install XEN and LibVMI specifically from the submodules of the Drakvuf GIT repository. We can use the latest XEN release and the current LibVMI GIT repo.

Also, this helps the chain of software compilation work after each make install, so that libraries installed into /usr/local/lib are found by the next build step,

cat /etc/ld.so.conf
echo /usr/local/lib >> /etc/ld.so.conf
ldconfig
#tail ~/.bashrc
#echo "export LD_LIBRARY_PATH=\$LD_LIBRARY_PATH:/usr/local/lib" >> ~/.bashrc
#source ~/.bashrc

And for Drakvuf to compile on Slackware against the LibVMI dependency, this was particularly helpful (thanks to ##workingset on Freenode),

export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/local/lib/pkgconfig
#cat /usr/local/lib/pkgconfig/libvmi.pc
#CFLAGS="-I/usr/local/include" LIBS="-L/usr/local/lib" ./configure --enable-debug

Requirements

Intel EPT or AMD RVI (most probably Drakvuf only implements EPT, as altp2m is Intel-only)

On Slackware,

sbopkg -i msr-tools

On Debian,

apt install msr-tools

Check for the Monitor Trap Flag (MTF); this should return 1,

modprobe msr
rdmsr --bitfield 59:59 $((0x00000482))

otherwise you will get this error when trying to run Drakvuf,

Failed to register singlestep for vCPU 0
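As an added example (not from the original page), here is the MTF check as a small script: the bit-field test that rdmsr --bitfield 59:59 performs on IA32_VMX_PROCBASED_CTLS (MSR 0x482) is separated into a pure arithmetic function, so a saved MSR value can be decoded without root, and a second function reads the live MSR through msr-tools. The function names are chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original page: decode the Monitor Trap Flag
# capability bit from IA32_VMX_PROCBASED_CTLS (MSR 0x482), which is what
# "rdmsr --bitfield 59:59 0x482" reports, and optionally check the live CPU.

VMX_PROCBASED_CTLS_MSR=0x482   # IA32_VMX_PROCBASED_CTLS

# mtf_bit_from_msr HEXVALUE: print 1 if bit 59 of the 64-bit MSR value is
# set (MTF is in the high "allowed-1" dword), else 0. Pure arithmetic, so it
# can be checked against a saved value without root.
mtf_bit_from_msr() {
    printf '%d\n' $(( ($1 >> 59) & 1 ))
}

# check_mtf_live: read the MSR through msr-tools (needs root and the msr
# module). Returns 0 when MTF is available, 1 when it is not, 2 when the
# register cannot be read at all.
check_mtf_live() {
    if ! command -v rdmsr >/dev/null 2>&1; then
        echo "rdmsr not found: install msr-tools" >&2
        return 2
    fi
    modprobe msr 2>/dev/null
    raw=$(rdmsr "$VMX_PROCBASED_CTLS_MSR" 2>/dev/null) || {
        echo "cannot read MSR $VMX_PROCBASED_CTLS_MSR (run as root on dom0)" >&2
        return 2
    }
    if [ "$(mtf_bit_from_msr "0x$raw")" = 1 ]; then
        echo "MTF supported (IA32_VMX_PROCBASED_CTLS=0x$raw)"
        return 0
    fi
    echo "MTF not supported: Drakvuf will fail with 'Failed to register singlestep'" >&2
    return 1
}

# The live check only runs when the script is invoked as "./mtfcheck.sh live";
# otherwise the functions are just defined for use from another script.
case "${1-}" in
    live) check_mtf_live ;;
esac
```

rdmsr prints the register as bare hex digits, hence the 0x prefix added before the value is handed to the arithmetic. A return code of 2 means the check itself could not run (no msr-tools, no msr module, not root), which is worth telling apart from a genuine "no MTF" answer.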

Switch to XEN 4.11

On my system Drakvuf failed to work with XEN 4.9 and 4.10; I had to switch to XEN 4.11 rc6.

Some hints to compile XEN over here. There is indeed no need to compile/install stubdom, as described on the Drakvuf home page and guide. A list of required Ubuntu packages is provided on that page, but these are missing for the xen compilation target,

apt install libpython-dev
apt install fig2dev pandoc markdown
apt install libnl-3-dev libnl-route-3-dev

Add this boot argument to xen.gz,

altp2m=1

The hap=false setting crashes the whole system, probably at the hypervisor level, when running Drakvuf. The hap_1gb=false and hap_2mb=false settings do work. The dom0_mem, dom0_max_vcpus and dom0_vcpus_pin settings are not required for Drakvuf.

The XEN HVM guest config is as usual, but add,

altp2m = "external"

and replace memory with maxmem.
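As an added example (not from the original page), the two hypervisor-side requirements above, altp2m=1 on the xen.gz boot line and an HVM guest config with altp2m = "external" and maxmem instead of memory, as a script: one function checks the xen_commandline line of xl info for the boot argument, one writes a guest config in xl.cfg syntax, and one validates it. The guest name, disk path, bridge name and memory sizes are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original page: check that the hypervisor was
# booted with altp2m=1, then write an xl HVM guest config carrying the two
# changes the page asks for (altp2m = "external", maxmem instead of memory).
# Guest name, disk path, bridge and memory sizes are placeholders.

# altp2m_boot_arg_present < "xl info" output: succeeds when the
# xen_commandline line contains the altp2m=1 boot argument.
altp2m_boot_arg_present() {
    grep -E '^xen_commandline[[:space:]]*:' \
        | grep -Eq '(^|[[:space:]])altp2m=1([[:space:]]|$)'
}

# write_hvm_cfg NAME MAXMEM_MB VCPUS DISK OUTFILE
write_hvm_cfg() {
    name="$1"; maxmem="$2"; vcpus="$3"; disk="$4"; out="$5"
    cat > "$out" <<EOF
# HVM guest for Drakvuf (xl.cfg syntax); generated by write_hvm_cfg
name   = "$name"
type   = "hvm"
# Let dom0 (Drakvuf/LibVMI) manage the guest's alternate p2m views.
altp2m = "external"
# The page replaces "memory" with "maxmem".
maxmem = $maxmem
vcpus  = $vcpus
disk   = [ 'phy:$disk,xvda,w' ]
vif    = [ 'bridge=xenbr0' ]
boot   = "c"
vnc    = 1
EOF
}

# validate_hvm_cfg FILE: both required settings present, "memory =" absent.
validate_hvm_cfg() {
    cfg="$1"
    grep -Eq '^altp2m[[:space:]]*=[[:space:]]*"external"' "$cfg" || return 1
    grep -Eq '^maxmem[[:space:]]*=[[:space:]]*[0-9]+' "$cfg" || return 1
    if grep -Eq '^memory[[:space:]]*=' "$cfg"; then
        return 1
    fi
    return 0
}

# Typical use on dom0 (needs xl):
#   xl info | altp2m_boot_arg_present || echo "add altp2m=1 to the xen.gz boot line"
#   write_hvm_cfg devuanhvm 2048 2 /dev/vg0/devuanhvm /etc/xen/devuanhvm.cfg
#   validate_hvm_cfg /etc/xen/devuanhvm.cfg && xl create /etc/xen/devuanhvm.cfg
```

type = "hvm" is the xl.cfg spelling for Xen 4.10 and later (the page targets 4.11); older configs use builder = "hvm". The validator deliberately rejects a leftover memory = line, since the page's instruction is to replace it, not to add maxmem next to it.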

LibVMI

#apt install libxen-dev
git clone https://github.com/libvmi/libvmi.git
cd libvmi
./autogen.sh
./configure --enable-debug --disable-kvm
make -j4
make install
ldconfig

We now have a few tools available,

vmi-dump-memory
vmi-module-list
vmi-process-list
vmi-win-guid

If you are using LibVMI alone, without Rekall, inside the guest,

#tar xzf linux-offset-finder.tar.gz
git clone https://github.com/libvmi/libvmi.git
cd libvmi/tools/linux-offset-finder/
make

Load and unload the offset module, and you will get the LibVMI config out of the logs,

insmod findoffsets.ko
tail -9 /var/log/syslog | sed -r 's/^.*] //'
rmmod findoffsets

and configure LibVMI on the dom0 (or on an XSM-empowered guest),

vi /etc/libvmi.conf

then retrieve the kernel System.map from the guest to the dom0,

#scp xenial:/boot/System.map-4.4.0-21-generic .
scp root@devuanhvm:/boot/System.map-4.9.0-6-amd64 .
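As an added example (not from the original page or from LibVMI), here is the "tail -9 /var/log/syslog" step turned into a script that produces a finished /etc/libvmi.conf stanza for the dom0. The syslog lines embedded below are constructed: they follow the nine-line stanza the findoffsets module prints (which is why the page tails nine lines), but the offset values are made up, and the domain name and System.map path are placeholders. One detail worth knowing: the greedy ".*] " in the page's sed also swallows the "[domain name]" token on the first line, so this version anchors on the kernel timestamp instead.

```shell
#!/bin/sh
# Added example, not from the original page or LibVMI: turn the nine lines
# that findoffsets.ko writes to the guest's syslog into a /etc/libvmi.conf
# stanza. Domain name, System.map path and offsets are constructed placeholders.

# Constructed sample of "tail -9 /var/log/syslog" in the guest right after
# "insmod findoffsets.ko" (offset values are made up for this example).
SAMPLE_SYSLOG='Jun 12 10:01:02 devuanhvm kernel: [  312.114512] [domain name] {
Jun 12 10:01:02 devuanhvm kernel: [  312.114520]     ostype = "Linux";
Jun 12 10:01:02 devuanhvm kernel: [  312.114524]     sysmap = "[insert path to System.map]";
Jun 12 10:01:02 devuanhvm kernel: [  312.114527]     linux_name = 0x5f0;
Jun 12 10:01:02 devuanhvm kernel: [  312.114530]     linux_tasks = 0x350;
Jun 12 10:01:02 devuanhvm kernel: [  312.114533]     linux_mm = 0x3a8;
Jun 12 10:01:02 devuanhvm kernel: [  312.114536]     linux_pid = 0x490;
Jun 12 10:01:02 devuanhvm kernel: [  312.114539]     linux_pgd = 0x50;
Jun 12 10:01:02 devuanhvm kernel: [  312.114542] }'

# offsets_to_libvmi_conf DOMAIN SYSMAP_PATH < syslog-lines
# Strips the syslog/printk prefix (anchored on "kernel: [ time] " rather than
# a greedy ".*] ", which would also eat "[domain name]"), then fills in the
# two placeholders the module leaves for you.
offsets_to_libvmi_conf() {
    domain="$1"; sysmap="$2"
    sed -E -e 's/^.*kernel: (\[ *[0-9]+\.[0-9]+\] )?//' \
           -e "s/^\[domain name\]/$domain/" \
           -e "s#\[insert path to System.map\]#$sysmap#"
}

# add_stanza DOMAIN SYSMAP_PATH CONF < syslog-lines
# Appends the stanza to CONF, refusing to add a domain twice.
add_stanza() {
    domain="$1"; sysmap="$2"; conf="$3"
    if [ -f "$conf" ] && grep -Eq "^$domain[[:space:]]*\{" "$conf"; then
        echo "$domain already present in $conf" >&2
        return 1
    fi
    offsets_to_libvmi_conf "$domain" "$sysmap" >> "$conf"
}

# Typical use on dom0, after copying the guest's syslog excerpt and System.map:
#   add_stanza devuanhvm /root/System.map-4.9.0-6-amd64 /etc/libvmi.conf < offsets.txt
#   vmi-process-list devuanhvm
```

The sysmap path must be the copy on the dom0 (the scp destination above), not the path inside the guest, because LibVMI reads it locally. The "#" delimiter in the last sed expression is there so a path containing slashes needs no escaping.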

If you use Rekall (see further below), the syntax changes, e.g.,

xenial {
    ostype = "Linux";
    rekall_profile = "/root/xenial.json";
}

Rekall

pip install --upgrade setuptools pip wheel
pip install --upgrade rekall
pip list | grep rekall

#git clone https://github.com/google/rekall.git
#cd rekall
#pip install -r requirements.txt
#python setup.py build
#python setup.py install --record files.txt

Ref. http://structure.usc.edu/python/inst/standard-install.html

And for rekall convert_profile to run later on, one broken dependency had to be fixed on Devuan/ascii,

pip install --upgrade pyasn1

While on Slackware this was needed,

pip uninstall pika-pool
pip install pika-pool
pip install rekall

Inside the guest (domU, here a Debian system),

apt-get install git zip linux-headers-$(uname -r) build-essential
git clone --depth=1 https://github.com/google/rekall
cd rekall/tools/linux
make

Then on the host (dom0),

#scp root@xenial:/root/rekall/tools/linux/4.4.0-21-generic.zip .
#rekall convert_profile 4.4.0-21-generic.zip ~/xenial.json
#rekall convert_profile 3.16.0-4-amd64.zip ~/linux.json

scp root@devuanhvm:/root/rekall/tools/linux/4.9.0-6-amd64.zip .
rekall convert_profile 4.9.0-6-amd64.zip ~/devuanhvm.json

Drakvuf

git clone https://github.com/tklengyel/drakvuf.git
cd drakvuf
autoreconf -vi

enable debug,

./configure --enable-debug

alternatively, disable all the plugins,

#./configure --enable-debug --disable-plugin-syscalls --disable-plugin-poolmon --disable-plugin-filetracer --disable-plugin-filedelete --disable-plugin-objmon --disable-plugin-exmon --disable-plugin-ssdtmon --disable-plugin-debugmon --disable-plugin-cpuidmon --disable-plugin-socketmon --disable-plugin-regmon --disable-plugin-procmon

and compile,

make -j4

run normally,

#src/drakvuf -r /root/xenial.json -d xenial
src/drakvuf -r /root/devuanhvm.json -d devuanhvm

run with debug output (-v), capturing stderr to a timestamped file,

src/drakvuf -v -r /root/xenial2.json -d xenial2 2> /var/tmp/drakvuf.debug.xenial2.`date +%s`.stderr.txt

References

Books & Papers

VMI Videos