
IntroVirt is a guest introspection library for KVM


IntroVirt/IntroVirt


IntroVirt

Description

IntroVirt, short for introspective virtualization, is a customized Hypervisor and library that provides a robust virtual machine introspection (VMI) application programming interface (API). VMI is the process of looking at the memory contents of a virtual machine during runtime. By applying knowledge of the guest operating system, introspection can be used for a variety of applications, including reverse engineering, debugging software, and securing guest VMs by limiting access to files or limiting an executing application’s functionality.

IntroVirt consists of three components: a patched version of the KVM Hypervisor, the IntroVirt userland library, and a Microsoft Program Database (MS PDB) parsing library, libmspdb.

Quick start


  1. Make sure SecureBoot is disabled on your system (you can also run IntroVirt nested in KVM)

    • If someone wants to help me figure out a way around this please do!
  2. Download the latest release for your Ubuntu version and install

    wget https://github.com/IntroVirt/IntroVirt/releases/latest/download/Ubuntu-$(lsb_release -sc)-$(lsb_release -sr).tar.xz
    tar -Jxvf Ubuntu-$(lsb_release -sc)-$(lsb_release -sr).tar.xz
    cd Ubuntu-$(lsb_release -sc)-$(lsb_release -sr)
    sudo apt install ./*.deb

  3. Make sure all VMs on the current system are off before installing kvm-introvirt.

  4. Download and install the latest kvm-introvirt release that matches your kernel version (uname -a). If one does not exist, see the instructions in the kvm-introvirt README.md for how to build it yourself and please submit an issue for support.

    • We try to keep up with the latest kernel for each supported LTS. If you are behind, consider updating.

    wget https://github.com/IntroVirt/kvm-introvirt/releases/latest/download/kvm-introvirt-$(uname -r).$(lsb_release -sr)-1.0.0.deb
    sudo apt install ./kvm-introvirt-$(uname -r).$(lsb_release -sr)-1.0.0.deb

  5. Test with: sudo ivversion

  6. Get a live system call trace from a running Windows 10 VM: sudo ivsyscallmon -D win10-22H2

    • This assumes you've installed a Windows 10 22H2 VM, named it "win10-22H2" and it is running.


Supported Kernels

| Distro | Latest Supported Kernel | Status |
|--------|-------------------------|--------|
| 18.04 | HWE 5.4.0-150-generic | EoL |
| 20.04 | HWE 5.15.0-119-generic | Supported |
| 22.04 | HWE 6.5.0-35-generic | Supported |
| 24.04 | HWE 6.8.0-41-generic | Supported |
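
Pre-flight checks for quick start steps 1 and 4, as an added example that is not part of the IntroVirt project: it reports Secure Boot state and classifies the running kernel against the Supported Kernels table above. The function names are hypothetical; it assumes mokutil is installed on UEFI systems and that sort supports -V (GNU coreutils).

```shell
#!/bin/sh
# Added example, not IntroVirt code. Kernel values are copied from the
# "Supported Kernels" table on this page; function names are hypothetical.

# Latest kernel listed for each Ubuntu release.
latest_supported_kernel() {
    case "$1" in
        18.04) echo "5.4.0-150-generic" ;;
        20.04) echo "5.15.0-119-generic" ;;
        22.04) echo "6.5.0-35-generic" ;;
        24.04) echo "6.8.0-41-generic" ;;
        *) return 1 ;;
    esac
}

# usage: kernel_status <ubuntu-release> <uname -r>
# prints: match | behind | ahead | unknown-release
kernel_status() {
    _latest=$(latest_supported_kernel "$1") || { echo "unknown-release"; return; }
    if [ "$2" = "$_latest" ]; then echo "match"; return; fi
    # sort -V orders version strings; the first line is the older kernel.
    _older=$(printf '%s\n%s\n' "$2" "$_latest" | sort -V | head -n 1)
    if [ "$_older" = "$2" ]; then
        echo "behind"   # older than the listed kernel: consider updating (step 4)
    else
        echo "ahead"    # newer than the listed kernel: build kvm-introvirt yourself
    fi
}

# Map the text printed by `mokutil --sb-state` to enabled | disabled | unknown.
parse_sb_state() {
    case "$1" in
        *"SecureBoot enabled"*) echo "enabled" ;;
        *"SecureBoot disabled"*) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

preflight() {
    _rel=$(lsb_release -sr 2>/dev/null || echo unknown)
    _kern=$(uname -r)
    if [ -d /sys/firmware/efi ]; then
        _sb=$(parse_sb_state "$(mokutil --sb-state 2>&1)")
    else
        _sb="n/a (not booted via UEFI)"
    fi
    echo "Secure Boot: $_sb (step 1 requires it to be disabled)"
    echo "Kernel $_kern on Ubuntu $_rel: $(kernel_status "$_rel" "$_kern")"
}

preflight
```
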

Supported Introspection Targets

IntroVirt is used to introspect a running virtual machine. The current release of IntroVirt supports Windows XP through Windows 10 22H2. Newer versions of Windows 10 may work, but you may experience unhandled exceptions in the user-land tools for changes to the Windows kernel that IntroVirt has not been updated for yet (hopefully soon though). Windows 11 is completely untested...so feel free to give it a try, though it will likely not work.

| OS | Latest Supported Version | Status |
|----|--------------------------|--------|
| Windows XP | All | EoL |
| Windows 7 | All | EoL |
| Windows 10 | 22H2 | Supported |
| Windows 11 | None | Unsupported (yet) |

Building on Ubuntu Linux

First, build and install libmspdb and kvm-introvirt.

Then, build from source:

    sudo apt-get install -y \
        python3 python3-jinja2 cmake make build-essential libcurl4-openssl-dev libboost-dev \
        libboost-program-options-dev git clang-format liblog4cxx-dev libboost-stacktrace-dev \
        doxygen
    git clone https://github.com/IntroVirt/IntroVirt.git
    cd IntroVirt/build
    cmake ..
    make -j

Debian packages can then be built and installed (recommended):

    make package
    sudo apt install ./*.deb

Or make can be used directly to install:

    sudo make install

Confirm everything is installed with: sudo ivversion

Building deb package for release

The deps for these steps can be installed with: sudo apt install debhelper devscripts

  1. If releasing a new version, bump the version number in CMakeLists.txt in these lines

    SET(PACKAGE_MAJOR_VERSION #)
    SET(PACKAGE_MINOR_VERSION #)
    SET(PACKAGE_PATCH_VERSION #)

  2. First copy the distro-specific files into place and update the changelog

    export DEBEMAIL="youremail@domain.com"
    cp ./debian/control.$(lsb_release -c -s 2> /dev/null) ./debian/control
    cp ./debian/changelog.$(lsb_release -c -s 2> /dev/null) ./debian/changelog
    dch -i  # a message about what happened
    cp ./debian/changelog ./debian/changelog.$(lsb_release -c -s 2> /dev/null)

  3. To build the .deb files

    ./scripts/build_release.sh

  4. Make sure to git add -u and git commit the modification to the distro-specific changelog

Usage Instructions

The included IntroVirt tools have their own usage instructions. See the tools/ folder.

You can try system call monitoring with sudo ivsyscallmon -D <domain>. See sudo ivsyscallmon --help for more information.

Resources

IntroVirt provides some useful resources to learn how to use it including:

  • Documentation: TBD
  • Examples: TBD
  • Unit Tests: TBD

If you have any questions, bugs, or feature requests, please feel free to ask on any of the following:

If you would like to help:

License

IntroVirt is licensed under the Apache v2.0 License.

Interested In Working For AIS?

Check out our Can You Hack It?® challenge and test your skills! Submit your score to show us what you’ve got. We have offices across the country and offer competitive pay and outstanding benefits. Join a team that is not only committed to the future of cyberspace, but to our employees’ success as well.


Related

If you’re interested in IntroVirt, you might also be interested in the following projects:
