Virtual Machine Introspection in Malware Analysis – LibVMI

In the last article in this series, we have seen what Virtual Machine Introspection is and how it works in general. Now, in this article, we’ll see how we can set up VMI and what tools to use.

LibVMI is a library written in C which allows users to set up an introspection system of virtual machines under Linux and Windows. It also allows access to a running virtual machine memory and does this by offering several already-made functions for accessing memory using physical or virtual addresses, or even with Kernel symbols. LibVMI even offers access to memory made from a snapshot of a physical memory, which can be especially interesting when doing debugging or forensics.

In addition to memory access, LibVMI supports memory events. These events trigger notifications when a memory region is accessed in read, write or execution mode.

LibVMI was conceived to run under Linux. The most-used platform is Xen, but KVM can be used as well.

Multiple complex levels of abstraction exist when we talk about introspection. Those levels are hopefully handled by LibVMI and are completely transparent for us.

LibVMI offers by default a set of examples with the aim of testing the introspection concept or using them as basis to create a customized introspection system.

The following example allows you to list all running processes on the virtual machine from the hypervisor.

We start by initializing LibVMI contexts (LibVMI instance) which corresponds to the virtual machine on which we are running our program.

After that, initialization of the fields will be different, depending on which operating system we are looking to list the running processes of. In the given example, we consider three types of operating systems: Windows, Linux and FeeBSD.