This project adds virtual machine introspection to the KVM hypervisor.
Virtual Machine Introspection is a technology that aims to understand the guest's execution context, solely based on the VM's hardware state, for various purposes:
- Debugging
- Malware Analysis
- Live-Memory Analysis
- OS Hardening
- Monitoring
- Fuzzing
See the presentations section for more information.
This project is divided into 4 components:
- kvm: Linux kernel with VMI patches for KVM
- qemu: patched to allow introspection
- nitro (legacy): userland library which receives events, introspects the virtual machine state, and fills the semantic gap
- libvmi: virtual machine introspection library with a unified API across Xen and KVM
At the moment, 2 versions of VMI patches are available for QEMU/KVM
in this repository:
Follow the Setup guide
- Bringing Commercial Grade Virtual Machine Introspection to KVM
- KVM Forum 2019: Advanced VMI on KVM - A Progress Report
- Hack.lu 2019: Leveraging KVM as a Debugging Platform
- Advanced VMI on KVM: A Progress Report
The legacy VMI system contained in this repo (Nitro) is based on Jonas Pfoh's work: