--
You received this message because you are subscribed to the Google Groups "vmitools" group.
To post to this group, send email to vmit...@googlegroups.com.
To unsubscribe from this group, send email to vmitools+u...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/vmitools?hl=en.
I was wondering, were you able to use libvmi in domU to access another domU's memory? I am currently working on a similar issue where I want domU to have the ability to access the memory of another domU and perform analysis without the use of dom0.
Ahhh yes, that's a great idea. Thank you so much for the help.
On Fri, Apr 11, 2014 at 2:33 AM, Tamas Lengyel <tamas.k...@gmail.com> wrote:
Just boot Xen with flask_enforcing=0 and use LibVMI from the domU. xl dmesg will show you which hypercalls would have been denied by your policy.
On Thu, Apr 10, 2014 at 8:16 PM, Tawfiq Shah <tawfi...@gmail.com> wrote:
Hey guys, I was wondering how one can find out which of the Xen hypercalls libvmi uses in order to extract the memory dump? I have installed XSM and I am trying to create an allow policy through the security class that will give a specific domU access to other guest OS memory. Thank you for the help.
On Monday, March 31, 2014 1:42:37 AM UTC-7, Tamas K Lengyel wrote:
Correct, it is possible to do domU to domU inspection, or even domU to dom0. You need at least Xen 4.3 with XSM enabled and a policy where such inspection is allowed. The domain you are inspecting from has to be paravirt, as HVM domains are missing critical hypercalls. Furthermore, the Linux kernel in the domU you are running libvmi in has to be at least 3.8 (or apply my patch https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=30d4b180e20c081f435143f8bc211c66a930608a). Lastly, Xenstore has its own access control mechanism, so you either have to enable your domain to be able to access xenstore, or simply ignore xenstore (it's only used to store the name of the VM anyway). You can compile LibVMI with the flag --without-xenstore for this reason. I recommend reading http://wiki.xen.org/wiki/Xen_Security_Modules_:_XSM-FLASK.
On Mon, Mar 31, 2014 at 4:37 AM, Bryan D. Payne <br...@thepaynes.cc> wrote:
I was wondering, were you able to use libvmi in domU to access another domU's memory? I am currently working on a similar issue where I want domU to have the ability to access the memory of another domU and perform analysis without the use of dom0.
I know that this is possible, but I believe it requires some newish versions of Xen and Linux to make it happen. I believe Tamas and/or Steve were working on this previously, so perhaps they can chime in with the details.
-bryan
My friend got Fedora+KVM+libVMI on his desktop. Then, he used a manager or monitoring VM (dom0 in Xen) to access (with the help of libVMI) the main memory of a monitored VM (domU in Xen) to get some information he wanted.
That is still somewhat misleading and confusing. KVM is a type-2 hypervisor, aka a hosted hypervisor. So yes, with KVM normally you would do VMI from the host, which has the KVM kernel module loaded and is running in VMX root mode, into the domain running in VMX non-root mode. While that looks somewhat the same as doing it from dom0 on Xen, it actually is quite different. Dom0 on Xen is running in VMX non-root mode, thus it really is just a guest. On KVM, the host machine is _not_ a virtual machine. In this context, doing domU to domU introspection means doing introspection when both guests are running in VMX non-root mode. What you have described is not that, from the looks of it.
Running xl dmesg in Dom0 will also provide an indication of any hypercalls which are being denied by the current XSM policy.
Steve
It has been working from PV domUs for a couple of years now. You just need XSM enabled on Xen.
$ sudo xl list
Name        ID  Mem  VCPUs  State   Time(s)
(null)       0  8188     1  -b----    232.1
ubuntu-hvm   1  2048     1  -b----     14.6
ubuntu-pv2   2  1024     1  r-----     17.8
win7         4  1024     1  ------   2369.2
$ process-list win7
VMI_ERROR: Could not find a live guest VM or file to use.
VMI_ERROR: Opening a live guest VM requires root access.
VMI_ERROR: Failed to identify correct mode.
Failed to init LibVMI library.
$ win-guid domid 4
VMI_ERROR: --requesting PA [0x1040c7000] beyond max physical address [0xff000000]
VMI_ERROR: paddr: 1040c6000, length 1000, vmi->max_physical_address ff000000
VMI_ERROR: create_new_entry failed
$ win-guid domid 4
VMI_ERROR: --requesting PA [0x1040c7000] beyond memsize [0x40043000]
VMI_ERROR: paddr: 1040c6000, length 1000, vmi->size 40043000
VMI_ERROR: create_new_entry failed
VMI_ERROR: --requesting PA [0x79734000] beyond memsize [0x40043000]
VMI_ERROR: paddr: 79733000, length 1000, vmi->size 40043000
VMI_ERROR: create_new_entry failed
VMI_ERROR: --requesting PA [0x8ff77000] beyond memsize [0x40043000]
VMI_ERROR: paddr: 8ff76000, length 1000, vmi->size 40043000
VMI_ERROR: create_new_entry failed
VMI_ERROR: --requesting PA [0xadc54000] beyond memsize [0x40043000]
VMI_ERROR: paddr: adc53000, length 1000, vmi->size 40043000
VMI_ERROR: create_new_entry failed
VMI_ERROR: --requesting PA [0xc948d000] beyond memsize [0x40043000]
VMI_ERROR: paddr: c948c000, length 1000, vmi->size 40043000
VMI_ERROR: create_new_entry failed
$ sudo xl dmesg |grep avc |audit2allow
#============= dom0_t ==============
allow dom0_t domU_t:domain setvcpuextstate;
allow dom0_t domU_t:domain2 cacheflush;
allow dom0_t domU_t:mmu updatemp;
allow dom0_t self:event { bind create };
allow dom0_t unlabeled_t:domain { setdomainmaxmem pause getdomaininfo getscheduler max_vcpus getvcpuextstate setaffinity getvcpuinfo destroy getaffinity unpause getaddrsize };
allow dom0_t unlabeled_t:domain2 { setscheduler set_max_evtchn set_cpuid settsc setclaim cacheflush };
allow dom0_t unlabeled_t:event { status create send };
allow dom0_t unlabeled_t:grant { setup map_write unmap map_read };
allow dom0_t unlabeled_t:hvm { setparam hvmctl trackdirtyvram gethvmc nested sethvmc pciroute getparam pcilevel irqlevel cacheattr };
allow dom0_t unlabeled_t:mmu { map_write stat adjust physmap map_read };
allow dom0_t unlabeled_t:shadow enable;
#============= domU_t ==============
allow domU_t dom0_t:domain getdomaininfo;
allow domU_t domU_t_self:domain getdomaininfo;
allow domU_t security_t:security check_context;
allow domU_t unlabeled_t:domain { getdomaininfo pause destroy };
allow domU_t unlabeled_t:hvm { gethvmc getparam };
allow domU_t unlabeled_t:mmu { stat map_read };
allow domU_t xen_t:xen readconsole;
#============= unlabeled_t ==============
allow unlabeled_t dom0_t:event send;
allow unlabeled_t self:event bind;
allow unlabeled_t self:hvm { setparam getparam };
allow unlabeled_t self:mmu { adjust physmap };
...
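As an added example (not from this thread, and not LibVMI's, Xen's or audit2allow's own code) of the workflow Tamas and Steve describe: boot with flask_enforcing=0, collect the AVC denials from xl dmesg, turn them into allow rules, and then check the result before loading it, flagging any permission that goes beyond read-only memory inspection (the pause/destroy/map_write entries in the audit2allow output above are the kind of thing this catches). The AVC lines are constructed from the field layout of Xen's FLASK AVC messages, and the domids and domain types are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of what `xl dmesg` shows for XSM denials in permissive
# mode (flask_enforcing=0). The layout follows Xen's FLASK AVC messages; the
# domids, contexts and permissions are made up for this example.
SAMPLE_XL_DMESG = """\
(XEN) avc:  denied  { getdomaininfo } for domid=2 target=4 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:unlabeled_t tclass=domain
(XEN) avc:  denied  { stat } for domid=2 target=4 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:unlabeled_t tclass=mmu
(XEN) avc:  denied  { map_read } for domid=2 target=4 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:unlabeled_t tclass=mmu
(XEN) avc:  denied  { getparam } for domid=2 target=4 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:unlabeled_t tclass=hvm
(XEN) avc:  denied  { destroy } for domid=2 target=4 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:unlabeled_t tclass=domain
(XEN) avc:  denied  { map_write } for domid=2 target=4 scontext=system_u:system_r:domU_t tcontext=system_u:system_r:unlabeled_t tclass=mmu
(XEN) d2 unrelated console noise that must be ignored
"""

# Pull the permission set, the source/target domain types and the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\S+:(?P<src>\w+) tcontext=\S+:(?P<tgt>\w+) tclass=(?P<cls>\w+)"
)

# Permissions a read-only introspection domain should not be granted, even if
# they showed up as denials (they usually come from xl, not from LibVMI).
WRITE_PERMS = {"map_write", "destroy", "pause", "unpause", "setparam", "adjust", "physmap"}

def parse_denials(text):
    """Aggregate denials into {(src_type, tgt_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return dict(rules)

def to_allow_rules(rules):
    """Render rules in the `allow src tgt:class { perms };` form audit2allow emits."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        body = " ".join(sorted(perms))
        perm_str = body if len(perms) == 1 else "{ " + body + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return out

def audit_read_only(rules):
    """Return the permissions that would exceed read-only inspection, sorted."""
    return sorted(p for perms in rules.values() for p in perms if p in WRITE_PERMS)

if __name__ == "__main__":
    denials = parse_denials(SAMPLE_XL_DMESG)
    print("\n".join(to_allow_rules(denials)))
    print("review before loading:", audit_read_only(denials))
```

On a real system, feed it `sudo xl dmesg` output and drop the flagged permissions from the policy unless the inspecting domain genuinely needs them.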