New QEMU 2.4.0.1 patch for libvmi to work with qemu/kvm VMs


Valerio Aimale

Oct 12, 2015, 2:25:36 PM
to vmitools
All,

I have refurbished the QEMU patch for libvmi 0.10.1 to introspect QEMU/KVM virtual machines (see attached).

Once QEMU is patched and compiled, libvmi can introspect VMs via the KVM UNIX socket driver. It also works with pyvmi, and with volatility using the libvmi volatility address space Python driver (and a Rekall profile). Tested with a Windows 10 VM and libvmi/volatility/Rekall profile.

Hope it will be useful to others,

Valerio



kvm-qemu-2.4.0.1-libvmi.patch

Valerio Aimale

Oct 16, 2015, 8:06:26 PM
to vmitools
I forgot to provide some instructions on how to use the patch:

install libvmi 0.10.1

wget http://wiki.qemu-project.org/download/qemu-2.4.0.1.tar.bz2

tar xvjf qemu-2.4.0.1.tar.bz2

cd qemu-2.4.0.1

patch -p1 < ~/kvm-qemu-2.4.0.1-libvmi.patch

CFLAGS="-O3 -march=native" CXXFLAGS="-O3 -march=native" ./configure --enable-numa --enable-vhdx --enable-libssh2 --enable-libusb --enable-lzo --enable-linux-aio --enable-cap-ng --enable-attr --enable-uuid --enable-kvm --enable-curl --enable-vnc-png --enable-vnc-jpeg --enable-curses --enable-vnc-sasl --enable-vnc-tls --enable-vnc --enable-sdl --disable-xen

make
make install

create a libvirt virtual machine called Windows10

add a stanza to /etc/libvmi/libvmi.conf

Windows10 {
    ostype = "Windows";
    sysmap = "/profiles/rekal/70194f2219074ecf9d1ec501e4637d2d1.json";
}

python volatility-win10tp/vol.py -l vmi://Windows10 --profile=Win10x64 pslist

etc.

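As an added example that is not part of Valerio's post, of libvmi or of QEMU: a few shell checks to run after the build above, to confirm that the QEMU libvirt actually launches is the patched one before blaming the patch. They assume virsh is installed and that the domain is named Windows10 as in the stanza above; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread, libvmi or QEMU): check from the
# outside whether a libvirt domain is running a QEMU that carries the
# pmemaccess patch. LibVMI's own debug line
#   --kvm: didn't find patch, falling back to slower native access
# is what you see when it is not; a frequent cause is that libvirt still
# launches the distro qemu-system-x86_64 from /usr/bin while "make install"
# put the patched build under /usr/local/bin (QEMU's default prefix).

# Return 0 if query-commands output on stdin lists a "pmemaccess" command.
has_pmemaccess() {
    grep -q '"name"[[:space:]]*:[[:space:]]*"pmemaccess"'
}

# Ask the monitor of domain $1 for its command list and test it.
# Needs virsh and a running domain, so it is not exercised offline.
domain_has_pmemaccess() {
    virsh qemu-monitor-command "$1" '{"execute": "query-commands"}' | has_pmemaccess
}

# Print the emulator binary libvirt uses for domain $1, taken from its XML,
# so it can be compared with where the patched build was installed.
domain_emulator() {
    virsh dumpxml "$1" | sed -n 's|.*<emulator>\([^<]*\)</emulator>.*|\1|p'
}

# Print the octal mode of the UNIX socket QEMU created for pmemaccess
# (the path libvmi passed, /tmp/vmiXXXXXX in the debug log). Whoever can
# connect to that socket reads guest physical memory, so it should not be
# reachable by other local users. Assumes GNU stat.
socket_mode() {
    stat -c '%a' "$1"
}

# Usage (hypothetical domain name, as in the thread):
#   domain_emulator Windows10
#   domain_has_pmemaccess Windows10 && echo "patched QEMU" || echo "unpatched QEMU"
```

If `domain_emulator` prints /usr/bin/qemu-system-x86_64, point the `<emulator>` element of the domain XML at the patched binary (or configure QEMU with a matching `--prefix`) and restart the domain; `domain_has_pmemaccess` should then succeed and libvmi will stop falling back to `xp` reads through human-monitor-command.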


Bilal Arif

Nov 4, 2015, 11:46:03 PM
to vmitools
When I apply the patch the output contains "(Stripping trailing CRs from patch; use --binary to disable.)" as shown below. Could you add something to help us understand? This is the first time I have seen this while applying a patch.

robo@robo:~/Downloads/qemu-2.4.0.1$ patch -p1 < /home/robo/Downloads/kvm-qemu-2.4.0.1-libvmi.patch
(Stripping trailing CRs from patch; use --binary to disable.)
patching file hmp.c
(Stripping trailing CRs from patch; use --binary to disable.)
patching file hmp-commands.hx
(Stripping trailing CRs from patch; use --binary to disable.)
patching file hmp.h
(Stripping trailing CRs from patch; use --binary to disable.)
patching file Makefile.target
(Stripping trailing CRs from patch; use --binary to disable.)
patching file memory-access.c
(Stripping trailing CRs from patch; use --binary to disable.)
patching file memory-access.h
(Stripping trailing CRs from patch; use --binary to disable.)
patching file qapi-schema.json
(Stripping trailing CRs from patch; use --binary to disable.)
patching file qmp-commands.hx

Bilal Arif

Nov 5, 2015, 9:32:13 AM
to vmitools
First I installed KVM with apt-get
and Win7 with virt-manager.

Then, according to this link:
https://github.com/valerioa/libvmi/blob/master/tools/qemu-kvm-patch/README
I installed QEMU from source after patching (the patch I got from https://groups.google.com/forum/#!topic/vmitools/zYLtPBCcR8o)
and then I installed libvmi from source. According to the output below my patch is not working. I don't know what is wrong.

robo@robo:~/libvmi-master/examples$ sudo ./dump-memory win7 win77.dd
[sudo] password for robo:
LibVMI Version 0.11.0
--found KVM
LibVMI Mode 4
--completed driver init.
--got id from name (win7 --> 6)
**set image_type = win7
--libvirt version 1002002
--qmp: virsh qemu-monitor-command win7 '{"execute": "pmemaccess", "arguments": {"path": "/tmp/vmiqO0Cgg"}}'
--kvm: didn't find patch, falling back to slower native access
**set allocated_ram_size = 80000000, max_physical_address = 0x80000000
--qmp: virsh qemu-monitor-command win7 '{"execute": "human-monitor-command", "arguments": {"command-line": "info registers"}}'
--qmp: virsh qemu-monitor-command win7 '{"execute": "human-monitor-command", "arguments": {"command-line": "info registers"}}'
**set pae = 1
**set pse = 1
--qmp: virsh qemu-monitor-command win7 '{"execute": "human-monitor-command", "arguments": {"command-line": "info registers"}}'
**set lme = 0
--qmp: virsh qemu-monitor-command win7 '{"execute": "human-monitor-command", "arguments": {"command-line": "info registers"}}'
**PAE paging
**sanity checking cr3 = 0x0000000000185000
--succesfully completed architecture init.
--MEMORY cache set 0x0
--qmp: virsh qemu-monitor-command win7 '{"execute": "human-monitor-command", "arguments": {"command-line": "xp /1024wx 0x0"}}'
--MEMORY cache set 0x1000
--qmp: virsh qemu-monitor-command win7 '{"execute": "human-monitor-command", "arguments": {"command-line": "xp /1024wx 0x1000"}}'
--MEMORY cache set 0x2000
--qmp: virsh qemu-monitor-command win7 '{"execute": "human-monitor-command", "arguments": {"command-line": "xp /1024wx 0x2000"}}'
--MEMORY cache set 0x3000
--MEMORY cache set 0x9000
--qmp: virsh qemu-monitor-command win7 '{"execute": "human-monitor-command", "arguments": {"command-line": "xp /1024wx 0x9000"}}'
.
.
.
.
--qmp: virsh qemu-monitor-command win7 '{"execute": "human-monitor-command", "arguments": {"command-line": "xp /1024wx 0x7fffe000"}}'
--MEMORY cache set 0x7ffff000
VMI_ERROR: --requesting PA [0x80000000] beyond max physical address [0x80000000]
VMI_ERROR:     paddr: 7ffff000, length 1000, vmi->max_physical_address 80000000
VMI_ERROR: create_new_entry failed




Hardik Gohel

Nov 2, 2017, 8:59:57 AM
to vmitools

Hello, I am trying to install the KVM patch but it shows the following error.


Libvirt version is 1.3.1, libyajl.so.2.1.0, Ubuntu 16.04.1 LTS and QEMU emulator version 2.5.0

patch: **** Only garbage was found in the patch input for KVM patch


I tried following what is shown at https://github.com/libvmi/libvmi/tree/master/tools/qemu-kvm-patch


$ tar zxvf qemu-kvm-0.14.0.tar.gz
$ cd qemu-kvm-0.14.0
$ patch -p1 < /home/user/kvm-physmem-access_0.14.0.patch


Well, I've tried other patches available on GitHub but they're not working.
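Two patch-application problems come up in this thread: Bilal's "(Stripping trailing CRs from patch; use --binary to disable.)" lines, which are only a warning (patch removes the CRs itself and, as his log shows, still reports "patching file ..." for every file), and Hardik's "Only garbage was found in the patch input", which patch prints when the file does not contain unified-diff headers at all, typically because a web page was saved instead of the raw patch. The following shell helpers, an added example not taken from the thread or from the libvmi project, check a downloaded patch for both before it is applied; the function names and the constructed sample patch are mine.

```shell
#!/bin/sh
# Added example (not from the thread, libvmi or QEMU): sanity checks on a
# downloaded patch file before running "patch -p1 < file". Covers the two
# symptoms seen in the thread: CRLF line endings ("Stripping trailing CRs",
# harmless but worth normalising) and a file that is not a unified diff at
# all ("Only garbage was found in the patch input").

# Print the number of lines in $1 that end in a carriage return.
crlf_lines() {
    cr=$(printf '\r')
    grep -c "${cr}\$" "$1" || true
}

# Write a copy of $1 with every CR removed to $2 so patch sees LF-only input.
strip_crlf() {
    tr -d '\r' < "$1" > "$2"
}

# Return 0 if $1 has the headers of a unified diff: at least one "--- " and
# "+++ " file header and one "@@" hunk header. A saved HTML page or a
# "Not Found" body fails this and is what patch reports as "garbage".
looks_like_unified_diff() {
    grep -q '^--- ' "$1" && grep -q '^+++ ' "$1" && grep -q '^@@ ' "$1"
}

# List the files a -p1 patch touches, from its "+++ b/path" (or "+++ path")
# lines, to compare against the QEMU tree that was actually unpacked.
patched_files() {
    sed -n 's|^+++ \(b/\)\{0,1\}\([^[:space:]]*\).*|\2|p' "$1"
}

# Apply patch file $1 to the source tree in $2 in dry-run mode: reports
# every hunk that would fail without modifying any file.
patch_dry_run() {
    (cd "$2" && patch -p1 --dry-run < "$1")
}

# Usage (hypothetical paths):
#   strip_crlf ~/kvm-qemu-2.4.0.1-libvmi.patch /tmp/libvmi.patch
#   looks_like_unified_diff /tmp/libvmi.patch || echo "not a unified diff"
#   patched_files /tmp/libvmi.patch
#   patch_dry_run /tmp/libvmi.patch ~/qemu-2.4.0.1
```

Run the dry run from the QEMU version the patch was written for; a patch for 2.4.0.1 applied to the distro's 2.5.0 tree will show rejected hunks here rather than after a partial application.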
