r2vmi
Hypervisor-Level Debugger based on Radare2 / LibVMI, using VMI IO and debug plugins
Hi, I try to set some function (ex: NtWriteFile) as a breakpoint. After `dc`, the target machine goes to a blue screen. What's the reason?
We will have to understand how the `radare2` debugger internals work to figure out how we should implement some specific features of `r2vmi`.
At the moment we rely on parsing LibVMI's JSON Rekall profile and inserting the entries into radare's flagspace. This will only bring us kernel symbols, and it needs Rekall in...
LibVMI only allows setting a memory access event on an already mapped page, since it needs access to the page frame.
Currently we attach to a process by listening to CR3 events. We should enumerate the threads, pick the first one, find the thread context and read the value of `rip`...
LibVMI caches the data after a read. We need to flush the caches when the VM has been running and then paused. `__wait` is a good start.
To be really useful, we need to be able to attach to a new process being created, and break on the entrypoint. This address should be in the `Win32StartAddress` field...
An issue is opened on `r2pipe`: https://github.com/radare/radare2-r2pipe/issues/54