Using Volatility for Introspection
This post could also be titled "Teaser", part 2 :)
As part of my research at GT, I've been looking at using Volatility to examine the state of running virtual machines. Using PyXa, a wrapper around Bryan Payne's XenAccess library (available in the tools directory of the latest XenAccess release), you can get access to the memory of Xen guest VMs in Python. From there, it's just a small step to create a new address space that Volatility can use to examine virtual machines just as if they were any other memory image.
One application of this is using introspection to find out the state of windows on screen. This has advanced significantly since the last time I mentioned it, and it's now possible to track windows, including their z-order and some on-screen text, in near-real time. To demo this I used Volatility to examine the internal data structures of Win32k.sys and extract the locations and sizes of all visible windows, and then used PyGame to draw them on screen. The script keeps looping and re-drawing, allowing a near real-time view of what's going on inside the guest VM.
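The two pieces described above, as an added example that is not the post's own script: a minimal address space in the shape Volatility 1.x expects (`read`/`zread`/`is_valid_address`) that pulls pages from a live-memory reader, and a walk of a z-ordered window list that returns the rectangles a PyGame loop would draw. The PyXa/XenAccess reader is replaced by a callable over a constructed byte buffer, and the window-record layout (`next`, `visible`, `left`, `top`, `right`, `bottom`) is hypothetical; the real Win32k.sys structures are not reproduced here.

```python
"""Added example, not code from the post: a Volatility-style address space over
live guest memory plus a z-order walk of a hypothetical window list."""
import struct

PAGE_SIZE = 0x1000


class LiveMemoryAddressSpace:
    """Address space with the interface Volatility plugins call.

    read_physical(addr, length) -> bytes or None stands in for a PyXa-like
    reader of guest physical memory (assumed interface, not PyXa's real API).
    """

    def __init__(self, read_physical, max_addr):
        self._read_physical = read_physical
        self.max_addr = max_addr
        self._page_cache = {}

    def is_valid_address(self, addr):
        return 0 <= addr < self.max_addr

    def _page(self, page_addr):
        # Whole pages are cached; the guest is live, so invalidate() is called
        # once per frame so the reconstructed view does not go stale.
        if page_addr not in self._page_cache:
            self._page_cache[page_addr] = self._read_physical(page_addr, PAGE_SIZE)
        return self._page_cache[page_addr]

    def read(self, addr, length):
        """Read across page boundaries; None if any byte is out of range."""
        if not self.is_valid_address(addr) or not self.is_valid_address(addr + length - 1):
            return None
        out = bytearray()
        while length > 0:
            page_addr = addr & ~(PAGE_SIZE - 1)
            page = self._page(page_addr)
            if page is None:
                return None
            chunk = page[addr - page_addr:addr - page_addr + length]
            out += chunk
            addr += len(chunk)
            length -= len(chunk)
        return bytes(out)

    def zread(self, addr, length):
        """Like read(), but unreadable ranges come back as zeros."""
        data = self.read(addr, length)
        return data if data is not None else b"\x00" * length

    def invalidate(self):
        self._page_cache.clear()


# Hypothetical window record: next pointer, visible flag, left, top, right, bottom.
WINDOW_RECORD = struct.Struct("<IIiiii")


def walk_window_list(aspace, head, limit=1024):
    """Return (left, top, right, bottom) for visible windows, front-most first.

    The seen-set guards against a cycle in memory that is changing under us.
    """
    seen, rects, ptr = set(), [], head
    while ptr and ptr not in seen and len(seen) < limit:
        seen.add(ptr)
        data = aspace.read(ptr, WINDOW_RECORD.size)
        if data is None:
            break
        nxt, visible, left, top, right, bottom = WINDOW_RECORD.unpack(data)
        if visible:
            rects.append((left, top, right, bottom))
        ptr = nxt
    return rects


def capture_frame(aspace, head):
    """One iteration of the redraw loop: drop cached pages, re-walk the list."""
    aspace.invalidate()
    return walk_window_list(aspace, head)


def build_guest_memory():
    """Constructed stand-in for guest physical memory (three pages)."""
    mem = bytearray(3 * PAGE_SIZE)

    def put(addr, nxt, visible, rect):
        mem[addr:addr + WINDOW_RECORD.size] = WINDOW_RECORD.pack(nxt, visible, *rect)

    put(0x1FF0, 0x1030, 1, (100, 100, 400, 300))  # front dialog; straddles a page boundary
    put(0x1030, 0x1018, 0, (0, 0, 10, 10))        # hidden window, skipped
    put(0x1018, 0x1000, 1, (50, 50, 70, 70))      # small app window
    put(0x1000, 0, 1, (0, 0, 800, 600))           # desktop, back-most
    return mem


def make_reader(mem):
    def read_physical(addr, length):
        return bytes(mem[addr:addr + length]) if addr < len(mem) else None
    return read_physical


if __name__ == "__main__":
    aspace = LiveMemoryAddressSpace(make_reader(build_guest_memory()), 3 * PAGE_SIZE)
    # A PyGame loop would draw reversed(rects) so the front-most window lands on top.
    print(capture_frame(aspace, 0x1FF0))
```

Drawing order matters: the walk returns front-most first, so a renderer paints `reversed(rects)` to get the same stacking the guest shows. Invalidating the page cache each frame is the price of reading a live VM rather than a static image; without it, Volatility would keep describing the windows from the first frame.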
Here's a video of it in action. Notice how the reconstructed view updates to match what's actually going on on screen:
Cool, huh? :D
Comments
Nicely done. No - that's just SEXY!
Sip
You could also do this with an interface to Qemu, a physical RAM capture card (like some folks at Rutgers are doing), or anything else that gets continuous access to physical memory :)
Using Volatility (a forensic tool) for VMI is a cool idea, and you are giving practical proof of how far we can get from the combination. Kudos to you ;)