rVMI: provide full system analysis
rVMI is a debugger on steroids. It leverages Virtual Machine Introspection (VMI) and memory forensics to provide full system analysis. This means that an analyst can inspect userspace processes, kernel drivers, and pre-boot environments in a single tool.
It was specifically designed for interactive dynamic malware analysis. rVMI isolates itself from the malware by placing its interactive debugging environment out of the virtual machine (VM) onto the hypervisor-level. Through the use of VMI, the analyst still has full control of the VM, which allows her to pause the VM at any point in time and to use typical debugging features such as breakpoints and watchpoints. In addition, rVMI provides access to the entire Rekall feature set, which enables an analyst to inspect the kernel and its data structures with ease.
NOTE: rVMI will only run on Intel CPUs with virtualization extensions. Additionally, do not try to run rVMI within a virtualized environment. As rVMI depends on hardware virtualization, it will not run in an already virtualized environment.
Kernel Module Persistence
This will not install the kernel modules in a persistent manner (it will not survive a reboot). In order to make these changes persistent, you must replace your KVM modules on the disk. Once built, the kernel modules can be found here:
These modules must be copied to the proper location on your machine. This can be found by running:
$ modinfo kvm
Copy the kernel modules to the location specified by the “filename” output of the above command.
Copyright 2017 FireEye, Inc. All Rights Reserved.