Svmidbg: developing a Stealthy Hypervisor based VM Introspection Debugger
- Mentors: Tamas Lengyel, Rian Quinn
- Organization: The Honeynet Project
Svmidbg will be a debugger using virtual machine introspection (VMI) that tries to be stealthy by leveraging hypervisor technologies to create undetectable breakpoints, or, as Mathieu Tarral calls them, Advanced SoftHyperBreakpoints. These hypervisor-assisted breakpoints use second level address translation (SLAT), called extended page tables (EPT) by Intel and nested page tables (NPT) by AMD, to hide memory and to trap into the hypervisor (i.e. EPT hooks). It will not, however, try to hide the hypervisor itself.
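To make the SLAT idea concrete, here is an added model (illustration only, not Svmidbg, Boxy, Bareflank or Drakvuf code) of why a hypervisor-assisted breakpoint is invisible to the guest while a classic software breakpoint is not. It keeps two views of one guest-physical code page: an execute view that holds the 0xCC the CPU fetches, and a read view that still holds the original bytes, so an in-guest integrity check hashing the page sees no change. The page content, addresses and class names are constructed assumptions; real EPT/altp2m hooks switch hardware page mappings rather than Python byte arrays, but the observable behaviour (fetch traps, read sees original bytes) is the same.

```python
import hashlib

PAGE_SIZE = 0x1000
INT3 = 0xCC  # x86 software-breakpoint opcode

# Constructed sample "kernel text" page (assumed content, not real kernel code).
SAMPLE_TEXT = bytes([0x48, 0x89, 0xE5, 0x90, 0xC3] * 16).ljust(PAGE_SIZE, b"\x90")


def page_digest(data: bytes) -> str:
    """What an in-guest integrity checker (e.g. PatchGuard-style) computes over the page."""
    return hashlib.sha256(data).hexdigest()


class ClassicBreakpoint:
    """Single view of memory: the 0xCC is visible to instruction fetches AND data reads."""

    def __init__(self, code: bytes):
        self.mem = bytearray(code)
        self.saved = {}  # addr -> original byte

    def set_breakpoint(self, addr: int) -> None:
        self.saved[addr] = self.mem[addr]
        self.mem[addr] = INT3

    def guest_read(self, addr: int, n: int) -> bytes:
        return bytes(self.mem[addr:addr + n])

    def guest_fetch(self, addr: int):
        byte = self.mem[addr]
        if byte == INT3 and addr in self.saved:
            return ("trap", self.saved[addr])
        return ("exec", byte)


class SlatBreakpoint:
    """Two views of the same guest-physical page (EPT hook / altp2m style, modelled).

    exec_view: mapped execute-only in the hypervisor's page tables; holds the 0xCC.
    read_view: mapped read/write; keeps the original bytes the guest may read or hash.
    """

    def __init__(self, code: bytes):
        self.read_view = bytearray(code)
        self.exec_view = bytearray(code)
        self.saved = {}      # addr -> original byte hidden under the 0xCC
        self.trap_log = []   # addresses that trapped into the "hypervisor"

    def set_breakpoint(self, addr: int) -> None:
        self.saved[addr] = self.exec_view[addr]
        self.exec_view[addr] = INT3

    def remove_breakpoint(self, addr: int) -> None:
        self.exec_view[addr] = self.saved.pop(addr)

    def guest_read(self, addr: int, n: int) -> bytes:
        # Data accesses are served from the read view: original bytes, no 0xCC.
        return bytes(self.read_view[addr:addr + n])

    def guest_write(self, addr: int, data: bytes) -> None:
        # A guest write lands in the read view; the hypervisor mirrors it into the
        # execute view except at trapped bytes, where only the saved original changes.
        self.read_view[addr:addr + len(data)] = data
        for i, byte in enumerate(data):
            a = addr + i
            if a in self.saved:
                self.saved[a] = byte
            else:
                self.exec_view[a] = byte

    def guest_fetch(self, addr: int):
        # Instruction fetches are served from the execute view and hit the 0xCC.
        byte = self.exec_view[addr]
        if byte == INT3 and addr in self.saved:
            self.trap_log.append(addr)
            return ("trap", self.saved[addr])
        return ("exec", byte)


def compare_visibility(addr: int = 0x10):
    """Return (classic_changes_digest, slat_changes_digest, slat_fetch_traps)."""
    clean = page_digest(SAMPLE_TEXT)
    classic = ClassicBreakpoint(SAMPLE_TEXT)
    classic.set_breakpoint(addr)
    slat = SlatBreakpoint(SAMPLE_TEXT)
    slat.set_breakpoint(addr)
    classic_changed = page_digest(classic.guest_read(0, PAGE_SIZE)) != clean
    slat_changed = page_digest(slat.guest_read(0, PAGE_SIZE)) != clean
    slat_trapped = slat.guest_fetch(addr)[0] == "trap"
    return classic_changed, slat_changed, slat_trapped


if __name__ == "__main__":
    print(compare_visibility())  # (True, False, True)
```

The comparison is the point: with a classic 0xCC patch the guest's own hash of its code page changes, while with the split view the hash is unchanged yet the fetch still traps. This is also why the project description says the hypervisor itself is not hidden: the split view conceals the breakpoint, not the presence of SLAT.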
By running under Boxy, an extension of the Bareflank hypervisor, it will effectively turn the currently running host OS into a VM and, via VMI, allow kernel debugging similar to LiveKD; unlike with LiveKD, though, the host OS won't know it is being debugged. A companion PC connected via UART will control the debugger.
Svmidbg will also target the Xen hypervisor with Drakvuf and its use of altp2m for stealthy breakpoints. I have worked on this part until now and will reuse work on the GDB protocol for this GSoC. The Boxy integration with LibVMI will be the main work of this GSoC. It will run on Linux (host and target) and on Windows (host with Bareflank only and target).