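# Base image pinned by release tag (no floating :latest); all packages below
# resolve against the Xenial archive.
FROM ubuntu:16.04
# set non interactive only during build: ARG rather than ENV so the value is
# not carried into the runtime environment of containers started from the image
ARG DEBIAN_FRONTEND=noninteractive
# update + install in ONE layer so the cached package index can never go stale,
# and remove the index in that same layer so it is not baked into the image.
# NOTE(review): linux-image-generic is presumably here to give the libguestfs
# appliance (used by python3-guestfs) a kernel to boot -- confirm; recommends
# are left enabled on purpose because that package pulls firmware via them.
RUN apt-get update && \
    apt-get install -y \
        python3-guestfs python3-docopt wget ipython3 linux-image-generic && \
    rm -rf /var/lib/apt/lists/*
# Working directory for the tooling; the image is still root at this point.
WORKDIR /root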
import os
import sys
import stat
import logging
import libvirt
from tempfile import TemporaryDirectory, NamedTemporaryFile
from rekall import plugins, session
def extract_config(ram_dump):
home = os.getenv('HOME')
Wenzel / grub.conf
Created January 18, 2018 06:05
/etc/default/grub configuration file to get Xen output on a serial cable
# Kernel (dom0 Linux) command line: route early boot messages through Xen.
GRUB_CMDLINE_LINUX="earlyprintk=xen"
# Xen hypervisor command line: first serial port at 115200 baud, 8 data bits,
# no parity, 1 stop bit; hypervisor console on that port; hypervisor and guest
# log levels raised to "all".
GRUB_CMDLINE_XEN_DEFAULT="com1=115200,8n1 console=com1 loglvl=all guest_lvl=all"
# GRUB's own menu/terminal goes to the serial line as well.
GRUB_TERMINAL="serial"
# Serial settings for GRUB itself; must match the com1 parameters above
# (unit 0, 115200 baud, 8 data bits, no parity, 1 stop bit).
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
Wenzel / build.log
Created January 20, 2018 12:23
qca
# kdesrc-build running: 'make' '-j8'
# from directory: /work/build/kdesupport/qca
[ 2%] Generating qca_core.moc
[ 2%] Generating __/include/QtCrypto/moc_qca_safetimer.cpp
[ 0%] Generating qca_cert.moc
[ 2%] Generating qca_keystore.moc
[ 2%] Generating qca_default.moc
[ 2%] Generating qca_publickey.moc
[ 3%] Generating qca_safetimer.moc
[ 3%] Generating qca_securelayer.moc
Wenzel / build.log
Created January 20, 2018 16:23
qca
[ 39%] Generating moc_ringwatch.cpp
[ 40%] Generating moc_mykeystorelist.cpp
[ 40%] Generating moc_mymessagecontext.cpp
Scanning dependencies of target qca-gnupg
[ 41%] Building CXX object plugins/qca-gnupg/CMakeFiles/qca-gnupg.dir/qca-gnupg.cpp.o
In file included from /usr/include/c++/7.2.1/x86_64-pc-linux-gnu/bits/os_defines.h:39:0,
from /usr/include/c++/7.2.1/x86_64-pc-linux-gnu/bits/c++config.h:533,
from /usr/include/c++/7.2.1/type_traits:38,
from /usr/include/qt/QtCore/qglobal.h:45,
from /usr/include/qt/QtCore/qchar.h:43,
Wenzel / packer.log
Created April 20, 2018 13:08
PACKER_LOG=1 ./packer build windows_7.json
2018/04/20 16:00:26 [INFO] Packer version: 1.2.2
2018/04/20 16:00:26 Packer Target OS/Arch: linux amd64
2018/04/20 16:00:26 Built with Go Version: go1.10
2018/04/20 16:00:26 Detected home directory from env var: /home/tarrma
2018/04/20 16:00:26 Using internal plugin for amazon-chroot
2018/04/20 16:00:26 Using internal plugin for file
2018/04/20 16:00:26 Using internal plugin for lxc
2018/04/20 16:00:26 Using internal plugin for oracle-classic
2018/04/20 16:00:26 Using internal plugin for triton
2018/04/20 16:00:26 Using internal plugin for cloudstack
Wenzel / bug_resume.c
Last active May 29, 2018 10:10
vmi_resume_vm does not resume VM execution as expected, maybe because a MOV-TO-CR3 event is still in the event buffer waiting to be processed
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/mman.h>
#include <stdio.h>
#include <inttypes.h>
#include <signal.h>
#include <unistd.h>
#!/usr/bin/env python3
"""
Usage:
bug_sstep.py [options] <vm_name> <symbol>
Options:
-h --help Show this screen.
--sstep Use singlestepping instead of emulation
Wenzel / script.r2
Created September 11, 2018 00:08
Show a bug in radare2 handling of hardware breakpoints
# Reproduction script for a radare2 hardware-breakpoint bug: compare the
# disassembly before and after a breakpoint is placed on the next opcode.
# Use hardware breakpoints for the debugger session.
e dbg.hwbp=true
echo printing 10 opcodes
# Baseline listing, before any breakpoint exists.
pd 10
echo setting breakpoint on next opcode
# Step over one instruction, then put a breakpoint at the current seek ($$).
so 1
db $$
echo printing 10 opcodes, with breakpoint
# Same listing again; any difference from the first listing is the bug.
pd 10
echo continue execution
dc
Wenzel / xen-emulate-response.c
Created September 13, 2018 21:41
vmi_step_event bug
/* The LibVMI Library is an introspection library that simplifies access to
* memory in a target virtual machine or in a file containing a dump of
* a system's physical memory. LibVMI is based on the XenAccess Library.
*
* Author: Tamas K Lengyel (tamas.lengyel@zentific.com)
*
* This file is part of LibVMI.
*
* LibVMI is free software: you can redistribute it and/or modify it under
* the terms of the GNU Lesser General Public License as published by the