vmitools Setup Instructions

For my thesis work I study virtualization, and I was interested in trying out the vmitools (LibVMI) project with a Windows 7 guest. Unfortunately I found the installation instructions a little difficult, but I eventually muddled my way through. Below are my instructions; comment below if you need any clarifications!

  1. Install Ubuntu 12.04.
  2. Install Xen.
    There are very good instructions by David Euler on his tutorial Setup your cloud server in 3 minutes with Xen 4.1 on Ubuntu 11.10.
  3. Download and compile vmitools from git.
    I checked out the version from the git repository as it seemed more current and adequately stable. The installation instructions in the README were mostly correct but I had to install a few extra packages:

    sudo apt-get install automake libtool check

    The basic procedure was what you might expect:

    ./autogen.sh
    ./configure
    make

    I didn’t install the tools (no make install) and this seems fine for now; the examples in step 7 run straight from the build tree.
  4.  Create a Xen guest with whatever Windows OS you want.
    The Ubuntu-supported Virtual Machine Manager (virt-manager) GUI is fantastic and I didn’t need instructions. I used Windows 7 SP1 and named the guest win7-i386-xen. This name is important later (it is the key in libvmi.conf and the argument to the examples), so don’t use any characters that need quoting in your shell.
  5. Collect the configuration constants.
    This is where I was in the weeds for a while. There are many methods for getting the offsets, but I found using WinDbg to be the quickest. I would have preferred to use the scripts included in the git repo, but I couldn’t get them to work nearly as fast.
    Install WinDbg using the instructions here.
    Turn on kernel debugging in the Windows 7 instance that you installed in step 4 (local kernel debugging in WinDbg requires it). One easy way to do this is to boot the guest, open a cmd prompt with administrative privileges, and type

    bcdedit /set debug on

    Then reboot.

    Open WinDbg and create a local kernel debug session (File->Kernel Debug->Local) as shown here. Make sure you run WinDbg with administrative privileges (right-click, Run as administrator) or else this won’t work!

    Configure the WinDbg symbol path (File->Symbol File Path) and tick Reload before clicking OK:

    srv*C:\symbols*http://msdl.microsoft.com/downloads/symbols

    Dump the _EPROCESS structure layout and record the offsets of the UniqueProcessId and ActiveProcessLinks members.

    dt _eprocess

    For me UniqueProcessId was at 0xb4 and ActiveProcessLinks at 0xb8. These are the Windows 7 SP1 x86 offsets; other versions and x64 builds differ, so always take them from your own guest. Reload the symbols (.reload) if dt complains that it cannot find the type.

    Dump the _KPROCESS structure layout and record the offset of DirectoryTableBase.

    dt _kprocess

    For me DirectoryTableBase was at 0x18. Because _KPROCESS is the first member (Pcb) of _EPROCESS, this offset is also valid relative to the _EPROCESS base, which is how LibVMI uses it.

  6. Create the libvmi configuration file.
    Create the configuration file in ~/etc/libvmi.conf, substituting my values with the values you just recorded and the name of the VM you created in step 4. The keys map to the offsets from step 5 as follows: win_tasks is ActiveProcessLinks, win_pdbase is DirectoryTableBase and win_pid is UniqueProcessId:

    win7-i386-xen {
        ostype     = "Windows";
        win_tasks  = 0xb8;
        win_pdbase = 0x18;
        win_pid    = 0xb4;
    }
  7. Test the installation with the process list example.
    On the host, cd into the vmitools/examples directory. Then run:

    sudo ./process-list win7-i386-xen

    You should get a list of the process IDs and names of the processes running in the guest. You can verify these against the guest’s own Task Manager (send ctrl-alt-delete from the Virtual Machine Manager GUI’s Send Key menu); you may need View->Select Columns and tick “PID (Process Identifier)” for Task Manager to show the IDs. If the list is empty or nonsensical, the offsets in libvmi.conf are the first thing to re-check.
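To make it clearer what those three constants are actually used for, here is an added example that is not code from the original post or from the LibVMI/vmitools project. It parses a libvmi.conf block like the one in step 6, checks it for the mistakes that make process-list fail (a name that needs shell quoting, a missing win_* key), and then walks a constructed Windows 7 x86 process list exactly the way process-list does: start at the ActiveProcessLinks list head, follow Flink, subtract win_tasks to get each _EPROCESS base, and read the PID and page directory base at win_pid and win_pdbase. Everything about the fake guest memory (the addresses MEM_BASE, HEAD_VA and FIRST_EPROC, the spacing EPROC_SIZE, the PIDs and CR3 values) is an assumption made up for the demo; a real LibVMI run locates PsActiveProcessHead from kernel symbols and translates guest virtual addresses through the page tables, which this script skips by treating addresses as offsets into a bytearray.

```python
#!/usr/bin/env python3
"""Added example (not from the original post or the LibVMI project): parse a
libvmi.conf block, validate it, and use its win_* offsets to walk a constructed
Win7 x86 ActiveProcessLinks ring the way the process-list example does.
All addresses, PIDs and the memory image below are made up for the demo."""
import re
import struct

# The config block from step 6, embedded so the script runs offline.
LIBVMI_CONF = """\
win7-i386-xen {
    ostype     = "Windows";
    win_tasks  = 0xb8;
    win_pdbase = 0x18;
    win_pid    = 0xb4;
}
"""

REQUIRED_WINDOWS_KEYS = ("win_tasks", "win_pdbase", "win_pid")
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")   # names that survive the shell unquoted


def parse_libvmi_conf(text):
    """Return {vm_name: {key: value}} for every `name { key = value; ... }` block."""
    configs = {}
    for block in re.finditer(r"(\S+)\s*\{([^}]*)\}", text):
        name, body = block.group(1), block.group(2)
        entries = {}
        for key, raw in re.findall(r"(\w+)\s*=\s*([^;]+);", body):
            raw = raw.strip()
            # quoted values are strings (ostype); everything else is a number
            entries[key] = raw.strip('"') if raw.startswith('"') else int(raw, 0)
        configs[name] = entries
    return configs


def validate(configs):
    """List the problems process-list would trip over: odd names, missing offsets."""
    problems = []
    for name, entries in configs.items():
        if not SAFE_NAME.match(name):
            problems.append(f"{name}: name has characters that need shell quoting")
        if entries.get("ostype") == "Windows":
            for key in REQUIRED_WINDOWS_KEYS:
                if key not in entries:
                    problems.append(f"{name}: missing {key}")
    return problems


# --- constructed guest memory (assumed layout, not a real Win7 image) ---------
MEM_BASE = 0x82000000            # first guest VA the fake image covers
HEAD_VA = MEM_BASE               # where we place the PsActiveProcessHead LIST_ENTRY
FIRST_EPROC = MEM_BASE + 0x1000  # fake _EPROCESS objects start here
EPROC_SIZE = 0x200               # spacing between fake _EPROCESS objects
PTR = "<I"                       # Win7 x86: 4-byte little-endian pointers


def read_u32(mem, va):
    off = va - MEM_BASE
    if off < 0 or off + 4 > len(mem):
        raise ValueError(f"address {va:#x} is outside the fake guest memory")
    return struct.unpack_from(PTR, mem, off)[0]


def write_u32(mem, va, value):
    struct.pack_into(PTR, mem, va - MEM_BASE, value)


def build_fake_memory(procs, cfg):
    """procs: list of (pid, DirectoryTableBase). Builds the ActiveProcessLinks ring."""
    mem = bytearray(0x1000 + EPROC_SIZE * len(procs))
    entries = [HEAD_VA] + [FIRST_EPROC + i * EPROC_SIZE + cfg["win_tasks"]
                           for i in range(len(procs))]
    for i, va in enumerate(entries):            # each LIST_ENTRY is {Flink, Blink}
        write_u32(mem, va, entries[(i + 1) % len(entries)])
        write_u32(mem, va + 4, entries[(i - 1) % len(entries)])
    for i, (pid, dtb) in enumerate(procs):
        base = FIRST_EPROC + i * EPROC_SIZE
        write_u32(mem, base + cfg["win_pid"], pid)
        write_u32(mem, base + cfg["win_pdbase"], dtb)
    return mem


def walk_process_list(mem, cfg, head_va=HEAD_VA, limit=4096):
    """What process-list does: follow Flink from the head, subtract win_tasks to
    get each _EPROCESS base, then read the PID and page directory base."""
    procs, seen = [], set()
    cur = read_u32(mem, head_va)
    while cur != head_va:
        if cur in seen or len(procs) >= limit:
            raise RuntimeError("ActiveProcessLinks is looping or corrupted")
        seen.add(cur)
        eproc = cur - cfg["win_tasks"]
        procs.append((read_u32(mem, eproc + cfg["win_pid"]),
                      read_u32(mem, eproc + cfg["win_pdbase"])))
        cur = read_u32(mem, cur)
    return procs


def unlink_process(mem, cfg, index):
    """DKOM-style hiding: splice one _EPROCESS out of the ring. The process keeps
    running, but any list walk (process-list, Task Manager) no longer sees it."""
    entry = FIRST_EPROC + index * EPROC_SIZE + cfg["win_tasks"]
    flink, blink = read_u32(mem, entry), read_u32(mem, entry + 4)
    write_u32(mem, blink, flink)       # prev.Flink = next
    write_u32(mem, flink + 4, blink)   # next.Blink = prev


if __name__ == "__main__":
    cfg = parse_libvmi_conf(LIBVMI_CONF)["win7-i386-xen"]
    procs = [(4, 0x185000), (272, 0x3f2c0000), (1234, 0x3e4a1000)]   # constructed
    mem = build_fake_memory(procs, cfg)
    for pid, dtb in walk_process_list(mem, cfg):
        print(f"[{pid:5d}] DirectoryTableBase={dtb:#x}")
    unlink_process(mem, cfg, 1)
    print("after unlinking PID 272:", [p for p, _ in walk_process_list(mem, cfg)])
```

The unlink_process step is there to show the limit of what this list walk can see: a rootkit that splices its _EPROCESS out of ActiveProcessLinks (DKOM) disappears from process-list just as it does from Task Manager, even though the out-of-guest view cannot be tampered with from inside the guest. The loop guard in walk_process_list is the other practical caveat: wrong offsets in libvmi.conf or a deliberately corrupted list turn a naive walk into an infinite loop, so a bounded walk with a seen-set is the safe default.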

CONGRATULATIONS! If you made it this far you probably deserve a big cup of coffee. I hope that this was helpful. If it was, please let me know below.

This entry was posted in Projects.

One Response to vmitools Setup Instructions

  1. Tamas Lengyel says:

    Just FYI, when using LibVMI through pyvmi and Volatility you don’t need to find any of the base addresses, or put anything into libvmi.conf. So if you just want a way to peek inside the VM, it might be an easier way:

    Volatility-2.0.1# python vol.py -l vmi://windows7-sp1 --profile=Win7SP1x86 pslist
