Virtual machine introspection

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Pavel.Dovgalyuk at 12:23, 22 September 2017. It may differ significantly from the current revision.

Virtual machine introspection (VMI) is a technique for monitoring the runtime state of a system-level virtual machine, which is helpful for debugging or forensic analysis.[1][2]

VMI tools may be located inside or outside the virtual machine and act by tracking events (interrupts, memory writes, and so on) or by sending requests to the virtual machine. The virtual machine monitor usually provides low-level information such as the raw bytes of memory. Converting this low-level view into something meaningful for the user is known as the semantic gap problem.
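The semantic gap described above, shown as an added example that is not part of the original article: a process list is reconstructed from raw guest memory using a layout profile. The record layout, offsets, addresses and memory contents are constructed for illustration and do not correspond to any real operating system or VMI tool.

```python
import struct

# Hypothetical layout ("profile") of a toy guest kernel's process record.
# Real tools take such offsets from OS debug symbols; these are constructed.
PROFILE = {"pid": 0x00, "name": 0x04, "name_len": 16, "next": 0x14, "size": 0x1C}


def read(mem, addr, length):
    """Bounds-checked read of raw guest memory, as a monitor would expose it."""
    if addr < 0 or addr + length > len(mem):
        raise ValueError(f"address {addr:#x} is outside guest memory")
    return mem[addr:addr + length]


def list_processes(mem, head, profile=PROFILE):
    """Walk the circular process list starting at `head`; return [(pid, name)]."""
    procs, seen, addr = [], set(), head
    while addr not in seen:           # stop on wrap-around or a corrupted loop
        seen.add(addr)
        rec = read(mem, addr, profile["size"])
        (pid,) = struct.unpack_from("<I", rec, profile["pid"])
        raw = rec[profile["name"]:profile["name"] + profile["name_len"]]
        name = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        (addr,) = struct.unpack_from("<Q", rec, profile["next"])
        procs.append((pid, name))
    return procs


def build_sample_memory():
    """Constructed 4 KiB 'guest memory' with three records at scattered addresses."""
    mem = bytearray(0x1000)
    records = [(0x100, 1, b"init", 0x800), (0x800, 42, b"sshd", 0x340),
               (0x340, 77, b"bash", 0x100)]  # last record points back to head
    for addr, pid, name, nxt in records:
        struct.pack_into("<I16sQ", mem, addr, pid, name, nxt)
    return bytes(mem), 0x100


if __name__ == "__main__":
    memory, head = build_sample_memory()
    print(memory[0x100:0x11C].hex())      # what the monitor sees: opaque bytes
    for pid, name in list_processes(memory, head):
        print(pid, name)                  # what the analyst needs
```

Because guest memory is untrusted input, the walker checks every pointer against the memory bounds and stops if the list loops back on itself.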

VMI within the virtual machine

Programs running inside the VM may provide information about other processes. This information may be sent through a network interface or through a virtual device such as a serial port. Examples of in vivo introspection programs are the WinDbg[3] or GDB[4] servers that interact with a remote debugger.

VMI outside the virtual machine

VMI tools may be implemented within the virtual machine monitor[5] or as separate programs[6].

Data extraction from virtual machine memory is sometimes performed with the Volatility framework[7].

References

