Ever wanted to know what's going on inside that KVM virtual machine?
Wanna use those root privileges for fun and profit?
This POC showcases accessing a KVM-powered virtual machine from the kernel using nothing but ftrace (or any other hooking mechanism).
The kernel module reads some of the running machine's registers and scans it's memory for a given byte sequence.
- Run the linux host and the VM inside.
make runand see it can't find the search string.- Write the search string to the inner VM's console.
- Re-run the module and see it finds the string successfully! (if the demo gods will allow it)
- GCC and Make.
- A linux host running a KVM virtual machine (e.g. with QEMU).
In order to run the POC with the Makefile:
- An SSH connection to the host.
The following variables are configurable in the Makefile:
| NAME | The output kernel module's name |
| KDIR | The kernel source directory to build with
(usually /lib/modules/$(shell uname -r)/build) |
| REMOTE | The remote URI for SSH commands
(in the format of user@address) |
The byte sequence the module searches for can be changed in main.c via:
#define SEARCH_BYTES "..."Build the kernel module (it will be in build/$(NAME).ko):
make buildBuild and run the module on the remote host:
make
# or explicitly:
make runThe Makefile contains some more goodies if you're interested :)
You're welcome to read through the small research documentation I wrote.