[Qemu-devel] QEMU patch to allow VM introspection via libvmi

[valerio@aimale.com]

All-

I've produced a patch for the current QEMU HEAD, for libvmi to introspect QEMU/KVM VMs.

Libvmi has patches for the old qeum-kvm fork, inside its source tree: https://github.com/libvmi/libvmi/tree/master/tools/qemu-kvm-patch

This patch adds a hmp and a qmp command, "pmemaccess". When the commands is invoked with a string arguments (a filename), it will open a UNIX socket and spawn a listening thread.

The client writes binary commands to the socket, in the form of a c structure:

struct request {
     uint8_t type;   // 0 quit, 1 read, 2 write, ... rest reserved
     uint64_t address;   // address to read from OR write to
     uint64_t length;    // number of bytes to read OR write
};

The client receives as a response, either (length+1) bytes, if it is a read operation, or 1 byte ifit is a write operation.

The last bytes of a read operation response indicates success (1 success, 0 failure). The single byte returned for a write operation indicates same (1 success, 0 failure).
The socket API was written by the libvmi author and it works the with current libvmi version. The libvmi client-side implementation is at:

https://github.com/libvmi/libvmi/blob/master/libvmi/driver/kvm/kvm.c

As many use kvm VM's for introspection, malware and security analysis, it might be worth thinking about making the pmemaccess a permanent hmp/qmp command, as opposed to having to produce a patch at each QEMU point release.

Also, the pmemsave commands QAPI should be changed to be usable with 64bit VM's

in qapi-schema.json

from

---
{ 'command': 'pmemsave',
  'data': {'val': 'int', 'size': 'int', 'filename': 'str'} }
---

to

---
{ 'command': 'pmemsave',
  'data': {'val': 'int64', 'size': 'int64', 'filename': 'str'} }
---

hmp-commands.hx and qmp-commands.hx should be edited accordingly. I did not make the above pmemsave changes part of my patch.

Let me know if you have any questions,

Valerio