{"id":13437572,"url":"https://github.com/bitdefender/hvmi","last_synced_at":"2025-04-04T19:13:01.861Z","repository":{"id":38841175,"uuid":"283759384","full_name":"bitdefender/hvmi","owner":"bitdefender","description":"Hypervisor Memory Introspection Core Library","archived":false,"fork":false,"pushed_at":"2024-03-27T15:56:22.000Z","size":14152,"stargazers_count":615,"open_issues_count":3,"forks_count":65,"subscribers_count":41,"default_branch":"master","last_synced_at":"2024-04-14T02:19:45.190Z","etag":null,"topics":["exploit","hypervisor","introspection","memory","protection","rootkit"],"latest_commit_sha":null,"homepage":"https://bitdefender.github.io/hvmi-blog/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bitdefender.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2020-07-30T11:51:57.000Z","updated_at":"2024-04-05T11:14:18.000Z","dependencies_parsed_at":"2024-01-23T18:13:26.531Z","dependency_job_id":"bb3cedd4-fc56-46fc-b62f-8ec5b898e4c1","html_url":"https://github.com/bitdefender/hvmi","commit_stats":null,"previous_names":["hvmi/hvmi"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitdefender%2Fhvmi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitdefender%2Fhvmi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitdefender%2Fhvmi/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitdefender%2Fhvmi/manifests","owner_url":"https://repos.ecosyste.ms/a
pi/v1/hosts/GitHub/owners/bitdefender","download_url":"https://codeload.github.com/bitdefender/hvmi/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247234923,"owners_count":20905854,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exploit","hypervisor","introspection","memory","protection","rootkit"],"created_at":"2024-07-31T03:00:58.402Z","updated_at":"2025-04-04T19:13:01.832Z","avatar_url":"https://github.com/bitdefender.png","language":"C","readme":"# Hypervisor Memory Introspection\n\n![logo](docs/chapters/images/hvmi-logo-main-color.png)\n\nHVI stands for Hypervisor Introspection. The term is used interchangeably with HVMI, which is a bit more specific, and stands for Hypervisor Memory Introspection.\n\nVirtual Machine Introspection is defined as the technique of analyzing the state and behavior of a guest virtual machine from outside of it. In addition, Introspection can also leverage virtualization extensions to provide security.\n\nThe main purpose of this project is to provide unmatched security from outside the virtual machine, by leveraging the hardware isolation provided by Intel VT-x. 
The main categories of attacks HVI prevents are:\n\n- Binary exploits inside protected processes\n- Code and data injection techniques inside protected processes\n- Function hooks inside protected processes, on designated system DLLs\n- Rootkits (various techniques are blocked, such as inline hooks inside the kernel or other drivers, SSDT hooks, Driver-object hooks, system register modifications, etc.)\n- Kernel exploits\n- Privilege escalation\n- Credential theft\n- Deep process introspection (prevents process creation if the parent process has been compromised)\n- Fileless malware (PowerShell command line scanning)\n\nFor more details check out the [HVMI specification](http://hvmi.readthedocs.io) and the [HVMI blog](https://bitdefender.github.io/hvmi-blog/).\n\n## Supported hypervisors\n\nHVMI can work on any hypervisor, as long as the proper API is provided (which is documented [here](https://hvmi.readthedocs.io/en/latest/chapters/1-overview.html#prerequisites-from-the-hv)). Currently, it has been integrated and tested with the following hypervisors:\n* [Napoca Hypervisor](https://github.com/bitdefender/napoca) - Bitdefender's bare-metal hypervisor for Intel CPUs\n* [Xen](https://xenbits.xen.org) - the famous open source hypervisor\n* [KVM](https://www.linux-kvm.org/page/Main_Page) - the Linux Kernel Virtual Machine\n\n## Repository structure\n\n- **introcore** - the introcore source code and header files\n- **include** - the public header files and headers shared between multiple projects\n- **cami** - the [Guest support mechanism](#Guest-support-mechanism) files\n- **exceptions** - the [Exception](#Exceptions) files\n- **agents** - the Windows special agents project files\n- **docs** - the documentation\n- **build_disasm** - the files used to build the [bddisasm](https://github.com/bitdefender/bddisasm) dependency\n- **deserialize** - the deserializer scripts, used to extract useful information from serialized alerts\n- **Doxygen** - the Doxygen settings\n- 
**windows_build** - the scripts used during the [Windows build](#Windows-build)\n- **daemon** - an integration example for Xen and KVM\n\n## Quick start guide\n\n- [HVMI demo setup on Xen](https://bitdefender.github.io/hvmi-blog/2020/08/10/getting-started-on-Xen.html).\n- [HVMI demo setup on KVM](https://bitdefender.github.io/hvmi-blog/2020/08/10/getting-started-on-kvm.html).\n- [Adding custom exceptions](https://bitdefender.github.io/hvmi-blog/2020/08/19/exceptions.html).\n\n## Checkout\n\nGet Introcore and all the dependencies by running:\n\n```bash\ngit clone --recurse-submodules https://github.com/bitdefender/hvmi.git\n```\n\nThis will clone the HVMI repository and the [bddisasm](https://github.com/bitdefender/bddisasm) submodule.\n\n## Build\n\nIntrocore can be built both as a Windows DLL, and as a Linux library. Only the 64-bit configuration is supported.\n\n### Linux build\n\nTo build the project on Linux you need:\n\n- gcc \u003e= 7.0\n- cmake \u003e= 3.13\n- make\n\nTo integrate the library (`libintrocore.so`) you can use the `pkg-config` file (`introcore.pc`) that is generated by `cmake`.\n\nBuilding Introcore is done by running cmake from the root of the repository:\n\n```bash\n# generate configuration\ncmake -H. 
-G\u003cgenerator\u003e -B\u003cbuild directory\u003e -DCMAKE_BUILD_TYPE=\u003cbuild type\u003e -DCMAKE_INSTALL_PREFIX=\u003cinstall prefix directory\u003e -DCMAKE_LIBRARY_OUTPUT_DIRECTORY=\u003cbinary output directory\u003e -DCMAKE_TOOLCHAIN_FILE=\u003ctoolchain\u003e\n```\n\nThe default value of `CMAKE_INSTALL_PREFIX` is `/usr/local/`.\nThe default value of `CMAKE_LIBRARY_OUTPUT_DIRECTORY` is `$project_dir/bin`.\n\n#### Build for Debug\n\n```bash\ncmake -B_build -DCMAKE_BUILD_TYPE=Debug\ncd _build\nmake\n```\n\n#### Build for Release\n\n```bash\ncmake -B_build -DCMAKE_BUILD_TYPE=Release\ncd _build\nmake\n```\n\n#### Install\n\n```bash\n# install the introcore library (debug)\ncd _build\nmake install\n```\n\nThis builds the [bddisasm](https://github.com/bitdefender/bddisasm) dependency and then **libintrocore**, the [exception](#Exceptions) and the [guest support mechanism](#Guest-support-mechanism) files. Use `make introcore` to build just **libintrocore**. The resulting binaries will be in `bin/x64/Debug` or `bin/x64/Release`.\n\n#### Generate an SDK\n\nGenerating an SDK that will contain **libintrocore** Debug and Release versions, and the public header files is done with:\n\n```bash\nmkdir _build\ncd _build\n\ncmake .. -B. -DCMAKE_BUILD_TYPE=Debug\nmake\n\ncmake .. -B. -DCMAKE_BUILD_TYPE=Release\nmake\n\nmake package\n```\n\nThis creates a ZIP file in the root of the repo that contains the latest **libintrocore** you’ve built, together with the header files from the `include/public` directory.\n\n### Windows build\n\nTo build the project on Windows you need:\n\n- [Visual Studio 2019](https://visualstudio.microsoft.com/vs/) with the **Desktop development with C++ workload**\n- [Windows SDK 10.0.18362.0](https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk/)\n- [python 3.6 or newer](https://www.python.org/downloads/release/python-360/)\n\nWhen you first open the `hvmi.sln` file, Visual Studio should prompt you to install any missing components. 
Building the introcore can be done directly from Visual Studio or with the `build.cmd` script:\n\n```bash\n# build for Debug\nbuild.cmd Debug\n\n# build for Release\nbuild.cmd Release\n```\n\nThis will create **introcore.dll** and **introcore.pdb** in `bin/x64/Debug` or `bin/x64/Release`.\n\nCMake is not supported for Windows builds.\n\n## Documentation\n\nIntrocore comes with Doxygen code documentation, and a specification built with [Sphinx](https://www.sphinx-doc.org/en/master/).\n\n### Doxygen\n\nFor generating the Doxygen documentation on Linux, use:\n\n```bash\ncmake -B_build\ncd _build\nmake doxy\n```\n\nFor Windows, use:\n\n```bash\nmake_doxy.cmd\n```\n\nOr invoke Doxygen directly:\n\n```bash\ndoxygen Doxygen/Doxyfile\n```\n\nThis assumes that you have [Doxygen](https://www.doxygen.nl/index.html) installed and in your path.\n\nThe Doxygen documentation will then be found in `docs/_static/Doxygen/html`.\n\n## Specification\n\nTo build the specification you need:\n\n- Python 3\n- [Sphinx](https://www.sphinx-doc.org/en/master/)\n- [sphinx-bootstrap-theme](https://github.com/ryan-roemer/sphinx-bootstrap-theme)\n\nTo generate the HTML version of the documentation:\n\n```bash\ncd docs\nmake html\n```\n\nThis will also build the Doxygen documentation. 
The result will be in `docs/_build/html`.\n\n## Exceptions\n\nIntrocore has an exception mechanism, which is used to whitelist legitimate accesses to protected structures.\n\nSample exception files that should work for out-of-box installations of Windows 7 (SP1 and SP2) and Windows 10 1809 (RS5) are included in the `exceptions` directory.\n\nTo generate the exceptions binary, use:\n\n```bash\ncmake -B_build\ncd _build\nmake exceptions\n```\n\nFor more information see [exceptions](exceptions/README.md).\n\n## Guest support mechanism\n\nIntrocore needs to know certain information in order to properly hook and protect an operating system (for example, the layout of certain kernel structures, patterns for finding functions inside the guest memory, etc.). This information is included in a CAMI database file. Sample files that offer support for Windows 7 (SP1 and SP2), Windows 10 1809 (RS5), Ubuntu 18.04, and CentOS 8 can be found in the `cami` directory.\n\nTo generate the cami binary, use:\n\n```bash\ncmake -B_build\ncd _build\nmake cami\n```\n\nFor more information see [CAMI](cami/README.md).\n\n## Contacting us\n\nThere are several ways to contact us:\n\n- [The public HVMI Slack](https://kvm-vmi.slack.com) - [join here](https://kvm-vmi.herokuapp.com) the public Slack to discuss ideas publicly, or privately, with both Bitdefender developers and other members of the community\n- Bitdefender HVMI OSS team contact - hvmi-oss@bitdefender.com - contact Bitdefender folks directly regarding any issue that is not well suited for public Slack discussions\n- HVMI security - hvmi-security@bitdefender.com - report security issues and vulnerabilities; we kindly ask that you follow the guideline described 
[here](SECURITY.md)\n","funding_links":[],"categories":["C"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitdefender%2Fhvmi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbitdefender%2Fhvmi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitdefender%2Fhvmi/lists"}