Fork me on GitHub
S3

Actaeon

Hypervisors Hunter



Intro

Actaeon is a tool to perform memory forensics of virtualization environments. Starting from a physical memory dump, Actaeon can achieve three important goals: 1) locate any Hypervisor (virtual machine monitor) that uses the Intel VT-x technology, 2) detect and analyze nested virtualization and show the relationships among different hypervisors running on the same machine, and 3) provide a transparent mechanism to recognize and support the address space of the virtual machines.
Actaeon consists of three components:

  • - hyperls: a Volatility plugin to list the hypervisors in a memory dump and print several info about them.
  • - A patch to Volatility to allow other plugins and commands to be applied to each guest operating system.
  • - A VMCS layout dumper, based on the HyperDbg code

Actaeon adopts a hypervisor-agnostic approach, based on locating the VMCS data structure in memory. Thus, it should be able to detect any hypervisor (benign or malicious) that uses this technology. So far, we successfully tested it with KVM (kernel 3.6.0), Xen (4.2.0), VMware Workstation (9.0.1), VirtualBox (4.2.6) and the last version of HyperDbg - including different nested combinations (e.g., KVM under XEN, or VirtualBox under VMWare). Our tests were limited to 32bit Operating Systems (tests with 64bits and Microsoft Hyper-V are on the way).

Actaeon needs to know the offsets of certain fields inside the VMCS. At the moment, our distribution contains all the five Intel microarchitectures supporting Hardware Assisted Virtualization (Sandy Bridge, Penryn, Westmere, Nehalem and Haswell) and a number of custom VMCS used to support nested hypervisors (Xen, KVM, and VMWare workstation). If you have a processor with another microarchitecture please help us by running our VMCS offset dumper and sending back to us its output.

Features List

    KVM, Xen, VMware Worstation, VirtualBox and HyperDbg support
    Nested Virtualization support for KVM, Xen and VMware Worstation
    Sandy Bridge, Penryn and Westmere Intel Microarchitectures support
    Transparent Instrospection for Windows Guests
    Hypervisor IA-32e and PAE support
    Multi-processors Guests support
    Hyper-V support
    Transparent Instrospection for Linux Guests
    VMware ESXi support
    VMCS Shadowing support
    bhyve support

News

Google implemented Actaeon ideas in Rekall - Read: VM discovery and introspection with Rekall - 2014/10
Actaeon at "Hack in the Box" (HITB) Security Conference in Kuala Lumpur, Malaysia: Under the Hood: How Actaeon Unveils Your Hypervisor - 2013/10
The team will participate at the SANS DFIR EU SUMMIT in Prague, Czech Republic - 2013/10
Actaeon won the 1st Volatility Plugin Contest - 2013/08

Publications

Hypervisor Memory Forensics
Mariano Graziano, Andrea Lanzi, Davide Balzarotti
16th International Symposium on Research in Attacks, Intrusions and Defenses (RAID), St. Lucia, October 2013 (acceptance rate: 22.9%)

Download and Installation

You can find our code on GitHub: Actaeon
To install Actaeon on a Linux system follow these simple steps:

:: Installation script
wget https://raw.github.com/eurecom-s3/actaeon/master/utils/actaeon_setup.sh
bash actaeon_setup.sh


:: Manual Installation
[-- Step 0x00
cd /tmp
git clone git://github.com/eurecom-s3/actaeon.git

[-- 0x01 - Dumper
cd "yourdir"
svn checkout http://hyperdbg.googlecode.com/svn/trunk/ hyperdbg-read-only
cd hyperdbg-read-only
cp /tmp/actaeon/dumper/hdbg.diff .
patch -p0 < hdbg.diff

[-- 0x02 - Volatility patch
cd "yourdir2"
wget http://volatility.googlecode.com/files/volatility-2.2.zip
unzip volatility-2.2.zip
cd volatility-2.2/
cp /tmp/actaeon/vol_patch/intel.diff .
cp /tmp/actaeon/vol_patch/windows.diff .
patch -p0 < intel.diff
patch -p0 < windows.diff


[-- 0x03 - Volatility Plugin
cp -R /tmp/actaeon/plugin/hypervisors/ "yourdir2"/volatility/plugins/


Happy hacking!

Examples

These two videos show how to use Actaeon (set the resolution to 1080p for better quality)

Actaeon vs VMware Workstation 9.0

Actaeon vs KVM and nested Virtualization

Actaeon?

In Greek mythology, son of the priestly herdsman Aristaeus and Autonoe in Boeotia, was a famous Theban hero. Like Achilles in a later generation, he was trained by the centaur Chiron.

Look at Actaeon's wretched fate
who by the man-eating hounds he had raised,
was torn apart, better at hunting
than Artemis he had boasted to be, in the meadows.

Euripides
For more information visit the Wikipedia page. The image in this homepage is the famous "Diana and Actaeon" painted by the Italian Renaissance master Titian.

Authors

Actaeon has been developed by Mariano `emdel` Graziano at EURECOM under the supervision of Davide Balzarotti and Andrea Lanzi.
Enrico Canzonieri joined the team for his semestral project.

Contact

Join #actaeon on Freenode to discuss about the tool and virtualization or #volatility.
Feel free to contact @emd3l on Twitter or emdel [at] s3 d0t eurecom d0t fr for long questions.