/vmread

A library to read/write memory to Windows on KVM

Primary LanguageCMIT LicenseMIT

A library to read/write memory to Windows running inside of KVM

End-of-life

This library is not supported anymore. Please use memflow for more up-to-date and versatile VM introspection tools.

wintools.h and mem.h provide most of the functions callable to interract with the Windows VM, while hlapi abstracts everything in a bit simpler to use manner (requires C++).

Rust bindings are available in a separate repository.

Compiling

Minimum language standard: C99 The current example project is in C++, requiring at least C++11 with template support, but the C version also exists, which works fine on a C99 compiler.

Use meson and ninja to compile the example programs

Use make to compile the kernel module

Performance

Internal (QEMU inject) mode is roughly 5 times faster than external mode. However, it is possible to use the kernel module to map the memory space of QEMU into the external process, mitigating the performance penalty. Also, when performing larger reads, the memcpy quickly reaches its peak speed and external mode begins to catch up. Performance numbers are shown below.

alt text

Frequent issues

Make sure to use the Q35 chipset on the KVM guest, unless it is running Windows XP. Otherwise, the library may not work correctly. Kmod mapping is not guaranteed to work properly or for extended periods of time if the VM is not set up to use hugepages.

Licensing note

While most of the codebase is under the MIT license, the kernel module (kmem.c file) is licensed under GNU GPLv2.