Introduction to Virtual Machine Introspection for System Monitoring of Legacy Windows Environments

Abstract

This master's thesis explores the field of Virtual Machine Introspection (VMI) with two focuses: firstly, to establish a solid understanding of VMI, its principles, and its implementation in existing frameworks. Secondly, to apply this knowledge to extend an existing VMI framework, DRAKVUF, to support legacy Windows systems. The work demonstrates the feasibility and value of extending VMI capabilities to legacy systems. This master's thesis is organized in the following way: Chapter 1 is the introduction, Chapter 2 the objectives and structure of the thesis, Chapter 3 review the technical background needed to understand this work, Chapter 4 presents the virtualized setups used to test the frameworks explored, Chapter 5 introduces VMI for system monitoring, exploring both the broad VMI concept and the technical implementations of VMI by VMI frameworks, Chapter 6 performs an exploratory study of API monitoring with and without VMI, reviewing both traditional API monitoring techniques and frameworks, and a concrete VMI API monitoring, Chapter 7 presents the implementation, testing, and evaluation work made in this thesis (although other chapters also contain practical parts), and finally, Chapter 8 presents the conclusions.