KVM-based Virtual Machine Introspection
Updated Oct 11, 2025 - Jinja
Malware Behavior Analyzer
Research-focused hypervisor offering advanced tools for debugging, virtual machine introspection, and automation.
Virtual Machine Introspection (VMI) for memory forensics and machine-learning.
Robust API monitoring system presented in the paper "Designing Robust API Monitoring Solutions" (IEEE TDSC).
Remote inspection support for confidential AMD SEV-SNP VMs.
A simple Rust wrapper around LibVMI for virtual machine introspection (very incomplete)
Rust bindings to KVM's introspection libkvmi library
Rust reimplementation of LibVMI
Detecting x86 paging structures in raw memory.
A simple honeypot with LibVMI and Volatility.
Data structure detection with neural networks.
A script using Electron and system information to provide monitoring capabilities to admins and users.
This DRAKVUF plugin enables VMI-based monitoring of emitted ETW events (Event Tracing for Windows).
This DRAKVUF plugin implements VMI-based YARA scanning over virtual process address spaces.
Software and artifacts related to “ETW through VMI: Hypervisor‑Level Collection of Windows ETW Telemetry”
HypErSIS DRAKVUF is a fork from the official DRAKVUF software (https://github.com/tklengyel/drakvuf) by Tamas K Lengyel (@tklengyel). This fork repository contains a number of modifications, improvements, and plugin extensions that we have made to DRAKVUF as part of the HypErSIS research project.
ProcInjectionsFind is a Volatility plugin that runs against malware-infected memory images or the memory of live VMs and examines each memory region of all running processes to determine whether it is the result of process injection.