Virtual machine introspection based on system calls and kernel data structures

V. M. Stepanov^ab, P. M. Dovgalyuk^ab, N. I. Fursova<sup>ab

a</sup> Ivannikov Institute for System Programming of the RAS
^b Yaroslav-the-Wise Novgorod State University

Abstract: The semantic gap is one of the key problems in developing solutions for full-system dynamic analysis. At the hypervisor level, tools have access only to low-level binary data, while analysis requires high-level information about the state of guest operating system objects. Virtual machine introspection approaches solve this problem. Unfortunately, implementations of existing approaches face performance issues and lack of functionality. They require the user to embed special agents into the virtual machine image or have debugging symbols for the OS kernel. They also turn out to work only for specific systems and processor architectures. The article presents a number of solutions that reduce overhead and increase the versatility of the analysis tool. The peculiarity of the developed introspection approach is that it does not require any additional actions from the user, collecting the information necessary for analysis during the OS boot on the emulator.

Keywords: virtual machine, dynamic analysis, QEMU, virtual machine introspection

DOI: 10.15514/ISPRAS-2025-37(6)-36