
Re: [Xen-devel] Scan guests' page to seek specific instructions



On 26/10/15 22:34, Wen QI wrote:
> Hi,
>
> I am trying to scan guests' pages and check whether they contain specific
> instructions (e.g., LOCK). I summarize how I did it as follows. Could you
> please give some suggestions about whether I am heading in the right
> direction? Thank you.
>
> In my testing environment, XEN 4.4.0 is deployed. Both Domain-0 and guests 
> are using Ubuntu 14.4 64-bit. The guests are in HVM mode.
>
> 1. In the page fault handler sh_page_fault(), we first check the #PF error
> code (regs->error_code); if it contains PFEC_insn_fetch && PFEC_user_mode,
> we continue to the next step.
>
> 2. The virtual address (va, which is from CR3) is converted to MFN.
>
> 3. If the MFN is valid, we get the page address via mfn_to_virt().
>
> 4. Then scan the page's data to check whether specific instructions exist in 
> the page.
>
> To simplify the testing, I temporarily disabled all shadow optimizations by
> setting SHADOW_OPTIMIZATIONS to 0x0F.
>
> My observations are as follows:
> - In step 2, some virtual addresses can be converted to a valid MFN, some
> cannot.

Why would you expect them all to be valid?  This is how demand paging of
library code typically works.

>
> - In the HVM guest, I run a piece of C code which contains the LOCK 
> instructions. However, in step 4, the instructions cannot be detected.

Why do you expect to ever trap regular usermode execution on a user page?

If you want to do VM Introspection, start with a tool such as libVMI
rather than attempting to implement it from first principles in the
shadow paging code.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
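
As an added illustration (not code from this thread or from Xen), the sketch below shows the error-code test from step 1 and the page scan from step 4 over a page that is already mapped; a page with no valid MFN, as in the demand-paging case above, has nothing to scan. The PFEC bit values follow the x86 #PF error-code layout, the function names and sample bytes are hypothetical, and only a small subset of lockable opcodes is matched by byte pattern, so hits are candidates rather than decoded instructions.

```c
#include <stddef.h>
#include <stdint.h>

/* x86 #PF error-code bits; redefined here so the sketch builds outside Xen. */
#define PFEC_user_mode  (1u << 2)
#define PFEC_insn_fetch (1u << 4)

/* Both bits must be set: the fault was a user-mode instruction fetch. */
static int pf_is_user_insn_fetch(uint32_t ec)
{
    uint32_t want = PFEC_user_mode | PFEC_insn_fetch;
    return (ec & want) == want;
}

/* Does a LOCK prefix at p[0] precede a lockable opcode with a memory operand? */
static int lock_candidate(const uint8_t *p, size_t n)
{
    size_t i = 1;
    if (n < 3 || p[0] != 0xF0) return 0;
    if (p[i] == 0x66) i++;                      /* operand-size prefix */
    if (i < n && (p[i] & 0xF0) == 0x40) i++;    /* REX prefix in 64-bit code */
    if (i + 1 >= n) return 0;
    uint8_t op = p[i], modrm = p[i + 1];
    if (op == 0x0F) {                           /* CMPXCHG / XADD */
        if (i + 2 >= n) return 0;
        op = p[i + 1]; modrm = p[i + 2];
        if (op != 0xB0 && op != 0xB1 && op != 0xC0 && op != 0xC1) return 0;
    } else if (op == 0xFF) {
        if (((modrm >> 3) & 7) > 1) return 0;   /* only INC (/0) and DEC (/1) */
    } else if (op == 0x83) {
        if (((modrm >> 3) & 7) == 7) return 0;  /* CMP (/7) is not lockable */
    } else if (op != 0x01 && op != 0x87) {      /* ADD r/m,r and XCHG */
        return 0;
    }
    return (modrm >> 6) != 3;                   /* LOCK needs a memory destination */
}

/* Count candidates in a mapped page; an instruction split across pages is missed. */
static size_t scan_page_for_lock(const uint8_t *page, size_t len)
{
    size_t hits = 0;
    for (size_t off = 0; off < len; off++)
        hits += lock_candidate(page + off, len - off);
    return hits;
}

/* Constructed sample: lock cmpxchg %ecx,(%rdx); nop; lock incl (%rax); F0 + nops. */
static const uint8_t sample[] = { 0xF0, 0x0F, 0xB1, 0x0A, 0x90,
                                  0xF0, 0xFF, 0x00, 0xF0, 0x90, 0x90 };
```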
