
Re: [Xen-devel] VMI: singlestep event not received



On Sun, Apr 21, 2019 at 4:27 PM Mathieu Tarral
<mathieu.tarral@xxxxxxxxxxxxxx> wrote:
>
> Hi,
>
> I'm having an issue with Xen's VMI subsystem.
>
> My goal is to build a small debugger that can break at an application's entrypoint
> on Windows XP, when a new process is being created.
>
> To accomplish this, I first set a software breakpoint on KiThreadStartup (ntoskrnl.exe),
> then on RtlUserThreadStart (ntdll.dll).
>
> The problem is that RtlUserThreadStart is paged-out, so I'm trying to reach
> it via singlestepping as a backup solution.
>
> To my surprise, it didn't work as expected, since my application just hung,
> waiting for the next singlestep event:
>
> --Waiting for xen events...(0 ms)
> Disabling single step on vcpu: 0
> --Removing MTF flag from vcpu 0
> --Shutting down single step on domain 1
> --Removing MTF flag from vcpu 0
> --Starting single step on domain 1
> Enabling single step
> INFO:WindowsDebugContext:[105] at: 0x806d32d6
> Disabling single step on vcpu: 0
> --Removing MTF flag from vcpu 0
> --Shutting down single step on domain 1
> --Removing MTF flag from vcpu 0
> --Starting single step on domain 1
> --Setting MTF flag on vcpu 0
> Enabling single step
> --Waiting for xen events...(1000 ms)
> --Waiting for xen events...(0 ms)
> Disabling single step on vcpu: 0
> --Removing MTF flag from vcpu 0
> --Shutting down single step on domain 1
> --Removing MTF flag from vcpu 0
> --Starting single step on domain 1
> Enabling single step
> INFO:WindowsDebugContext:[106] at: 0x806d32dc
> Disabling single step on vcpu: 0
> --Removing MTF flag from vcpu 0
> --Shutting down single step on domain 1
> --Removing MTF flag from vcpu 0
> --Starting single step on domain 1
> --Setting MTF flag on vcpu 0
> Enabling single step
> --Waiting for xen events...(1000 ms)
> --Waiting for xen events...(1000 ms)
> --Waiting for xen events...(1000 ms)
> --Waiting for xen events...(1000 ms)
> --Waiting for xen events...(1000 ms)
> --Waiting for xen events...(1000 ms)
> --Waiting for xen events...(1000 ms)
>
> The reason why I'm disabling and enabling the singlestep successively is
> because I already
> have a libvmi singlestep event registered, with the MTF flag disabled.
> I only use it for breakpoint recoil situations.
> It's a limitation of the libvmi API where you cannot modify a registered
> event to enable singlestep at will.

I'm not entirely sure what you mean here (and perhaps that's a
discussion to be moved to the LibVMI issues page). If you already have
an event registered for singlestepping, why would you want to disable
it just to re-enable it? If it's because you just have the handler
registered without MTF actually active, that's specifically made for
the situation where you turn MTF on/off using the VM_EVENT_RESPONSE_FLAG.

Also, using MTF to reach parts of the code that are several hundred
instructions down the pipe will most likely not work due to the
extreme overhead it adds. You are more likely to get an interrupt and
land somewhere in the kernel long before you reach your target. At
least that has been my experience. You likely want to investigate
other options, such as what Razvan recommended.

Tamas
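The breakpoint-recoil pattern Tamas describes (a singlestep handler that stays registered while MTF itself is off, with MTF armed for exactly one instruction by returning a toggle flag from the INT3 handler) is shown below as an added, self-contained toy model. It is not code from the thread, from LibVMI or from Xen: the guest, its one-byte opcodes (`OP_NOP`, `OP_JMP0`), the event loop and the `RESP_TOGGLE_SINGLESTEP` flag are all constructed here, with the flag modelled on LibVMI's `VMI_EVENT_RESPONSE_TOGGLE_SINGLESTEP`. What it demonstrates is the control flow: the breakpoint is lifted and MTF armed in one handler, the original instruction runs once, and the singlestep handler re-arms the breakpoint and disarms MTF, so no event is ever unregistered and re-registered.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy response flags (assumption: mirrors LibVMI's toggle-singlestep response,
 * but this is a model, not the LibVMI API). */
#define RESP_NONE              0u
#define RESP_TOGGLE_SINGLESTEP (1u << 0)

/* Constructed one-byte "instruction set" for the toy guest. */
#define OP_NOP    0x01
#define OP_JMP0   0x02   /* jump back to address 0 */
#define BP_OPCODE 0xCC   /* INT3, the software breakpoint byte */

typedef struct {
    uint8_t mem[16];    /* toy guest code, one byte per instruction */
    size_t  pc;
    bool    mtf_on;     /* is the monitor trap flag armed on this vcpu? */
} toy_vm;

typedef struct {
    size_t  addr;       /* where the breakpoint byte was planted */
    uint8_t saved;      /* original byte under it */
    int     hits;       /* INT3 events delivered */
    int     recoils;    /* singlestep events used to re-arm */
} breakpoint;

typedef struct { int hits; int recoils; bool rearmed; bool mtf_left_on; } result;

/* INT3 handler: lift the breakpoint so the real instruction can run, and ask the
 * event loop to arm MTF. The pc is not advanced, so the restored byte executes next. */
static unsigned int on_int3(toy_vm *vm, breakpoint *bp) {
    bp->hits++;
    vm->mem[bp->addr] = bp->saved;
    return RESP_TOGGLE_SINGLESTEP;
}

/* Singlestep handler: registered the whole time, but only reached while MTF is on.
 * Re-plant the breakpoint and ask the loop to disarm MTF again. */
static unsigned int on_singlestep(toy_vm *vm, breakpoint *bp) {
    bp->recoils++;
    vm->mem[bp->addr] = BP_OPCODE;
    return RESP_TOGGLE_SINGLESTEP;
}

/* Toy event loop: executes `insns` guest instructions, delivering INT3 events
 * before a trapped instruction and singlestep events after each instruction
 * while MTF is armed, then applies the handler's response flags. */
static void run(toy_vm *vm, breakpoint *bp, int insns) {
    int executed = 0;
    while (executed < insns) {
        unsigned int resp = RESP_NONE;
        uint8_t op = vm->mem[vm->pc];
        if (op == BP_OPCODE && vm->pc == bp->addr) {
            resp = on_int3(vm, bp);
        } else {
            vm->pc = (op == OP_JMP0) ? 0 : vm->pc + 1;
            executed++;
            if (vm->mtf_on)
                resp = on_singlestep(vm, bp);
        }
        if (resp & RESP_TOGGLE_SINGLESTEP)
            vm->mtf_on = !vm->mtf_on;
    }
}

/* Constructed scenario: a 4-instruction loop with a breakpoint on instruction 2. */
static result run_demo(int insns) {
    toy_vm vm;
    breakpoint bp;
    memset(&vm, 0, sizeof vm);
    vm.mem[0] = OP_NOP; vm.mem[1] = OP_NOP; vm.mem[2] = OP_NOP; vm.mem[3] = OP_JMP0;
    bp.addr = 2; bp.saved = vm.mem[2]; bp.hits = 0; bp.recoils = 0;
    vm.mem[bp.addr] = BP_OPCODE;                /* plant the breakpoint */
    run(&vm, &bp, insns);
    result r = { bp.hits, bp.recoils, vm.mem[bp.addr] == BP_OPCODE, vm.mtf_on };
    return r;
}

int main(void) {
    result r = run_demo(12);   /* three trips around the loop */
    printf("hits=%d recoils=%d rearmed=%d mtf_on=%d\n",
           r.hits, r.recoils, r.rearmed, r.mtf_left_on);
    return 0;
}
```

Every pass through the loop produces exactly one INT3 event and one singlestep event, the breakpoint byte is back in place at the end, and MTF is off again, which is the steady state the quoted log never reaches because it tears down and recreates the event instead of toggling it.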

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
