[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-introspect] Memory mapping in hypervisor

Hello

I don't know if this is the right place for this kind of questions, or
if my questions are a little bit stupid (it's the first time i'm trying
to do something like that), which is why i apologize for the noise.

For research purpose, i'm trying to log all syscalls issued in a DomU.
I sent a few mail on the xen-devel list and got some help over there,
but i reached a point where i'm getting lost.

I disabled direct_trap in the hypervisor and print out (later on i'll
log the info via the tracing facility) some spu registers like EAX,
EIP, ESP and so on... Now i'm trying to link this syscall to a PID in
the VM.

In a regular Linux system, by applying the 0xFFFFE000 mask on the ESP i
get the address of a thread_info which contains a task_struct which
contains the PID. I implemented that on a regular Linux system (in the
Dom0) and i get the same offsets than the find_linux_offsets tool from
XenAccess.

however, in the hypervisor, these structures are not available. I tried
to wlak through the memory and deduce a way to get the PID with the
offsets, but i couldn't find any way to do it. Thus, i decided to took
a look at XenAccess and see how it obtains the info, and correlate the
address given by the hypervisor (ESP & 0xFFFFE000) and the address of
the task_struct found by process-list. But I have troubles with
XenAccess, as it seems that the value of the cr3 register is corrupted.

I'll try on another computer, or maybe even on a 64 bits host (as the
structures are available on the 64 bits version of the hypervisor), but
meanwhile i do not want to give up on my first thought.

When i print outhe memory between ESP & 0xFFFFE000 and ESP, I have many
null values at the beginning of the memory, which i do not explain to
myself.

I guess that there is some mapping between the address seen by the DomU
and the address in the hypervisor where i should read the memory, but i
do not get how to perform that mapping.

Any help, hints or pointers to some doc will be welcomed.

Regards
Fred

_______________________________________________
Xen-introspect mailing list
Xen-introspect@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/mailman/listinfo/xen-introspect

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.