On 17/03/2014 12:54, Alexander Binun wrote:
> Dear friends, great thanks!
>
> To summarize: we are trying to monitor VCPU IDT changes that are done
> by external parties (e.g. rootkits) and not by intra-KVM machinery.
> Are there parameters that witness such changes?

There is no way to intercept changes to the interrupt descriptor table.

You can:

* look at the IDTR values on every vmexit, including before injecting an interrupt, but that won't protect from hijacking software interrupts such as int $0x80;

* protect the IDT from writing using KVM's page table mechanisms, but that won't catch the case when the IDT is changed to a whole new page.

Paolo
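
The two checks from the reply above, combined into one classification (an added example, not part of the original message and not KVM code): it compares the IDTR seen at a vmexit against a baseline and reports whether the table still lies on the pages that were write-protected. `check_idtr`, the verdict names and the sample addresses are hypothetical, and comparing page spans by virtual address assumes the guest's mapping of those pages has not changed.

```c
#include <stdbool.h>
#include <stdint.h>

#define PAGE_SHIFT 12

/* IDTR contents. In KVM userspace the same pair is exposed as
 * kvm_sregs.idt (base, limit) through the KVM_GET_SREGS ioctl. */
struct idtr {
    uint64_t base;   /* guest-virtual address of the IDT */
    uint16_t limit;  /* offset of the last valid byte */
};

enum idt_verdict {
    IDT_UNCHANGED,           /* same base and limit as the baseline */
    IDT_CHANGED_PROTECTED,   /* IDTR differs, table still on baseline pages */
    IDT_CHANGED_UNPROTECTED  /* table now touches pages outside the baseline */
};

static uint64_t first_page(const struct idtr *r)
{
    return r->base >> PAGE_SHIFT;
}

static uint64_t last_page(const struct idtr *r)
{
    return (r->base + r->limit) >> PAGE_SHIFT;
}

/* True when every page spanned by cur lies inside the pages spanned by the
 * baseline, i.e. the pages a monitor would have write-protected. */
bool idt_within_protected_pages(const struct idtr *baseline,
                                const struct idtr *cur)
{
    return first_page(cur) >= first_page(baseline) &&
           last_page(cur) <= last_page(baseline);
}

/* Hypothetical check, meant to run on the IDTR value read at each vmexit. */
enum idt_verdict check_idtr(const struct idtr *baseline,
                            const struct idtr *cur)
{
    if (cur->base == baseline->base && cur->limit == baseline->limit)
        return IDT_UNCHANGED;
    return idt_within_protected_pages(baseline, cur)
               ? IDT_CHANGED_PROTECTED
               : IDT_CHANGED_UNPROTECTED;
}
```

`IDT_CHANGED_UNPROTECTED` is the case the write-protection approach alone cannot see, and `IDT_UNCHANGED` says nothing about what happened between two vmexits.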
