On 26/10/15 22:34, Wen QI wrote:
> Hi,
>
> I am trying to scan guests' pages and check whether they contain specific
> instructions (e.g., LOCK). I summarize how I did it as follows. Could you
> please give some suggestions about whether I am on the right track? Thank
> you.
>
> In my testing environment, XEN 4.4.0 is deployed. Both Domain-0 and guests
> are using Ubuntu 14.4 64-bit. The guests are in HVM mode.
>
> 1. In the page fault handler sh_page_fault(), we first check the #PF error
> code (regs->error_code); if it contains PFEC_insn_fetch && PFEC_user_mode,
> we continue to the next step.
>
> 2. The virtual address (va, which is from CR3) is converted to MFN.
>
> 3. If the MFN is valid, we get the page address via mfn_to_virt().
>
> 4. Then scan the page's data to check whether specific instructions exist in
> the page.
>
> To simplify the testing, I temporarily disabled all shadow optimizations by
> setting SHADOW_OPTIMIZATIONS as 0x0F.
>
> My observations are as follows:
> - In step 2, some virtual addresses can be converted to valid MFN, some
> cannot.
Why would you expect them all to be valid? This is how demand paging of
library code typically works.
>
> - In the HVM guest, I run a piece of C code which contains the LOCK
> instructions. However, in step 4, the instructions cannot be detected.
Why do you expect to ever trap regular usermode execution on a user page?
If you want to do VM Introspection, start with a tool such as libVMI
rather than attempting to implement it from first principles in the
shadow paging code.
~Andrew
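Steps 1 and 4 of the scheme quoted above, written out as an added example (not code from the thread or from Xen): the error-code filter uses the PFEC_* bit values from Xen's x86 headers, and the scan over a constructed page shows why a raw search for 0xF0 bytes is not the same as finding LOCK-prefixed instructions, since an immediate operand can contain 0xF0 too. The page contents and offsets are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* x86 #PF error-code bits, using the names Xen gives them (PFEC_*). */
#define PFEC_page_present  0x01
#define PFEC_write_access  0x02
#define PFEC_user_mode     0x04
#define PFEC_reserved_bit  0x08
#define PFEC_insn_fetch    0x10

#define LOCK_PREFIX  0xF0   /* the LOCK instruction prefix byte */
#define PAGE_SIZE_4K 4096

/* Step 1: keep only faults taken while fetching an instruction in user mode. */
static int pf_is_user_insn_fetch(uint32_t error_code)
{
    const uint32_t want = PFEC_insn_fetch | PFEC_user_mode;
    return (error_code & want) == want;
}

/* Step 4: count 0xF0 bytes in a page. This is a byte scan, not an instruction
 * decode, so a 0xF0 inside an immediate or displacement is counted as well. */
static size_t count_lock_bytes(const uint8_t *page, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (page[i] == LOCK_PREFIX)
            n++;
    return n;
}

/* Constructed page: NOP filler, one "lock cmpxchg %ecx,(%rdx)" (F0 0F B1 0A)
 * and one "mov $0xF0,%eax" (B8 F0 00 00 00) whose immediate is a false positive. */
static size_t scan_constructed_page(void)
{
    static uint8_t page[PAGE_SIZE_4K];
    static const uint8_t lock_cmpxchg[] = { 0xF0, 0x0F, 0xB1, 0x0A };
    static const uint8_t mov_eax_f0[]   = { 0xB8, 0xF0, 0x00, 0x00, 0x00 };

    memset(page, 0x90, sizeof(page));
    memcpy(page + 0x100, lock_cmpxchg, sizeof(lock_cmpxchg));
    memcpy(page + 0x200, mov_eax_f0, sizeof(mov_eax_f0));
    return count_lock_bytes(page, sizeof(page));   /* 2: one real LOCK, one false positive */
}

int main(void)
{
    printf("user-mode insn fetch? %d\n", pf_is_user_insn_fetch(PFEC_insn_fetch | PFEC_user_mode));
    printf("0xF0 bytes found: %zu\n", scan_constructed_page());
    return 0;
}
```

The scan only ever sees pages at the moment they fault in, which is the demand-paging point made in the reply; a page already present in the shadow tables never reaches this code.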
___
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel