Sorry for replying so late. Libvmi is used to extract information from the guest, such as system calls. But I don't think it can be used to intercept hypercalls, as a hypercall is a behavior between guest and hypervisor while a syscall is a behavior between guest applications and the guest kernel. Anyway, trying to intercept hypercalls first requires locating the address of the hypercalls. Could you provide any hints on that?

2015-08-11 17:21 GMT+08:00 Andrew Cooper <andrew.coop...@citrix.com>:

> On 11/08/15 03:44, big strong wrote:
>
> My goal is to intercept hypercalls to detect malicious calls. So I need
> firstly find where the hypercalls are.
>
>
> As I have said before, a guest may have an arbitrary number of hypercall
> pages. Furthermore, the hypercall page is merely a convenience; nothing
> prevents a guest manually issuing hypercalls.
>
> My plan is to locate hypercall page first, then walk through the hypercall
> page to get address of hypercalls. If there are any other solutions, please
> let me know. Thanks very much.
>
>
> It sounds like you want VM introspection, but it doesn't work like this.
> Try http://libvmi.com/ as a starting point.
>
> ~Andrew
>
>
> 2015-08-10 23:04 GMT+08:00 Dario Faggioli <dario.faggi...@citrix.com>:
>
>> On Sat, 2015-08-08 at 08:02 +0800, big strong wrote:
>> > I think I've stated clearly what I want to do.
>> >
>> Well...
>> >
>> > |I want to locate the hypercall page address when creating a new domU,
>> > so as to locate hypercalls.
>> >
>> Ok. What for?
>>
>> Dario
>>
>> --
>> <<This happens because I choose it to happen!>> (Raistlin Majere)
>> -----------------------------------------------------------------
>> Dario Faggioli, Ph.D, http://about.me/dario.faggioli
>> Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel