Hi,

I'm having an issue with Xen's VMI subsystem.

My goal is to build a small debugger that can break at an application's entrypoint on Windows XP, when a new process is being created.

To accomplish this, I first set a software breakpoint on KiThreadStartup (ntoskrnl.exe), then on RtlUserThreadStart (ntdll.dll).

The problem is that RtlUserThreadStart is paged-out, so I'm trying to reach it via singlestepping as a backup solution.

To my surprise, it didn't work as expected, since my application just hung, waiting for the next singlestep event:

--Waiting for xen events...(0 ms)
Disabling single step on vcpu: 0
--Removing MTF flag from vcpu 0
--Shutting down single step on domain 1
--Removing MTF flag from vcpu 0
--Starting single step on domain 1
Enabling single step
INFO:WindowsDebugContext:[105] at: 0x806d32d6
Disabling single step on vcpu: 0
--Removing MTF flag from vcpu 0
--Shutting down single step on domain 1
--Removing MTF flag from vcpu 0
--Starting single step on domain 1
--Setting MTF flag on vcpu 0
Enabling single step
--Waiting for xen events...(1000 ms)
--Waiting for xen events...(0 ms)
Disabling single step on vcpu: 0
--Removing MTF flag from vcpu 0
--Shutting down single step on domain 1
--Removing MTF flag from vcpu 0
--Starting single step on domain 1
Enabling single step
INFO:WindowsDebugContext:[106] at: 0x806d32dc
Disabling single step on vcpu: 0
--Removing MTF flag from vcpu 0
--Shutting down single step on domain 1
--Removing MTF flag from vcpu 0
--Starting single step on domain 1
--Setting MTF flag on vcpu 0
Enabling single step
--Waiting for xen events...(1000 ms)
--Waiting for xen events...(1000 ms)
--Waiting for xen events...(1000 ms)
--Waiting for xen events...(1000 ms)
--Waiting for xen events...(1000 ms)
--Waiting for xen events...(1000 ms)
--Waiting for xen events...(1000 ms)

The reason why I'm disabling and enabling the singlestep successively is because I already have a libvmi singlestep event registered, with the MTF flag disabled.
I only use it for breakpoint recoil situations.
It's a limitation of the libvmi API where you cannot modify a registered event to enable singlestep at will.
Therefore my solution:
https://github.com/Wenzel/pyvmidbg/blob/37ee12fb7bee612b0dbee9356e21aa959e750746/vmidbg/breakpoint.py#L79

The funny thing is that it's always at the same instruction that it fails, the 106th singlestep, at 0x806d32dc:

[0x7c90e514]> s 0x806d32dc
[0x806d32dc]> pd 10
            0x806d32dc      890d8000feff   mov dword [0xfffe0080], ecx
            0x806d32e2      a18000feff     mov eax, dword [0xfffe0080] ; [0xfffe0080:4]=-1
            0x806d32e7      c3             ret
            0x806d32e8      a18000feff     mov eax, dword [0xfffe0080] ; [0xfffe0080:4]=-1
            0x806d32ed      c1e804         shr eax, 4
            0x806d32f0      0fb68088e06d.  movzx eax, byte [eax - 0x7f921f78]
            0x806d32f7      c3             ret
            0x806d32f8      b91f000000     mov ecx, 0x1f               ; 31
            0x806d32fd      e876ffffff     call 0x806d3278
            0x806d3302      c3             ret
[0x806d32dc]>


I'm running on Xen packaged by Fedora 29: 4.11.1, in a nested virt environment on top of KVM.

I discussed this bug on IRC with andyhpp, who convinced me to move the discussion on the mailing list.
Apparently the singlestepping in Xen was in a poor quality state because of multiple layers of refactoring.

If you have any ideas, please share.

Thanks!

Mathieu Tarral.

Sent with ProtonMail Secure Email.
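The software-breakpoint "recoil" cycle the post relies on (hit the int3, restore the original byte, single-step exactly one instruction with MTF, re-arm the int3, clear MTF) is easy to get subtly wrong, so here is an added, self-contained model of it. This is example code written for this thread, not pyvmidbg's or libvmi's code: the `FakeGuest` class is a constructed stand-in for a VM that only understands `nop` and `jmp rel8`, its `singlestep` attribute stands in for the MTF flag on the vCPU, and the `Debugger` class plays the role of the libvmi event callbacks. The event budget in `Debugger.run` is there so that a missing single-step event surfaces as an error instead of the indefinite wait seen in the log above.

```python
# Added example (not pyvmidbg's or libvmi's code): a minimal model of the
# int3 + single-step "recoil" cycle, run against a constructed fake guest
# so it executes offline.
from typing import Dict, List, Optional, Tuple

INT3 = 0xCC
NOP = 0x90
JMP_REL8 = 0xEB


class FakeGuest:
    """Constructed stand-in for a VM: byte-addressable memory and one vCPU
    that executes nop / jmp rel8 only. `singlestep` models the MTF flag."""

    def __init__(self, code: bytes, base: int) -> None:
        self.base = base
        self.mem = bytearray(code)
        self.rip = base
        self.singlestep = False

    def read(self, addr: int) -> int:
        return self.mem[addr - self.base]

    def write(self, addr: int, value: int) -> None:
        self.mem[addr - self.base] = value

    def run(self) -> Tuple[str, int]:
        """Run until an int3 is reached (reported *at* the int3, before it
        executes) or, when single-stepping is on, after exactly one instruction,
        mirroring an MTF trap that fires after the instruction retires."""
        while True:
            op = self.read(self.rip)
            if op == INT3:
                return ("int3", self.rip)
            if op == NOP:
                self.rip += 1
            elif op == JMP_REL8:
                rel = self.read(self.rip + 1)
                self.rip += 2 + (rel - 256 if rel > 127 else rel)
            else:
                return ("halt", self.rip)
            if self.singlestep:
                return ("singlestep", self.rip)


class Debugger:
    """Plays the role of the VMI event callbacks: int3 handler, single-step
    handler, and the loop that waits for events."""

    def __init__(self, guest: FakeGuest) -> None:
        self.guest = guest
        self.saved: Dict[int, int] = {}          # breakpoint address -> original byte
        self.pending_recoil: Optional[int] = None
        self.hits: List[int] = []

    def set_breakpoint(self, addr: int) -> None:
        self.saved[addr] = self.guest.read(addr)
        self.guest.write(addr, INT3)

    def handle_int3(self, rip: int) -> None:
        # Restore the original byte so the real instruction runs, then request
        # a single step so the breakpoint can be re-armed right after it.
        self.hits.append(rip)
        self.guest.write(rip, self.saved[rip])
        self.pending_recoil = rip
        self.guest.singlestep = True             # "enable single step"

    def handle_singlestep(self, rip: int) -> None:
        self.guest.singlestep = False            # "disable single step"
        if self.pending_recoil is not None:
            self.guest.write(self.pending_recoil, INT3)   # re-arm
            self.pending_recoil = None

    def run(self, stop_after_hits: int, max_events: int = 1000) -> List[int]:
        """Dispatch events until the breakpoint has been hit and recoiled
        `stop_after_hits` times; never wait forever on a missing event."""
        for _ in range(max_events):
            kind, rip = self.guest.run()
            if kind == "int3":
                self.handle_int3(rip)
            elif kind == "singlestep":
                self.handle_singlestep(rip)
                if len(self.hits) >= stop_after_hits:
                    return self.hits
            else:
                return self.hits
        raise RuntimeError("no single-step event after %d events" % max_events)


def run_demo() -> Debugger:
    """Constructed guest code at 0x1000: nop; nop; nop; jmp -5 (a tight loop).
    A breakpoint at 0x1001 must be hit on every iteration, which only works if
    the recoil re-arms it after each single step."""
    guest = FakeGuest(bytes([NOP, NOP, NOP, JMP_REL8, 0xFB]), base=0x1000)
    dbg = Debugger(guest)
    dbg.set_breakpoint(0x1001)
    dbg.run(stop_after_hits=3)
    return dbg


if __name__ == "__main__":
    d = run_demo()
    print("hits:", [hex(h) for h in d.hits], "re-armed:", d.guest.read(0x1001) == INT3)
```

The property worth checking is the one the post's hang violates: after each breakpoint hit there must be exactly one single-step event, and only then is the int3 written back and MTF cleared. If the single-step event never arrives, `pending_recoil` stays set, the breakpoint is never re-armed, and the loop's event budget turns the silent wait into a diagnosable error.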

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
