
[Xen-devel] Guest memory access hooking



Hello all,

I'm trying to do some research with malware, and I'm trying to get notifications on arbitrary guest page accesses (similar to what Ether does.) I've noticed the mem-event API and it seems like it might be close to what I need, but I can't find much documentation about how it works or how to use it.

I know that the mem-event API works only with EPT, but is the code to change permissions modifying the guest page tables, or does it work via EPT? (Can the guest detect it?) Is there any documentation about usage, besides the xen-access.c test?

I'm also interested in monitoring arbitrary page access via the shadow page tables. I've been reading through the code, but if anyone has any insight or some kind of push in the right direction, I'd really appreciate it.

Thank you!
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

