Re: [Xen-devel] (no subject)
On Thu, Nov 15, 2012 at 4:08 AM, Tim Deegan <tim@xxxxxxx> wrote:
>
> Bcc: Tim Deegan <tjd-xen@xxxxxxxxxxxxxx>
> Subject: Re: [Xen-devel] Guest memory access hooking
> Reply-To:
> In-Reply-To:
>  <CAG4Ohu_p-vVF9ZS01PeMqHvscCrrO+UDawK-noaaP8k+MuqHrQ@xxxxxxxxxxxxxx>
>
> Hi,
>
> At 10:56 -0500 on 13 Nov (1352804161), Cutter 409 wrote:
> > I'm trying to do some research with malware, and I'm trying to get
> > notifications on arbitrary guest page accesses (similar to what Ether
> > does.) I've noticed the mem-event API and it seems like it might be close
> > to what I need, but I can't find much documentation about how it works or
> > how to use it.
>
> Yes, the mem-event api, and in particular the HVMOP_set_mem_access
> hypercall, looks like what you want. As you say, there isn't much
> documentation for it, except the xen-access.c client and the mailing
> list archive.
>
> CC'ing Aravindh, who has worked on this code most recently and might be
> able to help with specific questions.

Sure, I can help with the specifics of the API usage.

> > I know that that mem-event API works only with EPT, but is the code to
> > change permissions modifying the guest page tables, or does it work via
> > EPT? (Can the guest detect it?)
>
> It works by EPT. The guest can't detect it by looking at its pagetables
> or page fault patterns, though it might be able to detect it by looking
> at timings.
>
> > I'm also interested in monitoring arbitrary page access via the shadow page
> > tables. I've been reading through the code, but if anyone has any insight
> > or some kind of push in the right direction, I'd really appreciate it.

It might be useful to get mem-event working with shadow by following Tim's suggestions to achieve what you are after.

Thanks,
Aravindh

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel