
Re: [Xen-devel] how can I find hypercall page address?



Sorry for replying so late. Libvmi is used to extract information from the guest, such as system calls. But I don't think it can be used to intercept hypercalls, as a hypercall is a behavior between guest and hypervisor while a syscall is a behavior between guest applications and the guest kernel. Anyway, trying to intercept hypercalls first requires locating the address of the hypercalls. Could you provide any hints on that?

2015-08-11 17:21 GMT+08:00 Andrew Cooper <andrew.cooper3@xxxxxxxxxx>:
On 11/08/15 03:44, big strong wrote:
My goal is to intercept hypercalls to detect malicious calls. So I first need to find where the hypercalls are.

As I have said before, a guest may have an arbitrary number of hypercall pages. Furthermore, the hypercall page is merely a convenience; nothing prevents a guest manually issuing hypercalls.

My plan is to locate the hypercall page first, then walk through the hypercall page to get the addresses of the hypercalls. If there are any other solutions, please let me know. Thanks very much.

It sounds like you want VM introspection, but it doesn't work like this. Try http://libvmi.com/ as a starting point.

~Andrew



2015-08-10 23:04 GMT+08:00 Dario Faggioli <dario.faggioli@xxxxxxxxxx>:
On Sat, 2015-08-08 at 08:02 +0800, big strong wrote:
> I think I've stated clearly what I want to do.
>
Well...
>
> I want to locate the hypercall page address when creating a new domU,
> so as to locate hypercalls.
>
Ok. What for?

Dario

--
<<This happens because I choose it to happen!>> (Raistlin Majere)
-----------------------------------------------------------------
Dario Faggioli, Ph.D, http://about.me/dario.faggioli
Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

