Re: Identify an specific DomU inpecting all pages in memory

[Charles Gonçalves <charles.fg@xxxxxxxxx>]

Sure. 

The goal is to emulate a scenario where a compromised guest attacks another 

tenant in the same physical host reading/changing the memory content.  

E.g., extract the RSA key.

I'll be in the domU kernel space. I'm assuming that the guest is able to exploit 

any vulnerability possible. 

Effectively I'll be changing Xen's code (at least possible) to *emulate* a vulnerability 

(e.g., undo a patch).

Atenciosamente,

Charles Ferreira Gonçalves

On Sat, Jan 2, 2021 at 7:06 PM Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote:

On 02/01/2021 17:02, Charles Gonçalves wrote:
> Hi, 
>
> I'm building some attack loads targeting  Xen to my PhD and need to
> identify the pages for a specific guest. 
> Assuming that I'm able to traverse the pages in memory, how do I
> identify a guest (by ID or Name)? 
>
> The dom0 is easy since I can inspect the start_info looking
> for SIF_INITDOMAIN but I have no idea to identify a specific domU.

Hello,

Could you provide rather more details about what exactly you're trying
to do?

In particular, what context are you in when trying to identify the pages?

~Andrew