Dear List,

I'm working in research and I thought this list could be a good address for my questions.

I want to log the disk accesses of the virtual HVM instances running in Xen. That means for the start I want to log the write queries of a running domU instance in the dom0 instance.

So I'm trying to modify the Xen 3.2.1 source code, but actually I was not able to find a good entry point to do this.

For now, I want to log the disk accesses of a running Windows 7 domU instance. The best that could happen is that I could see even the source and target of a HDD write query.

Does anyone have an idea how I could do this in a good way? Which Xen source file / function should I modify? Where is the best entry point to do this?

Thank you a lot.

--
Sebastian Biedermann

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
> Dear List,
>
> I'm working in research and I thought this list could be
> a good address for my questions.
>
> I want to log the disk accesses of the virtual HVM instances running in Xen.
> That means for the start I want to log the write queries of a running
> domU instance in the dom0 instance.
>
> So I'm trying to modify the Xen 3.2.1 source code,
> but actually I was not able to find a good entry point to do this.
>
> For now, I want to log the disk accesses of a running Windows 7 domU
> instance.
> The best that could happen is that I could see even the source and target
> of a HDD write query.
>
> Does anyone have an idea how I could do this in a good way?
> Which Xen source file / function should I modify? Where is the best
> entry point to do this?

HVM access can either be emulated PCI IDE, or PV. For the emulated access you would hook into qemu, I think. For PV access you would need to hook into whatever block device backend you are using.

Do you just want to count reads and writes, or do you want to log every single byte read/written?

James
On 19.04.2011 11:35, James Harper wrote:
>> Dear List,
>>
>> I'm working in research and I thought this list could be
>> a good address for my questions.
>>
>> I want to log the disk accesses of the virtual HVM instances running in Xen.
>> That means for the start I want to log the write queries of a running
>> domU instance in the dom0 instance.
>>
>> So I'm trying to modify the Xen 3.2.1 source code,
>> but actually I was not able to find a good entry point to do this.
>>
>> For now, I want to log the disk accesses of a running Windows 7 domU
>> instance.
>> The best that could happen is that I could see even the source and target
>> of a HDD write query.
>>
>> Does anyone have an idea how I could do this in a good way?
>> Which Xen source file / function should I modify? Where is the best
>> entry point to do this?
> HVM access can either be emulated PCI IDE, or PV. For the emulated access you would hook into qemu, I think. For PV access you would need to hook into whatever block device backend you are using.
>
> Do you just want to count reads and writes, or do you want to log every single byte read/written?
>
> James

I don't need to log every single byte, it would be enough to know which file is accessed by the domU inside its image.
So when I use HVM I need to modify qemu and not the Xen source?

thanks

--
Sebastian
On 04/19/2011 11:44 AM, Sebastian Biedermann wrote:
> On 19.04.2011 11:35, James Harper wrote:
>>> Dear List,
>>>
>>> I'm working in research and I thought this list could be
>>> a good address for my questions.
>>>
>>> I want to log the disk accesses of the virtual HVM instances running in Xen.
>>> That means for the start I want to log the write queries of a running
>>> domU instance in the dom0 instance.
>>>
>>> So I'm trying to modify the Xen 3.2.1 source code,
>>> but actually I was not able to find a good entry point to do this.
>>>
>>> For now, I want to log the disk accesses of a running Windows 7 domU
>>> instance.
>>> The best that could happen is that I could see even the source and target
>>> of a HDD write query.
>>>
>>> Does anyone have an idea how I could do this in a good way?
>>> Which Xen source file / function should I modify? Where is the best
>>> entry point to do this?
>> HVM access can either be emulated PCI IDE, or PV. For the emulated access you would hook into qemu, I think. For PV access you would need to hook into whatever block device backend you are using.
>>
>> Do you just want to count reads and writes, or do you want to log every single byte read/written?
>>
>> James
> I don't need to log every single byte, it would be enough to know which
> file is accessed by the domU inside its image.
> So when I use HVM I need to modify qemu and not the Xen source?
>
> thanks
>

Sebastian, QEMU is used by Xen for HVM guests. It's in the Xen source code in tools/ioemu-dir, so look there, and here it depends on the disk type you're having - whether SCSI or IDE disk or whether you're using PV drivers. This can be found in the Xen domain configuration, i.e. if you're using file:/path/to/image,xvda then you're using PV drivers (they have to be installed in the guest), for hda instead of xvda you're using an IDE disk and for sda instead of xvda you're using a SCSI disk.

If you're using PV drivers then you have to modify the PV drivers themselves and not QEMU, so I'd recommend to use a SCSI or IDE disk instead. For a SCSI disk it's the best since you have the logic in ioemu-dir/hw/scsi-disk.c AFAIK.

Michal

--
Michal Novotny <minovotn@redhat.com>, RHCE
Virtualization Team (xen userspace), Red Hat
On 19.04.2011 11:44, Sebastian Biedermann wrote:
> I don't need to log every single byte, it would be enough to know which
> file is accessed by the domU inside its image.
> So when I use HVM I need to modify qemu and not the Xen source?

Won't work: the outer layer only sees block accesses, and not "actual" file accesses, so you're only able to log (if patching qemu) which blocks of the virtualized hard disk of your Windows system are accessed. You'd need to correlate this to additional data that's stored on the disk itself to find out which file a block that's accessed by the system belongs to.

Doing this kind of correlation from the outside is hard, and it should be much easier to plug a device driver into Windows itself which intercepts the filesystem calls in NTFS.sys (which implements the VFS for NTFS accesses under Windows) to retrieve the accessed files from the system itself (namely at the layer which knows about the filesystem structure of an NTFS filesystem, which qemu as hardware virtualizer does not).

--
--- Heiko.
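The following is an added illustration of the two points made in this thread so far, written for this page and not taken from Xen, qemu or any poster: a dom0-side hook in the emulated disk (the qemu IDE/SCSI path James and Michal mention) only ever receives an absolute sector number and a length, and turning that into a file name needs the on-disk metadata Heiko describes. The code does not use any qemu function names; `log_guest_write` stands in for whatever the hook would call. The MBR with two NTFS partitions and the small cluster-to-file extent table are constructed sample data, and the extent table is an assumption standing in for what would really have to be read from the volume's $MFT data runs, which the example does not parse.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512

typedef struct {
    uint8_t  type;        /* partition type byte; 0x07 = NTFS */
    uint32_t lba_start;   /* first sector of the partition (absolute LBA) */
    uint32_t lba_count;   /* length in sectors */
} partition_t;

/* Decode the four primary entries of a classic MBR (offset 446, 16 bytes each,
 * little-endian start/count at bytes 8..11 and 12..15).  Returns the number of
 * populated entries, or -1 if the 0x55AA boot signature is missing. */
int parse_mbr(const uint8_t *mbr, partition_t *out)
{
    if (mbr[510] != 0x55 || mbr[511] != 0xAA)
        return -1;
    int n = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + 446 + i * 16;
        uint32_t start = e[8] | (e[9] << 8) | (e[10] << 16) | ((uint32_t)e[11] << 24);
        uint32_t count = e[12] | (e[13] << 8) | (e[14] << 16) | ((uint32_t)e[15] << 24);
        if (e[4] == 0 || count == 0)
            continue;                 /* unused slot */
        out[n].type = e[4];
        out[n].lba_start = start;
        out[n].lba_count = count;
        n++;
    }
    return n;
}

/* Constructed sample: an MBR with two NTFS partitions (an assumption for this
 * example, not read from any real image). */
void build_demo_mbr(uint8_t *mbr)
{
    const uint32_t starts[2] = { 2048, 206848 };
    const uint32_t counts[2] = { 204800, 409600 };
    memset(mbr, 0, SECTOR_SIZE);
    for (int i = 0; i < 2; i++) {
        uint8_t *e = mbr + 446 + i * 16;
        e[4] = 0x07;
        for (int b = 0; b < 4; b++) {
            e[8 + b]  = (uint8_t)(starts[i] >> (8 * b));
            e[12 + b] = (uint8_t)(counts[i] >> (8 * b));
        }
    }
    mbr[510] = 0x55;
    mbr[511] = 0xAA;
}

/* Translate an absolute LBA into (partition index, cluster number inside that
 * partition).  Returns -1 when the sector belongs to no partition, e.g. the
 * MBR itself or the gap before the first partition. */
int resolve_lba(const partition_t *parts, int nparts, uint64_t lba,
                uint32_t sectors_per_cluster, uint64_t *cluster)
{
    for (int i = 0; i < nparts; i++) {
        uint64_t start = parts[i].lba_start;
        if (lba >= start && lba < start + parts[i].lba_count) {
            *cluster = (lba - start) / sectors_per_cluster;
            return i;
        }
    }
    return -1;
}

/* Constructed stand-in for the cluster->file mapping of partition 0.  On a
 * real NTFS volume these extents would have to be recovered from the $MFT
 * data runs; this example only models the lookup, not that parsing. */
typedef struct {
    uint64_t first_cluster;
    uint64_t cluster_count;
    const char *name;
} extent_t;

static const extent_t demo_extents[] = {
    {  0, 1, "$Boot" },
    {  4, 2, "\\Windows\\notepad.exe" },
    { 10, 4, "\\Users\\demo\\report.docx" },
};
#define N_EXTENTS (sizeof demo_extents / sizeof demo_extents[0])

/* Index into demo_extents for a cluster of partition 0, or -1 if the cluster
 * is free space or metadata the table does not cover. */
int lookup_cluster(uint64_t cluster)
{
    for (size_t i = 0; i < N_EXTENTS; i++) {
        if (cluster >= demo_extents[i].first_cluster &&
            cluster < demo_extents[i].first_cluster + demo_extents[i].cluster_count)
            return (int)i;
    }
    return -1;
}

/* What a write hook in the emulated disk would call once per guest request.
 * Logs each cluster the request touches and returns how many distinct files
 * could be attributed (0 when nothing maps to a file). */
int log_guest_write(const partition_t *parts, int nparts, uint64_t lba,
                    uint32_t nsectors, uint32_t sectors_per_cluster)
{
    int seen[N_EXTENTS] = { 0 };
    int files = 0;
    int prev_p = -2;
    uint64_t prev_cluster = UINT64_MAX;

    for (uint64_t s = lba; s < lba + nsectors; s++) {
        uint64_t cluster = 0;
        int p = resolve_lba(parts, nparts, s, sectors_per_cluster, &cluster);
        if (p == prev_p && (p < 0 || cluster == prev_cluster))
            continue;                 /* same cluster as the previous sector */
        prev_p = p;
        prev_cluster = cluster;

        if (p < 0) {
            printf("write lba=%llu: outside any partition\n",
                   (unsigned long long)s);
            continue;
        }
        /* the sample table only describes partition 0 */
        int idx = (p == 0) ? lookup_cluster(cluster) : -1;
        printf("write lba=%llu: part=%d cluster=%llu file=%s\n",
               (unsigned long long)s, p, (unsigned long long)cluster,
               idx >= 0 ? demo_extents[idx].name : "(unmapped)");
        if (idx >= 0 && !seen[idx]) {
            seen[idx] = 1;
            files++;
        }
    }
    return files;
}

int main(void)
{
    uint8_t mbr[SECTOR_SIZE];
    partition_t parts[4];
    build_demo_mbr(mbr);
    int n = parse_mbr(mbr, parts);
    /* 24-sector write starting at cluster 4 of partition 0, 8 sectors per
     * cluster: clusters 4 and 5 belong to notepad.exe, cluster 6 is unmapped. */
    int files = log_guest_write(parts, n, 2048 + 4 * 8, 24, 8);
    printf("files attributed: %d\n", files);
    return 0;
}
```

The "(unmapped)" and "outside any partition" lines are the honest output of a block-level hook: without the extent table (i.e. without reading the guest's own filesystem metadata) every line would look like that, which is the correlation problem described above. A hook that wants file names also has to re-read that metadata whenever the guest writes to the MFT, since the mapping changes underneath it.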
On 04/19/2011 12:02 PM, Heiko Wundram wrote:
> On 19.04.2011 11:44, Sebastian Biedermann wrote:
>> I don't need to log every single byte, it would be enough to know which
>> file is accessed by the domU inside its image.
>> So when I use HVM I need to modify qemu and not the Xen source?
> Won't work: the outer layer only sees block accesses, and not "actual"
> file accesses, so you're only able to log (if patching qemu) which
> blocks of the virtualized hard disk of your Windows system are accessed.
> You'd need to correlate this to additional data that's stored on the
> disk itself to find out which file a block that's accessed by the system
> belongs to.
>
> Doing this kind of correlation from the outside is hard, and it should
> be much easier to plug a device driver into Windows itself which
> intercepts the filesystem calls in NTFS.sys (which implements the VFS
> for NTFS accesses under Windows) to retrieve the accessed files from the
> system itself (namely at the layer which knows about the filesystem
> structure of an NTFS filesystem, which qemu as hardware virtualizer does
> not).
>

That's right. I remember some time ago I've been using API hooking techniques to do similar stuff, so if you implement an API hook directly in Windows you can achieve the job of file changes. Moreover, I think Windows has some inotify-like API as well - something like FindFirstChange() or similar...

Michal

--
Michal Novotny <minovotn@redhat.com>, RHCE
Virtualization Team (xen userspace), Red Hat
On 04/19/11 11:44, Sebastian Biedermann wrote:
>>> For now, I want to log the disk accesses of a running Windows 7 domU
>>> instance.
> I don't need to log every single byte, it would be enough to know which
> file is accessed by the domU inside its image.

Perhaps try Filemon from Sysinternals ^W^W^W Process Monitor:

http://technet.microsoft.com/en-us/sysinternals/bb896645

lacos
On 04/19/2011 12:18 PM, Laszlo Ersek wrote:
> On 04/19/11 11:44, Sebastian Biedermann wrote:
>
>>>> For now, I want to log the disk accesses of a running Windows 7 domU
>>>> instance.
>> I don't need to log every single byte, it would be enough to know which
>> file is accessed by the domU inside its image.
> Perhaps try Filemon from Sysinternals ^W^W^W Process Monitor:
>
> http://technet.microsoft.com/en-us/sysinternals/bb896645
>

Laszlo, those tools are basically using the API I mentioned above - the FindFirstChange() or similar API I already mentioned. If Sebastian wants it to be done for one-time or user-assisted monitoring then it's fine to use those Sysinternals utilities; however, if his intention is to create an application to be monitoring it "on-the-fly" then writing his own app is better.

Michal

--
Michal Novotny <minovotn@redhat.com>, RHCE
Virtualization Team (xen userspace), Red Hat
On 19.04.2011 11:54, Michal Novotny wrote:
> On 04/19/2011 11:44 AM, Sebastian Biedermann wrote:
>> On 19.04.2011 11:35, James Harper wrote:
>>>> Dear List,
>>>>
>>>> I'm working in research and I thought this list could be
>>>> a good address for my questions.
>>>>
>>>> I want to log the disk accesses of the virtual HVM instances running in Xen.
>>>> That means for the start I want to log the write queries of a running
>>>> domU instance in the dom0 instance.
>>>>
>>>> So I'm trying to modify the Xen 3.2.1 source code,
>>>> but actually I was not able to find a good entry point to do this.
>>>>
>>>> For now, I want to log the disk accesses of a running Windows 7 domU
>>>> instance.
>>>> The best that could happen is that I could see even the source and target
>>>> of a HDD write query.
>>>>
>>>> Does anyone have an idea how I could do this in a good way?
>>>> Which Xen source file / function should I modify? Where is the best
>>>> entry point to do this?
>>> HVM access can either be emulated PCI IDE, or PV. For the emulated access you would hook into qemu, I think. For PV access you would need to hook into whatever block device backend you are using.
>>>
>>> Do you just want to count reads and writes, or do you want to log every single byte read/written?
>>>
>>> James
>> I don't need to log every single byte, it would be enough to know which
>> file is accessed by the domU inside its image.
>> So when I use HVM I need to modify qemu and not the Xen source?
>>
>> thanks
>>
> Sebastian, QEMU is used by Xen for HVM guests. It's in the Xen source
> code in tools/ioemu-dir so look there and here it depends on the disk
> type you're having - whether SCSI or IDE disk or whether you're using PV
> drivers. This can be found in the Xen domain configuration, i.e. if
> you're using file:/path/to/image,xvda then you're using PV drivers (they
> have to be installed in the guest), for hda instead of xvda you're using
> an IDE disk and for sda instead of xvda you're using a SCSI disk. If you're
> using PV drivers then you have to modify the PV drivers themselves and
> not QEMU so I'd recommend to use a SCSI or IDE disk instead. For a SCSI disk
> it's the best since you have the logic in ioemu-dir/hw/scsi-disk.c
> AFAIK.
>
> Michal
>

Okay, that sounds good. I will try to modify the ioemu IDE drivers to see which sectors are used, and I will try to match these sectors to the upper layer of the image of the guestU to find out which data files are accessed. Hope that works :-)

Thank you!

--
Sebastian Biedermann
Security Engineering Group
Technische Universität Darmstadt
Mornewegstraße 32, 64293 Darmstadt
Phone: +49-6151-16-75146