Elena
2010-Feb-09 19:59 UTC
[Xen-devel] intercept interrupts from guest domains and find rootkits
Hello!!

I'd like to refer to this post: "RE: [Xen-devel] Re: How to intercept interrupts from guest domains" made by "Mads Bergdal" on 21 Sep 2006 in this list. Mads tried to intercept hypercalls made by a guest domain from the hypervisor. I did this by modifying the Xen source (entry.S) to print the hypercall number to dmesg.

My question is: if an intruder installs a rootkit in a guest domain (for example, IDT hooking), can my hypercall interception on Dom0 establish that there was a violation of that guest? Is any rootkit installed on a guest detectable by my hypercall interception (for example, a rootkit that makes a specific sequence of hypercalls)?

I hope that it isn't so complicated, and I thank you in advance for your understanding.

Regards,
Elena

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel