LL
2012-Jul-28 23:41 UTC
using debug registers in hypervisor to intercept access to a function inside HVM
Hello,

I'd like to be able to trap one particular system call invoked in an HVM Windows machine using the Xen hypervisor. I am familiar with the Ether implementation that traps all system calls, but I am only interested in intercepting one system call, so the Ether implementation would add unnecessary overhead.

My solution to the problem is to set DR01 with the address of the system call (obtained from the SSDT table) and to set DR07 with the global flag, which will result in an INT1 exception. I looked at the vmx.c code and it appears INT1 in my setup should be trapped in the vmx_vmexit_handler() routine under "case TRAP_debug". Unfortunately, I never get inside "case TRAP_debug". I tried setting the DR0 and DR07 registers in the vmx_save_dr() routine as well as on each CR3 context switch, but no luck so far in trapping the system call.

What am I missing in my implementation?

Thank you,
Jenny

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
Jan Beulich
2012-Jul-30 08:02 UTC
Re: using debug registers in hypervisor to intercept access to a function inside HVM
>>> On 29.07.12 at 01:41, LL <nl_bluesky@yahoo.com> wrote:
> I'd like to be able to trap one particular system call invoked in an HVM
> Windows machine using the Xen hypervisor. I am familiar with the Ether
> implementation that traps all system calls, but I am only interested in
> intercepting one system call, so the Ether implementation would add unnecessary
> overhead. My solution to the problem is to set DR01 with the address of the
> system call (obtained from the SSDT table) and to set DR07 with the global flag,
> which will result in an INT1 exception. I looked at the vmx.c code and it
> appears INT1 in my setup should be trapped in the vmx_vmexit_handler()
> routine under "case TRAP_debug". Unfortunately, I never get inside "case
> TRAP_debug". I tried setting the DR0 and DR07 registers in the vmx_save_dr()
> routine as well as on each CR3 context switch, but no luck so far in trapping
> the system call. What am I missing in my implementation?

For one, I don't see the connection between system calls and the SSDT. And even if there was one, the SSDT (as a firmware resource) would provide physical addresses, whereas debug registers match virtual ones (and IIRC Windows has no a priori correlation between physical and virtual addresses).

Jan
Ian Campbell
2012-Jul-30 08:44 UTC
Re: using debug registers in hypervisor to intercept access to a function inside HVM
On Sun, 2012-07-29 at 00:41 +0100, LL wrote:
> What am I missing in my implementation?

It's rather hard to say when you haven't posted your implementation.

Have you considered any distinction between the DRs used in root vs non-root mode? Have you considered the differences between virtual, physical and machine addresses in those modes and what they may mean for the use of addresses in DRs? Have you considered which context an INT1 in non-root mode will be delivered in?

Ian.
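Editor's note: the thread never shows the DR0/DR7 values Jenny loads, and both replies point at the same two preconditions, so here is an added example (not code from the thread, from Ether or from Xen) that encodes the setup she describes and the checks a practitioner would want before writing the registers. It builds DR7 for an execute breakpoint in slot 0 with the global enable bit, refuses a non-canonical address (writing one to DR0-DR3 in 64-bit mode raises #GP), decodes DR6 after a #DB to see which enabled slot fired, and sets RF in the saved RFLAGS so the resumed instruction does not re-trigger the breakpoint. Two things it deliberately does not do, because they are the Xen-side plumbing the thread is about: it does not touch real debug registers, and it does not decide whether the guest's #DB reaches the hypervisor at all, which on VMX depends on bit 1 (#DB) of the exception bitmap being set; if it is not, the exception goes to the guest's own IDT, never to vmx_vmexit_handler(). Per Ian's point, the address must be a guest linear address that is mapped in the address space that is current when the breakpoint is meant to fire, and the values must be the ones loaded for non-root mode, not root mode's. The target address below is a constructed sample, not a real Windows kernel address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"):
 *   bit 2i    : L<i>  local enable  (cleared by the CPU on task switch)
 *   bit 2i+1  : G<i>  global enable (survives task switch; the "global flag")
 *   bit 10    : reserved, reads as 1
 *   bit 13    : GD  general-detect (debug-register access raises #DB)
 *   bits 16+4i: R/W<i>  00 = execute, 01 = write, 11 = read/write
 *   bits 18+4i: LEN<i>  must be 00 for an execute breakpoint            */
#define DR7_LOCAL_ENABLE(i)   (1ULL << (2 * (i)))
#define DR7_GLOBAL_ENABLE(i)  (1ULL << (2 * (i) + 1))
#define DR7_RESERVED_BIT10    (1ULL << 10)
#define DR7_RW_SHIFT(i)       (16 + 4 * (i))
#define DR7_LEN_SHIFT(i)      (18 + 4 * (i))
#define DR7_RW_MASK(i)        (3ULL << DR7_RW_SHIFT(i))
#define DR7_LEN_MASK(i)       (3ULL << DR7_LEN_SHIFT(i))

/* DR6: B0..B3 report which breakpoint condition matched (they may be set
 * even for a slot that is not enabled in DR7), BS = single step.        */
#define DR6_TRAP(i)           (1ULL << (i))
#define DR6_BS                (1ULL << 14)

#define RFLAGS_RF             (1ULL << 16)

enum dr_rw  { DR_RW_EXEC = 0, DR_RW_WRITE = 1, DR_RW_IO = 2, DR_RW_RDWR = 3 };
enum dr_len { DR_LEN_1 = 0, DR_LEN_2 = 1, DR_LEN_8 = 2, DR_LEN_4 = 3 };

/* 48-bit canonical form: bits 63..47 all equal. MOV DRn with a non-canonical
 * linear address is #GP in 64-bit mode, so reject it before it reaches a real
 * register write (or, for Jenny's case, a guest DR0 load). */
static bool is_canonical_48(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

/* Program breakpoint slot i into an existing DR7 value.
 * Returns false for an invalid slot or an execute breakpoint with LEN != 00. */
static bool dr7_program(uint64_t *dr7, unsigned i, enum dr_rw rw,
                        enum dr_len len, bool global)
{
    if (i > 3 || (rw == DR_RW_EXEC && len != DR_LEN_1))
        return false;
    uint64_t v = *dr7 | DR7_RESERVED_BIT10;
    v &= ~(DR7_RW_MASK(i) | DR7_LEN_MASK(i) |
           DR7_LOCAL_ENABLE(i) | DR7_GLOBAL_ENABLE(i));
    v |= (uint64_t)rw  << DR7_RW_SHIFT(i);
    v |= (uint64_t)len << DR7_LEN_SHIFT(i);
    v |= global ? DR7_GLOBAL_ENABLE(i) : DR7_LOCAL_ENABLE(i);
    *dr7 = v;
    return true;
}

/* The setup described in the thread: execute breakpoint in slot 0 on a guest
 * linear address, global enable. Returns the DR7 value to load, or 0 if the
 * address cannot be placed in DR0. */
static uint64_t dr7_for_exec_bp(uint64_t target_linear, uint64_t *dr0_out)
{
    if (!is_canonical_48(target_linear))
        return 0;
    uint64_t dr7 = 0;
    if (!dr7_program(&dr7, 0, DR_RW_EXEC, DR_LEN_1, true))
        return 0;
    if (dr0_out)
        *dr0_out = target_linear;
    return dr7;
}

/* After a #DB: which *enabled* slot fired, or -1 (e.g. single step, or a
 * B<i> bit left over for a slot DR7 does not enable). */
static int dr6_fired_slot(uint64_t dr6, uint64_t dr7)
{
    for (unsigned i = 0; i < 4; i++) {
        bool enabled = dr7 & (DR7_LOCAL_ENABLE(i) | DR7_GLOBAL_ENABLE(i));
        if (enabled && (dr6 & DR6_TRAP(i)))
            return (int)i;
    }
    return -1;
}

/* An instruction breakpoint is a fault taken before the instruction runs;
 * resuming at the same RIP with RF set suppresses the breakpoint for that
 * one instruction so the guest makes progress instead of looping on #DB. */
static uint64_t rflags_for_resume(uint64_t rflags)
{
    return rflags | RFLAGS_RF;
}

int main(void)
{
    /* Constructed sample: a plausible-looking kernel linear address, not a
     * real syscall handler location. */
    uint64_t target = 0xfffff80002a4b5c0ULL, dr0 = 0;
    uint64_t dr7 = dr7_for_exec_bp(target, &dr0);
    printf("DR0 = %#llx  DR7 = %#llx\n",
           (unsigned long long)dr0, (unsigned long long)dr7);
    /* DR6 as read after the hit; reserved bits read as 1 on real hardware. */
    uint64_t dr6 = 0xffff0ff0ULL | DR6_TRAP(0);
    printf("fired slot = %d\n", dr6_fired_slot(dr6, dr7));
    return 0;
}
```

Usage note: the DR7 value for this configuration is 0x402 (G0 plus the always-set bit 10). If you watch a guest loop on the same #DB, the missing piece is usually RF on the resumed RFLAGS rather than the DR encoding.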