Xen devel - Jul 2012 - using debug registers in hypervisor to intercept access to a function inside HVM

Hello,

I''d like to be able to trap one particular system call invoked in an
HVM Windows machine using the Xen hypervisor. I am familiar with Ether
implementation that traps all system calls but I am only interested in
intercepting 1 system call so Ether mplementation would add unnecessary
overhead. My solution to the problem is to set DR01 with the address of the
system call (obtained from the SSDT table) and to set DR07 with global flag,
which will result in INT1 exception. I looked at the vmx.c code and it apprear
INT1 in my setup should be trapped in the  vmx_vmexit_handler() routine under
"case TRAP_debug". Unfortunately, I never get inside "case
TRAP_debug". I tried setting the DR0 and DR07 registers in the
vmx_save_dr() routine as well as on each CR3 context switch but no luck so far
in trapping the system call. What am I missing in my implementation?

Thank you,
Jenny




_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

>>> On 29.07.12 at 01:41, LL <nl_bluesky@yahoo.com> wrote:
> I''d like to be able to trap one particular system call invoked in
an HVM
> Windows machine using the Xen hypervisor. I am familiar with Ether 
> implementation that traps all system calls but I am only interested in 
> intercepting 1 system call so Ether mplementation would add unnecessary 
> overhead. My solution to the problem is to set DR01 with the address of the
> system call (obtained from the SSDT table) and to set DR07 with global
flag,
> which will result in INT1 exception. I looked at the vmx.c code and it 
> apprear INT1 in my setup should be trapped in the  vmx_vmexit_handler() 
> routine under "case TRAP_debug". Unfortunately, I never get
inside "case
> TRAP_debug". I tried setting the DR0 and DR07 registers in the
vmx_save_dr()
> routine as well as on each CR3 context switch but no luck so far in
trapping
> the system call. What am I missing in my implementation?
For one I don''t see the connection between system calls and the
SSDT. And even if there was one, the SSDT (as a firmware
resource) would provide physical addresses, whereas debug
registers match virtual ones (and iirc Windows has no a priori
correlation between physical and virtual addresses).

Jan

On Sun, 2012-07-29 at 00:41 +0100, LL wrote:
> What am I missing in my implementation?
It''s rather hard to say when you haven''t posted your
implementation.

Have you considered any distinction between the DRs used in root vs
non-root mode? Have you considered the differences between virtual,
physical and machine addresses in those modes and what they may mean for
the use of addresses in DRs? Have you considered which context an INT1
in non-root mode will be delivered in?

Ian.