how can I find hypercall page address?

how can I find hypercall page address?

[big strong]

[-- Attachment #1.1: Type: text/plain, Size: 247 bytes --]

The old version of Xen contains information about hypercall page like:

xl dmesg
......
(XEN) HVM10: Allocated Xen hypercall page at 169ff000
.......

But the new edition seems to miss this information. How can I get the
similar information then?

[-- Attachment #1.2: Type: text/html, Size: 347 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: how can I find hypercall page address?

[Andrew Cooper]

[-- Attachment #1.1: Type: text/plain, Size: 395 bytes --]

On 06/08/15 10:46, big strong wrote:
> The old version of Xen contains information about hypercall page like:
>
> xl dmesg
> ......
> (XEN) HVM10: Allocated Xen hypercall page at 169ff000
> .......
>
> But the new edition seems to miss this information.

Correct.  The information is not interesting or useful.

> How can I get the similar information then?

What are you trying to do?

~Andrew

[-- Attachment #1.2: Type: text/html, Size: 1303 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: how can I find hypercall page address?

[big strong]

[-- Attachment #1.1: Type: text/plain, Size: 601 bytes --]

I want to locate the hypercall page address when creating a new domU, so as
to locate hypercalls. Is it possible?

2015-08-06 17:49 GMT+08:00 Andrew Cooper <andrew.cooper3@citrix.com>:

> On 06/08/15 10:46, big strong wrote:
>
> The old version of Xen contains information about hypercall page like:
>
> xl dmesg
> ......
> (XEN) HVM10: Allocated Xen hypercall page at 169ff000
> .......
>
> But the new edition seems to miss this information.
>
>
> Correct.  The information is not interesting or useful.
>
> How can I get the similar information then?
>
>
> What are you trying to do?
>
> ~Andrew
>

[-- Attachment #1.2: Type: text/html, Size: 1503 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: how can I find hypercall page address?

[big strong]

[-- Attachment #1.1: Type: text/plain, Size: 772 bytes --]

Or how can I get the address of hypercall page belonging to a running domU?

2015-08-07 9:45 GMT+08:00 big strong <fangtuo90@gmail.com>:

> I want to locate the hypercall page address when creating a new domU, so
> as to locate hypercalls. Is it possible?
>
> 2015-08-06 17:49 GMT+08:00 Andrew Cooper <andrew.cooper3@citrix.com>:
>
>> On 06/08/15 10:46, big strong wrote:
>>
>> The old version of Xen contains information about hypercall page like:
>>
>> xl dmesg
>> ......
>> (XEN) HVM10: Allocated Xen hypercall page at 169ff000
>> .......
>>
>> But the new edition seems to miss this information.
>>
>>
>> Correct.  The information is not interesting or useful.
>>
>> How can I get the similar information then?
>>
>>
>> What are you trying to do?
>>
>> ~Andrew
>>
>
>

[-- Attachment #1.2: Type: text/html, Size: 1950 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: how can I find hypercall page address?

[Andrew Cooper]

[-- Attachment #1.1: Type: text/plain, Size: 1170 bytes --]

On 07/08/15 02:52, big strong wrote:
> Or how can I get the address of hypercall page belonging to a running
> domU?

Please do not top post.

A domain may create an arbitrary quantity of hypercall pages, at any
address of their choosing.

You have not explained why you want this information.

~Andrew

>
> 2015-08-07 9:45 GMT+08:00 big strong <fangtuo90@gmail.com
> <mailto:fangtuo90@gmail.com>>:
>
>     I want to locate the hypercall page address when creating a new
>     domU, so as to locate hypercalls. Is it possible?
>
>     2015-08-06 17:49 GMT+08:00 Andrew Cooper
>     <andrew.cooper3@citrix.com <mailto:andrew.cooper3@citrix.com>>:
>
>         On 06/08/15 10:46, big strong wrote:
>>         The old version of Xen contains information about hypercall
>>         page like:
>>
>>         xl dmesg
>>         ......
>>         (XEN) HVM10: Allocated Xen hypercall page at 169ff000
>>         .......
>>
>>         But the new edition seems to miss this information.
>
>         Correct.  The information is not interesting or useful.
>
>>         How can I get the similar information then?
>
>         What are you trying to do?
>
>         ~Andrew
>
>
>


[-- Attachment #1.2: Type: text/html, Size: 4183 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: how can I find hypercall page address?

[big strong]

[-- Attachment #1.1: Type: text/plain, Size: 1290 bytes --]

I think I've stated clearly what I want to do.

|I want to locate the hypercall page address when creating a new domU, so
as to locate hypercalls. Is it possible?

2015-08-07 21:06 GMT+08:00 Andrew Cooper <andrew.cooper3@citrix.com>:

> On 07/08/15 02:52, big strong wrote:
>
> Or how can I get the address of hypercall page belonging to a running domU?
>
>
> Please do not top post.
>
> A domain may create an arbitrary quantity of hypercall pages, at any
> address of their choosing.
>
> You have not explained why you want this information.
>
> ~Andrew
>
>
> 2015-08-07 9:45 GMT+08:00 big strong <fangtuo90@gmail.com>:
>
>> I want to locate the hypercall page address when creating a new domU, so
>> as to locate hypercalls. Is it possible?
>>
>> 2015-08-06 17:49 GMT+08:00 Andrew Cooper <andrew.cooper3@citrix.com>:
>>
>>> On 06/08/15 10:46, big strong wrote:
>>>
>>> The old version of Xen contains information about hypercall page like:
>>>
>>> xl dmesg
>>> ......
>>> (XEN) HVM10: Allocated Xen hypercall page at 169ff000
>>> .......
>>>
>>> But the new edition seems to miss this information.
>>>
>>>
>>> Correct.  The information is not interesting or useful.
>>>
>>> How can I get the similar information then?
>>>
>>>
>>> What are you trying to do?
>>>
>>> ~Andrew
>>>
>>
>>
>
>

[-- Attachment #1.2: Type: text/html, Size: 4361 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: how can I find hypercall page address?

[Dario Faggioli]

[-- Attachment #1.1: Type: text/plain, Size: 514 bytes --]

On Sat, 2015-08-08 at 08:02 +0800, big strong wrote:
> I think I've stated clearly what I want to do.
>
Well...
> 
> |I want to locate the hypercall page address when creating a new domU,
> so as to locate hypercalls.
>
Ok. What for?

Dario

-- 
<<This happens because I choose it to happen!>> (Raistlin Majere)
-----------------------------------------------------------------
Dario Faggioli, Ph.D, http://about.me/dario.faggioli
Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)

[-- Attachment #1.2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: how can I find hypercall page address?

[big strong]

[-- Attachment #1.1: Type: text/plain, Size: 894 bytes --]

My goal is to intercept hyprcalls to detect malicious calls. So I need
firstly find where the hypercalls are. My plan is to locate hypercall page
first, then walk through the hypercall page to get address of hyperccalls.
If there is any other solutions, please let me know. Thanks very much.

2015-08-10 23:04 GMT+08:00 Dario Faggioli <dario.faggioli@citrix.com>:

> On Sat, 2015-08-08 at 08:02 +0800, big strong wrote:
> > I think I've stated clearly what I want to do.
> >
> Well...
> >
> > |I want to locate the hypercall page address when creating a new domU,
> > so as to locate hypercalls.
> >
> Ok. What for?
>
> Dario
>
> --
> <<This happens because I choose it to happen!>> (Raistlin Majere)
> -----------------------------------------------------------------
> Dario Faggioli, Ph.D, http://about.me/dario.faggioli
> Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)
>

[-- Attachment #1.2: Type: text/html, Size: 1462 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: how can I find hypercall page address?

[Andrew Cooper]

[-- Attachment #1.1: Type: text/plain, Size: 1374 bytes --]

On 11/08/15 03:44, big strong wrote:
> My goal is to intercept hyprcalls to detect malicious calls. So I need
> firstly find where the hypercalls are.

As I have said before, a guest may have an arbitrary number of hypercall
pages.  Furthermore, the hypercall page is merely a convenience; nothing
prevents a guest manually issuing hypercalls.

> My plan is to locate hypercall page first, then walk through the
> hypercall page to get address of hyperccalls. If there is any other
> solutions, please let me know. Thanks very much.

It sounds like you want VM introspection, but it doesn't work like
this.  try http://libvmi.com/ as a starting point.

~Andrew

>
> 2015-08-10 23:04 GMT+08:00 Dario Faggioli <dario.faggioli@citrix.com
> <mailto:dario.faggioli@citrix.com>>:
>
>     On Sat, 2015-08-08 at 08:02 +0800, big strong wrote:
>     > I think I've stated clearly what I want to do.
>     >
>     Well...
>     >
>     > |I want to locate the hypercall page address when creating a new
>     domU,
>     > so as to locate hypercalls.
>     >
>     Ok. What for?
>
>     Dario
>
>     --
>     <<This happens because I choose it to happen!>> (Raistlin Majere)
>     -----------------------------------------------------------------
>     Dario Faggioli, Ph.D, http://about.me/dario.faggioli
>     Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)
>
>


[-- Attachment #1.2: Type: text/html, Size: 3243 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: how can I find hypercall page address?

[big strong]

[-- Attachment #1.1: Type: text/plain, Size: 1799 bytes --]

Sorry for replying so late. Libvmi is used to substract information of
guest, such as system calls. But I don't think it can be used to intercept
hypercalls as hypercall is a behavior between guest and hypervisor while
syscall is a behavior between guest applications and guest kernel. Anyway,
trying to intercept hypercalls need firstly locate the address of
hypercalls. Could you provides any hints any that?

2015-08-11 17:21 GMT+08:00 Andrew Cooper <andrew.cooper3@citrix.com>:

> On 11/08/15 03:44, big strong wrote:
>
> My goal is to intercept hyprcalls to detect malicious calls. So I need
> firstly find where the hypercalls are.
>
>
> As I have said before, a guest may have an arbitrary number of hypercall
> pages.  Furthermore, the hypercall page is merely a convenience; nothing
> prevents a guest manually issuing hypercalls.
>
> My plan is to locate hypercall page first, then walk through the hypercall
> page to get address of hyperccalls. If there is any other solutions, please
> let me know. Thanks very much.
>
>
> It sounds like you want VM introspection, but it doesn't work like this.
> try http://libvmi.com/ as a starting point.
>
> ~Andrew
>
>
> 2015-08-10 23:04 GMT+08:00 Dario Faggioli <dario.faggioli@citrix.com>:
>
>> On Sat, 2015-08-08 at 08:02 +0800, big strong wrote:
>> > I think I've stated clearly what I want to do.
>> >
>> Well...
>> >
>> > |I want to locate the hypercall page address when creating a new domU,
>> > so as to locate hypercalls.
>> >
>> Ok. What for?
>>
>> Dario
>>
>> --
>> <<This happens because I choose it to happen!>> (Raistlin Majere)
>> -----------------------------------------------------------------
>> Dario Faggioli, Ph.D, http://about.me/dario.faggioli
>> Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)
>>
>
>
>

[-- Attachment #1.2: Type: text/html, Size: 3545 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel