From mboxrd@z Thu Jan 1 00:00:00 1970
From: big strong
Subject: how can I find hypercall page address?
Date: Thu, 6 Aug 2015 17:46:30 +0800
To: xen-devel@lists.xen.org

The old version of Xen contains information about hypercall page like:

xl dmesg
......
(XEN) HVM10: Allocated Xen hypercall page at 169ff000
.......

But the new edition seems to miss this information. How can I get the similar information then?

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Andrew Cooper
Subject: Re: how can I find hypercall page address?
Date: Thu, 6 Aug 2015 10:49:40 +0100
Message-ID: <55C32DB4.6020203@citrix.com>
To: big strong, xen-devel@lists.xen.org

On 06/08/15 10:46, big strong wrote:
> The old version of Xen contains information about hypercall page like:
>
> xl dmesg
> ......
> (XEN) HVM10: Allocated Xen hypercall page at 169ff000
> .......
>
> But the new edition seems to miss this information.

Correct. The information is not interesting or useful.

> How can I get the similar information then?

What are you trying to do?

~Andrew

From mboxrd@z Thu Jan 1 00:00:00 1970
From: big strong
Subject: Re: how can I find hypercall page address?
Date: Fri, 7 Aug 2015 09:45:43 +0800
In-Reply-To: <55C32DB4.6020203@citrix.com>
To: Andrew Cooper
Cc: xen-devel@lists.xen.org

I want to locate the hypercall page address when creating a new domU, so as to locate hypercalls. Is it possible?

2015-08-06 17:49 GMT+08:00 Andrew Cooper <andrew.cooper3@citrix.com>:

> On 06/08/15 10:46, big strong wrote:
>
> The old version of Xen contains information about hypercall page like:
>
> xl dmesg
> ......
> (XEN) HVM10: Allocated Xen hypercall page at 169ff000
> .......
>
> But the new edition seems to miss this information.
>
>
> Correct. The information is not interesting or useful.
>
> How can I get the similar information then?
>
>
> What are you trying to do?
>
> ~Andrew
>

From mboxrd@z Thu Jan 1 00:00:00 1970
From: big strong
Subject: Re: how can I find hypercall page address?
Date: Fri, 7 Aug 2015 09:52:44 +0800
To: Andrew Cooper
Cc: xen-devel@lists.xen.org

Or how can I get the address of hypercall page belonging to a running domU?

2015-08-07 9:45 GMT+08:00 big strong <fangtuo90@gmail.com>:

> I want to locate the hypercall page address when creating a new domU, so
> as to locate hypercalls. Is it possible?
>
> 2015-08-06 17:49 GMT+08:00 Andrew Cooper <andrew.cooper3@citrix.com>:
>
>> On 06/08/15 10:46, big strong wrote:
>>
>> The old version of Xen contains information about hypercall page like:
>>
>> xl dmesg
>> ......
>> (XEN) HVM10: Allocated Xen hypercall page at 169ff000
>> .......
>>
>> But the new edition seems to miss this information.
>>
>>
>> Correct. The information is not interesting or useful.
>>
>> How can I get the similar information then?
>>
>>
>> What are you trying to do?
>>
>> ~Andrew
>>
>
>

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Andrew Cooper
Subject: Re: how can I find hypercall page address?
Date: Fri, 7 Aug 2015 14:06:32 +0100
Message-ID: <55C4AD58.5060300@citrix.com>
To: big strong
Cc: xen-devel@lists.xen.org

On 07/08/15 02:52, big strong wrote:
> Or how can I get the address of hypercall page belonging to a running
> domU?

Please do not top post.

A domain may create an arbitrary quantity of hypercall pages, at any
address of their choosing.

You have not explained why you want this information.

~Andrew

>
> 2015-08-07 9:45 GMT+08:00 big strong <fangtuo90@gmail.com>:
>
> I want to locate the hypercall page address when creating a new
> domU, so as to locate hypercalls. Is it possible?
>
> 2015-08-06 17:49 GMT+08:00 Andrew Cooper <andrew.cooper3@citrix.com>:
>
> On 06/08/15 10:46, big strong wrote:
>> The old version of Xen contains information about hypercall
>> page like:
>>
>> xl dmesg
>> ......
>> (XEN) HVM10: Allocated Xen hypercall page at 169ff000
>> .......
>>
>> But the new edition seems to miss this information.
>
> Correct. The information is not interesting or useful.
>
>> How can I get the similar information then?
>
> What are you trying to do?
>
> ~Andrew
>
>
>

From mboxrd@z Thu Jan 1 00:00:00 1970
From: big strong
Subject: Re: how can I find hypercall page address?
Date: Sat, 8 Aug 2015 08:02:07 +0800
In-Reply-To: <55C4AD58.5060300@citrix.com>
To: Andrew Cooper
Cc: xen-devel@lists.xen.org

I think I've stated clearly what I want to do.

|I want to locate the hypercall page address when creating a new domU, so as to locate hypercalls. Is it possible?

2015-08-07 21:06 GMT+08:00 Andrew Cooper <andrew.cooper3@citrix.com>:

> On 07/08/15 02:52, big strong wrote:
>
> Or how can I get the address of hypercall page belonging to a running domU?
>
>
> Please do not top post.
>
> A domain may create an arbitrary quantity of hypercall pages, at any
> address of their choosing.
>
> You have not explained why you want this information.
>
> ~Andrew
>
>
> 2015-08-07 9:45 GMT+08:00 big strong <fangtuo90@gmail.com>:
>
>> I want to locate the hypercall page address when creating a new domU, so
>> as to locate hypercalls. Is it possible?
>>
>> 2015-08-06 17:49 GMT+08:00 Andrew Cooper <andrew.cooper3@citrix.com>:
>>
>>> On 06/08/15 10:46, big strong wrote:
>>>
>>> The old version of Xen contains information about hypercall page like:
>>>
>>> xl dmesg
>>> ......
>>> (XEN) HVM10: Allocated Xen hypercall page at 169ff000
>>> .......
>>>
>>> But the new edition seems to miss this information.
>>>
>>>
>>> Correct. The information is not interesting or useful.
>>>
>>> How can I get the similar information then?
>>>
>>>
>>> What are you trying to do?
>>>
>>> ~Andrew
>>>
>>
>>
>
>

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dario Faggioli
Subject: Re: how can I find hypercall page address?
Date: Mon, 10 Aug 2015 17:04:18 +0200
Message-ID: <1439219058.24583.4.camel@citrix.com>
To: big strong
Cc: Andrew Cooper, xen-devel@lists.xen.org

On Sat, 2015-08-08 at 08:02 +0800, big strong wrote:
> I think I've stated clearly what I want to do.
>
Well...

>
> |I want to locate the hypercall page address when creating a new domU,
> so as to locate hypercalls.
>
Ok. What for?

Dario

--
<<This happens because I choose it to happen!>> (Raistlin Majere)
-----------------------------------------------------------------
Dario Faggioli, Ph.D, http://about.me/dario.faggioli
Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)

From mboxrd@z Thu Jan 1 00:00:00 1970
From: big strong
Subject: Re: how can I find hypercall page address?
Date: Tue, 11 Aug 2015 10:44:29 +0800
In-Reply-To: <1439219058.24583.4.camel@citrix.com>
To: Dario Faggioli
Cc: Andrew Cooper, xen-devel@lists.xen.org

My goal is to intercept hypercalls to detect malicious calls. So I need firstly find where the hypercalls are. My plan is to locate hypercall page first, then walk through the hypercall page to get address of hypercalls. If there are any other solutions, please let me know. Thanks very much.

2015-08-10 23:04 GMT+08:00 Dario Faggioli <dario.faggioli@citrix.com>:

> On Sat, 2015-08-08 at 08:02 +0800, big strong wrote:
> > I think I've stated clearly what I want to do.
> >
> Well...
> >
> > |I want to locate the hypercall page address when creating a new domU,
> > so as to locate hypercalls.
> >
> Ok. What for?
>
> Dario
>
> --
> <<This happens because I choose it to happen!>> (Raistlin Majere)
> -----------------------------------------------------------------
> Dario Faggioli, Ph.D, http://about.me/dario.faggioli
> Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)
>

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Andrew Cooper
Subject: Re: how can I find hypercall page address?
Date: Tue, 11 Aug 2015 10:21:23 +0100
Message-ID: <55C9BE93.7010203@citrix.com>
To: big strong, Dario Faggioli
Cc: xen-devel@lists.xen.org

On 11/08/15 03:44, big strong wrote:
> My goal is to intercept hypercalls to detect malicious calls. So I need
> firstly find where the hypercalls are.

As I have said before, a guest may have an arbitrary number of hypercall
pages. Furthermore, the hypercall page is merely a convenience; nothing
prevents a guest manually issuing hypercalls.

> My plan is to locate hypercall page first, then walk through the
> hypercall page to get address of hypercalls. If there are any other
> solutions, please let me know. Thanks very much.

It sounds like you want VM introspection, but it doesn't work like this.
Try http://libvmi.com/ as a starting point.

~Andrew

>
> 2015-08-10 23:04 GMT+08:00 Dario Faggioli <dario.faggioli@citrix.com>:
>
> On Sat, 2015-08-08 at 08:02 +0800, big strong wrote:
> > I think I've stated clearly what I want to do.
> >
> Well...
> >
> > |I want to locate the hypercall page address when creating a new
> domU,
> > so as to locate hypercalls.
> >
> Ok. What for?
>
> Dario
>
> --
> <<This happens because I choose it to happen!>> (Raistlin Majere)
> -----------------------------------------------------------------
> Dario Faggioli, Ph.D, http://about.me/dario.faggioli
> Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)
>
>
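
The two points in the reply above (a guest may have any number of hypercall pages at addresses it chooses, and may issue hypercalls without one), checked against constructed guest memory. This is an added example, not code from the thread, Xen or LibVMI; it assumes the HVM stub layout of 32 bytes per hypercall number (mov $nr,%eax; vmcall or vmmcall; ret), and every function name is hypothetical.

```c
/* Added example: not Xen or LibVMI code; every name below is hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE  4096u
#define STUB_SIZE  32u                    /* assumed: one 32-byte stub per hypercall number */
#define NR_STUBS   (PAGE_SIZE / STUB_SIZE)
#define SAMPLE_LEN (4u * PAGE_SIZE)       /* size of the constructed guest memory */
#define MIN_STUBS  100u                   /* tolerate a few slots that are not stubs */

/* 0f 01 c1 = vmcall (Intel), 0f 01 d9 = vmmcall (AMD). */
static int is_vm_call(const uint8_t *p)
{
    return p[0] == 0x0f && p[1] == 0x01 && (p[2] == 0xc1 || p[2] == 0xd9);
}

/* 1 if p holds "mov $nr,%eax; vmcall|vmmcall; ret" for slot number nr. */
static int is_stub(const uint8_t *p, uint32_t nr)
{
    uint32_t imm = p[1] | (uint32_t)p[2] << 8 |
                   (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
    return p[0] == 0xb8 && imm == nr && is_vm_call(p + 5) && p[8] == 0xc3;
}

/* Number of slots in one page that hold the stub for their own index. */
unsigned count_stubs(const uint8_t *page)
{
    unsigned n = 0;
    for (uint32_t i = 0; i < NR_STUBS; i++)
        n += (unsigned)is_stub(page + i * STUB_SIZE, i);
    return n;
}

/* Pages in mem (whole pages only) that look like a hypercall page. */
unsigned count_hypercall_pages(const uint8_t *mem, size_t len)
{
    unsigned pages = 0;
    for (size_t off = 0; off + PAGE_SIZE <= len; off += PAGE_SIZE)
        pages += count_stubs(mem + off) >= MIN_STUBS;
    return pages;
}

/* vmcall/vmmcall byte patterns that start outside every recognised hypercall
 * page. A byte match is only a heuristic: the same bytes can occur in data. */
unsigned count_inline_calls(const uint8_t *mem, size_t len)
{
    unsigned hits = 0;
    for (size_t off = 0; off + PAGE_SIZE <= len; off += PAGE_SIZE) {
        if (count_stubs(mem + off) >= MIN_STUBS)
            continue;
        for (size_t i = off; i < off + PAGE_SIZE && i + 3 <= len; i++)
            hits += (unsigned)is_vm_call(mem + i);
    }
    return hits;
}

static void write_stub(uint8_t *p, uint32_t nr, uint8_t op)
{
    const uint8_t s[9] = { 0xb8, (uint8_t)nr, (uint8_t)(nr >> 8), (uint8_t)(nr >> 16),
                           (uint8_t)(nr >> 24), 0x0f, 0x01, op, 0xc3 };
    memcpy(p, s, sizeof s);
}

/* Constructed guest memory: hypercall pages in pages 0 and 2 (both encodings, to
 * exercise the matcher) and one hand-written call in the ordinary code of page 1. */
const uint8_t *sample_guest(void)
{
    static uint8_t mem[SAMPLE_LEN];
    static const uint8_t inline_call[] = { 0xb8, 0x11, 0, 0, 0, 0x0f, 0x01, 0xc1 };
    memset(mem, 0x90, sizeof mem);                                /* nop filler */
    for (uint32_t i = 0; i < NR_STUBS; i++) {
        write_stub(mem + i * STUB_SIZE, i, 0xc1);                 /* page 0: vmcall */
        write_stub(mem + 2 * PAGE_SIZE + i * STUB_SIZE, i, 0xd9); /* page 2: vmmcall */
    }
    memcpy(mem + 23 * STUB_SIZE, "\x0f\x0b", 2);                  /* one slot is ud2, not a stub */
    memcpy(mem + PAGE_SIZE + 0x123, inline_call, sizeof inline_call);
    return mem;
}

int main(void)
{
    const uint8_t *mem = sample_guest();
    printf("hypercall pages: %u, inline calls outside them: %u\n",
           count_hypercall_pages(mem, SAMPLE_LEN), count_inline_calls(mem, SAMPLE_LEN));
    return 0;
}
```

The second count stays non-zero even when every hypercall page has been found, so the location of a hypercall page does not bound where a guest's hypercalls come from.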

From mboxrd@z Thu Jan 1 00:00:00 1970
From: big strong
Subject: Re: how can I find hypercall page address?
Date: Fri, 14 Aug 2015 11:13:38 +0800
In-Reply-To: <55C9BE93.7010203@citrix.com>
To: Andrew Cooper
Cc: Dario Faggioli, xen-devel@lists.xen.org

Sorry for replying so late. Libvmi is used to substract information of guest, such as system calls. But I don't think it can be used to intercept hypercalls as hypercall is a behavior between guest and hypervisor while syscall is a behavior between guest applications and guest kernel. Anyway, trying to intercept hypercalls need firstly locate the address of hypercalls. Could you provide any hints on that?

2015-08-11 17:21 GMT+08:00 Andrew Cooper <andrew.cooper3@citrix.com>:

> On 11/08/15 03:44, big strong wrote:
>
> My goal is to intercept hypercalls to detect malicious calls. So I need
> firstly find where the hypercalls are.
>
>
> As I have said before, a guest may have an arbitrary number of hypercall
> pages. Furthermore, the hypercall page is merely a convenience; nothing
> prevents a guest manually issuing hypercalls.
>
> My plan is to locate hypercall page first, then walk through the hypercall
> page to get address of hypercalls. If there are any other solutions, please
> let me know. Thanks very much.
>
>
> It sounds like you want VM introspection, but it doesn't work like this.
> Try http://libvmi.com/ as a starting point.
>
> ~Andrew
>
>
> 2015-08-10 23:04 GMT+08:00 Dario Faggioli <dario.faggioli@citrix.com>:
>
>> On Sat, 2015-08-08 at 08:02 +0800, big strong wrote:
>> > I think I've stated clearly what I want to do.
>> >
>> Well...
>> >
>> > |I want to locate the hypercall page address when creating a new domU,
>> > so as to locate hypercalls.
>> >
>> Ok. What for?
>>
>> Dario
>>
>> --
>> <<This happens because I choose it to happen!>> (Raistlin Majere)
>> -----------------------------------------------------------------
>> Dario Faggioli, Ph.D, http://about.me/dario.faggioli
>> Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)
>>
>
>
>