On 11/08/15 03:44, big strong wrote:
> My goal is to intercept hyprcalls to detect malicious calls. So I need
> firstly find where the hypercalls are.

As I have said before, a guest may have an arbitrary number of hypercall
pages.  Furthermore, the hypercall page is merely a convenience; nothing
prevents a guest manually issuing hypercalls.

> My plan is to locate hypercall page first, then walk through the
> hypercall page to get address of hyperccalls. If there is any other
> solutions, please let me know. Thanks very much.

It sounds like you want VM introspection, but it doesn't work like
this.  try http://libvmi.com/ as a starting point.

~Andrew

>
> 2015-08-10 23:04 GMT+08:00 Dario Faggioli <dario.faggioli@citrix.com
> <mailto:dario.faggioli@citrix.com>>:
>
>     On Sat, 2015-08-08 at 08:02 +0800, big strong wrote:
>     > I think I've stated clearly what I want to do.
>     >
>     Well...
>     >
>     > |I want to locate the hypercall page address when creating a new
>     domU,
>     > so as to locate hypercalls.
>     >
>     Ok. What for?
>
>     Dario
>
>     --
>     <<This happens because I choose it to happen!>> (Raistlin Majere)
>     -----------------------------------------------------------------
>     Dario Faggioli, Ph.D, http://about.me/dario.faggioli
>     Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)
>
>