From: Andrew Cooper
Subject: Re: how can I find hypercall page address?
Date: Tue, 11 Aug 2015 10:21:23 +0100
Message-ID: <55C9BE93.7010203@citrix.com>
To: big strong, Dario Faggioli
Cc: xen-devel@lists.xen.org

On 11/08/15 03:44, big strong wrote:
> My goal is to intercept hypercalls to detect malicious calls. So I first need to find where the hypercalls are.

As I have said before, a guest may have an arbitrary number of hypercall pages. Furthermore, the hypercall page is merely a convenience; nothing prevents a guest manually issuing hypercalls.

> My plan is to locate the hypercall page first, then walk through the hypercall page to get the address of the hypercalls. If there are any other solutions, please let me know. Thanks very much.

It sounds like you want VM introspection, but it doesn't work like this. Try http://libvmi.com/ as a starting point.

~Andrew


2015-08-10 23:04 GMT+08:00 Dario Faggioli <dario.faggioli@citrix.com>:
On Sat, 2015-08-08 at 08:02 +0800, big strong wrote:
> I think I've stated clearly what I want to do.
>
Well...
>
> |I want to locate the hypercall page address when creating a new domU,
> so as to locate hypercalls.
>
Ok. What for?

Dario

--
<<This happens because I choose it to happen!>> (Raistlin Majere)
-----------------------------------------------------------------
Dario Faggioli, Ph.D, http://about.me/dario.faggioli
Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK)


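Added example (not part of the original message, and not Xen or LibVMI code): a byte-level check over two constructed pages that illustrates the reply's point that the hypercall page is only a convenience. It assumes the 32-byte stub layout `mov $nr,%eax; vmcall; ret` used for Intel HVM guests; the function names, the hypercall number 128 and both sample pages are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PG_SIZE   4096u
#define SLOT_SIZE 32u   /* assumed: one 32-byte stub per hypercall number */

/* Assumed Intel HVM stub: b8 imm32, 0f 01 c1, c3 (mov $nr,%eax; vmcall; ret). */
static int is_stub(const uint8_t *p, uint8_t nr)
{
    const uint8_t want[9] = { 0xb8, nr, 0, 0, 0, 0x0f, 0x01, 0xc1, 0xc3 };
    return memcmp(p, want, sizeof want) == 0;
}

/* Slots whose stub loads the slot's own index (128 for a full page). */
size_t count_stub_slots(const uint8_t *page)
{
    size_t n = 0;
    for (uint32_t i = 0; i < PG_SIZE / SLOT_SIZE; i++)
        n += (size_t)is_stub(page + i * SLOT_SIZE, (uint8_t)i);
    return n;
}

/* vmcall opcodes (0f 01 c1) at any offset, inside a stub or not. */
size_t count_vmcall(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i + 3 <= len; i++)
        n += (buf[i] == 0x0f && buf[i + 1] == 0x01 && buf[i + 2] == 0xc1);
    return n;
}

/* Constructed samples: a page of stubs, and a code page with one inline vmcall. */
void make_samples(uint8_t *stub_page, uint8_t *inline_page)
{
    uint8_t stub[9] = { 0xb8, 0, 0, 0, 0, 0x0f, 0x01, 0xc1, 0xc3 };
    memset(stub_page, 0xcc, PG_SIZE);               /* int3 padding */
    for (uint32_t i = 0; i < PG_SIZE / SLOT_SIZE; i++, stub[1]++)
        memcpy(stub_page + i * SLOT_SIZE, stub, sizeof stub);
    memset(inline_page, 0x90, PG_SIZE);             /* nop filler */
    memcpy(inline_page + 0x123, stub, 8);           /* mov $128,%eax; vmcall (no ret) */
}

int main(void)
{
    static uint8_t a[PG_SIZE], b[PG_SIZE];
    make_samples(a, b);
    printf("stub slots %zu/%zu, vmcall opcodes %zu/%zu\n", count_stub_slots(a),
           count_stub_slots(b), count_vmcall(a, PG_SIZE), count_vmcall(b, PG_SIZE));
    return 0;
}
```

The stub-pattern check reports nothing for the second page although it contains a `vmcall`, so finding hypercall pages does not enumerate the places a guest can issue hypercalls from.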