On 13/04/16 09:55, Corneliu ZUZU
wrote:
That seems to apply to single-stepping only, which would be a
different matter. As for stealthiness or not limiting the guest,
IMO that shouldn't be a problem with BKPT/BRK, since I believe
you can inject the breakpoint exception into the guest as if no
hypervisor trap occured in between (of course, once you decide
whether that breakpoint is Xen's or guest-internal). But what
about X86? How is stealthiness achieved there? Is INT3 entirely
not available for the guest anymore when guest-debugging is
enabled or are ALL INT3's reported by Xen as software breakpoint
vm-events?
In x86, attaching a debugger to the domain causes #DB and #BP
exceptions to be intercepted by Xen, rather than handled directly
by the domain (actually, since XSA-156, #DB is intercepted under
all circumstances, to avoid security issues). The debugger
receives all debug events, and should filer the ones it has
introduced vs the ones present from in-guest activities.
~Andrew
(Whether this works or not is a separate matter, and largely
depends on the debugger.)