* how can I find hypercall page address? @ 2015-08-06 9:46 big strong 2015-08-06 9:49 ` Andrew Cooper 0 siblings, 1 reply; 10+ messages in thread From: big strong @ 2015-08-06 9:46 UTC (permalink / raw) To: xen-devel [-- Attachment #1.1: Type: text/plain, Size: 247 bytes --] The old version of Xen contains information about hypercall page like: xl dmesg ...... (XEN) HVM10: Allocated Xen hypercall page at 169ff000 ....... But the new edition seems to miss this information. How can I get the similar information then? [-- Attachment #1.2: Type: text/html, Size: 347 bytes --] [-- Attachment #2: Type: text/plain, Size: 126 bytes --] _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: how can I find hypercall page address? 2015-08-06 9:46 how can I find hypercall page address? big strong @ 2015-08-06 9:49 ` Andrew Cooper 2015-08-07 1:45 ` big strong 0 siblings, 1 reply; 10+ messages in thread From: Andrew Cooper @ 2015-08-06 9:49 UTC (permalink / raw) To: big strong, xen-devel [-- Attachment #1.1: Type: text/plain, Size: 395 bytes --] On 06/08/15 10:46, big strong wrote: > The old version of Xen contains information about hypercall page like: > > xl dmesg > ...... > (XEN) HVM10: Allocated Xen hypercall page at 169ff000 > ....... > > But the new edition seems to miss this information. Correct. The information is not interesting or useful. > How can I get the similar information then? What are you trying to do? ~Andrew [-- Attachment #1.2: Type: text/html, Size: 1303 bytes --] [-- Attachment #2: Type: text/plain, Size: 126 bytes --] _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: how can I find hypercall page address? 2015-08-06 9:49 ` Andrew Cooper @ 2015-08-07 1:45 ` big strong 2015-08-07 1:52 ` big strong 0 siblings, 1 reply; 10+ messages in thread From: big strong @ 2015-08-07 1:45 UTC (permalink / raw) To: Andrew Cooper; +Cc: xen-devel [-- Attachment #1.1: Type: text/plain, Size: 601 bytes --] I want to locate the hypercall page address when creating a new domU, so as to locate hypercalls. Is it possible? 2015-08-06 17:49 GMT+08:00 Andrew Cooper <andrew.cooper3@citrix.com>: > On 06/08/15 10:46, big strong wrote: > > The old version of Xen contains information about hypercall page like: > > xl dmesg > ...... > (XEN) HVM10: Allocated Xen hypercall page at 169ff000 > ....... > > But the new edition seems to miss this information. > > > Correct. The information is not interesting or useful. > > How can I get the similar information then? > > > What are you trying to do? > > ~Andrew > [-- Attachment #1.2: Type: text/html, Size: 1503 bytes --] [-- Attachment #2: Type: text/plain, Size: 126 bytes --] _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: how can I find hypercall page address? 2015-08-07 1:45 ` big strong @ 2015-08-07 1:52 ` big strong 2015-08-07 13:06 ` Andrew Cooper 0 siblings, 1 reply; 10+ messages in thread From: big strong @ 2015-08-07 1:52 UTC (permalink / raw) To: Andrew Cooper; +Cc: xen-devel [-- Attachment #1.1: Type: text/plain, Size: 772 bytes --] Or how can I get the address of hypercall page belonging to a running domU? 2015-08-07 9:45 GMT+08:00 big strong <fangtuo90@gmail.com>: > I want to locate the hypercall page address when creating a new domU, so > as to locate hypercalls. Is it possible? > > 2015-08-06 17:49 GMT+08:00 Andrew Cooper <andrew.cooper3@citrix.com>: > >> On 06/08/15 10:46, big strong wrote: >> >> The old version of Xen contains information about hypercall page like: >> >> xl dmesg >> ...... >> (XEN) HVM10: Allocated Xen hypercall page at 169ff000 >> ....... >> >> But the new edition seems to miss this information. >> >> >> Correct. The information is not interesting or useful. >> >> How can I get the similar information then? >> >> >> What are you trying to do? >> >> ~Andrew >> > > [-- Attachment #1.2: Type: text/html, Size: 1950 bytes --] [-- Attachment #2: Type: text/plain, Size: 126 bytes --] _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: how can I find hypercall page address? 2015-08-07 1:52 ` big strong @ 2015-08-07 13:06 ` Andrew Cooper 2015-08-08 0:02 ` big strong 0 siblings, 1 reply; 10+ messages in thread From: Andrew Cooper @ 2015-08-07 13:06 UTC (permalink / raw) To: big strong; +Cc: xen-devel [-- Attachment #1.1: Type: text/plain, Size: 1170 bytes --] On 07/08/15 02:52, big strong wrote: > Or how can I get the address of hypercall page belonging to a running > domU? Please do not top post. A domain may create an arbitrary quantity of hypercall pages, at any address of their choosing. You have not explained why you want this information. ~Andrew > > 2015-08-07 9:45 GMT+08:00 big strong <fangtuo90@gmail.com > <mailto:fangtuo90@gmail.com>>: > > I want to locate the hypercall page address when creating a new > domU, so as to locate hypercalls. Is it possible? > > 2015-08-06 17:49 GMT+08:00 Andrew Cooper > <andrew.cooper3@citrix.com <mailto:andrew.cooper3@citrix.com>>: > > On 06/08/15 10:46, big strong wrote: >> The old version of Xen contains information about hypercall >> page like: >> >> xl dmesg >> ...... >> (XEN) HVM10: Allocated Xen hypercall page at 169ff000 >> ....... >> >> But the new edition seems to miss this information. > > Correct. The information is not interesting or useful. > >> How can I get the similar information then? > > What are you trying to do? > > ~Andrew > > > [-- Attachment #1.2: Type: text/html, Size: 4183 bytes --] [-- Attachment #2: Type: text/plain, Size: 126 bytes --] _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: how can I find hypercall page address? 2015-08-07 13:06 ` Andrew Cooper @ 2015-08-08 0:02 ` big strong 2015-08-10 15:04 ` Dario Faggioli 0 siblings, 1 reply; 10+ messages in thread From: big strong @ 2015-08-08 0:02 UTC (permalink / raw) To: Andrew Cooper; +Cc: xen-devel [-- Attachment #1.1: Type: text/plain, Size: 1290 bytes --] I think I've stated clearly what I want to do. |I want to locate the hypercall page address when creating a new domU, so as to locate hypercalls. Is it possible? 2015-08-07 21:06 GMT+08:00 Andrew Cooper <andrew.cooper3@citrix.com>: > On 07/08/15 02:52, big strong wrote: > > Or how can I get the address of hypercall page belonging to a running domU? > > > Please do not top post. > > A domain may create an arbitrary quantity of hypercall pages, at any > address of their choosing. > > You have not explained why you want this information. > > ~Andrew > > > 2015-08-07 9:45 GMT+08:00 big strong <fangtuo90@gmail.com>: > >> I want to locate the hypercall page address when creating a new domU, so >> as to locate hypercalls. Is it possible? >> >> 2015-08-06 17:49 GMT+08:00 Andrew Cooper <andrew.cooper3@citrix.com>: >> >>> On 06/08/15 10:46, big strong wrote: >>> >>> The old version of Xen contains information about hypercall page like: >>> >>> xl dmesg >>> ...... >>> (XEN) HVM10: Allocated Xen hypercall page at 169ff000 >>> ....... >>> >>> But the new edition seems to miss this information. >>> >>> >>> Correct. The information is not interesting or useful. >>> >>> How can I get the similar information then? >>> >>> >>> What are you trying to do? >>> >>> ~Andrew >>> >> >> > > [-- Attachment #1.2: Type: text/html, Size: 4361 bytes --] [-- Attachment #2: Type: text/plain, Size: 126 bytes --] _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: how can I find hypercall page address? 2015-08-08 0:02 ` big strong @ 2015-08-10 15:04 ` Dario Faggioli 2015-08-11 2:44 ` big strong 0 siblings, 1 reply; 10+ messages in thread From: Dario Faggioli @ 2015-08-10 15:04 UTC (permalink / raw) To: big strong; +Cc: Andrew Cooper, xen-devel [-- Attachment #1.1: Type: text/plain, Size: 514 bytes --] On Sat, 2015-08-08 at 08:02 +0800, big strong wrote: > I think I've stated clearly what I want to do. > Well... > > |I want to locate the hypercall page address when creating a new domU, > so as to locate hypercalls. > Ok. What for? Dario -- <<This happens because I choose it to happen!>> (Raistlin Majere) ----------------------------------------------------------------- Dario Faggioli, Ph.D, http://about.me/dario.faggioli Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK) [-- Attachment #1.2: This is a digitally signed message part --] [-- Type: application/pgp-signature, Size: 181 bytes --] [-- Attachment #2: Type: text/plain, Size: 126 bytes --] _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: how can I find hypercall page address? 2015-08-10 15:04 ` Dario Faggioli @ 2015-08-11 2:44 ` big strong 2015-08-11 9:21 ` Andrew Cooper 0 siblings, 1 reply; 10+ messages in thread From: big strong @ 2015-08-11 2:44 UTC (permalink / raw) To: Dario Faggioli; +Cc: Andrew Cooper, xen-devel [-- Attachment #1.1: Type: text/plain, Size: 894 bytes --] My goal is to intercept hyprcalls to detect malicious calls. So I need firstly find where the hypercalls are. My plan is to locate hypercall page first, then walk through the hypercall page to get address of hyperccalls. If there is any other solutions, please let me know. Thanks very much. 2015-08-10 23:04 GMT+08:00 Dario Faggioli <dario.faggioli@citrix.com>: > On Sat, 2015-08-08 at 08:02 +0800, big strong wrote: > > I think I've stated clearly what I want to do. > > > Well... > > > > |I want to locate the hypercall page address when creating a new domU, > > so as to locate hypercalls. > > > Ok. What for? > > Dario > > -- > <<This happens because I choose it to happen!>> (Raistlin Majere) > ----------------------------------------------------------------- > Dario Faggioli, Ph.D, http://about.me/dario.faggioli > Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK) > [-- Attachment #1.2: Type: text/html, Size: 1462 bytes --] [-- Attachment #2: Type: text/plain, Size: 126 bytes --] _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: how can I find hypercall page address? 2015-08-11 2:44 ` big strong @ 2015-08-11 9:21 ` Andrew Cooper 2015-08-14 3:13 ` big strong 0 siblings, 1 reply; 10+ messages in thread From: Andrew Cooper @ 2015-08-11 9:21 UTC (permalink / raw) To: big strong, Dario Faggioli; +Cc: xen-devel [-- Attachment #1.1: Type: text/plain, Size: 1374 bytes --] On 11/08/15 03:44, big strong wrote: > My goal is to intercept hyprcalls to detect malicious calls. So I need > firstly find where the hypercalls are. As I have said before, a guest may have an arbitrary number of hypercall pages. Furthermore, the hypercall page is merely a convenience; nothing prevents a guest manually issuing hypercalls. > My plan is to locate hypercall page first, then walk through the > hypercall page to get address of hyperccalls. If there is any other > solutions, please let me know. Thanks very much. It sounds like you want VM introspection, but it doesn't work like this. try http://libvmi.com/ as a starting point. ~Andrew > > 2015-08-10 23:04 GMT+08:00 Dario Faggioli <dario.faggioli@citrix.com > <mailto:dario.faggioli@citrix.com>>: > > On Sat, 2015-08-08 at 08:02 +0800, big strong wrote: > > I think I've stated clearly what I want to do. > > > Well... > > > > |I want to locate the hypercall page address when creating a new > domU, > > so as to locate hypercalls. > > > Ok. What for? > > Dario > > -- > <<This happens because I choose it to happen!>> (Raistlin Majere) > ----------------------------------------------------------------- > Dario Faggioli, Ph.D, http://about.me/dario.faggioli > Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK) > > [-- Attachment #1.2: Type: text/html, Size: 3243 bytes --] [-- Attachment #2: Type: text/plain, Size: 126 bytes --] _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: how can I find hypercall page address? 2015-08-11 9:21 ` Andrew Cooper @ 2015-08-14 3:13 ` big strong 0 siblings, 0 replies; 10+ messages in thread From: big strong @ 2015-08-14 3:13 UTC (permalink / raw) To: Andrew Cooper; +Cc: Dario Faggioli, xen-devel [-- Attachment #1.1: Type: text/plain, Size: 1799 bytes --] Sorry for replying so late. Libvmi is used to substract information of guest, such as system calls. But I don't think it can be used to intercept hypercalls as hypercall is a behavior between guest and hypervisor while syscall is a behavior between guest applications and guest kernel. Anyway, trying to intercept hypercalls need firstly locate the address of hypercalls. Could you provides any hints any that? 2015-08-11 17:21 GMT+08:00 Andrew Cooper <andrew.cooper3@citrix.com>: > On 11/08/15 03:44, big strong wrote: > > My goal is to intercept hyprcalls to detect malicious calls. So I need > firstly find where the hypercalls are. > > > As I have said before, a guest may have an arbitrary number of hypercall > pages. Furthermore, the hypercall page is merely a convenience; nothing > prevents a guest manually issuing hypercalls. > > My plan is to locate hypercall page first, then walk through the hypercall > page to get address of hyperccalls. If there is any other solutions, please > let me know. Thanks very much. > > > It sounds like you want VM introspection, but it doesn't work like this. > try http://libvmi.com/ as a starting point. > > ~Andrew > > > 2015-08-10 23:04 GMT+08:00 Dario Faggioli <dario.faggioli@citrix.com>: > >> On Sat, 2015-08-08 at 08:02 +0800, big strong wrote: >> > I think I've stated clearly what I want to do. >> > >> Well... >> > >> > |I want to locate the hypercall page address when creating a new domU, >> > so as to locate hypercalls. >> > >> Ok. What for? >> >> Dario >> >> -- >> <<This happens because I choose it to happen!>> (Raistlin Majere) >> ----------------------------------------------------------------- >> Dario Faggioli, Ph.D, http://about.me/dario.faggioli >> Senior Software Engineer, Citrix Systems R&D Ltd., Cambridge (UK) >> > > > [-- Attachment #1.2: Type: text/html, Size: 3545 bytes --] [-- Attachment #2: Type: text/plain, Size: 126 bytes --] _______________________________________________ Xen-devel mailing list Xen-devel@lists.xen.org http://lists.xen.org/xen-devel ^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2015-08-14 3:13 UTC | newest] Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2015-08-06 9:46 how can I find hypercall page address? big strong 2015-08-06 9:49 ` Andrew Cooper 2015-08-07 1:45 ` big strong 2015-08-07 1:52 ` big strong 2015-08-07 13:06 ` Andrew Cooper 2015-08-08 0:02 ` big strong 2015-08-10 15:04 ` Dario Faggioli 2015-08-11 2:44 ` big strong 2015-08-11 9:21 ` Andrew Cooper 2015-08-14 3:13 ` big strong
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.