Generic mem_event does not trigger #1044
Comments
Because the generic handler is just that: it registers a generic handler that will be called when an EPT violation happens. To trigger the EPT violations you still need to restrict the particular gfn's permission you are interested in. For non-generic handlers this happens automatically. For generic you need to use vmi_set_mem_event after the generic handler is registered.
Thank you for the swift answer!
You set permissions on GFNs, which are guest-physical addresses. As long as the VM isn't getting hot-plugged memory it doesn't matter how the guest OS maps that memory into a process or processes. Currently you have to set it one-by-one using the LibVMI API. On Xen the underlying Xen API allows you to set multiple pages via
Thank you for the suggestion and your advice! This sounds really interesting. I do not need to have the knowledge of which GFN belongs to which process, because I can get the PID when a memory event occurs through the CR3 register. However, I don't know how to get a list of the GFNs from LibVMI without knowing every process and querying their respective pagetables with vmi_get_va_pages. Additionally, I would have to check regularly whether new GFNs have been allocated, right? Also I am currently set on KVM. Sorry that I have so many questions. I am pretty new to VMI.
You can loop from 0 to max physical memory and try to set the permission. Otherwise you have to collect the memory map from the VM itself, there is no API for that in LibVMI. Usually it is displayed in the dmesg. See https://github.com/libvmi/libvmi/blob/master/notes/memory_map.txt
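Added example, not code from this issue or from LibVMI: the reply above suggests taking the memory map from the guest's dmesg, and this C program turns e820 "usable" lines into GFN ranges so only real RAM pages are visited. The dmesg sample is constructed, 4 KiB pages are assumed, and `set_gfn_fn` is a hypothetical hook where a LibVMI tool would call vmi_set_mem_event for each GFN after registering the generic event.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12 /* assumption: 4 KiB guest pages */
typedef struct { uint64_t first_gfn, last_gfn; } gfn_range_t;
typedef int (*set_gfn_fn)(uint64_t gfn, void *ctx); /* hypothetical hook */

/* Constructed sample of guest dmesg output, not taken from the issue. */
static const char *SAMPLE_DMESG =
    "[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable\n"
    "[    0.000000] BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved\n"
    "[    0.000000] BIOS-e820: [mem 0x0000000000100000-0x000000007ffdbfff] usable\n"
    "[    0.000000] BIOS-e820: [mem 0x000000007ffdc000-0x000000007fffffff] reserved\n";

/* Collect e820 "usable" regions as ranges of pages lying fully inside them. */
size_t parse_usable_gfns(const char *dmesg, gfn_range_t *out, size_t max)
{
    size_t n = 0;
    for (const char *line = dmesg; line && *line && n < max; ) {
        const char *eol = strchr(line, '\n');
        const char *tag = strstr(line, "BIOS-e820: [mem ");
        uint64_t start, end;
        char type[32];
        if (tag && (!eol || tag < eol) &&
            sscanf(tag, "BIOS-e820: [mem %" SCNx64 "-%" SCNx64 "] %31s",
                   &start, &end, type) == 3 && strcmp(type, "usable") == 0) {
            /* round the start up and the (inclusive) end down to page bounds */
            uint64_t first = (start + (1ULL << PAGE_SHIFT) - 1) >> PAGE_SHIFT;
            uint64_t stop = (end + 1) >> PAGE_SHIFT; /* exclusive */
            if (stop > first)
                out[n++] = (gfn_range_t){ first, stop - 1 };
        }
        line = eol ? eol + 1 : NULL;
    }
    return n;
}

/* Apply `set` to every GFN in the ranges; returns the number of successes (0). */
uint64_t restrict_gfns(const gfn_range_t *r, size_t n, set_gfn_fn set, void *ctx)
{
    uint64_t ok = 0;
    for (size_t i = 0; i < n; i++)
        for (uint64_t g = r[i].first_gfn; g <= r[i].last_gfn; g++)
            ok += (set(g, ctx) == 0);
    return ok;
}

/* Stand-in hook that only counts; the real one would set the permission. */
static int count_only(uint64_t gfn, void *ctx) { (void)gfn; ++*(uint64_t *)ctx; return 0; }
```

Each hook call corresponds to one per-GFN permission change, so the returned count gives a direct sense of how much work restricting all guest RAM involves.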
Thank you again for your help! Unfortunately, it is so slow on KVM that it halts the VM. I will try it with Xen later.
Changing the permissions on all pages is going to be slow on Xen too. A little bit faster than doing it 1-by-1 but still slow.
Oh, I see. I guess LibVMI is not the correct tool for my particular use-case. However, it was nice to play around with it and it helped me learn a lot about VMI in general.
Hello everyone,
thanks to everyone for the great work!
I want to set up a callback which registers every memory access with its corresponding PID. For a first prototype I have modified the code in the mem-event-example.c.
I have pasted the modified (hacked) script below.
I have modified the line
SETUP_MEM_EVENT(&mem_event, gfn, VMI_MEMACCESS_X, mem_cb, false);
to be
SETUP_MEM_EVENT(&mem_event, ~0UL, VMI_MEMACCESS_RWX, mem_cb, true);
However, the callback does not trigger in this scenario.
The unmodified version of this script works. I am using lib-kvmi and I used https://kvm-vmi.github.io/kvm-vmi/kvmi-v7/setup.html#option-1-vagrant-virtual-machine-based-setup to set it up.
Best
Thorsten