From: Andrew Cooper
Subject: Re: Scan guests' page to seek specific instructions
Date: Tue, 27 Oct 2015 13:50:52 +0000
Message-ID: <562F813C.6030205@citrix.com>
In-Reply-To: <467E28D4-0618-4E87-A2E2-98D81003BDA7@qiwen.name>
To: Wen QI, xen-devel@lists.xen.org
List-Id: xen-devel@lists.xenproject.org

On 26/10/15 22:34, Wen QI wrote:
> Hi,
>
> I am trying to scan guests' pages and check whether they contain specific instructions (e.g., LOCK). I summarize how I did it as follows. Could you please give some suggestions about whether I am going in the right direction? Thank you.
>
> In my testing environment, XEN 4.4.0 is deployed. Both Domain-0 and the guests are using Ubuntu 14.4 64-bit. The guests are in HVM mode.
>
> 1. In the page fault handler sh_page_fault(), we first check the #PF error code (regs->error_code); if it contains PFEC_insn_fetch && PFEC_user_mode, we continue to the next step.
>
> 2. The virtual address (va, which is from CR3) is converted to an MFN.
>
> 3. If the MFN is valid, we get the page address via mfn_to_virt().
>
> 4. Then we scan the page's data to check whether the specific instructions exist in the page.
>
> To simplify the testing, I temporarily disabled all shadow optimizations by setting SHADOW_OPTIMIZATIONS to 0x0F.
>
> My observations are as follows:
> - In step 2, some virtual addresses can be converted to a valid MFN, some cannot.

Why would you expect them all to be valid? This is how demand paging of library code typically works.

>
> - In the HVM guest, I run a piece of C code which contains the LOCK instructions. However, in step 4, the instructions cannot be detected.
Why do you expect to ever trap regular usermode execution on a user page?

If you want to do VM Introspection, start with a tool such as libVMI rather than attempting to implement it from first principles in the shadow paging code.

~Andrew