From: Rob Landley <rob@landley.net>
To: qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] How to get guestOS's information
Date: Thu, 26 Oct 2006 12:21:00 -0400
Message-ID: <200610261221.00594.rob@landley.net>
In-Reply-To: <001501c6f8cf$b2659bc0$37cb1585@s5pc49>
On Thursday 26 October 2006 3:23 am, KazuyaMatsunaga wrote:
> Hello,
>
> It is impolite to write an unexpected letter.
Compared to the mountains of spam I get every day? Not really. :)
> I am a college student in
> Japan. I belong to an information processing system laboratory, and I work on
> intrusion detection systems. We are developing an intrusion detection system
> using system calls. Now, it operates only on Linux. I would like to operate
> it on more platforms. I think it is possible to find a guest OS's
> abnormality by observing it from the host OS. I would be extremely happy if
> it could be operated on QEMU. Do you think that it is possible? Now, my
> system uses only the process ID and frequency of system calls. In a word, I would
> like to know how to get the guest OS's information (process ID and frequency of
> system calls).
If your guest OS is using sysenter you could hook that and see how often it's
getting called. Or perhaps intercept interrupt 80.
That's about the end of my useful suggestions, though. Unfortunately
ProcessID is an abstraction that QEMU doesn't know anything about (it's
translating machine language instructions and emulating hardware; what it's
_doing_ is another matter). Trying to get QEMU to do it is a bit like trying
to add hardware to your system to determine which user accounts are accessing
your hard drive. Your PCI bus doesn't know what a user account is: it's at
the wrong level and that information just isn't present there.
You'd have to modify the OS you're running to collect that info, unless you
can figure out exactly where in memory it's stored and add some kind of
trace to monitor that memory location. (And that location could easily
change each time you reboot the system.)
I'm guessing you modified Linux to collect this information. To get Windows
or Solaris to do it, you'd have to modify those OSes too.
Rob
--
"Perfection is reached, not when there is no longer anything to add, but
when there is no longer anything to take away." - Antoine de Saint-Exupery
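The syscall-frequency half of the suggestion above, as an added example that is not QEMU code and not part of this thread: a per-instruction hook that recognises the two 32-bit x86 system call entry instructions, "int $0x80" (bytes CD 80) and "sysenter" (0F 34), and keys a histogram on EAX, which holds the system call number under the 32-bit Linux ABI. The hook, the guest_insn event record, and the instruction trace it runs over are all constructed for the example (the trace uses Linux numbers 3 = read, 4 = write, 11 = execve); a real emulator would feed the hook from its instruction translator. The event deliberately carries only PC, opcode bytes and EAX, which is exactly the point of the reply: nothing in it says which process made the call.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not QEMU code. Assumption: the guest is 32-bit x86 and
 * numbers its system calls in EAX the way 32-bit Linux does; a different
 * guest kernel would need a different syscall table, and the process ID is
 * not visible at this level at all. */

#define SYSCALL_MAX 512u   /* histogram size; 32-bit Linux numbers fit */

/* One executed instruction as an emulator hook could observe it: the PC,
 * the first two opcode bytes at PC, and EAX at that moment. Hypothetical
 * record type for the example. */
typedef struct {
    uint32_t pc;
    uint8_t  op[2];
    uint32_t eax;
} guest_insn;

typedef struct {
    unsigned long count[SYSCALL_MAX];
    unsigned long via_int80;     /* entries via "int $0x80" (CD 80) */
    unsigned long via_sysenter;  /* entries via "sysenter"  (0F 34) */
    unsigned long out_of_range;  /* EAX outside the histogram */
} syscall_stats;

static int is_int80(const uint8_t op[2])    { return op[0] == 0xCD && op[1] == 0x80; }
static int is_sysenter(const uint8_t op[2]) { return op[0] == 0x0F && op[1] == 0x34; }

/* The hook: called once per executed instruction. Returns 1 if the
 * instruction was a syscall entry and was counted, 0 otherwise. */
int syscall_hook(syscall_stats *s, const guest_insn *in)
{
    int entry = is_int80(in->op) ? 1 : is_sysenter(in->op) ? 2 : 0;
    if (!entry)
        return 0;
    if (entry == 1)
        s->via_int80++;
    else
        s->via_sysenter++;
    if (in->eax < SYSCALL_MAX)
        s->count[in->eax]++;
    else
        s->out_of_range++;   /* keep the trace honest: never index past the table */
    return 1;
}

unsigned long syscall_total(const syscall_stats *s)
{
    return s->via_int80 + s->via_sysenter;
}

/* Most frequent syscall number, or -1 if nothing was recorded. */
int syscall_most_frequent(const syscall_stats *s)
{
    int best = -1;
    for (unsigned i = 0; i < SYSCALL_MAX; i++)
        if (s->count[i] && (best < 0 || s->count[i] > s->count[best]))
            best = (int)i;
    return best;
}

/* Constructed trace: a guest doing read/write loops plus one execve, with
 * some calls entering through int 0x80 and some through sysenter (vDSO). */
static const guest_insn sample_trace[] = {
    { 0x08048100, {0x89, 0xE5}, 0 },          /* mov %esp,%ebp: not a syscall */
    { 0x08048102, {0xCD, 0x80}, 3 },          /* int $0x80, read  */
    { 0x08048104, {0xCD, 0x80}, 4 },          /* int $0x80, write */
    { 0xB7FE1424, {0x0F, 0x34}, 3 },          /* sysenter, read   */
    { 0xB7FE1424, {0x0F, 0x34}, 4 },          /* sysenter, write  */
    { 0xB7FE1424, {0x0F, 0x34}, 3 },          /* sysenter, read   */
    { 0x08048200, {0xCD, 0x80}, 11 },         /* int $0x80, execve */
    { 0x08048202, {0xCD, 0x80}, 0xFFFFFFFF }, /* bogus number: out of range */
};

/* Run the constructed trace through the hook and return the resulting stats. */
const syscall_stats *sample_stats(void)
{
    static syscall_stats s;
    memset(&s, 0, sizeof s);
    for (size_t i = 0; i < sizeof sample_trace / sizeof sample_trace[0]; i++)
        syscall_hook(&s, &sample_trace[i]);
    return &s;
}

int main(void)
{
    const syscall_stats *s = sample_stats();
    printf("total=%lu int80=%lu sysenter=%lu out_of_range=%lu\n",
           syscall_total(s), s->via_int80, s->via_sysenter, s->out_of_range);
    for (unsigned i = 0; i < SYSCALL_MAX; i++)
        if (s->count[i])
            printf("  syscall %3u: %lu\n", i, s->count[i]);
    printf("most frequent: %d\n", syscall_most_frequent(s));
    return 0;
}
```

Two things worth noting when adapting this to a real emulator. First, the hook only fires on the instruction bytes, so a guest that enters the kernel some other way (a 64-bit guest using "syscall", 0F 05, for instance) is simply not counted; add the encodings you expect. Second, attributing a call to a process is the part the reply says the hook cannot do: the only route is reading the guest kernel's own "current task" structure at an address that depends on the kernel build, which is why the email points at modifying the guest OS instead.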
Thread overview: 6+ messages
2006-10-26 7:23 [Qemu-devel] How to get guestOS's information KazuyaMatsunaga
2006-10-26 16:21 ` Rob Landley [this message]
2006-10-26 17:53 ` andrzej zaborowski
2006-10-26 18:06 ` andrzej zaborowski
2006-10-26 22:00 ` maestro
2006-10-26 22:08 ` Jamie Lokier