xen-devel.lists.xenproject.org archive mirror
* Guest memory access hooking
@ 2012-11-13 15:56 Cutter 409
From: Cutter 409 @ 2012-11-13 15:56 UTC (permalink / raw)
  To: xen-devel



Hello all,

I'm trying to do some research with malware, and I'm trying to get
notifications on arbitrary guest page accesses (similar to what Ether
does.) I've noticed the mem-event API and it seems like it might be close
to what I need, but I can't find much documentation about how it works or
how to use it.

I know that the mem-event API works only with EPT, but is the code to
change permissions modifying the guest page tables, or does it work via
EPT? (Can the guest detect it?) Is there any documentation about usage,
besides the xen-access.c test?

I'm also interested in monitoring arbitrary page access via the shadow page
tables. I've been reading through the code, but if anyone has any insight
or some kind of push in the right direction, I'd really appreciate it.

Thank you!
