RIP does not advance in mem-event-example
59 views
Skip to first unread message
hinoue
Mar 23, 2021, 9:29:48 AM3/23/21
to vmitools
I am trying to learn how to monitor user-space applications within a HVM VM
using memory events. The mem-event-example appears initially to work,
but I never see the RIP advance, and the VM itself appears to be frozen until
the example exits. Example output is at the bottom of this message.
the example exits. Example output is at the bottom of this message.
My expectation is that the VM would be slow, but that the instruction pointer
should advance one instruction per event. Why is this not the case?
should advance one instruction per event. Why is this not the case?
Thanks,
-Jim
Hajime (Jim) Inoue
Senior Scientist
GrammaTech, Inc.
LibVMI init succeeded!
Setting X memory event at RIP 0xffffffff9d97e57e, GPA 0x101d7e57e, GFN 0x101d7e
Waiting for events...
mem_cb: at 0xffffffff9d97edb0, on frame 0x101d7e, permissions: __X
mem_cb: at 0xffffffff9d97edb0, on frame 0x101d7e, permissions: __X
mem_cb: at 0xffffffff9d97edb0, on frame 0x101d7e, permissions: __X
mem_cb: at 0xffffffff9d97edb0, on frame 0x101d7e, permissions: __X
...
```
xl info gives me:
```
host : nuc
release : 5.8.0-45-generic
version : #51~20.04.1-Ubuntu SMP Tue Feb 23 13:46:31 UTC 2021
machine : x86_64
nr_cpus : 1
max_cpu_id : 0
nr_nodes : 1
cores_per_socket : 1
threads_per_core : 1
cpu_mhz : 3000.025
hw_caps : bfebfbff:77faf3bf:2c100800:00000121:0000000f:009c67af:00000000:00000100
virt_caps : hvm hvm_directio
total_memory : 16249
free_memory : 10
sharing_freed_memory : 0
sharing_used_memory : 0
outstanding_claims : 0
free_cpus : 0
xen_major : 4
xen_minor : 11
xen_extra : .4-pre
xen_version : 4.11.4-pre
xen_caps : xen-3.0-x86_64 xen-3.0-x86_32p hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64
xen_scheduler : credit
xen_pagesize : 4096
platform_params : virt_start=0xffff800000000000
xen_changeset :
xen_commandline : placeholder no-real-mode edd=off
cc_compiler : gcc (Ubuntu 9.2.1-31ubuntu3) 9.2.1 20200306
cc_compile_by : ubuntu-devel-di
cc_compile_domain : lists.ubuntu.com
cc_compile_date : Tue Mar 10 09:04:06 UTC 2020
build_id : 70edf50fce444a706eb5c69735c35c1838e4eaee
xend_config_format : 4
```
Tamas K Lengyel
Mar 23, 2021, 9:36:19 AM3/23/21
to vmit...@googlegroups.com
The instruction pointer can't advance while the page access is
restricted. You need to lift the page permission so the CPU can fetch
the instruction and continue. If you don't, it will constantly fault
as you observed. You would normally enable singlestepping in the mem
event callback, lift page permissions, then in the singlestep callback
put the mem event back.
> --
> You received this message because you are subscribed to the Google Groups "vmitools" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to vmitools+u...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/vmitools/0faffd33-74dc-4573-97db-2c7bcc23bb87n%40googlegroups.com.
restricted. You need to lift the page permission so the CPU can fetch
the instruction and continue. If you don't, it will constantly fault
as you observed. You would normally enable singlestepping in the mem
event callback, lift page permissions, then in the singlestep callback
put the mem event back.
> You received this message because you are subscribed to the Google Groups "vmitools" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to vmitools+u...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/vmitools/0faffd33-74dc-4573-97db-2c7bcc23bb87n%40googlegroups.com.
hinoue
Mar 25, 2021, 11:03:46 AM3/25/21
to vmitools
Thanks!
This makes sense, and I can see this from some of the other examples.
-Jim
Reply all
Reply to author
Forward
0 new messages