Memory write events where memory is written by backend of a split driver


Jan H.

Jan 21, 2020, 9:09:34 AM
to vmitools
Hi,

I am using an event to detect writes to a memory page. This
works fine if the writes are coming from the guest that I am
inspecting. However, if the writes to the page are coming
from a backend of a split driver then the write is not
detected. How could I fix this? Preferably, I do not want
to change the frontend of the split driver. So can this
somehow be done in the backend or in Xen?

Thanks!

Tamas K Lengyel

Jan 21, 2020, 9:15:02 AM
to vmit...@googlegroups.com
Since the backend doesn't map memory via EPT it won't trigger the EPT-based monitor. This is expected. Same applies to the emulator that's in Xen or LibVMI itself. If you need to catch those writes as well you would have to modify the backend driver to alert you before it writes to the target memory. Sounds like a lot of work. Perhaps if you use PVH stubdomains it is easier because you can use the EPT-based monitoring on that too.
