Hi,
We had some issues with the function vmi_dtb_to_pid and tracing userspace Linux applications.
What we need to do is to find the PID whenever a userspace breakpoint is reached.
However, on systems with meltdown patches the vmi_dtb_to_pid function does not work when we just use the content of the CR3 register for the translation.
As a possible fix I implemented the following solution:
addr_t dtb = 0;
vmi_pid_t pid = 0;
vmi_get_vcpureg(vmi, &dtb, CR3, 0);  /* CR3 of vCPU 0 at the user-space breakpoint */
dtb &= ~0x1fffULL;                   /* clear the PCID bits and the KPTI user/kernel PGD bit */
vmi_dtb_to_pid(vmi, dtb, &pid);      /* look the PID up by the kernel-side page table */
It sets the PCID (lowest 12 bits of the CR3 register) [1] to zero to get the kernel-space page table of the process.
I am currently setting 13 bits to zero and I am not really sure if this is correct, but it works for me so far.
Should this maybe be included in the vmi_dtb_to_pid function?
Cheers,
Benjamin
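The following is an added example, not code from the post above or from LibVMI. It models, in plain C with no hypervisor access, why a 12-bit PCID mask is not enough on a meltdown-patched (KPTI) Linux guest and why the 13-bit mask in the post recovers the kernel page table. The layout it assumes is the Linux PTI one: the kernel and user PGDs are allocated as an 8 KiB pair with the user copy at kernel PGD + 4 KiB (so the user CR3 has bit 12 set), and user-mode PCIDs carry bit 11. The CR3 values and the physical address are constructed for the demonstration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Layout assumptions (Linux KPTI), not values read from a VM. */
#define CR3_PCID_MASK         0x0fffULL    /* bits 0-11: PCID when CR4.PCIDE is set */
#define CR3_PTI_USER_PGD_BIT  (1ULL << 12) /* set in user-mode CR3: selects the user PGD copy */
#define CR3_PTI_USER_PCID_BIT (1ULL << 11) /* set in the PCID of a user-mode CR3 */

/* The mask used in the post: strip the PCID and the PTI user-PGD bit. */
uint64_t kernel_pgd_from_cr3(uint64_t cr3) { return cr3 & ~0x1fffULL; }

/* A 12-bit mask only strips the PCID. Fine on a kernel without PTI, but on a
 * KPTI kernel a CR3 captured at a user-space breakpoint still points at the
 * user PGD copy, which vmi_dtb_to_pid does not know. */
uint64_t pgd_pcid_only_mask(uint64_t cr3) { return cr3 & ~CR3_PCID_MASK; }

uint64_t cr3_pcid(uint64_t cr3) { return cr3 & CR3_PCID_MASK; }
int cr3_is_user_pgd(uint64_t cr3) { return (cr3 & CR3_PTI_USER_PGD_BIT) != 0; }

/* Constructed CR3 values for a process whose kernel PGD lives at the
 * 8 KiB-aligned physical address kernel_pgd_pa and which uses PCID pcid. */
uint64_t make_kernel_mode_cr3(uint64_t kernel_pgd_pa, uint64_t pcid) {
    return kernel_pgd_pa | (pcid & CR3_PCID_MASK);
}
uint64_t make_user_mode_cr3(uint64_t kernel_pgd_pa, uint64_t pcid) {
    uint64_t user_pcid = (pcid | CR3_PTI_USER_PCID_BIT) & CR3_PCID_MASK;
    return (kernel_pgd_pa | CR3_PTI_USER_PGD_BIT) | user_pcid;
}

static void show(const char *label, uint64_t cr3) {
    printf("%-16s CR3=%#" PRIx64 "  pcid=%#" PRIx64 "  user_pgd=%d  ~0xfff=%#" PRIx64
           "  ~0x1fff=%#" PRIx64 "\n",
           label, cr3, cr3_pcid(cr3), cr3_is_user_pgd(cr3),
           pgd_pcid_only_mask(cr3), kernel_pgd_from_cr3(cr3));
}

int main(void) {
    const uint64_t kernel_pgd_pa = 0x0a2c6000ULL; /* constructed, 8 KiB aligned */
    const uint64_t pcid = 5;                       /* constructed */

    /* Kernel-mode capture: both masks yield the kernel PGD. */
    show("kernel mode", make_kernel_mode_cr3(kernel_pgd_pa, pcid));
    /* User-mode capture (the breakpoint case): only the 13-bit mask
     * yields the kernel PGD; the 12-bit mask leaves the user copy. */
    show("user mode", make_user_mode_cr3(kernel_pgd_pa, pcid));
    return 0;
}
```

For the constructed values, the user-mode CR3 is 0x0a2c7805: masking with ~0xfff gives 0x0a2c7000 (the user PGD copy), masking with ~0x1fff gives 0x0a2c6000 (the kernel PGD that vmi_dtb_to_pid knows about). One caveat worth keeping in mind: the 13-bit mask relies on PTI kernels allocating PGDs as 8 KiB-aligned pairs. On a guest kernel running without PTI, PGDs are only 4 KiB aligned, so bit 12 can be a real address bit and the wider mask would corrupt the DTB; a fix inside vmi_dtb_to_pid would need to know whether the guest uses KPTI (or fall back to the 12-bit mask when the 13-bit lookup fails).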