How to trigger INT3 events repeatedly #31
Hi @wangbaba523, usually you have 2 solutions to implement a breakpoint based on
Can you share an example so we can investigate?
yes because
you can use recoiling, with a combination of interrupt and singlestep events. Your only way to hook an API at the moment is to rely on pagefaults.
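The "recoil" sequence mentioned above (INT3 hit, restore the original byte, let the guest execute that one instruction under single-step, then write 0xCC back) is easiest to see as a small state machine. The following is an added example, not code from libvmi or from the kvmi branches discussed here: it runs the recoil logic against a constructed toy guest (one byte per instruction, a nop/jump loop) instead of a real VM, with `on_int3` and `on_singlestep` standing in for the interrupt and singlestep event callbacks a libvmi tool would register. All names and the toy ISA are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy guest: one byte per instruction.
 * 0x90 = nop, 0xEB = jump back to address 0, 0xCC = INT3 (traps to us). */
#define OP_NOP   0x90
#define OP_JMP0  0xEB
#define OP_INT3  0xCC
#define MEM_SIZE 16

typedef struct {
    uint8_t  mem[MEM_SIZE];
    uint64_t rip;
    bool     singlestep;   /* models a monitor-trap style single-step request */
} guest_t;

typedef struct {
    uint64_t paddr;    /* where the 0xCC was planted */
    uint8_t  orig;     /* byte it replaced */
    bool     recoil;   /* re-arm after single-stepping, or leave it restored */
    unsigned hits;
} breakpoint_t;

/* INT3 event handler. Returns true if the trap was on our breakpoint. */
static bool on_int3(guest_t *g, breakpoint_t *bp)
{
    if (g->rip != bp->paddr)       /* not ours: leave it to the guest */
        return false;
    bp->hits++;
    /* Restore the original byte so the real instruction executes next.
     * The #BP is not reinjected and rip is not advanced. */
    g->mem[bp->paddr] = bp->orig;
    if (bp->recoil)
        g->singlestep = true;      /* ask for exactly one single-step event */
    return true;
}

/* Singlestep event handler: the restored instruction has now executed. */
static void on_singlestep(guest_t *g, breakpoint_t *bp)
{
    g->mem[bp->paddr] = OP_INT3;   /* re-arm so the next pass traps again */
    g->singlestep = false;
}

/* Plant the breakpoint the same way the posted snippet does: save the byte, write 0xCC. */
static void plant_breakpoint(guest_t *g, breakpoint_t *bp, uint64_t paddr, bool recoil)
{
    bp->paddr  = paddr;
    bp->orig   = g->mem[paddr];
    bp->recoil = recoil;
    bp->hits   = 0;
    g->mem[paddr] = OP_INT3;
}

/* Fetch/execute loop for the toy guest, delivering INT3 and single-step
 * "VM exits" to the handlers above. */
static void run_guest(guest_t *g, breakpoint_t *bp, unsigned max_steps)
{
    for (unsigned i = 0; i < max_steps; i++) {
        uint8_t insn = g->mem[g->rip];
        if (insn == OP_INT3) {                /* #BP exit, rip not advanced */
            if (!on_int3(g, bp))
                g->rip++;                     /* toy stand-in for reinjecting */
            continue;                         /* resume; fetches restored byte */
        }
        g->rip = (insn == OP_JMP0) ? 0 : g->rip + 1;
        if (g->singlestep)                    /* single-step exit after one insn */
            on_singlestep(g, bp);
    }
}

/* Guest program: nop, nop, nop, jmp 0. The loop passes over address 1 on
 * every iteration, so a breakpoint there should fire once per iteration. */
unsigned count_hits(bool recoil, unsigned max_steps)
{
    guest_t g = { .rip = 0, .singlestep = false };
    memset(g.mem, OP_NOP, sizeof g.mem);
    g.mem[3] = OP_JMP0;
    breakpoint_t bp;
    plant_breakpoint(&g, &bp, 1, recoil);
    run_guest(&g, &bp, max_steps);
    return bp.hits;
}

int main(void)
{
    printf("restore only: %u hit(s)\n", count_hits(false, 20));
    printf("recoil:       %u hit(s)\n", count_hits(true, 20));
    return 0;
}
```

With 20 toy steps the restore-only variant (what the posted `int3_cb` does) fires once and is then gone, while the recoil variant fires on every pass of the loop. Two things the toy hides but a real tool has to handle: the check that the trap really is on a breakpoint the tool planted (here the rip comparison; a guest's own INT3 must be reinjected), and the window between restoring the byte and re-arming it, during which another vCPU could run through the address without trapping. The emulate-instruction approach from breakpoint-emulate-example.c avoids that window, which is why it is attractive where the hypervisor supports it.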
@Wenzel, thank you for your reply.
```c
#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>
#include <libvmi/libvmi.h>
#include <libvmi/events.h>

/* orig_data was local to main() in the fragment, so int3_cb could not see it;
 * keep it and the breakpoint address at file scope instead. */
static addr_t paddr;
static uint8_t orig_data = 0;

event_response_t int3_cb(vmi_instance_t vmi, vmi_event_t *event)
{
    /* The #BP is ours: do not reinject it into the guest. */
    event->interrupt_event.reinject = 0;
    /* Restoring the original byte lets the guest run the real instruction,
     * but it also removes the breakpoint, so it fires only once. */
    if (VMI_FAILURE == vmi_write_8_pa(vmi, paddr, &orig_data)) {
        fprintf(stderr, "Failed to write breakpoint\n");
    }
    return VMI_EVENT_RESPONSE_NONE;
}

int main(void)
{
    vmi_instance_t vmi;              /* init, symbol lookup and the vaddr->paddr
                                        translation are omitted in the fragment */
    vmi_event_t interrupt_event = {0};
    addr_t vaddr = 0;
    const char *symbol = "<symbol>"; /* stands in for the fragment's data.symbol */

    if (VMI_FAILURE == vmi_read_8_pa(vmi, paddr, &orig_data)) {
        fprintf(stderr, "Failed to read breakpoint\n");
        goto error_exit;
    }
    uint8_t bp = 0xCC;               /* INT3 */
    if (VMI_FAILURE == vmi_write_8_pa(vmi, paddr, &bp)) {
        fprintf(stderr, "Failed to write breakpoint\n");
        goto error_exit;
    }
    printf("Symbol: %s, vaddr: %" PRIx64 ", paddr: %" PRIx64 ", opcode: 0x%02" PRIx8 "\n",
           symbol, vaddr, paddr, orig_data);
    /* Register event to track INT3 interrupts */
    SETUP_INTERRUPT_EVENT(&interrupt_event, int3_cb);
    if (VMI_FAILURE == vmi_register_event(vmi, &interrupt_event))
        goto error_exit;
    while (vmi_events_listen(vmi, 500) == VMI_SUCCESS)
        ;                            /* deliver events until an error */
error_exit:
    vmi_destroy(vmi);
    return 0;
}
```
Please check this breakpoint recoil I wrote on this experimental branch: kvmi_v7. This branch also implements singlestep events.
@Wenzel, um, yes. Could you tell me which version of KVM you are using? Is that kvmi-v7? And when a VM exit occurs due to INT3, is "handle_exception_nmi -> case BP_VECTOR" executed, and when a VM exit occurs due to single-step, is "handle_monitor_trap" executed?
yes: https://github.com/KVM-VMI/kvm/tree/kvmi-v7
I don't know the internals of the KVM introspection subsystem, as I'm mostly dealing with libvmi integration.
Correct.
@Wenzel @adlazar, thank you for your reply. I haven't installed the environment test yet, but looking at the code, I find that:
I successfully used the INT3 bp (in interrupt_event_example.c) in a KVM environment. However, in the int3_cb function it modifies the interrupt instruction back to the original instruction, so it is not guaranteed to trigger next time. And I found that using emulation instead of changing back to the original instruction can realize repeated triggering, but breakpoint-emulate-example.c is Xen only. So how to realize this on KVM? Thanks.