On 01/12/2015 19:30, Yacine HEBBAL wrote:
> Hi all,
> I'm trying to build some tools on top of kvm in order to debug, monitor and
> reverse engineer the guest OS (ubuntu 12.04, 32 bits).
> One of my tools walks through (and prints) the guest paging data structures
> as follows: cr3 -> pdpte -> pde -> pte -> page (PAE paging, 32 bits).
>
> According to my logs some accessed kernel PTEs are not present (pte =
> 9090909090909090) in all processes' address spaces (even from the init process
> cr3); however, when I use the function kvm_read_guest_virt_helper on their
> corresponding virtual addresses (GVAs), I get correct content (content
> correctness checked using the System.map file).
> Just after calling kvm_read_guest_virt_helper, I check again the PTEs
> corresponding to the read GVAs, and I see that they are unmapped (invalid, always
> 9090909090909090).
>
> I investigated a little the code of kvm_read_guest_virt_helper; this
> function calls vcpu->arch.walk_mmu->gva_to_gpa(vcpu, gva, ...) which in turn
> calls other functions until FNAME(walk_addr_generic), which seems to do the
> translation.
> walk_addr_generic seems to do the translation starting from the cr3 of the
> current process (in line: mmu->get_cr3(vcpu);) and works fine regardless of
> the identity of the current process (i.e. the current cr3).
>
> So how is the function gva_to_gpa able to read correctly any GVA that my
> tool sees as invalid (unmapped) in the paging structures, knowing that my tool
> is able to read and display correctly the content of (thousands of) other GVAs?
> I would be very thankful for any feedback :)

Unfortunately that's impossible to know without knowing your tool. How does it read guest memory?

Paolo
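The PAE walk the question describes (cr3 -> pdpte -> pde -> pte -> page), as an added Python example that is not part of this thread or of KVM's own code. The guest-physical image, CR3 value and addresses are constructed for the example; one PTE is filled with the 0x9090909090909090 pattern from the report so the walker shows how such an entry is classified (its P bit is clear, so it is not present), and a second PDE shows the 2 MiB large-page case the question's four-level description skips.

```python
import struct

# PAE paging (Intel SDM vol. 3, 4.4): 4-entry PDPT, 512-entry PD and PT, 8-byte entries
PRESENT = 1 << 0
PS = 1 << 7                        # in a PDE: maps a 2 MiB page directly, no PTE level
ADDR_MASK = 0x000F_FFFF_FFFF_F000  # bits 51:12 of an entry hold the next-level base

def read_qword(mem, gpa):
    return struct.unpack_from("<Q", mem, gpa)[0]

def walk_pae(mem, cr3, gva):
    """cr3 -> pdpte -> pde -> pte -> page. Returns (gpa or None, trail of entries read)."""
    trail = {}
    pdpte = read_qword(mem, (cr3 & ~0x1F) + ((gva >> 30) & 0x3) * 8)  # CR3 bits 31:5 = PDPT base
    trail["pdpte"] = pdpte
    if not pdpte & PRESENT:
        return None, trail
    pde = read_qword(mem, (pdpte & ADDR_MASK) + ((gva >> 21) & 0x1FF) * 8)
    trail["pde"] = pde
    if not pde & PRESENT:
        return None, trail
    if pde & PS:                                   # large page: bits 51:21 are the frame
        trail["gpa"] = (pde & 0x000F_FFFF_FFE0_0000) | (gva & 0x1F_FFFF)
        return trail["gpa"], trail
    pte = read_qword(mem, (pde & ADDR_MASK) + ((gva >> 12) & 0x1FF) * 8)
    trail["pte"] = pte
    if not pte & PRESENT:
        return None, trail
    trail["gpa"] = (pte & ADDR_MASK) | (gva & 0xFFF)
    return trail["gpa"], trail

# Constructed 20 KiB guest-physical image (not a real dump): PDPT at 0x1000, PD at 0x2000,
# PT at 0x3000, one data frame at 0x4000. Kernel GVAs 0xC0xxxxxx select PDPTE 3.
MEM = bytearray(0x5000)
CR3 = 0x1000
struct.pack_into("<Q", MEM, 0x1000 + 3 * 8, 0x2000 | PRESENT)          # pdpte[3] -> PD
struct.pack_into("<Q", MEM, 0x2000 + 0 * 8, 0x3000 | PRESENT)          # pde[0] -> PT
struct.pack_into("<Q", MEM, 0x2000 + 1 * 8, 0x200000 | PS | PRESENT)   # pde[1] -> 2 MiB page
struct.pack_into("<Q", MEM, 0x3000 + 256 * 8, 0x4000 | PRESENT)        # pte[256] -> frame 0x4000
struct.pack_into("<Q", MEM, 0x3000 + 257 * 8, 0x9090909090909090)      # pte[257]: pattern from the report
MEM[0x4000:0x4010] = b"constructed-text"

def read_guest_virt(mem, cr3, gva, n):
    """Read n bytes at gva through the walk; None if the translation is not present."""
    gpa, _trail = walk_pae(mem, cr3, gva)
    return None if gpa is None else bytes(mem[gpa:gpa + n])

if __name__ == "__main__":
    for gva in (0xC0100000, 0xC0101000, 0xC0200040, 0x00000000):
        print(hex(gva), walk_pae(MEM, CR3, gva))
```

Comparing the trail returned here with the entries a tool prints for the same GVA and CR3 shows at which level the two walks diverge.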