On 02/08/2017 15:32, Mihai Donțu wrote:
> We have currently identified three cases:
>
> * initial hooking of a guest

What triggers the initial hooking, and how is it done?

> * periodically checking the integrity of data that is not properly
> placed into a page and thus cannot be efficiently tracked via SPT

This only needs read memory (and it's okay for it to race against DMA because it's periodic).

> * injecting processes

This also doesn't need pause. IIRC you put a breakpoint somewhere, or make a page non-executable, to ensure the guest doesn't get in the way. DMA can still get in the way, but that can happen anyway right after process injection so it's not an issue.

Have you thought about monitoring hardware registers, for example in order to check that IOMMU page tables protect from overwriting the kernel?

Paolo