Hi, We are working on a project where we need to explore the virtual machine introspection technique in a nested environment. More specifically, we want to know if from L0, we can reconstruct the process list of L2. And to begin with, we just want to explore a relatively simple case, i.e., only one virtual machine at L1, and only one virtual machine at L2. Several studies have shown that from L0, people can reconstruct the process list of L1. For example, in the context of Qemu/KVM, the process linked list of L1 basically is existing in the L1's kernel space. And in Qemu, the function cpu_memory_rw_debug() allows us to access the virtual memory of L1. With the help of this function, we will be able to scan L1's kernel space thus reconstruct the process linked list. Now considering there is L2, can we still use cpu_memory_rw_debug() to scan somewhere and find out L2's process linked list? We have tried, but it doesn't work. Any hints on this? Like where exactly shall we search? We have been stuck in here for quite a while, any suggestions would be truly appreciated. Thanks! -Jidong
