Hi there, I'm currently working on my Master's thesis about Physical Memory Tracing. That is: systematically making snapshots of a guest operating system in order to analyze certain things. In the attachment is a screenshot of the recorded snapshots for an Arch Linux boot procedure. From left to right are the snapshots and from top to bottom is the guest physical address space. Just to give you an impression of what I am doing.

In order to get changes to memory regions I remove the write flag from writable memory regions in EPT. Now, if anything writes to this memory region, a #PF occurs. On this #PF I mark the memory region as dirty and set the write flag, so that future writes can pass until the next snapshot is made. The reason I'd like to do this is: I can just write the changed memory regions per snapshot and don't need to write everything again and again to disk.

My problem now is: How can I find the corresponding memory region of a faulting guest physical address? Is there some reverse mapping? Or do I need to traverse the whole EPT tree and look where this address is contained?

Thanks in advance for any replies.

Kind regards,
Dominic Fischer
Master student
University of Applied Science, Bern (ti.bfh.ch / sel.bfh.ch)
Attachment: 2013-03-08-131910_1920x1200_scrot.png (PNG image)
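An added illustration (not from the original mail) of the bookkeeping the question describes: if the write-tracked guest-physical ranges are kept in a sorted, non-overlapping table, the fault handler can find the range for a faulting GPA by binary search instead of walking the EPT. The region layout, addresses, and the `writable` flag standing in for the EPT write bit are all constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* One write-tracked guest-physical range [start, end). */
struct region {
    uint64_t start, end;
    bool writable;  /* stand-in for the EPT write permission bit */
    bool dirty;     /* written since the last snapshot */
};

/* Constructed sample layout: sorted by start, non-overlapping. */
static struct region regions[] = {
    { 0x00000000ULL, 0x0009f000ULL, false, false },
    { 0x00100000ULL, 0x07f00000ULL, false, false },
    { 0x07f00000ULL, 0x08000000ULL, false, false },
};
static const size_t nregions = sizeof regions / sizeof regions[0];

/* Reverse lookup: binary search the sorted table; -1 if untracked. */
int find_region(uint64_t gpa) {
    size_t lo = 0, hi = nregions;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (gpa < regions[mid].start)     hi = mid;
        else if (gpa >= regions[mid].end) lo = mid + 1;
        else                              return (int)mid;
    }
    return -1;
}

/* Write-fault handler: mark dirty, re-grant write so later writes pass until the next snapshot. */
bool handle_write_fault(uint64_t gpa) {
    int idx = find_region(gpa);
    if (idx < 0) return false;  /* untracked address: not ours */
    regions[idx].dirty = true;
    regions[idx].writable = true;
    return true;
}

/* Snapshot: bitmask of dirty regions (bit i = regions[i]), then clear dirty bits and re-protect all. */
uint64_t take_snapshot(void) {
    uint64_t mask = 0;
    for (size_t i = 0; i < nregions; i++) {
        if (regions[i].dirty) mask |= 1ULL << i;
        regions[i].dirty = false;
        regions[i].writable = false;
    }
    return mask;
}
```

Only the regions whose bit is set in the returned mask need to be written to disk for that snapshot; everything is write-protected again afterwards so the next round of faults starts clean.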