Log in

View Full Version : Some thing about Virtual Machine


vodu
June 20th, 2006, 13:38
I have a page beside a thread inside a process in Windows system which I attend to cut its hand from other pages. It is an executable page, I want when it reads/writes from/into other virtual memory pages, an exception rising. I can not make guard protection on all available pages on process. Do you have any idea about isolating this page from other pages?

Kayaker
June 20th, 2006, 22:59
Hi

Tricky question. I'll say something at least just to get a discussion going. You might be able to set the page to non-executable or non-present which would raise a page fault exception which you could handle. See the PaX implementation for more on this.

Like PAGE_GUARD though this seems like it would be a one-shot deal. Sure you could be notified when your page is forced to (re)load into memory, but what could you effectively do then other than preventing execution entirely? If the code contained in that page needs to run so the app doesn't crash, and the memory read/writes to *other* pages that you are trying to intercept occurs later in that page, you haven't really done much.

Can you describe more what you are trying to accomplish? As a stab in the dark I might guess you want to detect when a packer section writes or reads to another executable (or data) section and/or vice versa.

Kayaker

LLXX
June 20th, 2006, 23:21
OP looks like it was Babelfished.

I still don't understand why you can't set it as a guard page.

vodu
June 21st, 2006, 16:51
I should mention some notes regarding to virtual machine monitor, it is not completely a emulator, it executes code in control mode, when it detect a privilege instruction, it emulated the code otherwise it run code in controlled thread. By this aspect, I plan to make a simple virtual machine; I can detect the privilege code by EXCEPTION_PRIV_INSTRUCTION but I do not know how detect the following code:

MOV [XXX], XXX

I need to detect it in order to redirect to a Virtual RAM.

disavowed
June 21st, 2006, 23:51
You can detect MOV [XXX], XXX with guard pages. You can use SEH or VEH inside the target or you can use a debugger process to monitor the target process instead.

vodu
June 22nd, 2006, 03:24
Quote:
[Originally Posted by disavowed]You can detect MOV [XXX], XXX with guard pages. You can use SEH or VEH inside the target or you can use a debugger process to monitor the target process instead.


When I set a GUARD PAGE Protection on all available pages of process how code of parent thread is going to be run. I want when the MOV [XXX],XXX, the code of physical memory run an exception rising and it helps to execute code by Emulator. Do you think another point has been applied in VMWare or Virtua PC. About privileged exception, I am sure because you can detect VMWare by exception of IN or OUT instructions. Are there really Memory guard the note which has employed in those native code virtual machine?

disavowed
June 22nd, 2006, 22:23
Your real code should be in one set of memory pages. Your VM code should be in another set of memory pages. Set page-guards on the latter. Problem solved. (And if this isn't a valid solution then you need to do a better job explaining the problem.)

vodu
June 23rd, 2006, 03:09
I want just give some info about the job which I plan to do. This link might be useful.

http://www.floobydust.com/virtualization/lawton_1999.txt

vodu
June 23rd, 2006, 03:15
This is the important note:

Quote:

Following is the list, as mentioned. A 'Y' in the 2nd column,
means that when run at ring3, the IA32 processor naturally
generates a protection exception, thus giving our virtual
monitor code the chance to do something smart in the context
of this virtualization environment. A 'N' means we
can't make the processor give us the chance, so we need
to figure out how to handle this otherwise. A '*' denotes some
special commentary is necessary, and follows after the list.



TABLE 1
-------

protected in ring3

clts Y
hlt Y
in * (IOPL and TSS permission map)
ins * (IOPL and TSS permission map)
out * (IOPL and TSS permission map)
outs * (IOPL and TSS permission map)
lgdt Y
lidt Y
lldt Y
lmsw Y
ltr Y
mov r32, CRx Y
mov CRx, r32 Y
mov r32, DRx Y
mov DRx, r32 Y
mov r32, TRx Y
mov TRx, r32 Y

popf *
pushf *

cli Y (IOPL)
sti Y (IOPL)

sgdt N
sidt N
sldt N
smsw N
str N

verr N
verw N
lar N
lsl N

lds/les/lfs/lgs/lss *
mov r/m, Sreg *
mov Sreg, r/m *
push Sreg *
pop Sreg *

sysenter *
sysexit Y


Also of relevance to this topic, are instructions which
effect a control transfer or interrupt. The importance
of these instructions will become more evident later,
so for now I'll just list them:


TABLE 2
-------

call *
ret *
enter *
leave *
jcc *
jmp *
int/into/bound *
iret *
loop *
loope/z *
loopne/nz *
wait *



We can handle the instructions which have native protection ('Y')
while running at user-level, by an exception handler which
emulates the instruction in our virtualization context. This
is exactly what a v8086 mode monitor does. Fortunately, emulation
of nearly all x86 instructions is done in bochs already, so
there's not much ground to break here.

That leaves the set of instructions with a 'N' or '*' in column 2.
Following, I outline special considerations about each of these
instructions.

vodu
June 23rd, 2006, 03:31
http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=6,397,242.PN.&OS=PN/6,397,242&RS=PN/6,397,242

Quote:

In a computer that has hardware processor, and a memory, the invention provides a virtual machine monitor (VMM) and a virtual machine (VM) that has at least one virtual processor and is operatively connected to the VMM for running a sequence of VM instructions, which are either directly executable or non-directly executable. The VMM includes both a binary translation sub-system and a direct execution sub-system, as well as a sub-system that determines if VM instructions must be executed using binary translation, or if they can be executed using direct execution. Shadow descriptor tables in the VMM, corresponding to VM descriptor tables, segment tracking and memory tracing are used as factors in the decision of which execution mode to activate. The invention is particularly well-adapted for virtualizing computers in which the hardware processor has an Intel x86 architecture.

Maximus
June 23rd, 2006, 06:05
Just remember p4 can be set to break on conditionals, it can save you many problems and give a big speedup.