Wenzel · May 29, 2018 10:10
diff --git a/bug_resume.c b/bug_resume.c

 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
 #include <sys/mman.h>
 #include <stdio.h>
 #include <inttypes.h>
 #include <signal.h>
 #include <unistd.h>

 #include <libvmi/libvmi.h>
 #include <libvmi/events.h>

 static int interrupted = 0;

 event_response_t cb(vmi_instance_t vmi, vmi_event_t *event)
 {
    printf("Intercepted REG event\n");

    int *nb = (int*)event->data;

    *nb += 1;

    if (*nb == 3)
    {
        if ( VMI_FAILURE == vmi_pause_vm(vmi) )
        {
            printf("fail to pause vm\n");
        }
        interrupted = 1;
    }

    return VMI_EVENT_RESPONSE_NONE;
 }


 int main (int argc, char **argv)
 {
    vmi_instance_t vmi = NULL;
    status_t status = VMI_SUCCESS;

    if (argc < 2) {
        fprintf(stderr, "Usage: xen-emulate-response <name of VM>\n");
        return 1;
    }

    addr_t addr;

    char *name = NULL;

    // Arg 1 is the VM name.
    name = argv[1];

    // Initialize the libvmi library.
    if (VMI_FAILURE ==
            vmi_init_complete(&vmi, (void*)name, VMI_INIT_DOMAINNAME | VMI_INIT_EVENTS,
                              NULL, VMI_CONFIG_GLOBAL_FILE_ENTRY, NULL, NULL)) {
        printf("Failed to init LibVMI library.\n");
        return 1;
    }

    printf("LibVMI init succeeded!\n");

    vmi_event_t event;
    memset(&event, 0, sizeof(vmi_event_t));

    SETUP_REG_EVENT(&event, CR3, VMI_REGACCESS_W, 0, cb);
    int nb = 0;
    event.data = &nb;


    if ( VMI_FAILURE == vmi_register_event(vmi, &event) )
        goto leave;

    while (!interrupted) {
        printf("Waiting for events...\n");
        status = vmi_events_listen(vmi,500);
        if (status != VMI_SUCCESS) {
            printf("Error waiting for events, quitting...\n");
            interrupted = -1;
        }
    }
    printf("Finished listening to events.\n");
    printf("process all remaining events\n");
    if ( VMI_FAILURE == vmi_events_listen(vmi, 0) )
        goto leave;

    printf("clear reg event, this will disable monitoring of MOV-TO-CR3 events\n");
    if ( VMI_FAILURE == vmi_clear_event(vmi, &event, NULL) )
        goto leave;

    int sleep_time = 30;
    printf("sleep for %d sec\n", sleep_time);
    sleep(sleep_time);

    printf("resume VM\n");
    if ( VMI_FAILURE == vmi_resume_vm(vmi) )
        goto leave;

 leave:
    // cleanup any memory associated with the libvmi instance
    printf("destroy VMI instance (%d events pending)\n", vmi_are_events_pending(vmi));
    vmi_destroy(vmi);

    return 0;
 }

	#include <stdlib.h>
	#include <string.h>
	#include <errno.h>
	#include <sys/mman.h>
	#include <stdio.h>
	#include <inttypes.h>
	#include <signal.h>
	#include <unistd.h>

	#include <libvmi/libvmi.h>
	#include <libvmi/events.h>

	static int interrupted = 0;

	event_response_t cb(vmi_instance_t vmi, vmi_event_t *event)
	{
	printf("Intercepted REG event\n");

	int nb = (int)event->data;

	*nb += 1;

	if (*nb == 3)
	{
	if ( VMI_FAILURE == vmi_pause_vm(vmi) )
	{
	printf("fail to pause vm\n");
	}
	interrupted = 1;
	}

	return VMI_EVENT_RESPONSE_NONE;
	}


	int main (int argc, char **argv)
	{
	vmi_instance_t vmi = NULL;
	status_t status = VMI_SUCCESS;

	if (argc < 2) {
	fprintf(stderr, "Usage: xen-emulate-response <name of VM>\n");
	return 1;
	}

	addr_t addr;

	char *name = NULL;

	// Arg 1 is the VM name.
	name = argv[1];

	// Initialize the libvmi library.
	if (VMI_FAILURE ==
	vmi_init_complete(&vmi, (void*)name, VMI_INIT_DOMAINNAME \| VMI_INIT_EVENTS,
	NULL, VMI_CONFIG_GLOBAL_FILE_ENTRY, NULL, NULL)) {
	printf("Failed to init LibVMI library.\n");
	return 1;
	}

	printf("LibVMI init succeeded!\n");

	vmi_event_t event;
	memset(&event, 0, sizeof(vmi_event_t));

	SETUP_REG_EVENT(&event, CR3, VMI_REGACCESS_W, 0, cb);
	int nb = 0;
	event.data = &nb;


	if ( VMI_FAILURE == vmi_register_event(vmi, &event) )
	goto leave;

	while (!interrupted) {
	printf("Waiting for events...\n");
	status = vmi_events_listen(vmi,500);
	if (status != VMI_SUCCESS) {
	printf("Error waiting for events, quitting...\n");
	interrupted = -1;
	}
	}
	printf("Finished listening to events.\n");
	printf("process all remaining events\n");
	if ( VMI_FAILURE == vmi_events_listen(vmi, 0) )
	goto leave;

	printf("clear reg event, this will disable monitoring of MOV-TO-CR3 events\n");
	if ( VMI_FAILURE == vmi_clear_event(vmi, &event, NULL) )
	goto leave;

	int sleep_time = 30;
	printf("sleep for %d sec\n", sleep_time);
	sleep(sleep_time);

	printf("resume VM\n");
	if ( VMI_FAILURE == vmi_resume_vm(vmi) )
	goto leave;

	leave:
	// cleanup any memory associated with the libvmi instance
	printf("destroy VMI instance (%d events pending)\n", vmi_are_events_pending(vmi));
	vmi_destroy(vmi);

	return 0;
	}