@cwshu
Created September 27, 2017 07:46
vmi_read()
  => [VMI_TM_KERNEL_SYMBOL] vmi_translate_ksym2v()
  => vmi_pagetable_lookup_cache()
     // dtb = vmi->kpgd                            if pid == 0
     //     = vmi_pid_to_dtb(vmi, ctx->pid, &dtb)  if pid > 0
  => vmi_read_page(vmi, pfn)

vmi_pagetable_lookup_cache()
  => vmi->arch_interface->v2p()   // v2p_ia32e() in libvmi/arch/amd64.c
     // v2p_ia32e(): reads and resolves the page tables; accesses physical memory via vmi_read_64_pa()

vmi_read_page()
  => driver_read_page() => vmi->driver.read_page_ptr(vmi, page)
     // kvm_read_page() in libvmi/driver/kvm/kvm.c

kvm_read_page() => memory_cache_insert() => create_new_entry() => vmi->get_data_callback()
  // 3 kinds of get_data_callback, selected by memory_cache_init():
  // memory_cache_init(vmi, kvm_get_memory_shm_snapshot ...)
  // memory_cache_init(vmi, kvm_get_memory_patch ...)
  // memory_cache_init(vmi, kvm_get_memory_native ...)

kvm_get_memory_native() uses the QEMU QMP xp command: https://en.wikibooks.org/wiki/QEMU/Monitor#xp
kvm_get_memory_patch() connects to the socket kvm_get_instance(vmi)->socket_fd and sends a request
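The trace above has two halves: a v2p_ia32e()-style page-table walk from the DTB, and a pfn-keyed page cache whose miss handler is the driver's get_data_callback. The Python model below is an added example, not LibVMI code: it rebuilds that read path over a constructed guest physical memory (a flat bytearray holding hand-built PML4/PDPT/PD/PT pages), walks the four IA-32e levels including the 1 GiB and 2 MiB large-page cases and non-present entries, and serves reads through a cache that only calls the driver callback on a miss. Function names (v2p_ia32e, vmi_read, MemoryCache, get_memory_constructed), the page layout and the sample data are all assumptions made for the example.

```python
import struct

# Added example modelling LibVMI's vmi_read() path; not LibVMI code.
# Constants mirror IA-32e paging: bit 0 = present, bit 7 = page size (PS).
PAGE_SIZE = 0x1000
PRESENT = 1 << 0
PS = 1 << 7                                   # 1 GiB page in a PDPTE, 2 MiB page in a PDE
ENTRY_ADDR_MASK = 0x000F_FFFF_FFFF_F000       # bits 12..51 of a table entry

# Constructed guest physical memory: six 4 KiB pages in a flat bytearray.
PHYS = bytearray(6 * PAGE_SIZE)

def write_64_pa(paddr, value):
    struct.pack_into("<Q", PHYS, paddr, value)

def read_64_pa(paddr):
    """Stand-in for vmi_read_64_pa(): one little-endian qword from guest physical memory."""
    return struct.unpack_from("<Q", PHYS, paddr)[0]

def v2p_ia32e(dtb, vaddr):
    """Walk PML4 -> PDPT -> PD -> PT starting at the DTB (CR3), as v2p_ia32e() does.
    Returns the physical address, or None if any level is not present."""
    pml4e = read_64_pa((dtb & ENTRY_ADDR_MASK) + ((vaddr >> 39) & 0x1FF) * 8)
    if not pml4e & PRESENT:
        return None
    pdpte = read_64_pa((pml4e & ENTRY_ADDR_MASK) + ((vaddr >> 30) & 0x1FF) * 8)
    if not pdpte & PRESENT:
        return None
    if pdpte & PS:                                          # 1 GiB page: bits 30..51 + 30-bit offset
        return (pdpte & 0x000F_FFFF_C000_0000) | (vaddr & 0x3FFF_FFFF)
    pde = read_64_pa((pdpte & ENTRY_ADDR_MASK) + ((vaddr >> 21) & 0x1FF) * 8)
    if not pde & PRESENT:
        return None
    if pde & PS:                                            # 2 MiB page: bits 21..51 + 21-bit offset
        return (pde & 0x000F_FFFF_FFE0_0000) | (vaddr & 0x1F_FFFF)
    pte = read_64_pa((pde & ENTRY_ADDR_MASK) + ((vaddr >> 12) & 0x1FF) * 8)
    if not pte & PRESENT:
        return None
    return (pte & ENTRY_ADDR_MASK) | (vaddr & 0xFFF)        # 4 KiB page

def get_memory_constructed(paddr, length):
    """Plays the role of vmi->get_data_callback (e.g. kvm_get_memory_native): copy a page out of PHYS."""
    return bytes(PHYS[paddr:paddr + length])

class MemoryCache:
    """pfn-keyed page cache in the spirit of memory_cache_insert()/create_new_entry()."""
    def __init__(self, get_data):                 # like memory_cache_init(vmi, get_data_callback)
        self.get_data = get_data
        self.pages = {}
        self.misses = 0
    def read_page(self, pfn):
        if pfn not in self.pages:                 # miss: ask the driver callback for the page
            self.misses += 1
            self.pages[pfn] = self.get_data(pfn * PAGE_SIZE, PAGE_SIZE)
        return self.pages[pfn]

def vmi_read(cache, dtb, vaddr, count):
    """vmi_read()-style virtual read: translate every page touched, then copy from the cache.
    A non-present mapping raises rather than silently returning a short buffer."""
    out = bytearray()
    while len(out) < count:
        paddr = v2p_ia32e(dtb, vaddr)
        if paddr is None:
            raise LookupError("vaddr 0x%x not mapped under dtb 0x%x" % (vaddr, dtb))
        offset = paddr & 0xFFF
        chunk = min(count - len(out), PAGE_SIZE - offset)
        out += cache.read_page(paddr >> 12)[offset:offset + chunk]
        vaddr += chunk                            # next iteration re-translates across the page boundary
    return bytes(out)

# Constructed page tables: page 0 = PML4, 1 = PDPT, 2 = PD, 3 = PT, 4 and 5 = data pages.
KPGD = 0x0000                                     # stands in for vmi->kpgd (the pid == 0 case)
write_64_pa(0x0000 + 254 * 8, 0x1000 | PRESENT)       # PML4[254] -> PDPT
write_64_pa(0x1000 + 0 * 8, 0x2000 | PRESENT)         # PDPT[0]   -> PD
write_64_pa(0x2000 + 2 * 8, 0x3000 | PRESENT)         # PD[2]     -> PT
write_64_pa(0x2000 + 3 * 8, 0x200000 | PRESENT | PS)  # PD[3]     -> 2 MiB page (translation only)
write_64_pa(0x3000 + 1 * 8, 0x4000 | PRESENT)         # PT[1]     -> data page 4
write_64_pa(0x3000 + 2 * 8, 0x5000 | PRESENT)         # PT[2]     -> data page 5; PT[0] stays not present
PHYS[0x4234:0x4234 + 6] = b"kernel"                   # constructed sample data
PHYS[0x4FFC:0x5004] = b"ABCDEFGH"                     # straddles the page-4 / page-5 boundary

def vaddr_of(pml4, pdpt, pd, pt, off):
    """Compose a virtual address from its four table indices and page offset."""
    return (pml4 << 39) | (pdpt << 30) | (pd << 21) | (pt << 12) | off

if __name__ == "__main__":
    cache = MemoryCache(get_memory_constructed)
    print(vmi_read(cache, KPGD, vaddr_of(254, 0, 2, 1, 0x234), 6))   # b'kernel'
```

Two details matter for introspection tooling. First, an 8-byte read at offset 0xFFC is two translations, not one, because the neighbouring virtual page can map anywhere physically (or nowhere); reading straight on from the first physical address would return bytes from an unrelated page. Second, once a pfn is in the cache, the driver callback is not consulted again, so a guest write to that page is invisible until the entry is dropped; any analysis that repeats reads over a running VM has to account for that staleness.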