process_event() will not necessarily return the right syscall
Hi @Wenzel ,
Pushing syscall and popping it will not return the right one in all situations. Consider the situation where context switch occurs in the middle of handling one syscall. I think the previous version of process_event which calculates the name every time was better than this version.
That's true, I wanted to fix this for a while but I had more pressing matters to deal with.
At the beginning, I wanted to maintain a table of [CR3] -> [syscall_stack] to solve this I think, but you have syscalls that return from kernel mode with iret that we cannot catch. So some stack would only get bigger with time ...
At this point I started to work on the Bitdefender patches which will provide the next official VMI interface on KVM, should be easier to implement something on top of it.
Please look at the kvmi branches :+1:
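As an added illustration of both points in this thread (not nitro's own code), here is a small Python replay over a constructed trace: it contrasts a single global push/pop stack with the [CR3] -> [syscall_stack] map from the reply on a context switch, and shows the unmatched entries left behind when a syscall returns through iret without a trappable exit. The event format, CR3 values and tracker classes are my own assumptions.

```python
from collections import defaultdict

# Constructed trace, not captured from a real guest: (kind, cr3, syscall_nr).
# "enter" = SYSCALL/SYSENTER trap, "exit" = SYSRET/SYSEXIT trap. A change of
# CR3 between events is the context switch; there is no explicit switch event.
CR3_A, CR3_B = 0x1000, 0x2000
TRACE_CTX_SWITCH = [
    ("enter", CR3_A, 1),     # task A enters syscall 1 ...
    ("enter", CR3_B, 2),     # ... A is switched out, task B enters syscall 2 ...
    ("exit",  CR3_A, None),  # ... A is switched back in and returns from syscall 1
    ("exit",  CR3_B, None),  # B returns from syscall 2
]
# Same trace plus an entry whose return goes through IRET and is never trapped.
TRACE_IRET = TRACE_CTX_SWITCH + [("enter", CR3_A, 3)]

class GlobalStack:
    """Single push/pop stack: the scheme the issue says is wrong."""
    def __init__(self):
        self.stack = []
    def enter(self, cr3, nr):
        self.stack.append(nr)
    def exit(self, cr3):
        return self.stack.pop() if self.stack else None
    def pending(self):
        return len(self.stack)

class PerCr3Stack:
    """[CR3] -> [syscall_stack] map suggested in the reply."""
    def __init__(self):
        self.stacks = defaultdict(list)
    def enter(self, cr3, nr):
        self.stacks[cr3].append(nr)
    def exit(self, cr3):
        s = self.stacks[cr3]
        return s.pop() if s else None
    def pending(self):
        # Entries that never saw an exit trap (e.g. returned via IRET).
        return sum(len(s) for s in self.stacks.values())

def replay(tracker, trace):
    """Return [(cr3, syscall the tracker attributes to each exit trap)]."""
    matched = []
    for kind, cr3, nr in trace:
        if kind == "enter":
            tracker.enter(cr3, nr)
        else:
            matched.append((cr3, tracker.exit(cr3)))
    return matched

if __name__ == "__main__":
    for cls in (GlobalStack, PerCr3Stack):
        t = cls()
        print(cls.__name__, replay(t, TRACE_IRET), "pending:", t.pending())
```

The global stack attributes syscall 2 to task A's exit and syscall 1 to task B's; the per-CR3 map gets both right, but after the iret-returned entry both trackers are left with one entry that will never be popped.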