Shlomo Pongratz
Just added counters in the if statement "if event.direction == SyscallDirection.exit:" and in the corresponding "else:" statement, and print the balance.
Hi, From code reading of arch/x86/kvm/emulate.c::{em_syscall and em_sysret} I learn that in em_syscall event is marked present at the beginning of the routine regardless if the routine returns before the...
But if you put the code at the beginning of the sysret then this is before set_segment is called. Maybe you should just mark the present at the end of...
So it seems that for some successful syscalls there are failed sysrets. I just wonder if we can trust the values stored in the registers if we record at the...
The trust should also go for the syscall.
This is odd, I wonder if the number of times em_syscall and em_sysret are the same. The OS must return to user before issuing a new system call so maybe...
Hi, I added printk to em_syscall and em_sysret and found out that the number of times em_syscall is called is greater than the number of times em_sysret is called. This...
Hi, Just found out that all missing SYSRET belong to calls to NtContinue! That is I see SYSCALL with syscall number that matches NtContinue without a return. Can someone explain...
Hi, Funny but the link took me to the web page of "GME mining equipment production base," I think there is another issue regarding the association of syscall and sysret....
Hi, I don't think you need to have different code for Linux and Windows guests as both pass the system call number in the RAX register and if you use...