
descriptor trap goes infinite loop

Open archercreat opened this issue 4 years ago • 3 comments

Hello! I've just implemented a descriptor hook (VMI_EVENT_DESCRIPTOR_ACCESS). Nothing special, just boilerplate code. But what I've noticed is that drakvuf does not skip the instruction accessing the descriptor and it loops forever. Any idea on how to fix this? In the case of the cpuid callback, drakvuf explicitly advances rip to the next instruction. https://github.com/tklengyel/drakvuf/blob/a073d6124d2063b7eb3854df2f359f317aaacb6d/src/libdrakvuf/vmi.c#L941 But that is not possible for descriptor_event_t since it does not contain the instruction size.

archercreat avatar Jun 25 '21 08:06 archercreat

The instruction size comes from Xen. You have to check whether the hardware reports it and then you just need plumbing to pass that info down. Otherwise you need to disassemble the instruction at rip and increment by the size accordingly.

tklengyel avatar Jun 25 '21 11:06 tklengyel

Thank you Tamas, the first variant seems more reasonable. But I still don't understand why we would explicitly change rip in the case of the cpuid event, but not in the debug, cr3 and msr events. We also don't change rip in the libvmi examples. https://github.com/libvmi/libvmi/blob/master/examples/descriptor-event-example.c

archercreat avatar Jun 25 '21 12:06 archercreat

It depends on the event type whether you need to manually increase RIP or not. It's implementation specific. If the libvmi example shows you don't need to increase the RIP manually, then you wouldn't need to do that with DRAKVUF either. Unless of course you observe the same behavior with the libvmi examples, in which case it's also buggy.

tklengyel avatar Jun 25 '21 13:06 tklengyel