From: | Paolo Bonzini |
Subject: | Re: [Qemu-devel] different IDTs of the same VCPU |
Date: | Mon, 17 Mar 2014 13:20:00 +0100 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 |
On 17/03/2014 12:54, Alexander Binun wrote:
> Dear friends, great thanks! To summarize: we are trying to monitor VCPU IDT changes that are done by external parties (e.g. rootkits) and not by intra-KVM machinery. Are there parameters that witness such changes?
There is no way to intercept changes to the interrupt descriptor table. You can:
* look at the IDTR values on every vmexit, including before injecting an interrupt, but that won't protect from hijacking software interrupts such as int $0x80;
* protect the IDT from writing using KVM's page table mechanisms, but that won't catch the case when the IDT is changed to a whole new page.
Paolo
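
An added example, not part of the original message and not KVM code: a simulated per-vmexit check that compares the IDTR base and limit against a recorded baseline. It goes one step beyond the message by also decoding each gate's handler offset, because the IDTR holds only base and limit and so does not change when a gate is rewritten in place. The type names, the `demo` scenarios and all addresses are constructed, and the check still only observes state at the moment it runs.

```c
#include <stdint.h>
#include <stdio.h>
#define GATE_SIZE 16   /* size of one long-mode IDT gate descriptor */
#define VECTORS   256
enum { IDT_UNCHANGED = -1, IDT_IDTR_CHANGED = -2 };
/* Hypothetical monitor-side types; base and limit are what the IDTR holds. */
struct idtr { uint64_t base; uint16_t limit; };
struct idt_baseline { struct idtr idtr; uint64_t handler[VECTORS]; };

/* A gate stores its handler offset in bytes 0-1, 6-7 and 8-11. */
static uint64_t gate_handler(const uint8_t *g)
{
    static const int pos[8] = { 0, 1, 6, 7, 8, 9, 10, 11 };
    uint64_t off = 0;
    for (int i = 0; i < 8; i++) off |= (uint64_t)g[pos[i]] << (8 * i);
    return off;
}

/* idt is a copy of the guest memory that r.base points at (all 256 gates). */
void baseline_record(struct idt_baseline *b, struct idtr r, const uint8_t *idt)
{
    b->idtr = r;
    for (int v = 0; v < VECTORS; v++) b->handler[v] = gate_handler(idt + v * GATE_SIZE);
}

/* Per-vmexit check: IDT_UNCHANGED, IDT_IDTR_CHANGED, or first changed vector. */
int idt_check(const struct idt_baseline *b, struct idtr r, const uint8_t *idt)
{
    if (r.base != b->idtr.base || r.limit != b->idtr.limit)
        return IDT_IDTR_CHANGED;
    for (int v = 0; v < VECTORS; v++)
        if (gate_handler(idt + v * GATE_SIZE) != b->handler[v])
            return v;
    return IDT_UNCHANGED;
}

/* Constructed data: 0 = no change, 1 = gate 0x80 edited in place, 2 = IDTR moved. */
int demo(int scenario)
{
    static uint8_t idt[VECTORS * GATE_SIZE];
    struct idtr r = { 0xffff800000100000ULL, 0x0fff };   /* made-up values */
    struct idt_baseline b;
    for (int i = 0; i < VECTORS * GATE_SIZE; i++) idt[i] = (uint8_t)(i * 7);
    baseline_record(&b, r, idt);
    if (scenario == 1) idt[0x80 * GATE_SIZE + 6] ^= 0x10;
    if (scenario == 2) r.base += 0x1000;
    return idt_check(&b, r, idt);
}
int main(void) { for (int s = 0; s < 3; s++) printf("%d -> %d\n", s, demo(s)); return 0; }
```

In scenario 1 the IDTR comparison passes and only the gate comparison reports vector 0x80; in scenario 2 the IDTR comparison fires before any gate is read.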