Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to trigger INT3 events repeatedly #31

Open
wangbaba523 opened this issue Jun 26, 2020 · 7 comments
Open

How to trigger INT3 events repeatedly #31

wangbaba523 opened this issue Jun 26, 2020 · 7 comments

Comments

@wangbaba523
Copy link

I successfully used in3 bp (in interrupt_event_example. c) in KVM environment,However In in3_cb function it will modified interrupt instruction to changed to the original instruction, it is not guaranteed to trigger next time.And I found that using emulate instead of change to original instruction can realize repeated triggering, But breakpoint-emulate-example.c is xen only,So how to realization on kvm?Thanks.
@Wenzel
Copy link
Member

Wenzel commented Jun 27, 2020

Hi @wangbaba523,

Usually you have 2 solutions to implement a breakpoint based on int3

  • emulate the instruction
  • recoiling

And I found that using emulate instead of change to original instruction can realize repeated triggering

Can you share an example so we can investigate ?

But breakpoint-emulate-example.c is xen only

yes because SET_EMUL_INSN is only available for memory access events on KVM at this point.

So how to realization on kvm?

you can use recoiling, with a combination of interrupt and singlestep events.
The singlestep events are not yet implemented for KVM, so you have to wait a bit to try this solution.

Your only way to hook an API at the moment is to rely on pagefaults.
cc @mdontu, @adlazar

@wangbaba523
Copy link
Author

wangbaba523 commented Jun 27, 2020
edited by Wenzel
Loading

@Wenzel,Thank you for your reply.

  1. example is Assume paddr is the API NtOpenFile call address then
event_response_t int3_cb(vmi_instance_t vmi, vmi_event_t *event)
{
    
   if (VMI_FAILURE == vmi_write_8_pa(vmi, paddr, &orig_data )) {
        fprintf(stderr, "Failed to write breakpoint\n");
        goto error_exit;
    }
   
   return 1;
   
}
main()
{
  uint8_t orig_data = 0;  
 if (VMI_FAILURE == vmi_read_8_pa(vmi, paddr, &orig_data )) {
        fprintf(stderr, "Failed to read breakpoint\n");
        goto error_exit;
    }

uint8_t bp = 0xCC;
    if (VMI_FAILURE == vmi_write_8_pa(vmi, paddr, &bp)) {
        fprintf(stderr, "Failed to write breakpoint\n");
        goto error_exit;
    }
    printf("Symbol: %s, vaddr: %lx, paddr: %lx, opcode: 0x%"PRIx64"\n",
           data.symbol, vaddr, paddr, *(uint64_t*)data.emul.data);
    /* Register event to track INT3 interrupts */
    SETUP_INTERRUPT_EVENT(&interrupt_event, int3_cb);
    interrupt_event.data = &data;
}
  1. could you tell me more details about recoiling? I have combination of int3 bp and singlestep events for KVM, but there
    are some bug,So I turned to the way of emulation. You can give me a email, I will send my patch of code to you.
    3.Yes, I think hook an API rely on pagefaults will serious loss of efficiency,could you share an example about it?
    Thanks again!

@Wenzel
Copy link
Member

Wenzel commented Jun 29, 2020

Please check this breakpoint recoil i wrote on this experimental branch kvmi_v7
https://www.github.com/mtarral/libvmi/tree/kvmi_v7/examples%2Fbreakpoint-recoil-example.c

This branch also implements singlestep events

@wangbaba523
Copy link
Author

@Wenzel ,Um.yes could you tell me which version of KVM are you using,is that kvmi-v7? And when vm -exit occurs due to int3, it is executed "handle_execption_nmi->case BP_VECTOR", when vm -exit occurs due to single_step, it is executed "handle_monitor_trap"?

@Wenzel
Copy link
Member

Wenzel commented Jun 30, 2020

Um.yes could you tell me which version of KVM are you using,is that kvmi-v7?

yes: https://github.com/KVM-VMI/kvm/tree/kvmi-v7

And when vm -exit occurs due to int3, it is executed "handle_execption_nmi->case BP_VECTOR", when vm -exit occurs due to single_step, it is executed "handle_monitor_trap"?

I don't know the internals of KVM introspection subsystem, as I'm mostly dealing with libvmi integration.

@adlazar
Copy link

adlazar commented Jun 30, 2020

And when vm -exit occurs due to int3, it is executed "handle_execption_nmi->case BP_VECTOR", when vm -exit occurs due to single_step, it is executed "handle_monitor_trap"?

correct

@wangbaba523
Copy link
Author

@Wenzel @adlazar ,Thank you for your reply,I haven't installed the environment test yet, but looking at the code, I find that:

  1. when int3 occurs, it calls back to "breakpoint_cb": In this case, the original opcode will be written back, and enable the vcpu singlestep.

  2. Then the VM will return to the guest mode and re execute this instruction, but this will be triggered to singlestep callback("single_step_cb"),In this case, disable vcpu singlestep , and write 0xcc to va( replace the original opcode).
    I think this instruction cannot be executed and always switches between 1 and 2.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Wenzel @adlazar @wangbaba523