VMI API

This section describes what can be done with a virtual machine introspection (VMI) API.

  • Query and modify the VM hardware state
    • read/write VCPU registers
    • read/write physical memory
  • Subscribe and listen to hardware events
    • mov to/from CR3/CR8
    • mov to/from DRx
    • mov to/from MSR
    • interrupts
    • singlestep (MTF)
    • hypercalls
    • descriptors
    • SLAT (Second Level Address Translation) events
      • r/w/x event on a page
      • dynamically switch to multiple memory views using alternate SLAT pointers
    • Intel Processor Trace packets
  • Utilities
    • foreign mapping
    • pagefault injection

Xen

VMI APIs have been available upstream since Xen 4.1.

  • Xen Wiki on Virtual Machine Introspection
  • VMI APIs can be found in xenctrl.h
  • Accessing the VM's hardware state
    • get number of VCPUs: ✅
    • get maximum gfn: ✅
    • pause/resume: ✅
    • r/w physical memory: ✅
    • r/w virtual memory: ✅
    • r/w VCPU registers: ✅
  • Intercept VM's hardware events
    • control registers: ✅
    • extended control registers: ✅
    • debug registers: ✅
    • MSR: ✅
    • singlesteps: ✅
    • interrupts: ✅
    • descriptors: ✅
    • hypercalls: ✅
    • CPUID: ✅
    • memory: ✅
    • alternate SLAT: ✅
  • Utilities
    • foreign mapping: ✅
    • exception injection: ✅

KVM

VMI APIs are currently being developed by Bitdefender and are in review on the mailing list.

  • KVM-VMI project
  • libkvmi.h
  • kvmi.h
  • Accessing the VM's hardware state
    • get number of VCPUs: ✅
    • get maximum gfn: ❌
    • pause/resume: ✅
    • r/w physical memory: ✅
    • r/w virtual memory: ❌
    • r/w VCPU registers: ✅
  • Intercept VM's hardware events
    • control registers: ✅
    • extended control registers: ❌
    • debug registers: ✅
    • MSR: ✅
    • singlesteps: ❌
    • interrupts: ✅
    • descriptors: ✅
    • hypercalls: ✅
    • CPUID: ❌
    • memory: ✅
    • alternate SLAT: ❌
  • Utilities
    • foreign mapping: ✅
    • exception injection: ✅

Note:

  • SLAT: Second Level Address Translation