xen-devel

[Top] [All Lists]

Re: [Xen-devel] Logging Access to HDD

from [Michal Novotny]

[Permanent Link][Original]

To:	Heiko Wundram <modelnine@xxxxxxxxxxxxx>
Subject:	Re: [Xen-devel] Logging Access to HDD
From:	Michal Novotny <minovotn@xxxxxxxxxx>
Date:	Tue, 19 Apr 2011 12:08:06 +0200
Cc:	xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date:	Tue, 19 Apr 2011 03:08:42 -0700
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to:	<4DAD5D9C.1020105@xxxxxxxxxxxxx>
List-help:	<mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id:	Xen developer discussion <xen-devel.lists.xensource.com>
List-post:	<mailto:xen-devel@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References:	<4DAD5296.70204@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <AEC6C66638C05B468B556EA548C1A77D01CC8B2B@trantor> <4DAD5968.1030408@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <4DAD5D9C.1020105@xxxxxxxxxxxxx>
Sender:	xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent:	Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.12) Gecko/20101103 Fedora/1.0-0.33.b2pre.fc14 Lightning/1.0b2 Thunderbird/3.1.6

On 04/19/2011 12:02 PM, Heiko Wundram wrote:
> Am 19.04.2011 11:44, schrieb Sebastian Biedermann:
>> I dont need to log every single byte, it would be enough to know which
>> file is accessed by the domU inside its image.
>> So when I use HVM I need to modify qemu and not the xen source?
> Won't work: the outer layer only sees block accesses, and not "actual"
> file accesses, so you're only able to log (if patching qemu) which
> blocks of the virtualized hard disk of your Windows system are accessed.
> You'd need to correlate this to additional data that's stored on the
> disk itself to find out which file a block that's accessed by the system
> belongs to.
>
> Doing this kind of correlation from the outside is hard, and it should
> be much easier to plug a device driver into Windows itself which
> intercepts the filesystem calls in NTFS.sys (which implements the VFS
> for NTFS accesses under windows) to retrieve the accessed files from the
> system itself (namely at the layer which knows about the filesystem
> structure of an NTFS filesystem, which qemu as hardware virtualizer does
> not).
>

That's right. I remember some time ago I've been using API hooking
techniques to do similar stuff so if you implement an API hook directly
to Windows you can achieve the job of file changes. More over, I think
Windows is having some iNotify-like API as well - something like
FindFirstChange() or similar...

Michal

-- 
Michal Novotny <minovotn@xxxxxxxxxx>, RHCE
Virtualization Team (xen userspace), Red Hat


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
[Xen-devel] Logging Access to HDD, Sebastian Biedermann RE: [Xen-devel] Logging Access to HDD, James Harper Re: [Xen-devel] Logging Access to HDD, Sebastian Biedermann Re: [Xen-devel] Logging Access to HDD, Michal Novotny Re: [Xen-devel] Logging Access to HDD, Sebastian Biedermann Re: [Xen-devel] Logging Access to HDD, Heiko Wundram Re: [Xen-devel] Logging Access to HDD, Michal Novotny <= Re: [Xen-devel] Logging Access to HDD, Laszlo Ersek Re: [Xen-devel] Logging Access to HDD, Michal Novotny

Previous by Date:	Re: [Xen-devel] Logging Access to HDD, Heiko Wundram
Next by Date:	Re: [Xen-devel] Logging Access to HDD, Laszlo Ersek
Previous by Thread:	Re: [Xen-devel] Logging Access to HDD, Heiko Wundram
Next by Thread:	Re: [Xen-devel] Logging Access to HDD, Laszlo Ersek
Indexes:	[Date] [Thread] [Top] [All Lists]