WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
xen-api

[Xen-API] Hypercall to modify IDT - rootkit development

To: xen-api@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-API] Hypercall to modify IDT - rootkit development
From: Elena <elena.junk@xxxxxxxxx>
Date: Tue, 9 Feb 2010 20:31:51 +0100
Delivery-date: Tue, 09 Feb 2010 11:31:49 -0800
Hi,

I'd like to try to construct a simple rootkit for a paravirtualized guest VM in Xen (Linux 2.6.18.8 kernel and Xen 3.2.1).
I'd like to do interrupt hooking, like modifying the first few instructions of the interrupt handler.
I know that in a paravirtualized guest it is a virtual IDT, but I don't know how to modify it.
What hypercall is involved in doing this?

In other words, I'd like to test my hypercall interception from dom0, with the final aim of detecting those types of rootkit.

Thanks in advance and sorry for my English :-)
Elena