
A student seeking help: HVMI instruction emulation crashes on Windows guest (tried many approaches, still stuck)


  • To: xen-users@xxxxxxxxxxxxxxxxxxxx
  • From: xf zhang <zhangxf344@xxxxxxxxx>
  • Date: Wed, 13 May 2026 21:38:09 +0800
  • Delivery-date: Thu, 14 May 2026 04:07:46 +0000
  • List-id: Xen user discussion <xen-users.lists.xenproject.org>

Dear HVMI maintainers and Xen community,

Hello! I am a Chinese student currently learning and researching Virtual Machine Introspection (VMI) technology. I have been working with HVMI and encountered several persistent issues. I would like to kindly ask if there are any known solutions or workarounds.

Background: To test and reproduce these issues, I have kept my Windows guest running for several days and tried many different approaches (including source code modifications and configuration changes). Unfortunately, nothing has worked so far. The issues keep recurring, and I am truly stuck. I would greatly appreciate your guidance.

Please forgive me if I have misunderstood anything.


My Environment

Item            Information
Host            Linux (Ubuntu [20.04])
Guest           Windows ([Windows 10_17763_x64])
Virtualization  [Xen]



Issues Encountered

When using HVMI to introspect a Windows guest, the introcore module crashes when handling certain instructions due to "spills in the next entry". Here are the specific issues:

Issue 1: MOVZX causes process crash

    [ERROR] Access at 1aafa7 spills in the next entry, size 4, instruction 'MOVZX'
    [ERROR] IntHookPtwEmulateWrite failed: 0xe1000508
    process 48416 crashed

Issue 2: PUSH causes introspection engine shutdown

    [ERROR] Access at 1aa975 spills in the next entry, size 8, instruction 'PUSH'
    [ERROR] IntHookPtwEmulateWrite failed: 0xe1000508
    Introcore shutdown complete

Issue 3: CMP instruction not supported

    [ERROR] Instruction 'CMP dword ptr [rbx+0x108], esi' not supported
    Introcore shutdown complete

Issue 4: Agent deployment fails (cascading effect)

    [WARNING] Agent bdQL9CeR.exe will not be deployed as the guest is NOT initialized!

What I Have Tried (all failed)

I have spent several days trying the following approaches, but the issues persist:

  1. Source code modifications: Commented out IntBugCheck(), forced INT_STATUS_SUCCESS return

  2. Configuration changes: Tried disabling certain hook types, modified EPT protection parameters

  3. Restarting services: Restarted hvmid and the guest VM multiple times

  4. Different Windows versions: Tried both Windows 10 and Windows 7

  5. Documentation search: Searched for HVMI-related resources but found no similar solutions


My Questions

  1. Are there any known solutions or patches for these issues?

  2. Are there any plans to fix these issues in future releases?

  3. If no official fix is available yet, could you suggest any temporary workarounds? (e.g., disabling certain hook types, changing configuration parameters, etc.)

  4. Do you have any advice for a student learning HVMI and VMI technology?



Thank you for your open-source work on HVMI and the Xen community, which has given students like me the opportunity to learn and explore VMI technology. I look forward to your reply.

Best regards,

Xiaofei Zhang

Beijing University of Posts and Telecommunications
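
Added example, not part of the original message and not HVMI code: a small triage helper that parses the two "spills in the next entry" lines quoted above and computes how many bytes of each write fall past the entry it starts in. It assumes that "entry" means an 8-byte x86-64 paging-structure entry and that the logged address is the start of the write; the names ptw_access, spill_bytes and parse_spill_line are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PTE_SIZE 8u  /* assumption: 8-byte x86-64 paging-structure entries */

typedef struct {
    uint64_t addr;      /* address from the log line (hex) */
    unsigned size;      /* access size in bytes */
    unsigned offset;    /* byte offset inside the 8-byte entry */
    unsigned overflow;  /* bytes that land in the following entry */
    char     insn[16];  /* mnemonic from the log line */
} ptw_access;

/* Bytes of an access that fall past the end of its entry (0 = contained). */
static unsigned spill_bytes(uint64_t addr, unsigned size)
{
    unsigned end = (unsigned)(addr % PTE_SIZE) + size;
    return end > PTE_SIZE ? end - PTE_SIZE : 0;
}

/* Parse one "Access at ... spills" line; returns 1 on success, 0 otherwise. */
static int parse_spill_line(const char *line, ptw_access *out)
{
    unsigned long long addr;
    const char *p = strstr(line, "Access at ");
    if (!p) return 0;
    if (sscanf(p, "Access at %llx spills in the next entry, size %u, "
                  "instruction '%15[^']'", &addr, &out->size, out->insn) != 3)
        return 0;
    out->addr = addr;
    out->offset = (unsigned)(addr % PTE_SIZE);
    out->overflow = spill_bytes(addr, out->size);
    return 1;
}

int main(void)
{
    /* The two log lines quoted in the message above. */
    const char *lines[] = {
        "[ERROR] Access at 1aafa7 spills in the next entry, size 4, instruction 'MOVZX'",
        "[ERROR] Access at 1aa975 spills in the next entry, size 8, instruction 'PUSH'",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        ptw_access a;
        if (parse_spill_line(lines[i], &a))
            printf("%-5s addr=0x%llx offset=%u size=%u -> %u byte(s) past the entry\n",
                   a.insn, (unsigned long long)a.addr, a.offset, a.size, a.overflow);
    }
    return 0;
}
```

Under these assumptions both logged writes start at an offset that is not a multiple of 8 (7 and 5), so each one crosses into the following entry.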
