Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

process_event() will not necessarly return the right syscall #74

Open
aghamir opened this issue Nov 13, 2018 · 1 comment
Open

process_event() will not necessarly return the right syscall #74

aghamir opened this issue Nov 13, 2018 · 1 comment

Comments

@aghamir
Copy link

aghamir commented Nov 13, 2018

Hi @Wenzel ,
Pushing syscall and poping it will not return the right one in all situations. Consider the situation where context switch occurs in the middle of handling one syscall. I think the previous version of process_event which calculates the name every time was better than this version.
@Wenzel
Copy link
Member

Wenzel commented Nov 13, 2018

That's true, i wanted to fix this for a while but I had more pressing matters to deal with.

At the beginning, I wanted to maintain a table of [CR3] -> [syscall_stack] to solve this I think, but you have syscalls that return from kernel mode with iret that we cannot catch. so some stack would only get bigger with time ...

At this point I started to work on the Bitdefender patches which will provide the next official VMI interface on KVM, should be easier to implement something on top of it.
Please look at the kvmi branches 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Wenzel @aghamir