  Message 1 of 4  
15 Jul 17 15:22
Paul Smith
xxxxxx@gmail.com
Join Date: 29 Jun 2011
Posts To This List: 12
VT-X EPT experiment

I modified SimpleVisor (a small Windows hypervisor implemented as a driver) to remove RW access to the guest's PML4. I remove RW access on every syscall (I have the PML4 physical address from the guest's CR3). This causes an EPT violation immediately when accessing the kernel address space, which is OK. As a test, I handle this violation by restoring RW access to the guest's PML4 and continuing the guest. This method works for 1-2 s, then the OS hangs (VMware) or restarts after a few seconds (bare metal). All debug output in WinDbg stops and WinDbg becomes unresponsive. How is this possible? I have asserts in my code to break on GuestCR3 == HostCR3 and they are not triggered. In what other situations is the above method wrong? The hypervisor runs at IRQL=HIGH_LEVEL so it can't be preempted by another thread -- this eliminates concurrency issues, correct?
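A constructed model of the arm/restore cycle described above, added here as an example; it is not code from SimpleVisor or from the poster. It assumes a flat 16-page stand-in for the EPT (one leaf entry per 4K guest-physical page) and hypothetical function names; the permission bits, CR3 layout and exit-qualification bits follow the Intel SDM.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* EPT leaf-entry permission bits and PFN field (Intel SDM Vol. 3, Ch. 28). */
#define EPT_READ         (1ull << 0)
#define EPT_WRITE        (1ull << 1)
#define EPT_EXEC         (1ull << 2)
#define EPT_PFN_MASK     0x000FFFFFFFFFF000ull   /* bits 12..51 */

/* EPT-violation exit qualification: bits 3..5 report what the entry allowed. */
#define EPTV_WAS_READABLE (1ull << 3)
#define EPTV_WAS_WRITABLE (1ull << 4)

/* Constructed stand-in for the EPT; a real one is shared by every core that uses
   the same EPTP, so arming/restoring from one core is visible to all of them. */
#define MODEL_PAGES 16
struct ept_model {
    uint64_t leaf[MODEL_PAGES];
    bool needs_invept;    /* set whenever an entry changes; flush before VMRESUME */
};

enum exit_action { ACTION_RESUME_SAME_RIP, ACTION_UNHANDLED };

/* Guest CR3 bits 12..51 hold the PML4 physical address; low bits are PCID/PWT/PCD. */
uint64_t pml4_pa_from_cr3(uint64_t guest_cr3) { return guest_cr3 & EPT_PFN_MASK; }

static uint64_t *ept_leaf(struct ept_model *m, uint64_t gpa) {
    uint64_t pfn = gpa >> 12;
    return pfn < MODEL_PAGES ? &m->leaf[pfn] : NULL;
}

/* Syscall-exit hook: strip access to the guest's PML4 page. X is cleared too,
   because an R=0,W=0,X=1 entry is a misconfiguration unless execute-only EPT is supported. */
bool arm_pml4_trap(struct ept_model *m, uint64_t guest_cr3) {
    uint64_t *e = ept_leaf(m, pml4_pa_from_cr3(guest_cr3));
    if (!e) return false;
    *e &= ~(EPT_READ | EPT_WRITE | EPT_EXEC);
    m->needs_invept = true;
    return true;
}

/* EPT-violation exit: if the fault is on the armed PML4 page, restore access and
   re-execute the faulting instruction (guest RIP must not be advanced). */
enum exit_action handle_ept_violation(struct ept_model *m, uint64_t guest_cr3,
                                      uint64_t fault_gpa, uint64_t exit_qual) {
    if ((fault_gpa & EPT_PFN_MASK) != pml4_pa_from_cr3(guest_cr3))
        return ACTION_UNHANDLED;      /* not our trap: treat as a genuine EPT bug */
    if (exit_qual & (EPTV_WAS_READABLE | EPTV_WAS_WRITABLE))
        return ACTION_UNHANDLED;      /* entry already allowed it: not our trap */
    uint64_t *e = ept_leaf(m, fault_gpa);
    if (!e) return ACTION_UNHANDLED;
    *e |= EPT_READ | EPT_WRITE | EPT_EXEC;
    m->needs_invept = true;           /* otherwise a cached translation may stay stale */
    return ACTION_RESUME_SAME_RIP;
}
```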
  Message 2 of 4  
15 Jul 17 20:47
Jan Bottorff
xxxxxx@pmatrix.com
Join Date: 16 Apr 2013
Posts To This List: 394
VT-X EPT experiment

Running at HIGH_LEVEL only eliminates concurrency if you are running on a single core. You likely are running on multiple cores, and raising the IRQL does not synchronize between cores.

Jan

On 7/15/17, 12:21 PM, "xxxxx@lists.osr.com on behalf of xxxxx@gmail.com" wrote:
> The hypervisor runs on IRQL=HIGH_LEVEL so it can't be preempted by another thread -- this eliminates concurrency issues, correct?
  Message 3 of 4  
16 Jul 17 01:59
Paul Smith
xxxxxx@gmail.com
Join Date: 29 Jun 2011
Posts To This List: 12
VT-X EPT experiment

I'm testing on single core.
  Message 4 of 4  
17 Jul 17 09:08
Gerhart
xxxxxx@gmail.com
Join Date: 18 May 2014
Posts To This List: 9
VT-X EPT experiment

Try disabling all debug output. Frequent calls to DbgPrint can hang your system (using WPP can help with that). And what does "I remove RW access on every syscall. This causes an EPT violation immediately when accessing the kernel address space, which is ok." mean? Do you block every kernel page? Or all pages which contain functions from the SDT?
Copyright ©2015, OSR Open Systems Resources, Inc.