<br><br>On Thursday, April 6, 2017, W. Michael Petullo <<a href="mailto:mike@flyn.org">mike@flyn.org</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">>> I am writing some software that monitors a guest VM using virtual-machine<br>
>> introspection and "hijacks" system calls under certain conditions. For<br>
>> example, the program might inject an int3/breakpoint into the guest<br>
>> kernel at the entry point to sys_open. When the breakpoint is hit, the<br>
>> program might set the guest instruction pointer to the address to which<br>
>> sys_open would have itself returned and set register RAX to some desired<br>
>> error-code return value.<br>
>><br>
>> The problem I am encountering is that for some reason the process is<br>
>> triggering a "uprobe ... failed to handle uretprobe" message from the<br>
>> guest kernel. I do not yet know enough about uprobes to understand what<br>
>> might be causing this. Is there something in procedures such as sys_open<br>
>> which must execute to prevent the error which causes the kernel to print<br>
>> this message?<br>
<br>
>> What vm hypervisor do you use?<br>
<br>
We are using Xen + libvmi.<br>
<br>
I have continued to read the kernel sources, and as best as I can<br>
understand it the kernel installs uprobe instrumentation if it detects<br>
a software breakpoint. Our program does not reinject the software<br>
breakpoints it services back into the guest, so I am still trying to<br>
figure out why uprobes seems to get triggered.<br>
<br>
--<br>
Mike<br>
<br>
:wq<br>
</blockquote><div><br></div><div>I am not really into xen, but afaik both guest and host xen kernel is modified in order to facilitate hypercall</div><div><br></div><div>Thus, i suggest you study first how hypercall works</div><div><br></div><div>Regards,</div><div><br></div><div>Mulyadi</div><br><br>-- <br>regards,<br><br>Mulyadi Santosa<br>Freelance Linux trainer and consultant<br><br>blog: <a href="http://the-hydra.blogspot.com">the-hydra.blogspot.com</a><br>training: <a href="http://mulyaditraining.blogspot.com">mulyaditraining.blogspot.com</a><br>