Conversation

Does anyone know if it's possible to trigger VM-exit on transition between kernelmode <-> usermode? Ideally, when CPL is changed. I'm aware that there probably won't be a direct way, but I can't even think of any "trick" that would bring me close.

namazso

@namazso

I think a way could be just making LSTAR point at invalid address, and exiting on all interrupts. Then MTF-ing over all the kernelmode code until we get back to usermode again. This is probably even slower than your proposed solution, since that's almost how hvs worked before EPT

9:15 PM · Jul 1, 2019

Petr Beneš

@PetrBenes

Jul 1, 2019

That would be painfully slow and it would resolve only syscalls (which can be much easily solved by EFER.SCE=0). Interrupts/exceptions is what's bugging me the most.

namazso

@namazso

Jul 1, 2019

Hm, maybe you could do what hypervisors before EPT used to do with copying, monitoring writes and spoofing to a shadow page table for each normal page table, except with two for each, one um executable, one km executable. Should be faster than rebuilding EPT every new CR3

Show replies