Hello,
I've posted the question on the forum (
http://forum.virtualbox.org/viewtopic.php?f=6&t=30091 ) but it's probably best
asked here.
I've searched but couldn't yet find a concrete answer to the question of how
VirtualBox catches privileged instructions (without hardware virtualization
support).
For example, when raw in/out instructions are executed in guest user mode, the
instructions would usually generate a General Protection exception. Does
VirtualBox patch the #GP vector in the Windows host's IDT to trap it? Does
VirtualBox receive information from the Windows host after Microsoft's
original kernel interrupt handler has executed? (Seems unlikely.)
Does VirtualBox keep patching and un-patching the IDT for every instance of a
VirtualBox guest that is running? When a guest is descheduled from execution,
does VBox un-patch the IDT / load Windows' original interrupt descriptor table?
If VirtualBox patches the IDT, how does it do it on 64-bit Windows, which runs
PatchGuard and should stop non-Microsoft drivers from modifying the IDT? (Is
support from hardware virtualization a must there?)
I've run VMWare and VirtualBox at the same time on a Windows XP SP3, 32-bit
host. I've checked the address of the IDT from user mode with the sidt
instruction (in a loop to see if it changes) and it was like this:
VMWare: FFC18000 (if acceleration was disabled sidt was emulated and it
showed 8003F400)
VirtualBox: F8808190 (with disabled VT-x/AMD-V)
real machine: 8003F400 / BAB3C590 (CPU with two cores).
From what I understand sidt can't be caught, so the values should normally be
unmodified by the VMM (unless patched), and if there was an exception the CPU
would automatically and directly jump to the address stored in the IDT.
But I don't seem to be able to read memory at F8808190 or FFC18000 (though I
can read the IDT tables at 8003F400 / BAB3C590, and the addresses in them seem
to point to ntkrnlpa.exe).
Best regards,
Andrei
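The post reads the IDT register with sidt and then inspects the table it points at. As an added example (not code from the post or from VirtualBox), the following decodes the two structures involved on a 32-bit x86 host: the 6-byte IDTR that sidt stores (limit + base) and one 8-byte gate descriptor out of the table, then checks whether the #GP handler address falls inside an expected kernel image range. The IDTR base 0x8003F400 is the value reported in the post; the gate contents, the vector-13 handler address 0x8053A8E0 and the kernel range are constructed sample values, not real ones.

```c
#include <stdint.h>
#include <stdio.h>

/* IDTR as stored by SIDT on a 32-bit host: 16-bit limit, 32-bit linear base. */
typedef struct { uint16_t limit; uint32_t base; } idtr32_t;

/* Decoded 32-bit gate descriptor (one 8-byte IDT entry). */
typedef struct {
    uint32_t offset;   /* handler linear address */
    uint16_t selector; /* code segment selector the handler runs with */
    unsigned type;     /* 0xE = 32-bit interrupt gate, 0xF = 32-bit trap gate */
    unsigned dpl;      /* descriptor privilege level */
    unsigned present;  /* P bit */
} gate32_t;

idtr32_t parse_idtr32(const uint8_t b[6]) {
    idtr32_t r;
    r.limit = (uint16_t)(b[0] | (b[1] << 8));
    r.base = (uint32_t)b[2] | ((uint32_t)b[3] << 8) |
             ((uint32_t)b[4] << 16) | ((uint32_t)b[5] << 24);
    return r;
}

/* Limit is the table size in bytes minus one; each gate is 8 bytes. */
unsigned idt_entry_count(idtr32_t r) { return ((unsigned)r.limit + 1) / 8; }

gate32_t parse_gate32(const uint8_t e[8]) {
    gate32_t g;
    g.offset = ((uint32_t)(e[6] | (e[7] << 8)) << 16) | (uint32_t)(e[0] | (e[1] << 8));
    g.selector = (uint16_t)(e[2] | (e[3] << 8));
    g.type = e[5] & 0x0F;         /* low nibble of the access byte */
    g.dpl = (e[5] >> 5) & 3;
    g.present = (e[5] >> 7) & 1;
    return g;
}

/* An integrity check: a present gate whose handler lies outside [lo, hi) is suspicious. */
int handler_in_range(const gate32_t *g, uint32_t lo, uint32_t hi) {
    return g->present && g->offset >= lo && g->offset < hi;
}

/* Constructed: IDTR with base 0x8003F400 (value from the post) and a 256-entry limit 0x07FF. */
static const uint8_t SAMPLE_IDTR[6] = {0xFF, 0x07, 0x00, 0xF4, 0x03, 0x80};
/* Constructed: vector 13 (#GP) interrupt gate, offset 0x8053A8E0, selector 0x0008, P=1 DPL=0 type=0xE. */
static const uint8_t SAMPLE_GP_GATE[8] = {0xE0, 0xA8, 0x08, 0x00, 0x00, 0x8E, 0x53, 0x80};

int main(void) {
    idtr32_t r = parse_idtr32(SAMPLE_IDTR);
    gate32_t g = parse_gate32(SAMPLE_GP_GATE);
    printf("IDT base 0x%08X, %u entries\n", r.base, idt_entry_count(r));
    printf("#GP handler 0x%08X sel 0x%04X type 0x%X dpl %u in kernel range: %d\n",
           g.offset, g.selector, g.type, g.dpl, handler_in_range(&g, 0x80400000u, 0x80800000u));
    return 0;
}
```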
_______________________________________________
vbox-dev mailing list
[email protected]
http://vbox.innotek.de/mailman/listinfo/vbox-dev