[vbox-dev] How does VirtualBox catch privileged instructions?
andreidf at yahoo.com
Thu Apr 22 23:59:40 PDT 2010
I've posted the question on the forum ( http://forum.virtualbox.org/viewtopic.php?f=6&t=30091 ) but it's probably best asked here.
I've searched but I couldn't find a concrete answer yet to the question of how VirtualBox catches privileged instructions (without hardware virtualization support).
For example, when executing raw in/out instructions in guest user mode, the instructions would usually generate a General Protection exception. Does VirtualBox patch the #GP vector in the Windows host's IDT to trap it? Does VirtualBox receive information from the Windows host after Microsoft's original kernel interrupt handler has executed? (Seems unlikely.)
Does VirtualBox keep patching and un-patching the IDT for every instance of a VirtualBox guest that is running? When a guest is descheduled from execution, does VBox un-patch the IDT / load Windows' original interrupt descriptor table?
If VirtualBox patches the IDT, how does it do it on 64-bit Windows, which runs PatchGuard and which should stop non-Microsoft drivers from modifying the IDT? (Is support from hardware virtualization a must there?)
I've run VMWare and VirtualBox at the same time on a 32-bit Windows XP SP3 host. I've checked the address of the IDT from user mode with the sidt instruction (in a loop, to see if it changes) and it was like this:
VMWare: FFC18000 (if acceleration was disabled sidt was emulated and it showed 8003F400)
VirtualBox: F8808190 (with disabled VT-x/AMD-V)
real machine: 8003F400 / BAB3C590 (CPU with two cores).
From what I understand, sidt can't be caught, so the values should normally be unmodified by the VMM (unless patched), and if there was an exception the CPU would automatically and directly jump to the address stored in the IDT.
But I can't seem to read memory at F8808190 or FFC18000 (while I can read the IDT tables from 8003F400 / BAB3C590, and the addresses in them seem to point to ntkrnlpa.exe).