[Question] Get exit qualification

Question

[Question] Get exit qualification

no-realm opened this issue 7 years ago · comments

Hey,

I am trying to extend this example by reading the exit qualification.
So, how do I get them? After looking at the documentation, I 'think' I found it:

intel_x64::vmcs::exit_qualification::ept_violation::data_read.is_enabled();

But the ept_violation namespace doesn't seem to have data_execute namespace member.
Since I only need to switch the page when the code is getting executed, I really need to know whether it is accessed that way.

After getting this to work, I plan on using shadow pages, instead of just changing the RIP.

Rian Quinn · Answer 1 · Mon May 29 2017 03:08:45 GMT+0800 (China Standard Time)

It's called 'instruction_fetch' as that is what it's called in the Intel SDM. So the code would be:

intel_x64::vmcs::exit_qualification::ept_violation::instruction_fetch::is_enabled()

K · Answer 2 · Mon May 29 2017 03:10:41 GMT+0800 (China Standard Time)

Ah, didn't know that 😄
Anyway, thanks.

Rian Quinn · Answer 3 · Mon May 29 2017 03:11:09 GMT+0800 (China Standard Time)

no problem, glad I could help