[kvm] generic memory events are not being cleared properly

[andrelcmoreira]

Hi guys, I've being done some work with libvmi to monitor userspace processes. I'm catching events properly, but I want to address the scenario where the monitored process terminates their execution. For that, in my callback I'm checking if the process exist and if it doesn't, I clear the event in order to stop to receive events. Here is the code of my callback:

def __mem_cb(self, vmi, event):
    event_dict = event.to_dict()

    try:
        proc_name = event_dict['data'].name()

        if process_exists(vmi, proc_name):
            gla = int(event_dict['gla'], 0)
            pid = event_dict['data'].pid()
            paddr = vmi.translate_uv2p(gla, pid)

            print('[%s] write at %s' % (proc_name, hex(paddr)))
        else:
            print('the process doesn\'t exist')
            vmi.clear_event(event)
    except LibvmiError:
        print('failed to handle the event')

    return EventResponse.NONE

I clear the event but I still receiving page fault events ad infinitum when the process is terminated. What I'm doing wrong?

[Wenzel]

@carvalhudo this is an issue for https://github.com/libvmi/python repo. @tklengyel can you transfer it ?

[Wenzel]

You can try to enable Libvmi debug output:

cmake .. -DVMI_DEBUG=__VMI_DEBUG_ALL -DENV_DEBUG=ON
make
sudo make install
export LIBVMI_DEBUG=1
./my_python_script.py

Keep in mind that the new KVM driver is still experimental at this point.

Also, I just checked and there is no debug output in kvm_set_mem_access function.

You will have to add some dbprint(VMI_DEBUG_KVM, 'xxx') there to see whats' going on.

I hope this helps.

[andrelcmoreira]

this commit fixed the problem, thanks for the help @Wenzel, closing the issue...