Jan 25 · 4 min read · 0. Abstract. In virtualization security research, executing custom code while modifying the Guest kernel as little as possible has always been an interesting and challenging topic. This article shares a complete Hypervisor-based code injection approach, covering the whole process from hijacking the Guest execution flow, EPT-based transparent injection, and a bidirectional communication protocol to lifecycle management. Repository: [mini-int3-injector](https://github.com/ania0-art/mini-int3-injector). 1. Introduction: some background and thoughts 1.1 Some challenges faced by traditional approaches ...
Jan 23 · 6 min read · Motivation Recently, I tried to learn some low-level system programming stuff. I am a Mac user, and I thought that everything that works on Linux should also work on Mac. After all, Mac is a Unix-based system 😊. I guess we all heard this. Oh boy! I ...
Jan 21 · 2 min read · Most people learn Operating Systems from textbooks. I decided to learn it by building a music streaming service from scratch. My goal was simple: Create a system where a Python Server streams raw audio to a C Client in real-time, played entirely insi...
Jan 17 · 6 min read · 1. Fundamentals of the Detour mechanism 1.1 What is a Detour? In virtualization security monitoring, we often need to observe key operations inside the Guest OS: process creation, privilege escalation, memory mapping changes, and so on. Traditional EPT (Extended Page Table) monitoring can capture memory accesses, but it has clear limitations: Semantic gap: inferring "a process was created" from "some address was written" requires complex analysis. Performance overhead: fine-grained memory monitoring generates a large number of VM-Exits. Blind spots: pure register operations, linked-list modifications and the like cannot be captured by memory monitoring at all. Therefore we need a more direct method: at the entry and exit of key functions...
Jan 16 · 1 min read · The infrastructure you settle for today defines the limits of what you can achieve tomorrow. You may choose to delay, but time—and the market—will not wait for you. Architectural supremacy is no longer an option; it is a requirement for survival. W...
Jan 13 · 3 min read · Lecture: xv6 Book, Chapter 4 - Traps and system calls: https://pdos.csail.mit.edu/6.1810/2025/xv6/book-riscv-rev5.pdf The lecture in the 4th week was about Traps. A trap is an event that causes the CPU to switch from its current task to specific code i...
Jan 10 · 4 min read · 0. Preliminaries. We know that on Linux on the x86 architecture, address translation has always been a headache (?): mapping virtual addresses to physical addresses relies on segmented and paged memory management. In early kernel versions segmentation dominated and paging was an optional mechanism (CR0.PG = 1), whereas in modern versions segmentation is extremely weakened and only paging remains. In a virtualized environment, monitoring a block of memory from the outside runs into three problems: 1. EPT permissions can only be modified by GPA, yet what we are given is a GVA/GLA (because segmentation is so weakened, these two can be treated as the same thing), for example a certain field of some object / a certain module's ...