
A student seeking help: HVMI instruction emulation crashes on Windows guest (tried many approaches, still stuck)


  • To: xen-devel@xxxxxxxxxxxxxxxxxxxx
  • From: xf zhang <zhangxf344@xxxxxxxxx>
  • Date: Wed, 13 May 2026 21:41:01 +0800
  • Delivery-date: Wed, 13 May 2026 13:42:47 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Dear HVMI maintainers and Xen community,

Hello! I am a student from China currently learning and researching Virtual Machine Introspection (VMI) technology. I have been working with HVMI and encountered several persistent issues. I would like to kindly ask if there are any known solutions or workarounds.

Background: To test and reproduce these issues, I have kept my Windows guest running for several days and tried many different approaches (including source code modifications and configuration changes). Unfortunately, nothing has worked so far. The issues keep recurring, and I am truly stuck. I would greatly appreciate your guidance.

Please forgive me if I have misunderstood anything.


My Environment

Item            Information
Host            Linux (Ubuntu [20.04])
Guest           Windows ([Windows 10_17763_x64])
Virtualization  [Xen]



Issues Encountered

When using HVMI to introspect a Windows guest, the introcore module crashes when handling certain instructions due to "spills in the next entry". Here are the specific issues:

Issue 1: MOVZX causes process crash

[ERROR] Access at 1aafa7 spills in the next entry, size 4, instruction 'MOVZX'
[ERROR] IntHookPtwEmulateWrite failed: 0xe1000508
process 48416 crashed

Issue 2: PUSH causes introspection engine shutdown

[ERROR] Access at 1aa975 spills in the next entry, size 8, instruction 'PUSH'
[ERROR] IntHookPtwEmulateWrite failed: 0xe1000508
Introcore shutdown complete

Issue 3: CMP instruction not supported

[ERROR] Instruction 'CMP dword ptr [rbx+0x108], esi' not supported
Introcore shutdown complete

Issue 4: Agent deployment fails (cascading effect)

[WARNING] Agent bdQL9CeR.exe will not be deployed as the guest is NOT initialized!

What I Have Tried (all failed)

I have spent several days trying the following approaches, but the issues persist:

  1. Source code modifications: Commented out IntBugCheck(), forced INT_STATUS_SUCCESS return

  2. Configuration changes: Tried disabling certain hook types, modified EPT protection parameters

  3. Restarting services: Restarted hvmid and the guest VM multiple times

  4. Different Windows versions: Tried both Windows 10 and Windows 7

  5. Documentation search: Searched for HVMI-related resources but found no similar solutions


My Questions

  1. Are there any known solutions or patches for these issues?

  2. Are there any plans to fix these issues in future releases?

  3. If no official fix is available yet, could you suggest any temporary workarounds? (e.g., disabling certain hook types, changing configuration parameters, etc.)

  4. Do you have any advice for a student learning HVMI and VMI technology?



Thank you for your open-source work on HVMI and the Xen community, which has given students like me the opportunity to learn and explore VMI technology. I look forward to your reply.

Best regards,

[name] Xiaofei Zhang

[School Name] Beijing University of Posts and Telecommunications

 

