CN118503959A - Memory monitoring method under Windows operating system based on hardware virtualization technology - Google Patents
Memory monitoring method under Windows operating system based on hardware virtualization technology Download PDFInfo
- Publication number
- CN118503959A CN118503959A CN202410511259.6A CN202410511259A CN118503959A CN 118503959 A CN118503959 A CN 118503959A CN 202410511259 A CN202410511259 A CN 202410511259A CN 118503959 A CN118503959 A CN 118503959A
- Authority
- CN
- China
- Prior art keywords
- memory
- virtual machine
- monitored
- ept
- monitoring
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000005516 engineering process Methods 0.000 title claims abstract description 42
- 238000000034 method Methods 0.000 title claims abstract description 42
- 238000012544 monitoring process Methods 0.000 title claims abstract description 32
- 238000013507 mapping Methods 0.000 claims abstract description 10
- 238000012545 processing Methods 0.000 abstract description 4
- 230000006399 behavior Effects 0.000 description 5
- 230000000694 effects Effects 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 230000008569 process Effects 0.000 description 3
- 230000007246 mechanism Effects 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000007123 defense Effects 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
- 230000002265 prevention Effects 0.000 description 1
- VLCQZHSMCYCDJL-UHFFFAOYSA-N tribenuron methyl Chemical group COC(=O)C1=CC=CC=C1S(=O)(=O)NC(=O)N(C)C1=NC(C)=NC(OC)=N1 VLCQZHSMCYCDJL-UHFFFAOYSA-N 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/14—Protection against unauthorised use of memory or access to memory
- G06F12/1416—Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a memory monitoring method under a Windows operating system based on a hardware virtualization technology, which comprises the following steps: the method comprises the steps of firstly determining a target, and determining a memory area or page needing to be monitored and controlled and a specific memory access type needing to be monitored. And secondly, writing a virtual machine monitor program, and creating a virtualized environment by utilizing a hardware virtualization technology. The virtual machine monitor will be responsible for managing and monitoring the execution of guest operating systems and implementing the EPT Hook. EPT is then set and enabled, and in the virtual machine monitor, EPT technology is enabled to manage memory accesses of the virtual machine. EPT allows virtual machine monitor to control the mapping of virtual address space to physical address space and fine-grained entitlement control of memory pages. And finally, processing access, and realizing the processing logic for the captured memory access in the virtual machine monitoring program. According to the monitoring requirement, accessing content, intercepting malicious operations or executing other custom operations is recorded. The invention provides a powerful tool for the safety field.
Description
Technical Field
The invention belongs to the technical field of virtualization security, in particular to a computer operating system and a virtualization technology, and particularly relates to a memory monitoring method under a Windows operating system based on a hardware virtualization technology.
Background
Hardware virtualization technology plays a key role in today's computer domain. With the popularity of cloud computing and virtualization technologies, hardware virtualization technologies are becoming increasingly important. Through hardware virtualization technology, a computer system can virtualize physical resources into a plurality of logical entities, thereby realizing better resource utilization and flexibility. For example, one physical server can run multiple virtual machines at the same time, and each virtual machine can independently run different operating systems and application programs, so as to realize isolation and management of resources. Intel VT (Virtualization Technology) is a mainstream hardware virtualization technology that provides a series of instructions and functions for virtualization software, so that the virtualization software can manage virtual machines and physical resources more efficiently. Through Intel VT technology, virtualization software can better utilize hardware resources and provide better performance and reliability.
In today's network environment, the threat of malware is increasing. Malware may attack a system with vulnerabilities in the system memory or malicious code hidden in memory, resulting in system crashes, information leaks, or other security issues. Thus, timely discovery and prevention of malware activity is critical to protecting system security. In the context of Windows operating systems, the threat of malware is particularly serious due to its wide application and openness. Researchers have been looking for efficient and safe memory monitoring methods in order to discover and prevent malware activity in time. Memory monitoring methods based on hardware virtualization technology have been attracting attention because of their advantages in terms of performance, security and applicability.
The memory monitoring method based on the hardware virtualization technology utilizes the virtualization technology to monitor and manage the system memory on the hardware level. The EPT (Extended Page Tables) technique, among other things, is a common technique that allows for fine-grained access control and monitoring of memory pages in a virtual machine monitor. Through the EPT technology, the activities of malicious software in the memory can be monitored and defended in real time, and the safety and stability of the system are improved.
EPT technology provides an effective solution for memory monitoring. The system memory is monitored and controlled by the virtual machine monitoring program on a hardware level, so that the activity of malicious software can be detected and prevented in the system memory in real time. Traditional software-level memory monitoring methods may be limited by operating systems or applications, and it may be difficult to achieve comprehensive monitoring and control of system memory. Therefore, the memory monitoring method based on the hardware virtualization technology has higher safety and efficiency. In addition, the memory monitoring method at the kernel level can be detected by malicious code at the kernel level. The virtualization authority is higher than the kernel authority, so that various malicious behaviors in the memory of the computer system can be monitored in a non-sensing manner, and the safety and stability of the whole computer system are ensured. The memory monitoring method based on the hardware virtualization technology has higher security and efficiency, and provides powerful support for security defense of the system.
Disclosure of Invention
The invention aims to overcome the defects in the prior art, and provides a memory monitoring method under a Windows operating system based on a hardware virtualization technology. The method utilizes the hardware virtualization technology to create a virtual machine management program on the host machine, and enables the original system to be changed into a virtual machine managed by the virtual machine management program, so that the reading, writing and execution behaviors or combination conditions of behaviors of any memory can be monitored. The method can realize complete hiding of the operating system, and the operating system cannot sense the existence of the monitoring behavior.
The method comprises the following steps:
Step 1: the determination of the memory area or page to be monitored and controlled, and the particular memory access type to be monitored, such as read, write or execute, or a combination of access types, is encoded into the virtual machine hypervisor.
Step2: a virtual machine manager is written and a virtualized environment is created by utilizing Intel VT technology. The virtual machine manager is loaded by the system as a Windows driver.
Step 3: in the virtual machine monitor, an EPT table is set to define the mapping relationship of the client physical address to the host physical address, and the required access rights are specified for each page. In a virtual machine monitor, EPT techniques are enabled to manage memory accesses of virtual machines.
Step 4: and in the EPT table, modifying the access authority of the target page into a corresponding mode. For example, if a memory read is to be monitored, the memory is set to unreadable, if a memory write is to be monitored, the memory is set to non-writable, and if a memory execute is to be monitored, the memory is set to non-executable.
Step 5: when the virtual machine returns to the root mode, the memory condition is recorded, and the entry in the EPT table is updated according to the reason that the virtual machine exits. And then continue executing instructions in the virtual machine.
Further, in step 1 of the present invention, determining the memory area or page to be monitored and controlled, and the specific memory access type to be monitored, such as read, write or execute, includes:
Step 1-1: determining memory regions or pages in a Windows system that need to be monitored and controlled, obtaining addresses of physical memory within a range, and the particular memory access type that needs to be monitored, such as read, write, or execute, or a combination of access types.
Step 1-2: the memory area to be monitored is divided into 4K sizes, each page 4K is aligned, the page address and the access type corresponding to the page are recorded, and the information is stored in a global linked list.
Further, in step 2 of the present invention, writing a virtual machine monitor program, creating a virtualized environment by using Intel VT technology, including:
step 2-1: for the core in each CPU, bit 14 in the cr4 register is set.
Step 2-2: for the cores in each CPU, a virtual machine is started on the CPU with vmxon instructions.
Step 2-3: for the cores in each CPU, the virtual machine current state is cleared with vmclear instructions and the virtual machine state area is loaded into the CPU with vmptrld instructions.
Step 2-4: for the cores in each CPU, virtual machine state is set, and the state of the host is copied to the corresponding locations in the required VMXON and VMCS regions.
Step 2-5: for each core in the CPU, a stack space is created that corresponds to what needs to be used in virtual machine root mode. And writes the stack address to the corresponding location.
Step 2-6: for each core in the CPU, the virtual machine is started with vmlaunch instructions.
Further, in step 3 of the present invention, in the virtual machine monitor, the EPT table is set to define the mapping relationship from the virtual address to the physical address, and the required access right is specified for each page. In a virtual machine monitor, enabling EPT technology to manage memory access of a virtual machine, comprising:
step 3-1: an EPT table is created for each core.
Step 3-2: filling in an EPT table, and carrying out 1 on the physical address in the host machine and the physical address in the virtual machine: 1 mapping. I.e. the physical address in the host is pointed to the same location as the physical address in the physical machine. And sets all physical memory access rights to readable, writable and executable.
Step 3-3: and correctly set Vmcs. The address of the EPT table is written with vmwrite instructions.
Further, in step 4 of the present invention, in the EPT table, the access right of the target page is modified to a corresponding mode. For example, if a memory read is to be monitored, the memory is set to unreadable, if a memory write is to be monitored, the memory is set to non-writable, if a memory execute is to be monitored, the memory is set to non-executable, including:
Step 4-1: and in the EPT table, modifying the access authority of the target page into a corresponding mode. If a memory read is to be monitored, the memory is set to unreadable, if a memory write is to be monitored, the memory is set to non-writable, if a memory execute is to be monitored, the memory is set to non-executable
Step 4-2: the EPT table is refreshed using the INVEPT instruction.
Further, in step 5 of the present invention, when the virtual machine returns to the root mode, the memory condition is recorded, and according to the reason that the virtual machine exits, the entry in the EPT table is updated. Then continue executing instructions in the virtual machine, including:
step 5-1: when the virtual machine returns to the root mode, the reason for the virtual machine to exit is recorded.
Step 5-2: and updating the entry in the EPT table according to the reason of the virtual machine exit and the data in the global linked list. The permissions in the EPT for the corresponding address are set to readable, writable and executable. And flush the EPT table using the INVEPT instruction.
Step 5-3: monitor Trap Flag in the virtual machine is set so that it can return to root mode after running 1 instruction in the virtual machine.
Step 5-4: when returning to root mode, the entries in the EPT table are restored and the EPT table is refreshed using the INVEPT instruction. The virtual machine then continues to run.
The beneficial effects are that:
1. The invention is realized based on hardware virtualization technology, and utilizes the hardware virtualization expansion function of the Intel processor. This has advantages in performance and efficiency, and is more efficient than software-level methods.
2. The invention allows fine-grained access control and monitoring of memory pages using hardware virtualization techniques. The method can accurately monitor and control specific memory pages or address ranges, and can accurately intercept and process memory access.
3. In a 64-bit operating system, protection mechanisms such as PatchGuard of the Windows system limit the ability to make changes directly to the kernel. And the hardware virtualization technology is utilized to realize the monitoring and control of the memory at the virtualization level, so that the protection mechanisms can be bypassed, and the monitoring of the kernel and the user state program is realized.
4. The invention can provide higher security by utilizing the hardware virtualization technology, because the operation is implemented at the hardware level, and is not easy to be bypassed or tampered by malicious programs. Meanwhile, the memory access of the malicious program can be monitored and intercepted in real time, malicious behaviors can be found and prevented in time, and the safety of the system is improved.
Drawings
FIG. 1 is a flow chart of the overall process of the present invention.
FIG. 2 is a flow chart of determining and recording a memory area that needs to be monitored and controlled in accordance with the present invention.
Fig. 3 is a flowchart of a subsequent process when the virtual machine returns to the root mode in the present invention.
Detailed Description
Embodiments of the invention are disclosed in the drawings, and for purposes of explanation, numerous practical details are set forth in the following description. However, it should be understood that these practical details are not to be taken as limiting the invention. That is, in some embodiments of the invention, these practical details are unnecessary.
The invention relates to a memory monitoring technology under a Windows operating system based on Intel VT technology, which comprises the steps of firstly determining a target, determining a memory area or page needing to be monitored and controlled and determining a specific memory access type needing to be monitored. And secondly, writing a virtual machine monitor program, and creating a virtualization environment by utilizing the Intel VT technology. This virtual machine monitor will be responsible for managing and monitoring the execution of guest operating systems and implementing the EPT Hook. EPT is then set and enabled, and in the virtual machine monitor, EPT technology is enabled to manage memory accesses of the virtual machine. EPT allows the virtual machine monitor to control the mapping of host to guest host physical address space and fine-grained entitlement control of memory pages. And finally, processing the access, and in the virtual machine monitor program, realizing processing logic for the captured memory access. Access to content, interception of malicious operations, or execution of other custom operations may be recorded according to monitoring needs.
Specifically, the invention relates to a memory monitoring method under a Windows operating system based on a hardware virtualization technology, as shown in FIG. 1, which comprises the following steps:
step 1: the determination of the memory area or page to be monitored and controlled, and the particular memory access type to be monitored, such as read, write or execute, or a combination of access types, is encoded into the virtual machine hypervisor. As shown in fig. 2, specifically:
Step 1-1: determining memory regions or pages in a Windows system that need to be monitored and controlled, obtaining addresses of physical memory within a range, and the particular memory access type that needs to be monitored, such as read, write, or execute, or a combination of access types.
Step 1-2: dividing the memory area to be monitored into 4K sizes, aligning the size of each page 4K, recording the page address and the access type corresponding to the page, creating a global linked list, and storing the page address and the access type information into the global linked list. The linked list is then queried when the virtual machine exits to root mode.
Step 2: a virtual machine manager is written and a virtualized environment is created by utilizing Intel VT technology. The virtual machine manager is loaded by the system as a Windows driver. The method comprises the following steps:
step 2-1: for the core in each CPU, bit 14 in the cr4 register is set.
Step 2-2: for the cores in each CPU, a virtual machine is started on the CPU with vmxon instructions.
Step 2-3: for the cores in each CPU, the virtual machine current state is cleared with vmclear instructions and the virtual machine state area is loaded into the CPU with vmptrld instructions.
Step 2-4: for the cores in each CPU, setting a virtual machine state, and copying the state of the host to the required VMXON area and the position corresponding to the host in the VMCS area. For example, the segment registers and control registers of the current system are written into the memory of host information in the VMCS region. A specific value is written into the VMCS control region to turn on the EPT function. For each core in the CPU, a stack space is created that corresponds to what needs to be used in virtual machine root mode. And writes the stack address to the corresponding location. The address of the virtual machine exit handling function is written to vmcs_host_rip.
Step 2-5: for the cores in each CPU, the state of the host is copied to the location in the required VMXON area and VMCS area corresponding to the guest host. For example, the segment registers and control registers of the current system are written into the memory of the guest information in the VMCS region.
Step 2-6: for each core in the CPU, the virtual machine is started with vmlaunch instructions.
Step 3: in the virtual machine monitor, an EPT table is set to define the mapping relationship of the client physical address to the host physical address, and the required access rights are specified for each page. In a virtual machine monitor, EPT techniques are enabled to manage memory accesses of virtual machines. The method comprises the following steps:
Step 3-1: an EPT table is created for each core. The EPT tables need to be aligned in 4K size. The EPT table contains entries for PML4, PML3, and PML2, where PML4 contains the first 512G of memory in the physical address. PML3 contains a first 512G memory PML2 entry, the PML2 entry containing a mapping of the host physical address to the guest host physical address.
Step 3-2: filling in an EPT table, and carrying out 1 on the physical address in the host machine and the physical address in the virtual machine: 1 mapping. I.e. the physical address in the host is pointed to the same location as the physical address in the physical machine. And sets all physical memory access rights to readable, writable and executable.
Step 3-3: for each core in the CPU, the address of the EPT table is written to the VMCS_CTRL_EPT_POINTER region in Vmcs with the vmwrite instruction.
Step 4: and in the EPT table, modifying the access authority of the target page into a corresponding mode. For example, if a memory read is to be monitored, the memory is set to unreadable, if a memory write is to be monitored, the memory is set to non-writable, and if a memory execute is to be monitored, the memory is set to non-executable. The method comprises the following steps:
Step 4-1: and in the EPT table, modifying the access authority of the target page into a corresponding mode. If a memory read is to be monitored, the memory is set to unreadable, if a memory write is to be monitored, the memory is set to non-writable, and if a memory execute is to be monitored, the memory is set to non-executable.
Step 4-2: the EPT table is refreshed using the INVEPT instruction.
Step 5: when the virtual machine returns to the root mode, the memory condition is recorded, and the entry in the EPT table is updated according to the reason that the virtual machine exits. And then continue executing instructions in the virtual machine. As shown in fig. 3, specifically:
Step 5-1: when the virtual machine returns to the root mode, the reason for the virtual machine to exit is recorded. If the virtual machine exits due to EPT access violations, the following steps are continued.
Step 5-2: and comparing the address which causes the virtual machine to exit with information in the global linked list, judging whether the address is an address stored in the global linked list, if so, recording the memory access condition, and updating an entry in an EPT table corresponding to the address. The permissions in the EPT for the corresponding address are set to readable, writable and executable. And flush the EPT table using the INVEPT instruction.
Step 5-3: monitor Trap Flag in the virtual machine is set so that it can return to root mode after running 1 instruction in the virtual machine.
Step 5-4: when returning to root mode, the entries in the EPT table are restored according to the information in the global linked list and the EPT table is refreshed using the INVEPT instruction. The virtual machine then continues to run.
The foregoing description is only illustrative of the invention and is not to be construed as limiting the invention. Various modifications and variations of the present invention will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, or the like, which is within the spirit and principles of the present invention, should be included in the scope of the claims of the present invention.
Claims (6)
1. A memory monitoring method under Windows operating system based on hardware virtualization technology is characterized in that: the memory monitoring method comprises the following steps:
Step 1: determining a memory area or page to be monitored and controlled, and a specific memory access type to be monitored, such as read, write or execute;
Step 2: writing a virtual machine monitoring program, and creating a virtualized environment by utilizing a hardware virtualization technology;
Step 3: setting an EPT table in a virtual machine monitor to define the mapping relation between a client physical address and a host physical address, and designating a required access right for each page;
Step 4: in the EPT table, modifying the access authority of the target page into a corresponding mode, setting the memory to be unreadable if the memory reading is required to be monitored, setting the memory to be non-writable if the memory writing is required to be monitored, and setting the memory to be non-executable if the memory execution is required to be monitored;
step 5: when the virtual machine returns to the root mode, the memory condition is recorded, the entry in the EPT table is updated according to the reason that the virtual machine exits, and then the instruction in the virtual machine is continuously executed.
2. The method for monitoring the memory under the Windows operating system based on the hardware virtualization technology according to claim 1, wherein the method is characterized by comprising the following steps: the step 1 comprises the following steps:
step 1-1: determining a memory area or page in the Windows system to be monitored and controlled, acquiring an address of a physical memory in a range and a specific memory access type to be monitored, for example, whether a specified memory is to be read, written or executed;
Step 1-2: the memory area to be monitored is divided into 4K sizes, each page 4K is aligned, the page address and the access type corresponding to the page are recorded, and the information is stored in a global linked list.
3. The method for monitoring the memory under the Windows operating system based on the hardware virtualization technology according to claim 1, wherein the method is characterized by comprising the following steps: the step 2 comprises the following steps:
step 2-1: starting a virtual machine on a CPU by vmxon instructions;
Step 2-2: loading the virtual machine state region into the CPU with vmptrld instructions;
step 2-3: setting a virtual machine state for a core in each CPU, and copying the state of a host to a required VMXON area and a corresponding position in a VMCS area;
Step 2-4: for each core in the CPU, the virtual machine is started with vmlaunch instructions.
4. The method for monitoring the memory under the Windows operating system based on the hardware virtualization technology according to claim 1, wherein the method is characterized by comprising the following steps: the step 3 comprises the following steps:
Step 3-1: creating an EPT table for each core;
Step 3-2: filling in an EPT table, and carrying out 1 on the physical address in the host machine and the physical address in the virtual machine: 1 mapping, namely the physical address in the host machine and the physical address in the physical machine point to the same position, and setting all physical memory access rights to be readable, writable and executable;
Step 3-3: correctly set Vmcs, write the address of the EPT table with vmwrite instruction.
5. The method for monitoring the memory under the Windows operating system based on the hardware virtualization technology according to claim 1, wherein the method is characterized by comprising the following steps: step 4 comprises:
Step 4-1: in the EPT table, modifying the access authority of the target page into a corresponding mode, setting the memory to be unreadable if the memory reading is required to be monitored, setting the memory to be non-writable if the memory writing is required to be monitored, and setting the memory to be non-executable if the memory execution is required to be monitored;
Step 4-2: the EPT table is refreshed using the INVEPT instruction.
6. The method for monitoring the memory under the Windows operating system based on the hardware virtualization technology according to claim 1, wherein the method is characterized by comprising the following steps: the step 5 comprises the following steps:
step 5-1: when the virtual machine returns to the root mode, recording the memory access condition;
Step 5-2: updating an entry in the EPT table according to the reason of the virtual machine exit, setting the authority in the EPT of the corresponding address to be readable, writable and executable, and refreshing the EPT table by using an INVEPT instruction;
Step 5-3: monitor Trap Flag in the virtual machine is set, so that the virtual machine can return to a root mode after 1 instruction in the virtual machine is run;
step 5-4: when returning to the root mode, the entries in the EPT table are restored, and the EPT table is refreshed using the INVEPT instruction, and then the virtual machine continues to run.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410511259.6A CN118503959A (en) | 2024-04-26 | 2024-04-26 | Memory monitoring method under Windows operating system based on hardware virtualization technology |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410511259.6A CN118503959A (en) | 2024-04-26 | 2024-04-26 | Memory monitoring method under Windows operating system based on hardware virtualization technology |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN118503959A true CN118503959A (en) | 2024-08-16 |
Family
ID=92235632
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410511259.6A Pending CN118503959A (en) | 2024-04-26 | 2024-04-26 | Memory monitoring method under Windows operating system based on hardware virtualization technology |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118503959A (en) |
-
2024
- 2024-04-26 CN CN202410511259.6A patent/CN118503959A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10810309B2 (en) | Method and system for detecting kernel corruption exploits | |
| EP1939754B1 (en) | Providing protected access to critical memory regions | |
| CN109923546B (en) | Event filtering for virtual machine security applications | |
| US7418584B1 (en) | Executing system management mode code as virtual machine guest | |
| US7127548B2 (en) | Control register access virtualization performance improvement in the virtual-machine architecture | |
| KR102383900B1 (en) | Region identifying operation for identifying region of a memory attribute unit corresponding to a target memory address | |
| JP6411494B2 (en) | Page fault injection in virtual machines | |
| US20170357592A1 (en) | Enhanced-security page sharing in a virtualized computer system | |
| US20160210069A1 (en) | Systems and Methods For Overriding Memory Access Permissions In A Virtual Machine | |
| US7506121B2 (en) | Method and apparatus for a guest to access a memory mapped device | |
| CN109074321B (en) | Method and system for protecting memory of virtual computing instance | |
| US10061918B2 (en) | System, apparatus and method for filtering memory access logging in a processor | |
| WO2020057394A1 (en) | Method and device for monitoring memory access behavior of sample process | |
| EP3881189B1 (en) | An apparatus and method for controlling memory accesses | |
| US10620985B2 (en) | Transparent code patching using a hypervisor | |
| US11734430B2 (en) | Configuration of a memory controller for copy-on-write with a resource controller | |
| US20100138616A1 (en) | Input-output virtualization technique | |
| KR20230101826A (en) | Techniques for restricting access to memory using capabilities | |
| JP2021512405A (en) | Controlling protected tag checking in memory access | |
| CN118503959A (en) | Memory monitoring method under Windows operating system based on hardware virtualization technology | |
| KR20220156028A (en) | invalidate memory accessor | |
| US11989425B2 (en) | Apparatus and method for controlling access to a set of memory mapped control registers | |
| JP7369720B2 (en) | Apparatus and method for triggering actions | |
| Zhou et al. | PointerLock: Protecting Function Pointers with Access Control on Page | |
| GB2623800A (en) | Stack pointer switch validity checking |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |