System and method for hypervisor breakpoints
Abstract
Methods and systems allow hypervisors to use software breakpoints in the same manner as hardware breakpoints. A program to be tested is executed by a hypervisor running a virtual machine. A memory page containing the location of a breakpoint is copied to a temporary memory page. Then a new page is written containing breakpoint instructions at specified memory locations. The new page is tagged as execute only, so the program to be tested is unaware of any changes to the program. If the program attempts to read from the changed memory page, it will read from the temporary memory page instead. Such a method can be used to search websites for malware in relative safety, because malware cannot write to memory locations on a page that is execute only.
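The page handling the abstract describes can be modelled in a few lines. This is an added illustration, not code from the patent: the struct, function names, the use of x86 INT3 (0xCC) as the breakpoint instruction and the choice to drop intercepted writes are all assumptions, and address translation is reduced to a page offset.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
#define BP_OPCODE 0xCC /* x86 INT3, assumed as the breakpoint instruction */

enum access { ACC_READ, ACC_WRITE, ACC_EXEC };

/* Hypothetical hypervisor-side record for one guest page. */
struct hooked_page {
    uint8_t exec_view[PAGE_SIZE]; /* new page with breakpoints, execute-only */
    uint8_t saved[PAGE_SIZE];     /* temporary page holding original bytes */
    int hooked;                   /* nonzero once the page is execute-only */
    unsigned read_traps, write_traps;
};

/* Copy the original aside once, patch the executable view, mark it hooked. */
void set_breakpoint(struct hooked_page *p, uint64_t guest_addr) {
    if (!p->hooked) {
        memcpy(p->saved, p->exec_view, PAGE_SIZE);
        p->hooked = 1;
    }
    p->exec_view[guest_addr % PAGE_SIZE] = BP_OPCODE;
}

/* Resolve one guest access; returns the byte the guest sees, -1 if denied. */
int guest_access(struct hooked_page *p, uint64_t addr, enum access a, uint8_t val) {
    size_t off = addr % PAGE_SIZE;
    if (!p->hooked) { /* ordinary page: no interception */
        if (a == ACC_WRITE) p->exec_view[off] = val;
        return p->exec_view[off];
    }
    if (a == ACC_EXEC) return p->exec_view[off];                  /* fetch hits breakpoint */
    if (a == ACC_READ) { p->read_traps++; return p->saved[off]; } /* redirected read */
    p->write_traps++; /* assumed policy: intercepted write is dropped */
    return -1;
}

int main(void) {
    static struct hooked_page p;          /* zero-initialised */
    memset(p.exec_view, 0x90, PAGE_SIZE); /* constructed sample page of NOPs */
    set_breakpoint(&p, 0x401010);
    printf("exec sees %02x, read sees %02x\n",
           (unsigned)guest_access(&p, 0x401010, ACC_EXEC, 0),
           (unsigned)guest_access(&p, 0x401010, ACC_READ, 0));
    return 0;
}
```

An integrity check inside the guest that reads its own code therefore sees the original bytes, while instruction fetch at the same address reaches the breakpoint.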
23 Claims
1. A method for debugging a computer program comprising:
- selecting, in a virtual machine controlled by a hypervisor in a host operating system, a guest memory location as a breakpoint location;
- determining, in the virtual machine, a first memory page that contains the guest memory location;
- replacing, by the hypervisor without knowledge by a computer program executed by the virtual machine, at least a portion of the first memory page with new content, the new content including a breakpoint instruction;
- translating virtual memory to physical memory; and
- in response to the replacing, setting a permission of the first memory page to execute only, such that attempts to read to or write from the first memory page by the computer program are intercepted by the hypervisor.
Dependent claims: 2, 3, 4, 5, 6
7. A non-transitory machine-readable medium that stores instructions which, when executed by a machine, causes the machine to perform operations comprising:
- selecting, in a virtual machine controlled by a hypervisor in a host operating system, a guest memory location as a breakpoint location;
- determining, in the virtual machine, a first memory page that contains the guest memory location;
- replacing, by the hypervisor without knowledge by a computer program executed by the virtual machine, at least a portion of the first memory page with new content, the new content including a breakpoint instruction;
- translating virtual memory to physical memory; and
- in response to the replacing, setting a permission of the first memory page to execute only, such that attempts to read to or write from the first memory page by the computer program are intercepted by the hypervisor.
Dependent claims: 8, 9, 10, 11
12. A system for debugging a computer program comprising:
- memory, divided into pages including at least a first memory page;
- a processor coupled to the memory;
- wherein the processor is arranged to:
  - select, in a virtual machine controlled by a hypervisor in a host operating system, a guest memory location as a breakpoint location;
  - determine, in the virtual machine, the first memory page that contains the guest memory location;
  - replace, by the hypervisor without knowledge by a computer program executed by the virtual machine, at least a portion of the first memory page with new content, the new content including a breakpoint instruction;
  - translate virtual memory to physical memory; and
  - in response to the replace, set the permission of the first memory page to execute only, such that attempts to read to or write from the first memory page by the computer program are intercepted by the hypervisor.
Dependent claims: 13, 14, 15, 16, 17
18. A method for determining the existence of malware on websites comprising:
- using a browser that is executing on a virtual machine to load a website into a browser;
- setting a breakpoint to detect indicia of malware; and
- logging any detected indicia of malware;
- wherein setting the breakpoint comprises:
  - selecting, in a virtual machine controlled by a hypervisor in a host operating system, a guest memory location as a breakpoint location;
  - determining, in the virtual machine, a first memory page that contains the guest memory location;
  - replacing, by the hypervisor without knowledge by a computer program executed by the virtual machine, at least a portion of the first memory page with new content, the new content including a breakpoint instruction;
  - translating virtual memory to physical memory; and
  - in response to the replacing, setting a permission of the first memory page to execute only, such that attempts to read to or write from the first memory page by the computer program are intercepted by the hypervisor.
Dependent claims: 19, 20, 21, 22, 23
Specification