Current guest's Process ID from outside guest

Discussions related to using the OSE version of VirtualBox.
Post Reply
C0reDev
Posts: 8
Joined: 28. Sep 2017, 14:24

Current guest's Process ID from outside guest

Post by C0reDev »

Hi there,
Is there any way to know from outside VirtualBox which process is running currently in guest's user mode?
For example I want to reference from my own routine inside VBoxDrv.sys (which is in root-mode) and know which thread is running currently inside guest.
I run windows host and Windows guest.
I know that if I have access from VBoxDrv.sys to current context of guests virtual CPU - there is a way.
I can get it's KPCR structure from it's GS register and from there the path is known.
So I'm facing right now 2 problems:
1) Referencing the virtual CPU current context of the guest from VBoxDrv.sys code (implement my own routine to do that, but I need the reference to the vCpu).
2) A way to translate the "Guest's Virtual Address" to "Guest's Physical Address". How can I do that?

Thanks in advance,
~C0reDev~
michaln
Oracle Corporation
Posts: 2973
Joined: 19. Dec 2007, 15:45
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Any and all
Contact:

Re: Current guest's Process ID from outside guest

Post by michaln »

What are you trying to achieve exactly?
C0reDev
Posts: 8
Joined: 28. Sep 2017, 14:24

Re: Current guest's Process ID from outside guest

Post by C0reDev »

michaln wrote:What are you trying to achieve exactly?
When guest runs a thread, it executes under some process context, which a process id is assigned to. I want, somehow, to know every time the host would demand - "what process is the guest running right now?" (no matter which thread runs, just to know the process context in the guest).
Having a mapping of process name to pid of guests is possible (for example, each time a process in guest is started - it will send the host through some kind of communication the process name and pid).
michaln
Oracle Corporation
Posts: 2973
Joined: 19. Dec 2007, 15:45
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Any and all
Contact:

Re: Current guest's Process ID from outside guest

Post by michaln »

VirtualBox does not have any concept of a "guest process". It doesn't really have a concept of a "guest OS" to speak of. It is a virtual PC, it just executes instructions. It doesn't know or care what processes, if any, are running inside the VM.
C0reDev
Posts: 8
Joined: 28. Sep 2017, 14:24

Re: Current guest's Process ID from outside guest

Post by C0reDev »

michaln wrote:VirtualBox does not have any concept of a "guest process". It doesn't really have a concept of a "guest OS" to speak of. It is a virtual PC, it just executes instructions. It doesn't know or care what processes, if any, are running inside the VM.
Yeah, it's true.
However, I thought maybe if we assume that the Host is permanent and known, and the Guest OS can only be one known OS (e.g. Windows 10 64 bit build 1607) - maybe there is a way to manipulate the VMM in such a way so that it will reveal (by demand) the process id of the current guest's context running thread. (This assumption is ok for me)
For example, if there is a way to implement a routine in the VBoxDrv driver so that it will get from the VMM the current PID, as for the VMM to get the PID from the vCpu -> GS register -> KPCR -> KPRCB -> KTHREAD (ETHREAD) -> CLIENT_ID -> UniqueProcess (Pid).
All with known offsets only because it's a specific build of a specific OS of course.

Is there a way to do so? Maybe other "hacky" way?
Thanks.
michaln
Oracle Corporation
Posts: 2973
Joined: 19. Dec 2007, 15:45
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Any and all
Contact:

Re: Current guest's Process ID from outside guest

Post by michaln »

Check the VM debugger (source code in src\VBox\Debugger). It can detect the OS type and such things. It's doable, it's just not something we ever found useful.
Post Reply