VMware, Inc.
Dynamic discovery of internal kernel functions and global data

Abstract:

A method is provided for a hypervisor to dynamically discover internal address information of a guest kernel on a virtual machine. The method includes locating a kernel exported system call or function in an image of the guest kernel in guest memory of the virtual machine, disassembling machine code of the kernel exported system call or function in the image into assembly code, detecting a pattern from memory references in the assembly code, and, after detecting the pattern, determining the internal address information of the guest kernel from the assembly code.