I'm using VProbes in VMware Workstation (10.0.1 build-1379776).
I am using a dynamic probe to monitor for a guest write on a specific memory address.
My script is taken from the example:
(printf "Write to VGA text RAM.\n"))
However, the problem is that I have an error when I try to vprobeLoadFile the script.
vprobeLoadFile: error: Unrecognized characters ':0xb8000' in probe 'GUEST_WRITE:0xb8000'
vprobeLoadFile: 0 warnings, 1 errors
Error: Unknown error
I have tried many different addresses after GUEST_WRITE, but I always get the same error: "Unrecognized characters".
Also, why is there only a Guest_CR3Write and not Guest_OtherRegister here? Like rax, ldtr, etc.
Thank you for using VProbes! The "VProbes Programming Reference" is a bit outdated, and we are currently working on a new, updated version.
Basically, the syntax for guest probes has changed. If you replace GUEST_WRITE with GUEST:WRITE, your script should load.
Regarding your second question, the CPU provides facilities to intercept CR3 writes made by the guest, but the same is not true for general-purpose registers, making it hard to implement what you suggest.
Just out of curiosity, what are you using VProbes for?
Thanks for the reply.
Are there any plans to extend VProbes to ESXi? Or are there any alternatives to monitor the behavior of processes in VMs running in ESXi servers?
It seems like VMware only allows vShield partners to have access to APIs for VM introspection in ESXi...
Is this true?