The kernel 3 depth resolution antivirus software

Time:09-20

Depth resolution antivirus software implementation of kernel virtual machine 3
The core component of the SVM kernel, the SCS vm scanner (SWS), is implemented with a virtual machine. A virtual machine, in a nutshell, simulates a computer: a file that the SBJ engine has already flagged as a suspected virus is run on this simulated computer, and the simulated computer is then examined for damage to decide whether the file really is a virus. At present, because of limited capability and copyright disputes, no Chinese company with real strength uses this technique widely in its antivirus software (although the SVM engine is led by Chinese developers, one of its lead developers is a foreigner), so it is a very sophisticated technology. Below we first introduce what a virtual machine is (experts, please skip ahead).
CPU virtualization. Background: x86 CPUs have a privilege mechanism that places the CPU in one of the states RING 0 through RING 3, giving it the highest down to the lowest privilege. Taking Linux as an example, the kernel runs in RING 0 and every user process runs in RING 3 (Xen is the odd one out: under Xen, Linux runs in RING 1). At user privilege no I/O device can be operated, some control registers cannot be accessed, and some privileged instructions cannot be executed, so a user process that wants to read or write a file or perform similar operations must rely on the kernel; a system call lets the CPU run in RING 0 and execute kernel code (for the details, see an operating systems textbook). With the background covered: the complete state of a CPU is really just the values of all its registers. As long as the register values look correct to the OS after every operation, the guest OS can execute normally. The hypervisor creates a data structure for each virtual CPU that models the values of all of the CPU's registers, and tracks and modifies those values at the appropriate moments. Now consider virtualizing a CPU. Inside the virtualized guest OS, the CPU can never actually run in RING 0, because if it did the host OS would inevitably crash. So when a guest OS wants to enter RING 0 to execute kernel code, the hypervisor lies to it and tells it that it is already in RING 0, while in reality all of its instructions are still running in RING 3. When the guest OS touches anything privileged, the hypervisor receives a fault; it then determines what the instruction was, modifies the state of the corresponding virtual registers, and returns, so the guest OS continues to run normally. It should be pointed out that for most instructions the code runs directly on the hardware with no software involvement; only for a few high-privilege requests does software step in and maintain the virtual CPU state.

Memory virtualization. Background: virtual memory, page table structure and so on are basic OS material and are not covered here. The hypervisor virtualizes memory by creating a shadow page table. Normally, a page table translates virtual memory to physical memory. Under virtualization the so-called physical memory is itself still virtual, so the shadow page table has to achieve: virtual memory -> virtual physical memory -> real physical memory. The details follow (skip them if you like). The hypervisor maintains a mapping from virtual physical memory to real physical memory. When the guest OS switches its own page table, that is, changes the value of the CR3 register, the hypervisor receives a general protection exception because user mode lacks the permission; it records the new page table the guest wants to install, installs an empty shadow page table, and returns. The CPU then performs address translation with the empty shadow page table and page faults. When the fault occurs, the hypervisor obtains the virtual address, translates it to a virtual physical address according to the guest page table structure it recorded earlier, then translates that virtual physical address to a real machine address using the mapping the hypervisor maintains, writes the result into the shadow page table, and resumes execution. This achieves: virtual memory -> virtual physical memory -> real physical memory.

I/O virtualization. Background: memory-mapped I/O. Most PCI devices map some of their control registers directly into the physical memory address space; the CPU accesses these control registers the same way it accesses memory, and operates the I/O device by reading and writing those registers. The virtualization method is very simple: when the hypervisor receives a page fault and finds that the corresponding virtual physical memory address is actually an I/O device, it uses software to simulate the device's behaviour and returns. For example, when the CPU wants to write to a disk, the hypervisor writes the corresponding data into a file on the host OS; that file is what actually simulates the virtual disk.
(The description of the virtual machine above is adapted from a paper.)
OK, due to space constraints, this chapter ends here. In the next chapter we will talk about how SVM uses the virtual machine to build the antivirus engine.
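The trap-and-fill behaviour of the shadow page table and the software emulation of a memory-mapped device, as an added toy model that is not part of the original post; the class, the page numbers and the bytearray standing in for the host's disk file are all constructed here.

```python
class ShadowPagingHypervisor:
    """Toy model (not real hypervisor code): guest page table -> guest-physical
    -> machine-physical, resolved lazily into a shadow table on each fault."""

    def __init__(self, gpa_to_hpa, mmio_pages=()):
        self.gpa_to_hpa = dict(gpa_to_hpa)  # hypervisor-maintained gPA -> hPA map
        self.mmio_pages = set(mmio_pages)   # guest-physical pages that are devices
        self.guest_cr3 = {}                 # guest page table recorded at CR3 write
        self.shadow = {}                    # the table the CPU actually walks
        self.machine_ram = {}               # constructed stand-in for real RAM
        self.virtual_disk = bytearray()     # host file standing in for the disk
        self.faults = 0                     # how often software had to step in

    def guest_write_cr3(self, guest_page_table):
        """Privileged CR3 write traps: record the new guest table, install an
        EMPTY shadow table, so every page faults once before it is cached."""
        self.guest_cr3 = dict(guest_page_table)
        self.shadow = {}

    def cpu_translate(self, gva_page):
        """Hardware walk of the shadow table; a miss is a fault the hypervisor
        services by walking the guest table and then its own gPA -> hPA map."""
        if gva_page in self.shadow:
            return self.shadow[gva_page]    # fast path, no software involved
        self.faults += 1
        if gva_page not in self.guest_cr3:
            raise KeyError(f"guest page fault for VA page {gva_page:#x}")
        gpa_page = self.guest_cr3[gva_page]          # VA -> virtual physical
        if gpa_page in self.mmio_pages:
            return ("mmio", gpa_page)                # device page: never cached
        hpa_page = self.gpa_to_hpa[gpa_page]         # virtual -> real physical
        self.shadow[gva_page] = hpa_page             # fill the shadow entry
        return hpa_page

    def guest_write(self, gva_page, data):
        """A guest store: RAM pages reach machine memory, a device page is
        emulated in software (here: appended to the virtual disk file)."""
        target = self.cpu_translate(gva_page)
        if isinstance(target, tuple):
            self.virtual_disk += data
        else:
            self.machine_ram[target] = data


def demo():
    hv = ShadowPagingHypervisor({0x10: 0x7A0, 0x12: 0x3F0}, mmio_pages=[0xE0])
    hv.guest_write_cr3({0x400: 0x10, 0x401: 0x12, 0x402: 0xE0})
    hv.guest_write(0x400, b"code")       # fault, shadow filled, RAM written
    hv.guest_write(0x400, b"more")       # shadow hit, no fault
    hv.guest_write(0x402, b"sector0")    # device page: emulated disk write
    return hv.faults, hv.machine_ram, bytes(hv.virtual_disk)
```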

CodePudding user response:

The SVM kernel, is it software or hardware?

CodePudding user response:

Quoting 1st floor, aabbabababaa's reply:
The SVM kernel, is it software or hardware?

The SVM kernel can be said to be the industry's best-known open source antivirus software kernel. Of course it is software; how can someone ask whether it is software or hardware???????

CodePudding user response:

Your Chinglish lets me smell an earthy taste.

CodePudding user response:

When other people mix English into Chinese, it feels like plagiarism of foreign articles with incomplete localization.
When you mix English into Chinese, I feel you are trying to make your article look high-end, without success. What, aren't you afraid the only foreigner on your team is from North Korea?

CodePudding user response:

Quoting 4th floor, caozhy's reply:
When other people mix English into Chinese, it feels like plagiarism of foreign articles with incomplete localization.
When you mix English into Chinese, I feel you are trying to make your article look high-end, without success. What, aren't you afraid the only foreigner on your team is from North Korea?

Probably from India. This is what you call stealing from Chinese websites with incomplete foreignization.

CodePudding user response:

Quoting 4th floor, caozhy's reply:
When other people mix English into Chinese, it feels like plagiarism of foreign articles with incomplete localization.
When you mix English into Chinese, I feel you are trying to make your article look high-end, without success. What, aren't you afraid the only foreigner on your team is from North Korea?

In fact, the English I use is professional terminology; maybe your horizons are narrow. This kind of article is very popular now.