Kernel Hooks

The hypervisor can trap certain instructions in the guest kernel and execute short pieces of user-supplied code before either executing or skipping the trapped instruction.

The hooks are written in a simple programming language and run in the hypervisor environment without pausing the VM or engaging the debugger.

The hook's virtual address is translated to a physical one using the guest's current page table. Before the guest kernel has booted and enabled address translation there is no page table to consult, so at that stage the hook address has to be given as a physical address.

Not all instructions can be hooked. The set of legal instructions includes all branches, most typical function prologue instructions, and simple register MOVs.

Hooks run concurrently on multiple cores without any locking. This is a major difference from GDB breakpoint scripts, which stop the VM whenever they fire, and (apart from the better performance) it allows investigating race conditions in the guest; the same property means hook code that touches shared state is itself subject to concurrent execution.