Is there a simple way to monitor the syscalls of processes running in a VM from the outside on the hypervisor (dom0) in a Xen setup? In general, is that an easy task or are modifications to the hypervisor code necessary to do such VM syscall monitoring?
Is it also possible with an HVM VM or only with a PV VM?
Not sure if you already looked at these links:
http://hal.archives-ouvertes.fr/docs/00/43/10/31/PDF/Technical_Report_Syscall_Interception.pdf
http://research.microsoft.com/pubs/153179/sim-ccs09.pdf
http://pages.cs.wisc.edu/~remzi/OSTEP/vmm-intro.pdf
With very limited knowledge of the subject, I am making an attempt. One can emulate the instructions used to make a syscall, e.g. sysenter, sysexit. Thus any attempt by the guest to use these instructions should trap for the hypervisor to intervene. Once the hypervisor comes into the picture, you can copy the syscall number and its arguments.
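The last step of the answer above (copying the syscall number and its arguments once the hypervisor has trapped the instruction), as an added example that is not part of the original answer. It assumes a Linux guest and a little-endian host; `guest_regs`, `decode_syscall` and the `guest_read_fn` callback are hypothetical names, not a Xen API.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical snapshot of guest registers captured when the trap fires. */
struct guest_regs { uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp, r8, r9, r10; };
enum entry_kind { ENTRY_INT80, ENTRY_SYSENTER, ENTRY_SYSCALL64 };
struct syscall_event { uint64_t nr, arg[6]; };

/* Reads guest virtual memory; provided by the introspection layer (assumed). */
typedef int (*guest_read_fn)(void *ctx, uint64_t gva, void *buf, size_t len);

/* Returns 0 on success, -1 if the sixth sysenter argument cannot be read. */
int decode_syscall(enum entry_kind kind, const struct guest_regs *r,
                   guest_read_fn rd, void *ctx, struct syscall_event *ev)
{
    if (kind == ENTRY_SYSCALL64) {          /* x86-64 Linux ABI */
        uint64_t a[6] = { r->rdi, r->rsi, r->rdx, r->r10, r->r8, r->r9 };
        ev->nr = r->rax;
        memcpy(ev->arg, a, sizeof a);
        return 0;
    }
    /* 32-bit Linux ABI: only the low 32 bits of each register are meaningful. */
    uint64_t a[6] = { r->rbx, r->rcx, r->rdx, r->rsi, r->rdi, r->rbp };
    ev->nr = (uint32_t)r->rax;
    for (int i = 0; i < 6; i++) ev->arg[i] = (uint32_t)a[i];
    if (kind == ENTRY_SYSENTER) {
        /* The vDSO stub pushes ebp and loads ebp with the user stack pointer,
           so argument 6 is the 32-bit word at [ebp], not ebp itself. */
        uint32_t arg6;
        if (rd(ctx, (uint32_t)r->rbp, &arg6, sizeof arg6) != 0) return -1;
        ev->arg[5] = arg6;
    }
    return 0;
}

/* Constructed sample: 16 bytes of fake guest stack mapped at 0xbffff000. */
static const uint8_t demo_stack[16] = { 0x78, 0x56, 0x34, 0x12 };
int demo_read(void *ctx, uint64_t gva, void *buf, size_t len)
{
    (void)ctx;
    if (gva < 0xbffff000u || gva - 0xbffff000u + len > sizeof demo_stack) return -1;
    memcpy(buf, demo_stack + (gva - 0xbffff000u), len);
    return 0;
}
```

A monitor that treats `ebp` as the sixth argument on the sysenter path logs a stack address instead of the real value, which is why the decoder needs a guest memory read there.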