tklengyel/guestrace

[Question] Why we need to set mem event when monitoring syscall

dongphuong2410 opened this issue · 1 comment


Hello,
I'm reading the source code of guestrace to understand how we can monitor the syscalls, but there is one thing I couldn't figure out: when we set the trap for a syscall, why do we need to set both the mem_event and the interrupt on the shadow page (like in the picture; the source code is extracted from guestrace/src/trace-syscalls.c)? In other words, is line 1173 necessary? As far as I understand, just writing the interrupt (line 1194) is enough, is that right?

I was considering posting this question to the libvmi Google group, but the source code is here, so maybe posting here is better :-?. I'm looking forward to the answer.

Thank you.

To detect if the written breakpoint instruction is being read by the guest itself, so that it can be hidden from it, or if it is being overwritten.
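A small model of the point made in the answer above, added here as an illustration and not code from the guestrace thread or from libvmi: the int3 write is what traps execution, while the memory event on the shadowed page is what lets the monitor serve pristine bytes on guest reads and re-arm the trap after a guest write. Guest accesses are simulated method calls standing in for EPT faults.

```python
# Model of why a syscall trap needs both an int3 write and a memory event.
# Added illustration only: the "guest" accesses below are simulated calls,
# not real EPT faults, and the class is not part of guestrace or libvmi.
INT3 = 0xCC


class ShadowedPage:
    """A guest page whose executing copy (shadow) carries breakpoints while
    the copy the guest is allowed to read stays untouched."""

    def __init__(self, original: bytes):
        self.original = bytearray(original)  # what guest reads must see
        self.shadow = bytearray(original)    # what actually executes
        self.traps = {}                      # offset -> byte hidden by 0xCC
        self.log = []                        # events the monitor observed

    def set_trap(self, offset: int) -> None:
        # the "interrupt" part: put 0xCC into the executing shadow copy
        self.traps[offset] = self.shadow[offset]
        self.shadow[offset] = INT3

    # --- the "mem_event" part: read/write faults on the shadowed page ---
    def guest_read(self, offset: int, length: int = 1) -> bytes:
        # read fault: answer from the untouched copy so 0xCC stays hidden
        self.log.append(("read", offset))
        return bytes(self.original[offset:offset + length])

    def guest_write(self, offset: int, value: int) -> None:
        # write fault: apply the guest's change, then re-arm any trap it hit
        self.log.append(("write", offset))
        self.original[offset] = value
        self.shadow[offset] = value
        if offset in self.traps:
            self.log.append(("overwritten", offset))
            self.traps[offset] = value   # new byte the trap now hides
            self.shadow[offset] = INT3   # keep the trap alive

    # --- the interrupt part: the guest executes the shadow copy ---
    def guest_execute(self, offset: int) -> int:
        # an int3 hit reports the syscall and the monitor emulates the
        # hidden byte; any other byte executes as-is
        if self.shadow[offset] == INT3 and offset in self.traps:
            self.log.append(("int3", offset))
            return self.traps[offset]
        return self.shadow[offset]
```

Without the read handler the guest would see 0xCC in its own code, and without the write handler a guest overwrite would silently clear the trap.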