* Fwd: Re: debugging/instrumenting windows guests + some bugs
@ 2009-12-15 22:17 Raindog
From: Raindog @ 2009-12-15 22:17 UTC (permalink / raw)
To: kvm
Forwarding to list as I replied to only Yan =(
-------- Original Message --------
Subject: Re: debugging/instrumenting windows guests + some bugs
Date: Tue, 15 Dec 2009 11:55:15 -0800
From: Raindog <raindog@macrohmasheen.com>
To: Yan Vugenfirer <yvugenfi@redhat.com>
On 12/15/2009 7:29 AM, Yan Vugenfirer wrote:
>
> > -----Original Message-----
> > From: kvm-owner@vger.kernel.org [mailto:kvm-owner@vger.kernel.org] On
> > Behalf Of Raindog
> > Sent: Tuesday, December 15, 2009 2:25 AM
> > To: kvm@vger.kernel.org
> > Subject: debugging windows guests
> >
> > Hello,
> >
> > I am researching KVM as a malware analysis platform and had some
> > questions about debugging the guest OS. In my case I intend to use
> > windows guests. So my questions are as follows:
> >
> > Questions:
> >
> > 1. What instrumentation facilities are available?
>
> [YV] http://www.linux-kvm.org/page/WindowsGuestDrivers/GuestDebugging
>
> >
> > 2. Is it possible to extend the debugging interface so that debugging
> > is
> > more transparent to the guest OS? i.e. there is still a limit of 4 HW
> > breakpoints (which makes me wonder why a LIST is used for them...)
> >
> > 3. I'm not finding any published API for interfacing with
> > KVM/KQEMU/QEMU
> > at a low level, for example, for writing custom tracers, etc. Is there
> > one? Or is there something similar?
> >
> >
> > Bugs:
> >
> > 1. I hit a bug w/ instruction logging using a RAM based temp folder. If
> > I ran w/ the following command line:
> > (Version info: QEMU PC emulator version 0.10.50 (qemu-kvm-devel-88))
> >
> > qemu-system-x86_64 -hda debian.img -enable-nesting -d in_asm
> >
> > It would successfully log to the tmp log file, but obviously, KVM would
> > be disabled.
> >
> > If I use sudo, it won't log to the file, is this a known issue?
> >
> > 2. -enable-nesting on AMD hardware using a xen guest OS causes xen to
> > GPF somewhere in svm_cpu_up. Is nesting supposed to work w/ Xen based
> > guests?
>
>
Thanks for the response, however, that is not quite what I am looking
for. Hooking up a kernel debugger requires handling the majority of
anti-debugging tricks that malware and packers use.
Something like this is more akin to what I am looking for, but applied
to KVM:
http://www.pintool.org/tutorials/asplos08/slides/PinTutorial.pdf
>
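Added example (not code from this thread, and not KVM's or QEMU's own code): the host-side half of the hardware-breakpoint mechanism behind the "limit of 4" mentioned above. KVM exposes the x86 debug registers to userspace through the KVM_SET_GUEST_DEBUG ioctl on a vCPU fd, taking a struct kvm_guest_debug whose arch.debugreg[0..3] are DR0..DR3 and debugreg[7] is DR7; QEMU's gdb stub keeps a small array of breakpoints and repacks it into this structure on every change, which is the list the question refers to. The slot table and the hw_bp_* helpers below are hypothetical names chosen for this example; the ioctl, the struct and the KVM_GUESTDBG_* flags come from <linux/kvm.h>. The DR7 field layout follows the Intel SDM (Ln enable bit at 2n, R/Wn at 16+4n, LENn at 18+4n, bit 10 reserved as 1). Only hw_bp_apply touches /dev/kvm; everything else runs without a VM.

```c
/* Added example: arm the four x86 hardware breakpoints of a KVM vCPU
 * from the host via KVM_SET_GUEST_DEBUG. Helper names (hw_bp_*) are
 * hypothetical; struct kvm_guest_debug and KVM_GUESTDBG_* are real. */
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/ioctl.h>
#include <linux/kvm.h>

#define HW_BP_SLOTS 4                 /* x86 has exactly DR0..DR3 */

/* Values are the DR7 R/Wn encodings: 00 exec, 01 write, 10 I/O, 11 read/write. */
enum hw_bp_kind { HW_BP_EXEC = 0, HW_BP_WRITE = 1, HW_BP_IO = 2, HW_BP_RW = 3 };

struct hw_bp {
    uint64_t addr;
    enum hw_bp_kind kind;
    unsigned len;                     /* 1, 2, 4 or 8 bytes; must be 1 for exec */
    int used;
};

struct hw_bp_table { struct hw_bp slot[HW_BP_SLOTS]; };

/* DR7 LENn field: 00 = 1 byte, 01 = 2, 11 = 4, 10 = 8 (64-bit mode only). */
static int len_bits(unsigned len)
{
    switch (len) {
    case 1: return 0;
    case 2: return 1;
    case 4: return 3;
    case 8: return 2;
    default: return -1;
    }
}

/* Claim a free debug-register slot. Returns the slot index (0..3),
 * -EINVAL for a length/alignment the CPU rejects, -ENOSPC when all four
 * registers are taken: there is no fifth hardware breakpoint to hand out. */
int hw_bp_add(struct hw_bp_table *t, uint64_t addr, enum hw_bp_kind kind, unsigned len)
{
    if (len_bits(len) < 0) return -EINVAL;
    if (kind == HW_BP_EXEC && len != 1) return -EINVAL;   /* SDM: exec BPs need LEN = 00 */
    if (addr & (len - 1)) return -EINVAL;                  /* data BPs must be len-aligned */
    for (int i = 0; i < HW_BP_SLOTS; i++) {
        if (t->slot[i].used) continue;
        t->slot[i] = (struct hw_bp){ .addr = addr, .kind = kind, .len = len, .used = 1 };
        return i;
    }
    return -ENOSPC;
}

int hw_bp_remove(struct hw_bp_table *t, int slot)
{
    if (slot < 0 || slot >= HW_BP_SLOTS || !t->slot[slot].used) return -ENOENT;
    t->slot[slot].used = 0;
    return 0;
}

/* Encode DR7: Ln (local enable) at bit 2n, R/Wn at 16+4n, LENn at 18+4n.
 * Bit 10 is reserved-as-1; LE/GE (bits 8/9) are set as the SDM recommends. */
uint64_t hw_bp_dr7(const struct hw_bp_table *t)
{
    uint64_t dr7 = (1u << 10) | (1u << 9) | (1u << 8);
    for (int i = 0; i < HW_BP_SLOTS; i++) {
        if (!t->slot[i].used) continue;
        dr7 |= 1ull << (2 * i);
        dr7 |= (uint64_t)t->slot[i].kind << (16 + 4 * i);
        dr7 |= (uint64_t)len_bits(t->slot[i].len) << (18 + 4 * i);
    }
    return dr7;
}

/* Pack the table the way KVM expects it: debugreg[0..3] = DR0..DR3,
 * debugreg[7] = DR7, and the control flags that switch HW BPs on. */
void hw_bp_to_kvm(const struct hw_bp_table *t, struct kvm_guest_debug *dbg)
{
    memset(dbg, 0, sizeof *dbg);
    dbg->control = KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_HW_BP;
    for (int i = 0; i < HW_BP_SLOTS; i++)
        dbg->arch.debugreg[i] = t->slot[i].used ? t->slot[i].addr : 0;
    dbg->arch.debugreg[7] = hw_bp_dr7(t);
}

/* Push the table to a vCPU fd from KVM_CREATE_VCPU. After this, a hit
 * returns from KVM_RUN with exit_reason == KVM_EXIT_DEBUG on the host,
 * with no debugger process or debug-register write inside the guest. */
int hw_bp_apply(int vcpu_fd, const struct hw_bp_table *t)
{
    struct kvm_guest_debug dbg;
    hw_bp_to_kvm(t, &dbg);
    return ioctl(vcpu_fd, KVM_SET_GUEST_DEBUG, &dbg) < 0 ? -errno : 0;
}
```

The point for the anti-debugging question is where the registers get written: a kernel debugger inside the guest programs DR0-DR7 from within the guest, which is what GetThreadContext-style checks look for, whereas this path programs them from the host. As far as I understand KVM's x86 code, the guest's own DR0-DR7 values are kept separately and returned on guest reads, so the host's breakpoints are not visible through the registers; check that against the kernel version you run, and note that while host breakpoints are armed they displace any hardware breakpoints the guest itself has set. The four-slot limit is the CPU's, not KVM's, so anything like Pin-style per-instruction instrumentation has to come from single-stepping (KVM_GUESTDBG_SINGLESTEP) or from the emulator side rather than from debug registers.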