From: Raindog
Subject: Fwd: Re: debugging/instrumenting windows guests + some bugs
Date: Tue, 15 Dec 2009 14:17:10 -0800
To: kvm@vger.kernel.org

Forwarding to list as I replied to only Yan =(

-------- Original Message --------
Subject: Re: debugging/instrumenting windows guests + some bugs
Date: Tue, 15 Dec 2009 11:55:15 -0800
From: Raindog
To: Yan Vugenfirer

On 12/15/2009 7:29 AM, Yan Vugenfirer wrote:
>
> > -----Original Message-----
> > From: kvm-owner@vger.kernel.org [mailto:kvm-owner@vger.kernel.org] On
> > Behalf Of Raindog
> > Sent: Tuesday, December 15, 2009 2:25 AM
> > To: kvm@vger.kernel.org
> > Subject: debugging windows guests
> >
> > Hello,
> >
> > I am researching KVM as a malware analysis platform and had some
> > questions about debugging the guest OS. In my case I intend to use
> > windows guests. So my questions are as follows:
> >
> > Questions:
> >
> > 1. What instrumentation facilities are there available?
> [YV] http://www.linux-kvm.org/page/WindowsGuestDrivers/GuestDebugging
> >
> > 2. Is it possible to extend the debugging interface so that debugging is
> > more transparent to the guest OS? IE: there is still a limit of 4 HW
> > breakpoints (which makes me wonder why a LIST is used for them...)
> >
> > 3. I'm not finding any published API for interfacing with KVM/KQEMU/QEMU
> > at a low level, for example, for writing custom tracers, etc. Is there
> > one? Or is there something similar?
> >
> >
> > Bugs:
> >
> > 1. I hit a bug w/ instruction logging using a RAM based temp folder. If
> > I ran w/ the following command line:
> > (Version info: QEMU PC emulator version 0.10.50 (qemu-kvm-devel-88))
> >
> > qemu-system-x86_64 -hda debian.img -enable-nesting -d in_asm
> >
> > It would successfully log to the tmp log file, but obviously, KVM would
> > be disabled.
> >
> > If I use sudo, it won't log to the file, is this a known issue?
> >
> > 2. -enable-nesting on AMD hardware using a xen guest OS causes xen to
> > GPF somewhere in svm_cpu_up. Is nesting supposed to work w/ Xen based
> > guests?
>

Thanks for the response, however, that is not quite what I am looking for.
Hooking up a kernel debugger requires handling the majority of anti-debugging
tricks that malware and packers use. Something like this is more akin to what
I am looking for, but applied to KVM:
http://www.pintool.org/tutorials/asplos08/slides/PinTutorial.pdf
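As an added example (not part of this thread or of QEMU itself), here is a small parser for the `-d in_asm` log that the command line quoted above produces, turning it into a per-block code-coverage summary of the kind a malware analyst would want from a trace. It assumes the log layout of a dashed separator, an `IN:` header, then one `<address>:  <disassembly>` line per instruction of the translated block; the sample log embedded below is constructed, not captured from a real guest.

```python
import re

# Constructed sample of "qemu ... -d in_asm" output (layout assumed: a
# separator line, an "IN:" header, then one address/disassembly line per
# instruction in the translated block). Not a real capture.
SAMPLE_LOG = """\
----------------
IN: 
0x00000000000fe05b:  xor    %ax,%ax
0x00000000000fe05d:  mov    %ax,%ss

----------------
IN: 
0x00000000000fe060:  mov    $0x7000,%sp
0x00000000000fe063:  jmp    0xfe05b

----------------
IN: 
0x00000000000fe05b:  xor    %ax,%ax
0x00000000000fe05d:  mov    %ax,%ss
"""

# "0x<hex>:  <mnemonic> [operands]"; operands are optional (e.g. "ret").
ADDR_LINE = re.compile(r"^0x([0-9a-fA-F]+):\s+(\S+)(?:\s+(.*))?$")

def parse_blocks(log_text):
    """Return a list of translated blocks; each block is a list of
    (address, mnemonic, operands) tuples in log order."""
    blocks, insns = [], None
    for line in log_text.splitlines():
        if line.startswith("IN:"):          # start of a new translated block
            if insns:
                blocks.append(insns)
            insns = []
            continue
        m = ADDR_LINE.match(line)
        if m and insns is not None:         # skip separators and blank lines
            insns.append((int(m.group(1), 16), m.group(2), m.group(3) or ""))
    if insns:
        blocks.append(insns)
    return blocks

def summarize(log_text):
    """Map block start address -> how many times it was translated, how many
    instructions it holds, and the mnemonic that terminates it."""
    summary = {}
    for insns in parse_blocks(log_text):
        entry = summary.setdefault(insns[0][0], {"translations": 0,
                                                 "insns": len(insns),
                                                 "terminator": insns[-1][1]})
        entry["translations"] += 1
    return summary
```

Note that each `IN:` block is a translation event, not an execution: a block that stays in the translation cache is executed many times but logged once, so the counts above are translation counts and must not be read as execution counts.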