From: Jan Kiszka
Subject: Re: debugging windows guests
Date: Wed, 16 Dec 2009 09:12:02 +0100
Message-ID: <4B289652.9050008@web.de>
References: <4B26D775.90809@macrohmasheen.com> <4B281E4A.1050608@web.de> <4B285CF8.8030401@macrohmasheen.com>
In-Reply-To: <4B285CF8.8030401@macrohmasheen.com>
To: Raindog
Cc: kvm@vger.kernel.org

Raindog wrote:
> On 12/15/2009 3:39 PM, Jan Kiszka wrote:
>> Raindog wrote:
>> > Hello,
>> >
>> > I am researching KVM as a malware analysis platform and had some
>> > questions about debugging the guest OS. In my case I intend to use
>> > windows guests. So my questions are as follows:
>> >
>> > Questions:
>> >
>> > 1. What instrumentation facilities are there available?
>> >
>> > 2. Is it possible to extend the debugging interface so that debugging is
>> > more transparent to the guest OS? IE: there is still a limit of 4 HW
>> > breakpoints (which makes me wonder why a LIST is used for them...)
>>
>> In accelerated KVM mode, the x86 architecture restricts us to 4 break-
>> or watchpoints that can be active at the same time. If you switch to
>> emulation mode, there are no such limits. Actually, I just made use of
>> this for debugging a subtle stack corruption in a guest, and I had more
>> than 70 watchpoints active at the same time. It's just "slightly" slower
>> than KVM...
>
> Ok, is there anything special that needs to be done to enable additional
> watchpoints as they are being called? How are these set btw? Is it
> accomplished transparently through gdb? IE: if you set a watchpoint at a
> specific address, under emulation mode, they simulate HW bps in that no
> code is modified via the injection of an int 3?

Yes, break- and watchpoints are transparent to the guest in emulation
mode. In KVM mode, hardware breakpoints do not require int 3, but they
are limited and the guest may notice that its own breakpoints have no
effect as long as the host injected some.

>
>> > 3. I'm not finding any published API for interfacing with KVM/KQEMU/QEMU
>> > at a low level, for example, for writing custom tracers, etc. Is there
>> > one? Or is there something similar?
>>
>> KVM provides tracepoints for the Linux ftrace framework, see related
>> documentation of the kernel.
>
> I found this http://lxr.linux.no/#linux+v2.6.27/Documentation/ftrace.txt
> but that can hardly be accused of being called documentation. I don't
> think something like this:
> http://www.pintool.org/tutorials/asplos08/slides/PinTutorial.pdf is
> unreasonable.

2.6.27 is too old anyway. There should be at least one LWN.net article on
this, and also quite a few presentations and papers, just ask your
favorite search engine.

>
>> If you extend your guest
>
> Windows is by design not extensible.

Depends on where and how you want to hook into it. Of course, its kernel
is out of reach. But if you are interested e.g. in marking specific I/O
requests, you could write your own driver and hook into the stack.

>
>> to issue certain
>> events that the hypervisor sees and traces (e.g. writes to pseudo I/O
>> ports), you can also trace things inside the guest that are otherwise
>> invisible to the host. I once hacked up an ad-hoc tracing by means of
>> hypercalls (required some kvm patching). That also worked from guest
>> userspace - and revealed that even more hypercalls could be called that
>> way (that's fixed in KVM now).
>>
>> >
>> > Bugs:
>> >
>> > 1. I hit a bug w/ instruction logging using a RAM based temp folder. If
>> > I ran w/ the following command line:
>> > (Version info: QEMU PC emulator version 0.10.50 (qemu-kvm-devel-88))
>> >
>> > qemu-system-x86_64 -hda debian.img -enable-nesting -d in_asm
>>
>> -d only works in emulation mode as it relies on dynamic code translation
>> (TCG). For qemu-kvm, you need to switch to emulation via -no-kvm (for
>> upstream QEMU, it's the other way around).
>
> Hence why running w/out admin rights enables the logging. I was confused
> because the logfile is still created w/ the kvm module disabled.

It's created but remains empty for obvious reasons in KVM mode.

Jan
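The two host-side tracing ideas in this thread, the KVM ftrace tracepoints and guest writes to a "pseudo I/O port" that the hypervisor sees, can be combined into a small analysis script. The following is an added example and not code from the thread, from KVM or from QEMU. It parses constructed ftrace-style lines; the generic line layout (task-pid [cpu] timestamp: event: payload) is real, but the exact payload wording of the kvm_exit and kvm_pio tracepoints varies between kernel versions, so the payload regexes are assumptions, and port 0x510 is an arbitrary constructed marker port.

```python
"""Summarise KVM ftrace tracepoint output: exit reasons, exits per vCPU thread,
and guest writes to an agreed "marker" I/O port.

Added example; not code from the mailing-list thread or from KVM/QEMU.
On a host with the tracepoints enabled the raw input would come from
something like:
    echo 1 > /sys/kernel/debug/tracing/events/kvm/enable
    cat /sys/kernel/debug/tracing/trace_pipe > kvm-trace.txt
The trace text below is constructed. The generic ftrace line layout is real;
the kvm_exit/kvm_pio payload fields are assumptions (they differ across
kernel versions), and port 0x510 is an arbitrary, constructed marker port.
"""
import re
from collections import Counter

SAMPLE_TRACE = """\
 qemu-kvm-1234  [001]  1001.000123: kvm_exit: reason IO_INSTRUCTION rip 0x7c00
 qemu-kvm-1234  [001]  1001.000130: kvm_pio: pio_write at 0x510 size 1 count 1
 qemu-kvm-1234  [001]  1001.000140: kvm_entry: vcpu 0
 qemu-kvm-1234  [001]  1001.000210: kvm_exit: reason EXCEPTION_NMI rip 0x80100000
 qemu-kvm-1234  [001]  1001.000220: kvm_entry: vcpu 0
 qemu-kvm-1235  [002]  1001.000300: kvm_exit: reason IO_INSTRUCTION rip 0x7c10
 qemu-kvm-1235  [002]  1001.000305: kvm_pio: pio_write at 0x510 size 1 count 1
 qemu-kvm-1235  [002]  1001.000400: kvm_pio: pio_read at 0x71 size 1 count 1
"""

# Generic ftrace line: task-pid [cpu] (optional flags) timestamp: event: payload
LINE_RE = re.compile(
    r"^\s*(?P<task>\S+)-(?P<pid>\d+)\s+\[(?P<cpu>\d+)\]\s+(?:\S+\s+)?"
    r"(?P<ts>\d+\.\d+):\s+(?P<event>\w+):\s*(?P<payload>.*)$"
)
# Payload shapes assumed for this example (version-dependent in real kernels)
EXIT_RE = re.compile(r"reason\s+(?P<reason>\w+)\s+rip\s+0x(?P<rip>[0-9a-fA-F]+)")
PIO_RE = re.compile(r"pio_(?P<dir>read|write)\s+at\s+0x(?P<port>[0-9a-fA-F]+)")


def parse_trace(text):
    """Return one dict per recognised trace line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {
            "task": m.group("task"),
            "pid": int(m.group("pid")),
            "cpu": int(m.group("cpu")),
            "ts": float(m.group("ts")),
            "event": m.group("event"),
            "payload": m.group("payload"),
        }
        if ev["event"] == "kvm_exit":
            x = EXIT_RE.search(ev["payload"])
            if x:
                ev["reason"] = x.group("reason")
                ev["rip"] = int(x.group("rip"), 16)
        elif ev["event"] == "kvm_pio":
            p = PIO_RE.search(ev["payload"])
            if p:
                ev["dir"] = p.group("dir")
                ev["port"] = int(p.group("port"), 16)
        events.append(ev)
    return events


def exit_reasons(events):
    """Count kvm_exit events by exit reason across all vCPU threads."""
    return Counter(ev["reason"] for ev in events
                   if ev["event"] == "kvm_exit" and "reason" in ev)


def exits_per_thread(events):
    """Count kvm_exit events per qemu thread (pid); qemu uses one thread per vCPU."""
    return Counter(ev["pid"] for ev in events if ev["event"] == "kvm_exit")


def marker_writes(events, port):
    """Timestamps of guest writes to the marker port, in trace order.

    This is the "pseudo I/O port" idea from the thread: a guest-side driver
    writes to a port nothing else uses, and the host sees every write as a
    kvm_pio tracepoint without modifying any guest code.
    """
    return [ev["ts"] for ev in events
            if ev["event"] == "kvm_pio" and ev.get("dir") == "write"
            and ev.get("port") == port]


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    print("exit reasons:", dict(exit_reasons(evs)))
    print("exits per thread:", dict(exits_per_thread(evs)))
    print("marker writes to 0x510 at:", marker_writes(evs, 0x510))
```

Because the guest only performs an ordinary port write, nothing is injected into guest memory, which is the transparency property the thread contrasts with int 3 breakpoints; the cost is that the marker port must be chosen so that no real device in the virtual machine claims it.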