From mboxrd@z Thu Jan 1 00:00:00 1970
From: Raindog
Subject: Re: debugging windows guests
Date: Wed, 16 Dec 2009 14:06:34 -0800
Message-ID: <4B2959EA.2040200@macrohmasheen.com>
References: <4B26D775.90809@macrohmasheen.com> <4B281E4A.1050608@web.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: kvm@vger.kernel.org
To: Jan Kiszka
Return-path: 
Received: from macrohmasheen.com ([206.123.88.147]:58756 "EHLO macrohmasheen.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S935790AbZLPWHm (ORCPT ); Wed, 16 Dec 2009 17:07:42 -0500
In-Reply-To: <4B281E4A.1050608@web.de>
Sender: kvm-owner@vger.kernel.org
List-ID: 

On 12/15/2009 3:39 PM, Jan Kiszka wrote:
> Raindog wrote:
> > Hello,
> >
> > I am researching KVM as a malware analysis platform and had some
> > questions about debugging the guest OS. In my case I intend to use
> > Windows guests. So my questions are as follows:
> >
> > Questions:
> >
> > 1. What instrumentation facilities are there available?
> >
> > 2. Is it possible to extend the debugging interface so that debugging is
> > more transparent to the guest OS? I.e.: there is still a limit of 4 HW
> > breakpoints (which makes me wonder why a LIST is used for them...)
>
> In accelerated KVM mode, the x86 architecture restricts us to 4 break-
> or watchpoints that can be active at the same time. If you switch to
> emulation mode, there are no such limits. Actually, I just made use of
> this for debugging a subtle stack corruption in a guest, and I had more
> than 70 watchpoints active at the same time. It's just "slightly" slower
> than KVM...
>

Are there any advantages over stock QEMU if using KVM w/out the kernel module?
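The 4-slot limit Jan refers to comes from the x86 debug registers: DR0-DR3 hold one linear address each, and DR7 carries a local-enable bit plus a 4-bit R/W+LEN field per slot. The model below is an added illustration written for this thread, not KVM or QEMU code; the `dr_state` struct, `dr_install()` and the sample addresses are constructed for the example. It shows why a hypervisor-side breakpoint list can be longer than what the hardware can actually arm at once.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DR_COUNT 4                       /* DR0..DR3: the only address slots x86 has */

/* DR7 R/W field values (CR4.DE clear): 00 = execute, 01 = data write, 11 = data read/write */
enum dr_type { DR_EXEC = 0, DR_WRITE = 1, DR_RW = 3 };

struct dr_state {                        /* hypothetical software mirror of DR0-3 and DR7 */
    uint64_t addr[DR_COUNT];
    int used[DR_COUNT];
    uint64_t dr7;
};

static void dr_init(struct dr_state *s)
{
    memset(s, 0, sizeof(*s));
    s->dr7 = 1u << 10;                   /* DR7 bit 10 is reserved and always reads as 1 */
}

/* DR7 LEN encoding: 00 = 1 byte, 01 = 2 bytes, 11 = 4 bytes, 10 = 8 bytes (64-bit only). */
static int len_bits(int len)
{
    switch (len) { case 1: return 0; case 2: return 1; case 4: return 3; case 8: return 2; }
    return -1;                           /* unsupported length */
}

/* Arm a breakpoint/watchpoint; return its slot (0-3), or -1 if no hardware slot is free. */
static int dr_install(struct dr_state *s, uint64_t addr, enum dr_type type, int len)
{
    int lb = (type == DR_EXEC) ? 0 : len_bits(len);   /* execute breakpoints require LEN = 00 */
    if (lb < 0) return -1;
    for (int i = 0; i < DR_COUNT; i++) {
        if (s->used[i]) continue;
        s->used[i] = 1;
        s->addr[i] = addr;                             /* would be written to DRi */
        s->dr7 |= 1ull << (2 * i);                     /* Li: local enable for slot i */
        s->dr7 &= ~(0xfull << (16 + 4 * i));           /* clear R/Wi and LENi */
        s->dr7 |= (uint64_t)(((lb & 3) << 2) | (type & 3)) << (16 + 4 * i);
        return i;
    }
    return -1;                           /* all four slots busy: the fifth request cannot be armed */
}

static struct dr_state demo;             /* state shared by the demonstration helpers below */

static int demo_fill(void)               /* arm four, then attempt a fifth; returns the fifth's slot */
{
    dr_init(&demo);
    dr_install(&demo, 0x401000, DR_EXEC, 1);           /* constructed sample addresses */
    dr_install(&demo, 0x7ffe0000, DR_WRITE, 4);
    dr_install(&demo, 0x7ffe1000, DR_RW, 8);
    dr_install(&demo, 0x402000, DR_EXEC, 1);
    return dr_install(&demo, 0x403000, DR_EXEC, 1);  /* -1 */
}

static uint64_t demo_dr7(void) { return demo.dr7; }

int main(void)
{
    printf("fifth request -> slot %d, DR7 = 0x%llx\n", demo_fill(), (unsigned long long)demo_dr7());
    return 0;
}
```

Emulation mode (TCG) has no such registers to fill, which is why Jan could keep 70 watchpoints live at the cost of speed.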