Subject: Re: [Qemu-devel] Access to QEMU's guest physical memory
From: maestro
Date: Wed, 13 Sep 2006 19:26:56 +0200
Message-Id: <1158168416.5228.6.camel@localhost.localdomain>
To: qemu-devel@nongnu.org

On Wednesday, 13.09.2006, at 12:05 +0200, G Portokalidis wrote:
> Hello,
> I have been in the process of porting Argos to Qemu 0.8.2.
> In case you haven't heard of Argos, it's basically Qemu extended to
> track network data entering the emulator to identify its illegal use
> (exploits, etc.).
>
> I am using the softmmu to track all accesses to physical memory to
> track which memory addresses are occupied by network data.
>
> I am trying to figure out all the possible ways guest physical memory
> is accessed at runtime. Besides the softmmu, I also identified that
> DMA also accesses physical memory using cpu_physical_memory_rw(), in
> exec.c.
>
> Do any virtual peripherals access guest physical memory without using
> the above call, or is memory altered by Qemu's dynamic translation (or
> other components)?
>
> I must be missing something, since I have noticed that when memory is
> cluttered with network data (because of using IE, for example),
> starting a new application reports that values used in jmp
> instructions (op_jmp_T0, in op.c) come from the network, while that is
> not the case.
>
> It seems that loading a new executable into guest memory is not tracked,
> and as a result a page previously used by IE is not "cleaned". Another
> thought is that maybe the translation writes data to guest physical
> memory, but from what I understand of Qemu, translation seems to only
> touch host memory.
>
> If any of the developers could help, it would be appreciated.
> I have spent many hours going through Qemu's code without result.
>
> Thanks in advance, and I hope this is not immediately discarded as
> being too long. :-P
>
> Cheers,
> George
>

Hello George,

I've read the ARGOS paper - good paper!

I'm not familiar with the Argos source code, but I've encountered the
situation that Windows clears pages with 8-byte (64-bit) wide st
operations consisting of all 0s (even on 32-bit Win2k), and it gave me a
lot of the same stuff you're describing above when I thought that 32-bit
Windows only does 32-bit memory writes. (I instrumented the ld/st macros
in softmmu_{header,template}.h for that purpose.)

If you find anything else, please let me know, since I'm very interested
in that.

cheers
m.