From: Clemens Kolbitsch
Subject: Re: [Qemu-devel] How to hook syscall in guest OS?
Date: Wed, 28 Jan 2009 09:10:56 +0100
References: <20090127233504.6299gmx1@mx040.gmx.net>
In-Reply-To: <20090127233504.6299gmx1@mx040.gmx.net>
Message-Id: <200901280910.56264.ck@iseclab.org>
Reply-To: qemu-devel@nongnu.org
List-Id: qemu-devel.nongnu.org
To: qemu-devel@nongnu.org
Cc: ricciantonio@gmail.com

> Hi all,
>
> I want to know if it is possible to intercept the syscall entry point and
> exit point for both Linux and Windows guest operating systems in Qemu from
> the host operating system. If it is possible, how can I do it?
>
> Thanks in advance for help
>
> Best Regards

Hi Antonio,

I'm not sure if there is an easier way, but back when Qemu still had TB code together with dyn_gen, it was very easy to insert a function call (i.e. a hook) into the code of the "int" and "sysenter" code blocks. Using this hook, you can use the registers, etc. to see if it was a system call.

I'm not sure how it works with the current intermediary code generation, but maybe this hint can guide you into a direction that might work ;-)

Cheers,
Clemens
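Added example, not code from the post or from QEMU: two C callbacks that hook sites at the "int" and "sysenter" translation points could call, deciding from the vector and eax whether the trap is a system call (int 0x80 or sysenter on Linux, int 0x2e or sysenter on Windows NT) and pairing each entry with its exit so the return value can be logged. The hook signature, the CR3-keyed pending table (one outstanding syscall per address space) and the sample syscall numbers are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: pairs syscall entry traps with their exits, keyed by
 * guest CR3 (one pending syscall per address space, a deliberate
 * simplification; a real hook would also key on the thread). */
#define MAX_PENDING 64
typedef struct { uint32_t cr3; uint32_t nr; int used; } pending_t;
static pending_t pending[MAX_PENDING];

void reset_pending(void) { memset(pending, 0, sizeof pending); }

/* Is this trap a system call entry? Linux uses int 0x80 and sysenter,
 * Windows NT uses int 0x2e and sysenter; eax carries the syscall number on
 * both. Other vectors (page fault, timer, ...) are not syscalls. */
int is_syscall_entry(int is_sysenter, uint8_t vector, int guest_is_windows)
{
    if (is_sysenter) return 1;
    return guest_is_windows ? vector == 0x2e : vector == 0x80;
}

/* Entry hook: 1 if recorded, 0 if not a syscall, -1 if the table is full. */
int on_trap_entry(uint32_t cr3, int is_sysenter, uint8_t vector,
                  uint32_t eax, int guest_is_windows)
{
    if (!is_syscall_entry(is_sysenter, vector, guest_is_windows)) return 0;
    for (int i = 0; i < MAX_PENDING; i++) {
        if (!pending[i].used) {
            pending[i].cr3 = cr3; pending[i].nr = eax; pending[i].used = 1;
            return 1;
        }
    }
    return -1;
}

/* Exit hook (iret/sysexit back to ring 3): matches the pending entry for this
 * address space, writes one log line and returns the syscall number, or -1
 * if nothing was pending (e.g. an iret from an interrupt, not a syscall). */
long on_trap_exit(uint32_t cr3, uint32_t eax_ret, char *log, size_t len)
{
    for (int i = 0; i < MAX_PENDING; i++) {
        if (pending[i].used && pending[i].cr3 == cr3) {
            pending[i].used = 0;
            snprintf(log, len, "cr3=%08x syscall %u returned %u",
                     (unsigned)cr3, (unsigned)pending[i].nr, (unsigned)eax_ret);
            return (long)pending[i].nr;
        }
    }
    return -1;
}
```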