From: sebastien Josse
Date: Thu, 06 Jul 2006 18:34:14 +0200
Message-ID: <44AD3B86.20907@aql.fr>
Subject: [Qemu-devel] trigger a fault in host OS
To: qemu-devel@nongnu.org

Hello,

I'm trying to inject code into the WinXP host operating system, starting from intermediate code.

My objective is to trigger a page fault handler from the guest operating system, in such a way that I can read memory with cpu_memory_rw_debug without error.

The idea is:

1. read memory in some location.
2. if the cpu_memory_rw_debug return code != 0
   a. forge a page fault intermediate code buffer
   b. transform the intermediate code into host code with dyngen_code()
   c. execute the host code buffer
3. attempt to read memory another time

I have no problem making the intermediate code buffer:

  opc_buf[]
  opparam_buf[]

and forging a host code buffer with dyngen_code():

  code_buf[]

The problems arise when I want it to be executed by the host operating system (step 2.c).

If I use neutral instructions, like:

  opc_buf[0]=INDEX_nop;
  opc_buf[1]=INDEX_op_exit_tb;
  opc_buf[2]=INDEX_op_end;

I have no problem. But if I trigger a fault, by using INDEX_op_ldsb_kernel_, etc., then Qemu seems to enter an infinite loop.

Do you see a solution to this problem?

Thanks a lot.
Sebastien.