[Qemu-devel] Memory Access Hooking Howto

[Qemu-devel] Memory Access Hooking Howto

[felix.matenaar@rwth-aachen]

Hi,

since some people independently asked me if I got memory access tracing
working, here is how one can do it for the archive:

I did this on a 64bit Host with a 32bit x86 Guest
Patch tcg/tcg-op.h:
tcg_gen_qemu_ld* functions are responsible to read from memory
tcg_gen_qemu_st* functions are responsible to write to memory

Arguments:
Memory access functions have the arguments (ret/arg, addr, mem_index) ,
you can ignore mem_index in this use case and use ret/arg as the value
to be read/written and addr as the address which will be accessed.

Patch target-i386/translate.c
Write your own memtrace_read/memtrace_write function in
target-i386/translate.c and use gen_helper there to translate your hook.
Call these functions from tcg/tcg-op.h

Example:

in tcg/tcg-op.h:

static inline void
tcg_gen_qemu_st8(TCGv arg, TCGv addr, int mem_index)
{
#if TARGET_LONG_BITS == 32
    tcg_gen_op3i_i32(INDEX_op_qemu_st8, arg, addr, mem_index);
#else
    tcg_gen_op4i_i32(INDEX_op_qemu_st8, TCGV_LOW(arg), TCGV_LOW(addr),
                     TCGV_HIGH(addr), mem_index);
#endif
    flx_memtrace_write(arg, addr, 8); // Custom function where the hook
will be translated
}

in target-i386/translate.c:
void flx_memtrace_write(TCGv arg, TCGv addr, uint8_t size){
     gen_helper_flx_memtrace_write(arg, addr, tcg_const_i32(size));
}

in target-i386/helper.h:
DEF_HELPER_3(flx_memtrace_write, void, i64, i64, i32)

in target-i386/op_helper.c:
void helper_flx_memtrace_write(uint64_t value, uint64_t address,
uint32_t size){
        // so sth. with the write event...
}

I hope this will help everyone which wants to do that in the future.

Regards,
    Felix