Forwarding to list as I replied to only Yan =(

-------- Original Message --------
Subject: Re: debugging/instrumenting windows guests + some bugs
Date: Tue, 15 Dec 2009 11:55:15 -0800
From: Raindog <raindog@xxxxxxxxxxxxxxxxx>
To: Yan Vugenfirer <yvugenfi@xxxxxxxxxx>

On 12/15/2009 7:29 AM, Yan Vugenfirer wrote:
> -----Original Message-----
> From: kvm-owner@xxxxxxxxxxxxxxx [mailto:kvm-owner@xxxxxxxxxxxxxxx] On Behalf Of Raindog
> Sent: Tuesday, December 15, 2009 2:25 AM
> To: kvm@xxxxxxxxxxxxxxx
> Subject: debugging windows guests
>
> Hello,
>
> I am researching KVM as a malware analysis platform and had some questions about debugging the guest OS. In my case I intend to use Windows guests. So my questions are as follows:
>
> Questions:
>
> 1. What instrumentation facilities are there available?

[YV] http://www.linux-kvm.org/page/WindowsGuestDrivers/GuestDebugging

>
> 2. Is it possible to extend the debugging interface so that debugging is more transparent to the guest OS? I.e. there is still a limit of 4 HW breakpoints (which makes me wonder why a LIST is used for them...)
>
> 3. I'm not finding any published API for interfacing with KVM/KQEMU/QEMU at a low level, for example, for writing custom tracers, etc. Is there one? Or is there something similar?
>
> Bugs:
>
> 1. I hit a bug w/ instruction logging using a RAM based temp folder. If I ran w/ the following command line:
> (Version info: QEMU PC emulator version 0.10.50 (qemu-kvm-devel-88))
>
> qemu-system-x86_64 -hda debian.img -enable-nesting -d in_asm
>
> It would successfully log to the tmp log file, but obviously, KVM would be disabled.
>
> If I use sudo, it won't log to the file. Is this a known issue?
>
> 2. -enable-nesting on AMD hardware using a Xen guest OS causes Xen to GPF somewhere in svm_cpu_up. Is nesting supposed to work w/ Xen based guests?
Thanks for the response; however, that is not quite what I am looking for. Hooking up a kernel debugger requires handling the majority of anti-debugging tricks that malware and packers use. Something like this is more akin to what I am looking for, but applied to KVM: http://www.pintool.org/tutorials/asplos08/slides/PinTutorial.pdf