On Wed, 2009-12-16 at 00:39 +0100, Jan Kiszka wrote:
> Raindog wrote:
> > Hello,
> >
> > I am researching KVM as a malware analysis platform and had some
> > questions about debugging the guest OS. In my case I intend to use
> > Windows guests. So my questions are as follows:
> >
> > Questions:
> >
> > 1. What instrumentation facilities are there available?
> >
> > 2. Is it possible to extend the debugging interface so that debugging is
> > more transparent to the guest OS? I.e.: there is still a limit of 4 HW
> > breakpoints (which makes me wonder why a LIST is used for them...)
>
> In accelerated KVM mode, the x86 architecture restricts us to 4 break-
> or watchpoints that can be active at the same time. If you switch to
> emulation mode, there are no such limits. Actually, I just made use of
> this for debugging a subtle stack corruption in a guest, and I had more
> than 70 watchpoints active at the same time. It's just "slightly" slower
> than KVM...
>
> >
> > 3. I'm not finding any published API for interfacing with KVM/KQEMU/QEMU
> > at a low level, for example, for writing custom tracers, etc. Is there
> > one? Or is there something similar?
>
> KVM provides tracepoints for the Linux ftrace framework, see related
> documentation of the kernel. If you extend your guest to issue certain
> events that the hypervisor sees and traces (e.g. writes to pseudo I/O
> ports), you can also trace things inside the guest that are otherwise
> invisible to the host.

You can WRITE_PORT_BUFFER_UCHAR to the com1/com2 port when you are in kernel mode.

> I once hacked up an ad-hoc tracing by means of
> hypercalls (required some kvm patching). That also worked from guest
> userspace - and revealed that even more hypercalls could be called that
> way (that's fixed in KVM now).
>
> >
> > Bugs:
> >
> > 1. I hit a bug w/ instruction logging using a RAM based temp folder. If
> > I ran w/ the following command line:
> > (Version info: QEMU PC emulator version 0.10.50 (qemu-kvm-devel-88))
> >
> > qemu-system-x86_64 -hda debian.img -enable-nesting -d in_asm
>
> -d only works in emulation mode as it relies on dynamic code translation
> (TCG). For qemu-kvm, you need to switch to emulation via -no-kvm (for
> upstream QEMU, it's the other way around).
>
> >
> > It would successfully log to the tmp log file, but obviously, KVM would
> > be disabled.
> >
> > If I use sudo, it won't log to the file. Is this a known issue?
> >
> > 2. -enable-nesting on AMD hardware using a Xen guest OS causes Xen to
> > GPF somewhere in svm_cpu_up. Is nesting supposed to work w/ Xen based
> > guests?
>
> If your host kernel or kvm-kmod is not 2.6.32 based, update first. A lot
> of nested SVM fixes went in recently. If it still fails, put Alex (Graf)
> and Joerg (Roedel) on CC.
>
> Jan
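Guest-issued events that the host captures (Jan's pseudo I/O port idea, or the WRITE_PORT_BUFFER_UCHAR-to-COM1 route above) need a small framing so the host can separate trace records from ordinary serial output and survive a corrupted byte. The code below is an added example, not code from this thread or from KVM/QEMU: a guest-side emitter and a host-side decoder for such records. The COM1 base 0x3F8, capturing with QEMU's -serial file: option, and the in-memory sink that stands in for the port write are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Record layout: MAGIC | event id | payload length | payload | XOR checksum.
 * The guest hands each record to a "sink". In a Windows kernel-mode driver the sink
 * would be WRITE_PORT_BUFFER_UCHAR((PUCHAR)0x3F8, buf, len) (COM1), captured on the
 * host with -serial file:guest.log. The in-memory sink below is a constructed stand-in. */
#define TRACE_MAGIC 0xA5
#define TRACE_MAX_PAYLOAD 64
typedef void (*trace_sink_fn)(const uint8_t *buf, size_t len, void *ctx);

static uint8_t trace_checksum(const uint8_t *b, size_t n) {
    uint8_t x = 0; for (size_t i = 0; i < n; i++) x ^= b[i]; return x;
}

/* Guest side: frame one event and push it through the sink. Returns bytes emitted, 0 if oversize. */
size_t trace_emit(uint8_t id, const void *payload, uint8_t len, trace_sink_fn sink, void *ctx) {
    if (len > TRACE_MAX_PAYLOAD) return 0;
    uint8_t rec[4 + TRACE_MAX_PAYLOAD];
    rec[0] = TRACE_MAGIC; rec[1] = id; rec[2] = len;
    memcpy(&rec[3], payload, len);
    rec[3 + len] = trace_checksum(rec, 3 + (size_t)len);
    sink(rec, 4 + (size_t)len, ctx);
    return 4 + (size_t)len;
}

/* Host side: walk a captured byte stream, skipping junk or corrupted records by
 * resyncing on MAGIC. Returns the count of valid records; *last_id gets the last one's id. */
size_t trace_decode(const uint8_t *s, size_t n, uint8_t *last_id) {
    size_t count = 0, i = 0;
    while (i + 4 <= n) {
        uint8_t len = s[i + 2];
        if (s[i] != TRACE_MAGIC || len > TRACE_MAX_PAYLOAD || i + 4 + len > n ||
            trace_checksum(&s[i], 3 + (size_t)len) != s[i + 3 + len]) { i++; continue; }
        *last_id = s[i + 1]; count++; i += 4 + (size_t)len;
    }
    return count;
}

/* Constructed in-memory sink standing in for the port write. */
typedef struct { uint8_t buf[256]; size_t used; } mem_sink;
static void mem_sink_write(const uint8_t *b, size_t len, void *ctx) {
    mem_sink *m = ctx;
    if (m->used + len <= sizeof m->buf) { memcpy(m->buf + m->used, b, len); m->used += len; }
}

/* Round trip: emit two events, corrupt the first in transit, decode. Returns (count << 8) | last id. */
int trace_demo(void) {
    mem_sink m = { {0}, 0 }; uint8_t last = 0;
    trace_emit(1, "open", 4, mem_sink_write, &m);
    trace_emit(2, "\x10\x20", 2, mem_sink_write, &m);
    m.buf[4] ^= 0xFF;                      /* simulate a corrupted byte in record 1 */
    return (int)(trace_decode(m.buf, m.used, &last) << 8) | last;
}
```

The decoder drops the damaged first record and still recovers the second, which is the behaviour you want when the serial capture also contains guest console text.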