I intend to use QEMU to create a memory trace while running an x86 guest operating system.
According to the TCG wiki page, QEMU uses several helpers to generate loads / stores to target (guest) memory. The list of instructions is tcg_gen_qemu_ld8s/u, tcg_gen_qemu_ld16s/u, tcg_gen_qemu_ld32s/u, tcg_gen_qemu_ld64 (there is a similar set for store instructions). I catch all the calls to the above functions in the target-i386/translate.c file.
However, I still miss the loads / stores of some specific instructions, for example:
cmp ecx, [r12+0x4]
mov r10b, [r13+0x0]
mov byte [rax+0xf0000], 0x0
mov byte [rax+rdx], 0x0
Questions:
- Can someone point out other load / store points (direct or indirect) that I am missing?
- Does QEMU provide a single entry point for accessing guest memory (e.g. guest_read()) which can be used to track all loads from guest memory?
- Can someone point out some good documentation where I can understand how QEMU maintains guest memory state?
Sorry, friends, for the misleading instructions in the previous post.
cmp ecx, [r12+0x4]
mov r10b, [r13+0x0]
mov byte [rax+0xf0000], 0x0
mov byte [rax+rdx], 0x0
It seems that all of the above instructions are covered by tcg_gen_ld/st helpers.
But now I came across another problem:
Initially, I thought that all interactions with guest memory occur through the helper functions in the translate.c file. However, I found that the helper functions for some instructions, like cmpxchg8b and cmpxchg16b, actually access guest memory themselves.
So, does this mean that there are several entry points for reading guest memory? Can someone explain how the ldq and stq instructions are translated to access guest memory?
prathmesh.kallurkar
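An added illustration (not QEMU code and not from the poster) of the design the questions are driving at: a single guest-memory access choke point that records a trace entry for every load and store, so that accesses made from inside an instruction helper (here a cmpxchg8b-style emulation) land in the same trace as the ordinary ld/st helpers emitted by the translator. Every name here (guest_access, guest_ld8u, guest_st32, helper_cmpxchg8b, trace_log) is invented for the example, as is the flat 4 KiB guest memory and the constructed data written into it.

```c
/* Added example: a toy guest-memory model with ONE access entry point that
 * records a trace of every load and store. guest_access, the guest_ldN/stN
 * wrappers, helper_cmpxchg8b and trace_log are invented for illustration and
 * are not QEMU's API. Memory is a flat 4 KiB array holding constructed bytes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_MEM_SIZE 4096
#define TRACE_MAX 64

typedef struct {
    int is_store;     /* 1 = store, 0 = load */
    uint64_t addr;    /* guest address (offset into guest_mem) */
    unsigned size;    /* access width in bytes: 1, 2, 4 or 8 */
    uint64_t value;   /* value loaded, or value stored */
} TraceEntry;

static uint8_t guest_mem[GUEST_MEM_SIZE];
static TraceEntry trace_log[TRACE_MAX];
static int trace_len;

/* Clear guest memory and the trace before a run. */
void reset_guest(void)
{
    memset(guest_mem, 0, sizeof guest_mem);
    memset(trace_log, 0, sizeof trace_log);
    trace_len = 0;
}

/* The single choke point. Every guest access, whether emitted by the
 * translator's ld/st helpers or performed inside an instruction helper,
 * goes through here, so the trace cannot miss one. Byte-wise little-endian
 * assembly keeps the model independent of the host's byte order. */
static uint64_t guest_access(uint64_t addr, unsigned size, int is_store, uint64_t value)
{
    uint64_t mask = (size == 8) ? ~0ULL : ((1ULL << (8 * size)) - 1);
    uint64_t v = 0;

    if (size == 0 || size > 8 || addr > GUEST_MEM_SIZE - size) {
        fprintf(stderr, "guest fault: %u-byte access at %#llx\n",
                size, (unsigned long long)addr);
        return 0;
    }
    if (is_store) {
        v = value & mask;
        for (unsigned i = 0; i < size; i++)
            guest_mem[addr + i] = (uint8_t)(v >> (8 * i));
    } else {
        for (unsigned i = 0; i < size; i++)
            v |= (uint64_t)guest_mem[addr + i] << (8 * i);
    }
    if (trace_len < TRACE_MAX)
        trace_log[trace_len++] = (TraceEntry){ is_store, addr, size, v };
    return v;
}

/* Thin wrappers mirroring an ld8/16/32/64 and st8/16/32/64 helper family. */
uint64_t guest_ld8u(uint64_t a)  { return guest_access(a, 1, 0, 0); }
uint64_t guest_ld16u(uint64_t a) { return guest_access(a, 2, 0, 0); }
uint64_t guest_ld32u(uint64_t a) { return guest_access(a, 4, 0, 0); }
uint64_t guest_ld64(uint64_t a)  { return guest_access(a, 8, 0, 0); }
void guest_st8(uint64_t a, uint64_t v)  { guest_access(a, 1, 1, v); }
void guest_st16(uint64_t a, uint64_t v) { guest_access(a, 2, 1, v); }
void guest_st32(uint64_t a, uint64_t v) { guest_access(a, 4, 1, v); }
void guest_st64(uint64_t a, uint64_t v) { guest_access(a, 8, 1, v); }

/* A cmpxchg8b-style helper: compare the 8 bytes at addr with expected
 * (EDX:EAX); on a match write replacement (ECX:EBX) and set ZF. Returns the
 * value found in memory. Because it goes through guest_ld64/guest_st64, its
 * memory traffic appears in the trace even though no translator-emitted
 * ld/st was involved. */
uint64_t helper_cmpxchg8b(uint64_t addr, uint64_t expected, uint64_t replacement, int *zf)
{
    uint64_t old = guest_ld64(addr);
    if (old == expected) {
        guest_st64(addr, replacement);
        *zf = 1;
    } else {
        *zf = 0;
    }
    return old;
}

int trace_count(void) { return trace_len; }
TraceEntry trace_entry(int i) { return trace_log[i]; }

int main(void)
{
    int zf;
    reset_guest();
    guest_st32(0x10, 0x11223344u);                       /* constructed data */
    guest_ld8u(0x10);
    helper_cmpxchg8b(0x100, 0, 0xdeadbeefcafebabeULL, &zf);
    for (int i = 0; i < trace_count(); i++) {
        TraceEntry e = trace_entry(i);
        printf("%s %u bytes @ %#06llx = %#llx\n", e.is_store ? "ST" : "LD",
               e.size, (unsigned long long)e.addr, (unsigned long long)e.value);
    }
    return 0;
}
```

The design point is that the helper does not touch guest_mem directly; routing it through the same wrappers the translator uses is what makes the trace complete, which is the property the questions above are asking QEMU about.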