I intend to use Qemu to generate a memory trace for the execution of an x86 guest operating system.
According to the tcg wiki page, Qemu uses a handful of helpers to generate loads/stores to the target (guest) memory.
This list of instructions is tcg_gen_qemu_ld8s/u, tcg_gen_qemu_ld16s/u, tcg_gen_qemu_ld32s/u, tcg_gen_qemu_ld64. (We have a similar set for store instructions.)
I am trapping all calls to the above functions in the target-i386/translate.c file.
However, I am still missing loads/stores of certain instructions like:
cmp ecx, [r12+0x4]
mov r10b, [r13+0x0]
mov byte [rax+0xf0000], 0x0
mov byte [rax+rdx], 0x0
Questions:
- Can someone please point me to other load/store points (direct or indirect) that I am missing?
- Does qemu provide a single entry point function for accesses to guest memory (like guest_read()) which can be instrumented for tracing all loads from the guest memory?
- Can somebody please point me to good documentation where I can understand how qemu maintains the state of the guest memory?
Sorry, friends, for the misleading instructions in the previous mail.
cmp ecx, [r12+0x4]
mov r10b, [r13+0x0]
mov byte [rax+0xf0000], 0x0
mov byte [rax+rdx], 0x0
It seems all the above instructions are getting covered by the tcg_gen_ld/st helpers.
But now I have stumbled upon another problem:
I initially thought that all the interactions with the guest memory happen through the helper instructions in the translate.c file.
However, I found that the helper functions for some instructions, like cmpxchg8b and cmpxchg16b, are actually accessing guest memory.
So, does it mean there is more than one entry point for reading guest memory?
Can someone please explain how the ldq and stq instructions are translated to access the guest memory?