Single stepping for Linux guests


Christian Strack

May 3, 2012, 11:30:12 AM
to ether-devel
Hi all. I'm currently trying to extend Ether such that Linux HVM
guests are supported and am encountering a strange behavior during
instruction tracing. In contrast to Windows, kernel instructions under
Linux 32 begin at 0xC0000000, but while tracing the instructions of
e.g. top, the EIP stored in the VMCS (__vmread(GUEST_RIP)) is always
higher. Does anybody have any clue how I could get the correct userland EIP,
or why the VMCS EIP is always higher?

Artem Dinaburg

May 8, 2012, 6:01:33 PM
to ether...@googlegroups.com
There are a few places (maybe just one?) where the EIP is compared against 0x80000000. I am assuming you patched that to be 0xC0000000? Do you have the process name recognition code also ported? Ether will turn on the single-stepping per process based on CR3 value which it normally gets via a process name match. 

Technically, Ether should be able to work with Linux guests; during early development the original Ether guests were actually Linux VMs. 

Artem
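The two checks Artem describes, the per-process CR3 match and the EIP-against-boundary test, are easy to get subtly wrong, because the user/kernel boundary is a property of the guest kernel's configuration, not of x86. The following is an added illustration, not code from Ether or from either poster: a stand-alone classifier that applies the same two checks to a constructed trace, once with Ether's stock 0x80000000 boundary and once with 0xC0000000, so the addresses that flip between "user" and "kernel" are visible. The struct names, function names, CR3 values and EIPs are all invented for the example; 0xC0000000 is the default PAGE_OFFSET of a 32-bit Linux kernel built with the 3G/1G split, assumed here, not read from a real guest.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Boundaries above which an EIP is treated as kernel code.
 * 0x80000000 is the 2G/2G split Ether's stock check assumes (Windows default);
 * 0xC0000000 is the default PAGE_OFFSET of a 32-bit Linux kernel (3G/1G split).
 * Both are assumptions about the guest build, not hardware facts. */
#define KERNEL_BASE_2G_2G 0x80000000u
#define KERNEL_BASE_3G_1G 0xC0000000u

/* One single-step event as a hypervisor would read it from the VMCS
 * (GUEST_CR3 and GUEST_RIP). Hypothetical layout for this example. */
struct trace_event {
    uint32_t cr3;
    uint32_t eip;
};

struct trace_stats {
    size_t user;    /* traced process, EIP below the boundary */
    size_t kernel;  /* traced process, EIP at or above the boundary */
    size_t skipped; /* a different address space: CR3 did not match */
};

/* EIP test: everything at or above the boundary is kernel text. */
static int is_kernel_eip(uint32_t eip, uint32_t kernel_base)
{
    return eip >= kernel_base;
}

/* CR3 filter first (is this the process we turned single-stepping on for?),
 * then the user/kernel split. */
static struct trace_stats classify_trace(const struct trace_event *ev, size_t n,
                                         uint32_t target_cr3, uint32_t kernel_base)
{
    struct trace_stats s = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        if (ev[i].cr3 != target_cr3) {
            s.skipped++;
            continue;
        }
        if (is_kernel_eip(ev[i].eip, kernel_base))
            s.kernel++;
        else
            s.user++;
    }
    return s;
}

/* Constructed sample trace, not captured from any guest. CR3 0x01e3c000 is the
 * traced process, 0x0373a000 some other process. 0x0804xxxx is where a 32-bit
 * ELF's text usually lands; 0xB7xxxxxx is typical for shared libraries on a
 * 3G/1G kernel, and is exactly the range a 2G/2G boundary misfiles as kernel;
 * 0xC0xxxxxx is kernel text under the 3G/1G split. */
static const struct trace_event sample[] = {
    {0x01e3c000, 0x08048430},
    {0x01e3c000, 0x08048435},
    {0x01e3c000, 0xb7f2a410},
    {0x01e3c000, 0xb7f2a415},
    {0x01e3c000, 0xc0103a20},
    {0x0373a000, 0x0804a100},
    {0x01e3c000, 0xc0103a25},
};
#define SAMPLE_N (sizeof sample / sizeof sample[0])
#define TARGET_CR3 0x01e3c000u

struct trace_stats stats_with_2g_2g_boundary(void)
{
    return classify_trace(sample, SAMPLE_N, TARGET_CR3, KERNEL_BASE_2G_2G);
}

struct trace_stats stats_with_3g_1g_boundary(void)
{
    return classify_trace(sample, SAMPLE_N, TARGET_CR3, KERNEL_BASE_3G_1G);
}

int main(void)
{
    struct trace_stats w = stats_with_2g_2g_boundary();
    struct trace_stats l = stats_with_3g_1g_boundary();
    printf("boundary 0x80000000: user=%zu kernel=%zu skipped=%zu\n",
           w.user, w.kernel, w.skipped);
    printf("boundary 0xC0000000: user=%zu kernel=%zu skipped=%zu\n",
           l.user, l.kernel, l.skipped);
    return 0;
}
```

With the unpatched boundary the two library-range events are counted as kernel, so a Linux guest traced that way would look as if almost nothing ran in userland even when the EIP readings themselves are right. The boundary is a build-time choice (CONFIG_VMSPLIT_* / CONFIG_PAGE_OFFSET on 32-bit x86), so before hard-coding 0xC0000000 confirm it against the actual guest kernel, for example the address of `_text` in its System.map, rather than assuming the default.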

Christian Strack

May 8, 2012, 6:09:14 PM
to ether-devel
First of all, thank you very much for your reply. Yes, the process
name recognition is patched and the EIP comparison also. Switching to
single-stepping mode works. What remains as a problem is the fact
that, according to EIP, only kernel instructions are traced. I don't
know whether this is a Linux related problem or not. Do you have any
idea what could cause this constraint?

Christian

Artem Dinaburg

May 8, 2012, 6:20:45 PM
to ether...@googlegroups.com
Can you try a test application with a known pattern of instructions to see if the EIP reading is incorrect or if the instructions are actually wrong?

Christian Strack

May 9, 2012, 9:41:47 AM
to ether-devel
I have tested a simple "Hello World" C program with only 14
instructions. Ether never stopped returning instructions and it is
unclear if there are correct instructions between the kernel ones.
Another problem is that even this small program won't terminate with
single-stepping enabled...