qemu-devel

[Qemu-devel] Access to QEMU's guest physical memory


From: G Portokalidis
Subject: [Qemu-devel] Access to QEMU's guest physical memory
Date: Wed, 13 Sep 2006 12:05:25 +0200

Hello,
I have been in the process of porting Argos to Qemu 0.8.2.
In case you haven't heard of Argos, it's basically Qemu extended to
track network data entering the emulator to identify its illegal use
(exploits, etc.).

I am using the softmmu to track all accesses to physical memory to
track which memory addresses are occupied by network data.

I am trying to figure out all the possible ways guest physical memory
is accessed at runtime. Besides the softmmu, I also identified that
DMA accesses physical memory using cpu_physical_memory_rw(), in
exec.c.

Do any virtual peripherals access guest physical memory without using
the above call, or is memory altered by Qemu's dynamic translation (or
other components)?

I must be missing something, since I have noticed that when memory is
cluttered with network data (because of using IE, for example),
starting a new application reports that values used in jmp
instructions (op_jmp_T0, in op.c) come from the network, while that is
not the case.

It seems that loading a new executable into guest memory is not tracked,
and as a result a page previously used by IE is not "cleaned". Another
thought is that maybe the translation writes data to guest physical
memory, but from what I understand of Qemu, translation seems to only
touch host memory.

If any of the developers could help, it would be appreciated.
I have spent many hours going through Qemu's code without result.

Thanks in advance, and I hope this is not immediately discarded as
being too long. :-P

Cheers,
George
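The failure mode George describes (a page that once held network data is reused by a freshly loaded executable, yet jump targets read from it are still reported as network-derived) is what happens when one write path into guest physical memory bypasses the taint bookkeeping. The following is an added, self-contained illustration written for this archive page; it is not Argos code and not QEMU code. It models guest RAM as a small array with a one-byte-per-byte shadow taint map, a hooked write path `phys_write()` that stands in for a `cpu_physical_memory_rw()` write plus taint update, an unhooked `raw_write()` standing in for any component that touches guest RAM directly, and a `check_jmp_target()` check standing in for an `op_jmp_T0`-style hook. The function names, the `target_phys_addr_t` typedef, the sample packet and code bytes, and the 4 KiB guest size are all assumptions made for the example.

```c
/*
 * Added example (not Argos or QEMU code): a byte-granular taint map over a
 * tiny emulated guest physical RAM, showing why a write path that bypasses
 * the tracking hook leaves stale taint behind and produces false positives.
 *
 * Every hooked write copies the data and records the taint of its source in
 * the shadow map. Network data (as a NIC DMA would deliver it) is written
 * with taint = 1. A clean write (loader, host-side copy) is written with
 * taint = 0, which clears any stale taint. A write that bypasses the hook
 * leaves the shadow map untouched, so a jump target later read from that
 * page is still reported as network-derived.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_RAM_SIZE 4096u   /* assumed: a 4 KiB guest is enough for the example */

/* Assumed local typedef standing in for the guest physical address type. */
typedef uint32_t target_phys_addr_t;

static uint8_t guest_ram[GUEST_RAM_SIZE];
static uint8_t taint_map[GUEST_RAM_SIZE];  /* one shadow byte per guest RAM byte */

/* Bounds check shared by all accessors: 0 if [addr, addr+len) lies in RAM. */
static int out_of_range(target_phys_addr_t addr, size_t len)
{
    return addr >= GUEST_RAM_SIZE || len > GUEST_RAM_SIZE - addr;
}

/* Hooked write path: data plus taint of the source land in guest RAM. */
static int phys_write(target_phys_addr_t addr, const uint8_t *buf, size_t len, int tainted)
{
    if (out_of_range(addr, len))
        return -1;
    memcpy(guest_ram + addr, buf, len);
    memset(taint_map + addr, tainted ? 1 : 0, len); /* clean data clears stale taint */
    return 0;
}

/* Unhooked write path: guest RAM changes, the shadow map does not. */
static int raw_write(target_phys_addr_t addr, const uint8_t *buf, size_t len)
{
    if (out_of_range(addr, len))
        return -1;
    memcpy(guest_ram + addr, buf, len);   /* taint_map deliberately not updated */
    return 0;
}

/* 1 if any byte of [addr, addr+len) is marked network-derived, 0 if none, -1 if out of range. */
static int is_tainted(target_phys_addr_t addr, size_t len)
{
    if (out_of_range(addr, len))
        return -1;
    for (size_t i = 0; i < len; i++)
        if (taint_map[addr + i])
            return 1;
    return 0;
}

/* Check modelled on a jump hook: the 32-bit jump target was just loaded from 'addr'. */
static int check_jmp_target(target_phys_addr_t addr)
{
    return is_tainted(addr, 4);
}

/*
 * Scenario: a page first receives a network packet, then the guest reuses it
 * for a freshly loaded executable, then the CPU reads a jump target from it.
 * Returns the taint verdict: 0 is correct, 1 is the false positive.
 */
static int scenario(int loader_uses_hook)
{
    uint8_t packet[64], code[64];                   /* constructed sample input */
    const target_phys_addr_t page = 0x800;          /* assumed page in the tiny guest */

    memset(packet, 0x41, sizeof packet);            /* "network" bytes */
    memset(code, 0x90, sizeof code);                /* "executable" bytes */
    memset(guest_ram, 0, sizeof guest_ram);
    memset(taint_map, 0, sizeof taint_map);

    phys_write(page, packet, sizeof packet, 1);     /* 1. NIC DMA delivers the packet */

    if (loader_uses_hook)                           /* 2. loader overwrites the page */
        phys_write(page, code, sizeof code, 0);
    else
        raw_write(page, code, sizeof code);

    return check_jmp_target(page + 8);              /* 3. jump target read from the page */
}

int main(void)
{
    printf("loader through hook:  verdict=%d (expect 0, page cleaned)\n", scenario(1));
    printf("loader bypasses hook: verdict=%d (expect 1, stale taint)\n", scenario(0));
    return 0;
}
```

The point of the two runs is that the guest RAM contents are identical afterwards; only the shadow map differs. Any writer of guest physical memory that does not go through the hooked path (a DMA engine, a loader helper, a host-side copy) will produce exactly the stale-taint symptom described in the message, so the practical check is to enumerate every such writer and route it through the same bookkeeping.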
