
Re: [Qemu-devel] hooking interrupt


From: Mulyadi Santosa
Subject: Re: [Qemu-devel] hooking interrupt
Date: Thu, 15 May 2008 09:10:31 +0700

Hi....

On Thu, May 15, 2008 at 1:54 AM, Antonio Ricci <address@hidden> wrote:
> Hi all,
> I'm new on this list.
Same here :)

> I need to intercept system calls running in the virtual machine from the
> host system. To do it I think that it could be useful to check when the
> interrupt 0x80 is called and evaluate the value of the registers.

if it's Linux, yes. But remember, now it could be SYSENTER (Intel) or
SYSCALL (AMD) ops too.

And for your input too (sorry if you already know it), in Linux a
syscall is now done initially by jumping into the vsyscall page. So to get
a complete trace, I think you should catch a jump (not sure, maybe a long
jump) to a predefined virtual address.

> In the case of Argos I want to do this operations modifying the file
> target-i386/translate.c in order to check the registers value.

I guess so....it's the big switch table that checks the ops and then calls
the related micro ops, which were produced by dyngen (now replaced by
TCG).

Beware that it will really slow down Qemu due to the very frequent
check of conditions (interrupt number..that's EAX, right?)


> Someone suggested that I read the document explaining how to port qemu to a new
> CPU, but I can't understand how to do hooking.

IMO, hooking is nothing more than modifying the related code, either
placing a static hook or putting a call through a function pointer.
However, I prefer static patching...since I think it will produce
faster execution, as you do a direct function call, not the indirect one
that happens when you call through a pointer.

CMIIW too, people...

regards,

Mulyadi.
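As an added illustration of the check discussed in this thread (not code from the original message and not QEMU's own translator code), the following constructed C example shows the per-instruction test a static hook in a translation loop would perform: it recognises all three 32-bit Linux syscall entry mechanisms mentioned above (int 0x80, SYSENTER, SYSCALL) from their raw opcode bytes, reads the syscall number from EAX at that point, and also notes when guest EIP first lands in an assumed vsyscall page. The `on_instruction` callback, the `guest_regs` snapshot, the `VSYSCALL_BASE` address and the sample instruction trace are all assumptions made for the example; the Linux syscall numbers used (3 read, 4 write, 6 close) are the real 32-bit ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example (not QEMU code): the syscall-entry check a translator
 * hook would perform, covering the three 32-bit Linux entry mechanisms the
 * thread mentions: int 0x80, SYSENTER and SYSCALL. */

enum syscall_entry { SYS_NONE = 0, SYS_INT80, SYS_SYSENTER, SYS_SYSCALL };

/* Guest register snapshot handed to the hook; EIP is included so a jump into
 * the vsyscall page can be noticed before the trap instruction executes. */
struct guest_regs {
    uint32_t eip, eax, ebx, ecx, edx, esi, edi, ebp;
};

struct syscall_stats {
    unsigned int80_hits, sysenter_hits, syscall_hits, vsyscall_entries;
    int in_vsyscall;       /* were we already inside the vsyscall page? */
    uint32_t last_nr;      /* syscall number taken from EAX at the last entry */
};

/* Assumed location of the guest's vsyscall page (constructed value). */
#define VSYSCALL_BASE 0xffffe000u
#define VSYSCALL_SIZE 0x1000u

/* Cheap per-instruction test on the raw opcode bytes: int 0x80 is CD 80,
 * SYSENTER is 0F 34, SYSCALL is 0F 05. */
enum syscall_entry classify_entry(const uint8_t *code, size_t len)
{
    if (len < 2)
        return SYS_NONE;
    if (code[0] == 0xCD && code[1] == 0x80)
        return SYS_INT80;
    if (code[0] == 0x0F && code[1] == 0x34)
        return SYS_SYSENTER;
    if (code[0] == 0x0F && code[1] == 0x05)
        return SYS_SYSCALL;
    return SYS_NONE;
}

/* Static hook (a direct call, as preferred in the reply): runs only when an
 * entry point was actually hit, so the common path costs two byte compares. */
static void record_syscall(enum syscall_entry how, const struct guest_regs *r,
                           struct syscall_stats *st)
{
    switch (how) {
    case SYS_INT80:    st->int80_hits++;    break;
    case SYS_SYSENTER: st->sysenter_hits++; break;
    case SYS_SYSCALL:  st->syscall_hits++;  break;
    default:           return;
    }
    st->last_nr = r->eax;   /* 32-bit Linux passes the syscall number in EAX */
    printf("syscall entry via %s: nr=%u ebx=%#x ecx=%#x edx=%#x\n",
           how == SYS_INT80 ? "int 0x80" : how == SYS_SYSENTER ? "sysenter" : "syscall",
           r->eax, r->ebx, r->ecx, r->edx);
}

/* Simulated translator callback: one call per decoded guest instruction.
 * Returns 1 if the instruction was a syscall entry point, else 0. */
int on_instruction(const uint8_t *bytes, size_t len,
                   const struct guest_regs *r, struct syscall_stats *st)
{
    /* Count each transition of EIP into the vsyscall page (unsigned wrap makes
     * the range test a single subtraction and compare). */
    int now_in = (r->eip - VSYSCALL_BASE) < VSYSCALL_SIZE;
    if (now_in && !st->in_vsyscall)
        st->vsyscall_entries++;
    st->in_vsyscall = now_in;

    enum syscall_entry how = classify_entry(bytes, len);
    if (how == SYS_NONE)
        return 0;
    record_syscall(how, r, st);
    return 1;
}

/* Constructed instruction trace: write(1, buf, 12) via int 0x80, then a read
 * and a close issued from inside the vsyscall page via SYSENTER and SYSCALL. */
struct syscall_stats run_sample_trace(void)
{
    struct syscall_stats st = {0};
    struct guest_regs r = { .eip = 0x08048000u, .eax = 0, .ebx = 1, .ecx = 0x1000, .edx = 12 };
    static const uint8_t mov_eax_4[] = { 0xB8, 0x04, 0x00, 0x00, 0x00 };
    static const uint8_t int80[]     = { 0xCD, 0x80 };
    static const uint8_t nop[]       = { 0x90 };
    static const uint8_t sysenter[]  = { 0x0F, 0x34 };
    static const uint8_t sysc[]      = { 0x0F, 0x05 };

    on_instruction(mov_eax_4, sizeof mov_eax_4, &r, &st);
    r.eax = 4;                                  /* effect of the mov: write */
    on_instruction(int80, sizeof int80, &r, &st);
    on_instruction(nop, sizeof nop, &r, &st);

    r.eip = VSYSCALL_BASE + 0x400;              /* jump into the vsyscall page */
    r.eax = 3;                                  /* read */
    on_instruction(sysenter, sizeof sysenter, &r, &st);
    r.eax = 6;                                  /* close */
    on_instruction(sysc, sizeof sysc, &r, &st);
    return st;
}

int main(void)
{
    struct syscall_stats st = run_sample_trace();
    printf("int80=%u sysenter=%u syscall=%u vsyscall_entries=%u last_nr=%u\n",
           st.int80_hits, st.sysenter_hits, st.syscall_hits,
           st.vsyscall_entries, st.last_nr);
    return 0;
}
```

The opcode comparison is deliberately the only work done on the hot path; everything else lives in the hook so that the per-instruction overhead the reply warns about stays small.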
