[Qemu-devel] Memory Access Hooking Howto

From: address@hidden
Subject: [Qemu-devel] Memory Access Hooking Howto
Date: Mon, 04 Apr 2011 00:12:35 +0200
User-agent: Thunderbird 2.0.0.24 (X11/20101027)
Hi,
since some people independently asked me if I got memory access tracing
working, here is how one can do it for the archive:
I did this on a 64-bit host with a 32-bit x86 guest.
Patch tcg/tcg-op.h:
tcg_gen_qemu_ld* functions are responsible for reading from memory
tcg_gen_qemu_st* functions are responsible for writing to memory
Arguments:
Memory access functions have the arguments (ret/arg, addr, mem_index);
you can ignore mem_index in this use case and use ret/arg as the value
to be read/written and addr as the address which will be accessed.
Patch target-i386/translate.c
Write your own memtrace_read/memtrace_write function in
target-i386/translate.c and use gen_helper there to translate your hook.
Call these functions from tcg/tcg-op.h
Example:
in tcg/tcg-op.h:
static inline void
tcg_gen_qemu_st8(TCGv arg, TCGv addr, int mem_index)
{
#if TARGET_LONG_BITS == 32
    tcg_gen_op3i_i32(INDEX_op_qemu_st8, arg, addr, mem_index);
#else
    tcg_gen_op4i_i32(INDEX_op_qemu_st8, TCGV_LOW(arg), TCGV_LOW(addr),
                     TCGV_HIGH(addr), mem_index);
#endif
    /* Custom function where the hook will be translated; the last
     * argument is the access width in bits. */
    flx_memtrace_write(arg, addr, 8);
}
in target-i386/translate.c:
void flx_memtrace_write(TCGv arg, TCGv addr, uint8_t size)
{
    /* Emit a call to the helper at translation time; it runs on every
     * execution of the translated store. */
    gen_helper_flx_memtrace_write(arg, addr, tcg_const_i32(size));
}
in target-i386/helper.h:
DEF_HELPER_3(flx_memtrace_write, void, i64, i64, i32)
in target-i386/op_helper.c:
void helper_flx_memtrace_write(uint64_t value, uint64_t address,
                               uint32_t size)
{
    // do something with the write event...
}
I hope this will help everyone who wants to do that in the future.
Regards,
Felix
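The helper body above is left as "do something with the write event". As an added example that is not part of Felix's mail or of QEMU itself, here is one thing a defender would typically put there: a host-side consumer that keeps a ring buffer of recent (value, address, size) write events and counts every write that overlaps a watched guest range, including writes that straddle the range boundary. All names (memtrace_record, memtrace_set_watch, memtrace_overlaps, memtrace_demo) are hypothetical, the size argument is in bits as in the flx_memtrace_write(arg, addr, 8) call above, and the replayed events are constructed, not captured from a real guest.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not QEMU code: a consumer for the write events that
 * helper_flx_memtrace_write receives. Names are hypothetical. */

#define MEMTRACE_RING 64

typedef struct {
    uint64_t value;
    uint64_t address;
    uint32_t size;     /* access width in bits, as passed by the hook (8/16/32/64) */
} memtrace_event;

static memtrace_event ring[MEMTRACE_RING];
static size_t ring_head;          /* next slot to overwrite */
static uint64_t total_events;

/* Watched guest range [watch_lo, watch_hi), e.g. a page that guest code
 * should never write to. */
static uint64_t watch_lo, watch_hi;
static uint64_t watch_hits;

void memtrace_set_watch(uint64_t lo, uint64_t hi)
{
    watch_lo = lo;
    watch_hi = hi;
    watch_hits = 0;
}

/* True if an access of `size` bits at `addr` touches any byte of [lo, hi).
 * Handles accesses that straddle the boundary and an access that would
 * wrap past the top of the address space. */
bool memtrace_overlaps(uint64_t addr, uint32_t size, uint64_t lo, uint64_t hi)
{
    uint64_t bytes = size / 8;
    if (bytes == 0 || lo >= hi)
        return false;
    uint64_t last = addr + bytes - 1;     /* last byte touched */
    if (last < addr)
        last = UINT64_MAX;                /* arithmetic wrapped */
    return addr < hi && last >= lo;
}

/* What the helper body would do: record the event, flag watched-range hits. */
void memtrace_record(uint64_t value, uint64_t address, uint32_t size)
{
    ring[ring_head] = (memtrace_event){ value, address, size };
    ring_head = (ring_head + 1) % MEMTRACE_RING;
    total_events++;
    if (memtrace_overlaps(address, size, watch_lo, watch_hi))
        watch_hits++;
}

uint64_t memtrace_total(void)      { return total_events; }
uint64_t memtrace_watch_hits(void) { return watch_hits; }

/* Replay a few constructed write events against a watched range
 * [0x1000, 0x2000) and return how many of them hit it. */
uint64_t memtrace_demo(void)
{
    memtrace_set_watch(0x1000, 0x2000);
    memtrace_record(0x41,       0x0ff0, 8);   /* below the range: miss */
    memtrace_record(0xdeadbeef, 0x0ffe, 32);  /* bytes 0x0ffe..0x1001: straddles lo, hit */
    memtrace_record(0x1,        0x1800, 16);  /* fully inside: hit */
    memtrace_record(0x2,        0x1fff, 8);   /* last byte of the range: hit */
    memtrace_record(0x3,        0x2000, 64);  /* starts at hi: miss */
    return memtrace_watch_hits();
}

int main(void)
{
    uint64_t hits = memtrace_demo();
    printf("writes into watched range: %llu of %llu\n",
           (unsigned long long)hits, (unsigned long long)memtrace_total());
    return 0;
}
```

In a real build the body of memtrace_record would sit inside helper_flx_memtrace_write; keeping the overlap check in its own function makes the boundary cases (straddling stores, the top of the address space) easy to unit-test on the host without booting a guest.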