
[Qemu-devel] KVMonitor-like technology


From: Mike Guidry
Subject: [Qemu-devel] KVMonitor-like technology
Date: Tue, 1 Dec 2015 22:24:48 -0500

I have a project where I would like to inspect a QEMU Guest.  I came across KVMonitor and really like some of the concepts.

I'd like to use shared memory/file backed memory to read guest memory immediately using CR3 for Guest->Host memory address translation.

Has anyone had experience doing this?  I first changed qemu_try_memalign() and realized that it's for local memory allocations, usually.  I proceeded to change other functions, and came across qemu_anon_ram_alloc() which seemed to be where the larger (gigabyte) allocations were heading.  I enabled prealloc and finally began getting the allocations I wanted...

I'm curious if anyone has any other suggestions than to use shm_open() here.  I wanted to quickly hack this together and realized I cannot list shared memory regions on OSX, so I dumped them to files.  My question is:  I realize there is file-backing for 'Large TLB,' although I didn't have much success converting that function for non-TLB based file systems.  I considered doing mkramfs (with a modified kernel for larger amounts, such as when larger shared memory is necessary), and putting the file system on top.  I really haven't decided if I wanted to add another 'type' of backend, or to quickly modify one of these.

Am I missing some feature that may allow me to handle this quickly?  I even considered using LD_PRELOAD to quickly hijack and enable all memory under shared memory for reading guest VM memory from another process.  I just have to ensure I have the CR3 context at all times of the particular process I'd like to read.

Thanks,
Mike
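As an added example (not Mike's code and not QEMU's), this is the CR3-driven guest-virtual to guest-physical walk that an introspection tool of the kind described above would run over the mapped guest RAM, covering the 2 MiB/1 GiB large-page and not-present cases. It assumes a 64-bit guest using 4-level paging and replaces the mmap'ed backing file with a small constructed buffer whose offset 0 is guest-physical address 0; on a real machine type the RAM backing may not be one flat region, so a gpa-to-file-offset mapping would belong in read_gpa64().

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PTE_PRESENT   1ULL
#define PTE_PS        (1ULL << 7)             /* large-page bit in a PDPTE or PDE */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL  /* bits 12..51: next-level table or page */

/* Constructed stand-in for the file-backed guest RAM (64 KiB, hypothetical). */
static uint8_t guest_ram[16 * 4096];

/* Read one 64-bit entry at a guest-physical address; out-of-range reads fail closed. */
static int read_gpa64(uint64_t gpa, uint64_t *out) {
    if (gpa > sizeof guest_ram - 8) return 0;
    memcpy(out, guest_ram + gpa, 8);
    return 1;
}

static void write_gpa64(uint64_t gpa, uint64_t v) { memcpy(guest_ram + gpa, &v, 8); }

/* 4-level walk from CR3. Returns 1 and sets *gpa, or 0 if any level is absent. */
int gva_to_gpa(uint64_t cr3, uint64_t gva, uint64_t *gpa) {
    static const int shift[4] = {39, 30, 21, 12};   /* PML4, PDPT, PD, PT index bits */
    uint64_t table = cr3 & PTE_ADDR_MASK, entry;    /* drop PCD/PWT/PCID bits of CR3 */
    for (int level = 0; level < 4; level++) {
        uint64_t idx = (gva >> shift[level]) & 0x1FF;
        if (!read_gpa64(table + idx * 8, &entry) || !(entry & PTE_PRESENT)) return 0;
        if ((level == 1 || level == 2) && (entry & PTE_PS)) {   /* 1 GiB or 2 MiB page */
            uint64_t off = (1ULL << shift[level]) - 1;
            *gpa = (entry & PTE_ADDR_MASK & ~off) | (gva & off);
            return 1;
        }
        table = entry & PTE_ADDR_MASK;
    }
    *gpa = table | (gva & 0xFFF);
    return 1;
}

/* Build constructed tables: PML4 @0x1000, PDPT @0x2000, PD @0x3000, PT @0x4000.
 * gva 0x400000 -> 4 KiB page at gpa 0x5000; gva 0x200000.. -> 2 MiB page at gpa 0.
 * Returns the CR3 value a guest using these tables would hold. */
uint64_t build_sample_tables(void) {
    memset(guest_ram, 0, sizeof guest_ram);
    write_gpa64(0x1000 + 0 * 8, 0x2000 | PTE_PRESENT);            /* PML4[0] */
    write_gpa64(0x2000 + 0 * 8, 0x3000 | PTE_PRESENT);            /* PDPT[0] */
    write_gpa64(0x3000 + 1 * 8, 0x0 | PTE_PS | PTE_PRESENT);      /* PD[1]: 2 MiB page */
    write_gpa64(0x3000 + 2 * 8, 0x4000 | PTE_PRESENT);            /* PD[2] -> PT */
    write_gpa64(0x4000 + 0 * 8, 0x5000 | PTE_PRESENT);            /* PT[0] -> gpa 0x5000 */
    strcpy((char *)guest_ram + 0x5000, "guest secret");           /* constructed data page */
    return 0x1000;
}
```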
