[Lguest] probing the guest os kernel code ?

[Masami Hiramatsu]

Rusty Russell wrote:
> On Wed, 25 Nov 2009 06:01:04 pm dylan wrote:
>> I want to collect informations about guest os,so i probing the guest os 
>> code using kprobe.
>> First, I run a guest os(linux-2.6.31) using lguest, and insmod the 
>> fellow module--the code is as follows.
>>
>> @%@%> insmod /home/lguest_kprobe_example.ko
>> [ 11.592410] Planted kprobe at c0163430
>>
>> Results is right above,but when I run command "dmeg" to view the print 
>> information,the results are fellows:
>>
>> @%@%> dmesg
>> [ 85.056197] pre_handler1: p->addr = 0xc0163430, ip = c0163431, flags = 
>> 0x286
>> [ 85.056249] pre_handler2: p->symbol_name=do_fork, p->opcode=85
>> lguest: Bad address 0xc3a37c34
> 
> I'm not surprised.  We don't let the guest set debug registers or such.  No
> doubt the breakpoint instruction jumps to hyperspace.
> 
> I've cc'd some kprobes people, in case they want to add debug register
> support to lguest :)

Hi,

I saw the test code;
http://lists.ozlabs.org/pipermail/lguest/2009-November/001594.html

Hmm, it seems like to fail single stepping out of line.
- Does lguest support execution code on data buffer which is
  allocated via module_alloc?
- Does lguest support single-stepping (trap flag on eflags)?

To ensure that (failing on single stepping), please add below
line to the test code.

static int __init kprobe_init(void)
{
	int ret;
	kp.pre_handler = handler_pre;
	kp.post_handler = handler_post;
	kp.fault_handler = handler_fault;

	ret = register_kprobe(&kp);
	if (ret < 0) {
		printk(KERN_INFO "register_kprobe failed, returned %d\n", ret);
		return ret;
	}
	printk(KERN_INFO "Planted kprobe at %p\n", kp.addr);
+ 	printk(KERN_INFO "kprobe's ssol buffer: %p", kp.ainsn.insn);
	return 0;
}

If the ssol buffer address is same as bad address, lguest
might not support code execution on the buffer.

Thank you,

-- 
Masami Hiramatsu

Software Engineer
Hitachi Computer Products (America), Inc.
Software Solutions Division

e-mail: mhiramat at redhat.com