
I would like to get the opcode of an i386 instruction that is executed in my QEMU guest. I found that cpu_memory_rw_debug(env, pc, buf, size, is_write); can access the memory. Yet, I don't know how much memory I have to read. In other words, what value to assign to size. I learned in this SO post that the

x86 instruction set (16, 32 or 64 bit, all variants/modes) is guaranteed to fit in 15 bytes

If I read 15 bytes each time, I need to somehow determine where the opcode ends, because most opcodes are less than 15 bytes.

I guess there must be a qemu function for this. There is probably a better qemu feature to do what I want without fiddling with opcodes lengths. Unfortunately, I couldn't find either of the two.

Am I missing something conceptually?

All hints are appreciated.

  • Determining the length of an x86 instruction is hard; you have to decode prefixes until you get to the opcode, which itself is variable length (escape bytes, and can include 3 bits from the mod/rm field for one-operand insns like `not`). The operand-size prefix changes the length of the rest of an instruction with an immediate. (`add r32, imm32` vs. `add r16, imm16`: this LCP case actually stalls the decoders in Intel hardware). IDK qemu internals, but looking for a qemu function that decodes x86 instructions sounds like a much better idea than writing one yourself. – Peter Cordes Apr 01 '16 at 11:19
  • A much better question is, what do you want to do with that information. – Jester Apr 01 '16 at 11:20
  • @Jester I would like to store all executed instructions (i.e. their opcodes) into a file. In other words, I want to create an execution instruction trace of my QEMU guest. I don't want to use the QEMU monitor because I need more information than the monitor provides. This is why I use PANDA, a qemu-based tool which provides me more info and also allows me to combine it with public qemu functions such as `cpu_memory_rw_debug()`. – langlauf.io Apr 01 '16 at 11:26
  • @PeterCordes What do you mean by 'IDK qemu internals, ...' ? IDK? You are right that looking for a corresponding qemu function is the way to go, but I could not find any. Do you have a hint for me? – langlauf.io Apr 01 '16 at 11:29
  • You will determine the instruction end only when you decode it byte by byte. Capturing the often redundant 15 bytes is the simplest way if you have sufficient memory for that. – kay27 Apr 02 '16 at 00:21
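To make the decoding steps Peter Cordes outlines concrete, here is a reduced 32-bit-mode length decoder as an added example (not code from the question, from QEMU or from PANDA): it walks the legacy prefixes, reads the opcode, sizes the ModRM/SIB/displacement group, and picks the immediate width that the 0x66 operand-size prefix changes. It only knows a handful of one-byte opcodes and returns 0 for anything else; `insn_len32` and `modrm_len` are names chosen here, and the 15-byte input buffer is the one the question already reads.

```c
#include <stddef.h>
#include <stdint.h>
/* Bytes used by a ModRM byte plus any SIB and displacement (32-bit address size assumed). */
static size_t modrm_len(const uint8_t *p)
{
    uint8_t mod = p[0] >> 6, rm = p[0] & 7;
    size_t n = 1;
    if (mod == 3) return n;                      /* register operand, no memory form */
    if (rm == 4) {                               /* SIB byte follows */
        n++;
        if (mod == 0 && (p[1] & 7) == 5) n += 4; /* SIB with no base: disp32 */
    } else if (mod == 0 && rm == 5) n += 4;      /* [disp32] */
    if (mod == 1) n += 1;                        /* disp8 */
    else if (mod == 2) n += 4;                   /* disp32 */
    return n;
}
/* Length of the 32-bit-mode instruction at buf (which must hold 15 bytes, the x86 maximum),
 * or 0 when the opcode is outside the small table this example decodes. */
size_t insn_len32(const uint8_t *buf)
{
    size_t i = 0, imm; int opsize16 = 0;
    for (; i < 14; i++) {                        /* legacy prefixes */
        uint8_t b = buf[i];
        if (b == 0x66) opsize16 = 1;             /* operand size: imm32 becomes imm16 */
        else if (b != 0x67 && b != 0xF0 && b != 0xF2 && b != 0xF3 &&
                 b != 0x26 && b != 0x2E && b != 0x36 && b != 0x3E &&
                 b != 0x64 && b != 0x65) break;
    }
    imm = opsize16 ? 2 : 4;
    uint8_t op = buf[i++];
    switch (op) {
    case 0x90: case 0xC3: return i;                      /* nop, ret */
    case 0x01: case 0x03: case 0x31: case 0x33:
    case 0x89: case 0x8B: return i + modrm_len(buf + i); /* add/xor/mov r/m forms */
    case 0x81: return i + modrm_len(buf + i) + imm;      /* grp1 r/m, imm16/32 */
    case 0x83: return i + modrm_len(buf + i) + 1;        /* grp1 r/m, imm8 */
    case 0xF7: {                                         /* grp3: ModRM reg field selects the op */
        uint8_t reg = (buf[i] >> 3) & 7;                 /* /0 test carries an imm, /2 not does not */
        return i + modrm_len(buf + i) + (reg == 0 ? imm : 0);
    }
    case 0xE8: case 0xE9: return i + imm;                /* call/jmp rel16/32 */
    case 0xEB: return i + 1;                             /* jmp rel8 */
    default:
        if (op >= 0xB8 && op <= 0xBF) return i + imm;    /* mov r, imm16/32 */
        return 0;                                        /* two-byte escapes etc. not decoded here */
    }
}
```

Every 0 return is a reminder of how much of the table is missing; for a trace you actually rely on, reuse the emulator's own decoder rather than growing this one.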
