
For a university project I have to extend a QEMU version which has been modified for fuzzing. I want to print more debug messages. This QEMU version replaces the Linux kernel function calls to kasan_report and panic with a hypercall so QEMU can handle the event.

The function which gets executed when the hypercall occurs looks like the following.

static void handle_hypercall_panic(struct kvm_run *run, CPUState *cpu)
{
    /*
     */
}

Now I want to read out the memory in QEMU. Currently I am able to access all registers from the CPUState struct and have all arguments to the function, including the pointer to the memory region where the format string lies. Now how can I access the memory region from the QEMU source code and dump the format string?

I know there are docs and I will read them if no one answers me, but to save some time it's good to ask before.

1 Answer

Use cpu_memory_rw_debug to read guest memory, for example like so:

  uint8_t str[10];
  /* last argument 0 = read (not write); returns 0 on success, non-zero if the range could not be read */
  if (cpu_memory_rw_debug(cpu, virtualAddressOfString, (uint8_t *)str, sizeof(str), 0)) {
      printf("Failed to read str!\n");
  }

This function fails if the page where the string resides is not present in memory, for example because it is in the page file. The easiest way to handle this is to access the string in your guest hypercall code to force it to be loaded into memory. If the string resides in one page, it is enough to access only the first symbol. In the case of multiple pages, you should access at least one symbol in each page.

nevilad
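The fixed 10-byte read above is enough to prove the call works, but a panic format string is longer than that, has no known length, and may straddle a page boundary, so the hypercall handler from the question needs a loop around cpu_memory_rw_debug. The following is an added example, not code from the question, the answer, or the fuzzing QEMU fork: read_guest_cstring() reads the guest string one page-bounded chunk at a time, stops at the first NUL, and reports three distinct outcomes (string found, a page was unreadable before the terminator, output buffer too small). The reader is passed in as a function pointer so the same routine runs here against a constructed stand-in for guest memory (hypothetical address FAKE_BASE, made-up kernel strings, page 1 deliberately "not present" to reproduce the failure mode the answer describes); the one-line qemu_read adapter named in the comment is the hypothetical glue that would wire it to cpu_memory_rw_debug and the CPUState inside QEMU.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUEST_PAGE_SIZE 4096ULL

/* Reader with the shape of QEMU's cpu_memory_rw_debug(cpu, addr, buf, len, 0): returns 0
 * when every byte of [addr, addr + len) was readable, non-zero otherwise. Inside QEMU the
 * adapter is one line (hypothetical name):  static int qemu_read(void *cpu, uint64_t a,
 * uint8_t *b, size_t n) { return cpu_memory_rw_debug((CPUState *)cpu, a, b, n, 0); }  */
typedef int (*guest_read_fn)(void *ctx, uint64_t addr, uint8_t *buf, size_t len);

/* Copy the NUL-terminated guest string at addr into out (capacity out_size). Each read stops
 * at a page boundary, so an unreadable page *after* the terminator cannot fail the whole read.
 * Returns the length on success, -1 if a page was unreadable before the terminator (out keeps
 * the readable prefix), -2 if out filled up before a terminator (out is truncated). */
long read_guest_cstring(guest_read_fn rd, void *ctx, uint64_t addr,
                        char *out, size_t out_size)
{
    size_t total = 0;
    if (out_size == 0) return -1;
    out[0] = '\0';
    while (total + 1 < out_size) {
        uint64_t cur = addr + total;
        size_t room = out_size - 1 - total;
        size_t to_page = (size_t)(GUEST_PAGE_SIZE - (cur & (GUEST_PAGE_SIZE - 1)));
        size_t chunk = room < to_page ? room : to_page;      /* never cross a page boundary */
        uint8_t buf[GUEST_PAGE_SIZE];
        if (rd(ctx, cur, buf, chunk) != 0) {
            out[total] = '\0';
            return -1;
        }
        uint8_t *nul = memchr(buf, 0, chunk);
        size_t n = nul ? (size_t)(nul - buf) : chunk;
        memcpy(out + total, buf, n);
        total += n;
        out[total] = '\0';
        if (nul) return (long)total;
    }
    return -2;
}

/* Constructed stand-in for guest memory (example only, not QEMU): FAKE_PAGES pages at the
 * hypothetical address FAKE_BASE, with page 1 marked not present to mimic a paged-out page. */
#define FAKE_BASE  0xffff888000100000ULL
#define FAKE_PAGES 4
struct fake_guest {
    uint8_t mem[FAKE_PAGES * GUEST_PAGE_SIZE];
    bool present[FAKE_PAGES];
};

static int fake_read(void *ctx, uint64_t addr, uint8_t *buf, size_t len)
{
    const struct fake_guest *g = ctx;
    for (size_t i = 0; i < len; i++) {
        uint64_t a = addr + i;
        if (a < FAKE_BASE || a >= FAKE_BASE + sizeof g->mem ||
            !g->present[(a - FAKE_BASE) / GUEST_PAGE_SIZE]) {
            return -1;                     /* unmapped or not present: the whole read fails */
        }
        buf[i] = g->mem[a - FAKE_BASE];
    }
    return 0;
}

static void fake_guest_init(struct fake_guest *g)
{
    memset(g, 0, sizeof *g);
    memset(g->present, 1, sizeof g->present);
    g->present[1] = false;
    /* case 0: format string entirely inside page 0 */
    strcpy((char *)g->mem + 0x100, "BUG: KASAN: use-after-free in %s at %p\n");
    /* case 1: string starting 8 bytes before the end of page 2, continuing into page 3 */
    strcpy((char *)g->mem + 3 * GUEST_PAGE_SIZE - 8, "panic: oops in %s\n");
    /* case 2: unterminated text at the end of page 0 that runs into the missing page 1 */
    memset(g->mem + GUEST_PAGE_SIZE - 4, 'A', 4);
}

char demo_out[256];   /* receives the text of the last demo_read() call */

/* Run one constructed case with a caller-chosen output capacity (capped at 256 bytes). */
long demo_read(int which, size_t out_size)
{
    static struct fake_guest g;
    static bool ready = false;
    if (!ready) { fake_guest_init(&g); ready = true; }
    uint64_t addr = which == 0 ? FAKE_BASE + 0x100
                  : which == 1 ? FAKE_BASE + 3 * GUEST_PAGE_SIZE - 8
                  :              FAKE_BASE + GUEST_PAGE_SIZE - 4;
    if (out_size > sizeof demo_out) out_size = sizeof demo_out;
    return read_guest_cstring(fake_read, &g, addr, demo_out, out_size);
}

int main(void)
{
    for (int i = 0; i < 3; i++) {
        long rc = demo_read(i, sizeof demo_out);
        printf("case %d: rc=%ld text=\"%s\"\n", i, rc, demo_out);
    }
    return 0;
}
```

Inside handle_hypercall_panic the call would be read_guest_cstring(qemu_read, cpu, fmt_ptr, out, sizeof out) with fmt_ptr taken from the guest register that carries the first argument; a -1 result is the "page not present" situation the answer describes, and the readable prefix is still in out for the debug message. The per-page chunking is what keeps that failure local: a 10-byte read that happens to cross into a missing page fails even when the terminator sits in the first byte, whereas this loop only touches a second page after it has seen that the string continues.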