Memory Tracing in QEMU
I found that within QEMU I could trace memory events with -d trace:memory_region_ops_read, but it traces physical memory read events. I would like to trace virtual memory read events from the guest machine, or read events before they reach the MMU. This is for malware analysis, and I just need to record the order of the read and write events. Do you guys know if there is a way to trace the memory events of the guest machine or the virtual memory access?
- adespoton
Re: Memory Tracing in QEMU
The easiest way would be to use gdb or MacsBug in the guest, or even IDA Pro if you've got it (the PPC license is thrown in as a freebie).
However, if you're attempting to instrument the analysis from outside, it'll get a bit trickier.
I'm curious about the PPC-era malware analysis though; pretty much all PPC-era malware's been given a pretty thorough static and dynamic analysis already. Are you looking at historical malware, or the intersection of modern malware in a PPC/Classic environment (JavaScript, etc.)?