Memory Tracing in QEMU

About Qemu-system-ppc, a PPC Mac emulator for Windows, macOS and Linux that can run Mac OS 9.0 up to Mac OS X 10.5

Moderators: Cat_7, Ronald P. Regensburg

Post Reply
rhera
Space Cadet
Posts: 1
Joined: Fri Mar 01, 2019 4:25 am

Memory Tracing in QEMU

Post by rhera »

I found that within QEMU I could trace memory events with -d trace:memory_region_ops_read but it traces physical memory read events. I would like to trace virtual memory read events from the guest machine or read events before they reach the mmu. This is for malware analysis and just need to record the order of the read and write events. Do you guys know if there is a way to trace the memory events of the guest machine or the virtual memory access?
User avatar
adespoton
Forum All-Star
Posts: 4227
Joined: Fri Nov 27, 2009 5:11 am
Location: Emaculation.com
Contact:

Re: Memory Tracing in QEMU

Post by adespoton »

The easiest way would be to use gdb or macsbug in the guest, or even IdaPro if you've got it (the PPC license is thrown in as a freebie).

However, if you're attempting to instrument the analysis from outside, it'll get a bit trickier.

I'm curious about the PPC-era malware analysis though; pretty much all PPC-era malware's been given a pretty thorough static and dynamic analysis already. Are you looking at historical malware, or the intersection of modern malware in a PPC/Classic environment (javascript, etc.)?
Post Reply