VMware {code} Community
visbrero
Contributor

existing examples/support code for probing user-level code?

I would like to use vprobes to perform some user-level probing. I'd be shocked if someone hasn't already done the legwork required to make this happen (aka making finding the linear address easier), but I'm having trouble finding such a thing. The closest thing I have found is dwarffrob.py in vprobe-toolkit's bin dir... it's not what's required, but it's in the same city as the ballpark.

admin
Immortal

User-level is a bit rough, but still possible.

dwarffrob.py is, tragically, a work in progress, but it's more aimed at finding structure offsets than symbol names. If you are looking for a particular user-level binary, you can harvest symbols in the guest (either via windbg.exe or /usr/bin/nm), and append the symbols in the binary to the file specified in vprobe.guestSyms.

Next, you need to make sure that you're hitting the right process. This is best achieved by setting up one of the preloads for your guest and manually checking curprocname; e.g.:

GUEST:UserLevelSym {
   if (!strcmp(curprocname(), "targetBinary")) {...}
}

You can also test curpid() if you like, etc. Unfortunately, this is all very manual. It would be nice both to automate the symbol harvesting, and to provide nicer notation for probing particular processes. There is also some difficulty with accessing linear addresses that the guest happens to have paged out: since VProbes is nervous about perturbing the state of the guest, we don't inject page faults on such accesses. So the probe fire will simply fail, leaving a warning in your vmware.log.

Thanks,

Keith

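As an added example (not code from this thread or from the vprobe-toolkit), a helper for the symbol-harvesting step Keith describes: it parses nm output from the guest, keeps only code symbols, and produces System.map-style lines to append to the file named by vprobe.guestSyms. The `address type name` line format is assumed to be what that file expects, and the sample nm output and `targetBinary` path are constructed.

```python
"""Harvest user-level code symbols from nm output for a VProbes guest-symbol file.

Assumption: the vprobe.guestSyms file takes System.map-style lines
(`<hex address> <type> <name>`), which is also the format nm prints.
"""
import re
import subprocess
from typing import List, Tuple

# One nm / System.map line: hex address, one-letter symbol type, symbol name.
# Undefined symbols ('U') have no address column and therefore do not match.
_NM_LINE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z?])\s+(\S+)$")

# Symbol types that live in the text section; 'W'/'w' are weak functions.
_CODE_TYPES = {"T", "t", "W", "w"}


def parse_nm_output(text: str) -> List[Tuple[int, str, str]]:
    """Parse nm output into (address, type, name), skipping malformed lines."""
    symbols = []
    for line in text.splitlines():
        m = _NM_LINE.match(line.strip())
        if m:
            addr, kind, name = m.groups()
            symbols.append((int(addr, 16), kind, name))
    return symbols


def code_symbols(symbols: List[Tuple[int, str, str]]) -> List[str]:
    """Keep only code symbols, sorted by address, formatted as guestSyms lines."""
    keep = sorted(s for s in symbols if s[1] in _CODE_TYPES)
    return [f"{addr:016x} {kind} {name}" for addr, kind, name in keep]


def harvest(binary_path: str) -> List[str]:
    """Run nm inside the guest on the target binary and return its code symbols.

    Note: for a PIE binary nm prints offsets from the load base, so the
    resulting addresses must be rebased before they match a linear address.
    """
    out = subprocess.run(["nm", binary_path], capture_output=True, text=True, check=True)
    return code_symbols(parse_nm_output(out.stdout))


# Constructed sample nm output for a hypothetical 'targetBinary'.
SAMPLE_NM = """\
0000000000001139 T main
0000000000001120 t handle_request
                 U printf@GLIBC_2.2.5
0000000000004010 B counter
0000000000001100 W weak_init
"""

if __name__ == "__main__":
    # Append the harvested lines to the guestSyms file (hypothetical path).
    with open("/path/to/guestSyms", "a") as f:
        f.write("\n".join(code_symbols(parse_nm_output(SAMPLE_NM))) + "\n")
```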