VMware {code} Community
jsimsa
Contributor

VProbes with Workstation 7.0

Hello,

I tried to run the following example of the VProbes VMware Workstation 7.0 manual:

;Print the saved Linux command line for 32 bit Linux.
(defstring command_line)
(definteger saved_command_line)
(vprobe VMM1Hz
  (setint saved_command_line (& 0xffffffff (getguest "saved_command_line")))
  (getgueststr command_line saved_command_line)
  (printf "Linux command line (at %#x):\n%s\n" saved_command_line command_line))

I have gathered the kernel symbols file (/proc/kallsyms) and put it in $VM_DIR/symbols.

I have also included the following lines in $VM_DIR/Ubuntu/Ubuntu.vmx:

vprobe.enable = "TRUE"
vprobe.guestSyms = "$VM_DIR/symbols"

Finally, I have added the line 'vprobe.allow = "TRUE"' to /etc/vmware/config.

When I run the example above I get:

vprobeLoadFile: error: guest symbols not supported
vprobeLoadFile: 0 warnings, 1 errors
Error: Unknown error

When I replace "saved_command_line" with its address from the kernel symbols file, I get:

vprobeLoadFile: error: getgueststr requires 3 args
vprobeLoadFile: 0 warnings, 1 errors
Error: Unknown error

I would like to know how to solve both problems. Please let me know if you have any advice for me. Thanks!

Best,

--Jiri

rugina
Contributor

Hi Jiri,

Thanks for pointing this out. The example is indeed broken, for a number of reasons.

1) First, support for guest symbols via the vprobe.guestSyms vmx option has been deprecated in Workstation 7.0. If you look in the vmware.log file in the VM directory you'll probably see something like this:

VProbe: option vprobe.guestSyms is deprecated
VProbe: guest symbol file /home/jsimsa/vmware/Ubuntu/symbols not used

VP scripts must now specify numeric addresses. Support for symbolic address resolution will only be provided for Emmett scripts, via the emmett compiler. The new emmett compiler will be released on sourceforge within the next couple of weeks.

2) Second, getgueststr is used incorrectly in this example. It has three arguments: destination string variable, number of bytes to read, address of the guest string. The description in the manual is correct, but the use in the example is incorrect.

3) Third, it seems that, at least in Ubuntu 7.04, saved_command_line is the actual address of the string, not the address of a pointer to the string.

The correct example that fixes all the issues above looks like this (replace 0xc042b020 with the address for "saved_command_line" from your symbol file):

(defstring command_line_str)
(definteger saved_command_line 0xc042b020)
(vprobe VMM1Hz
  (getgueststr command_line_str 255 saved_command_line)
  (printf "Linux command line (at %#x):\n%s\n"
    saved_command_line command_line_str)
)

Hope this helps. We will try to correct this example in the VProbes reference manual.

Thanks!

Radu

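Since the reply above says VP scripts must now carry numeric addresses, the practical step is to look the symbol up in the kallsyms dump and paste the address into the script. The following helper does that lookup and renders the corrected saved_command_line script. It is an added example, not code from this thread, from VMware or from the VProbes manual; the kallsyms sample it parses is constructed and its addresses are invented, while the field order (address, type, name) and the three-argument getgueststr form are the real ones.

```python
"""Resolve kernel symbols from a /proc/kallsyms dump and emit a VP script.

Added example (not from the forum thread or the VProbes manual). With
vprobe.guestSyms deprecated in Workstation 7.0, a VP script must contain
the literal guest address of every symbol it touches. This helper parses
a kallsyms-style dump, resolves the names a script needs, and renders the
corrected saved_command_line example with the address inlined.
"""
import re

# Constructed sample of a /proc/kallsyms dump from a 32-bit guest. The
# addresses are invented for the example; a real dump has many thousands
# of lines. The zero-address entry mimics what an unprivileged read shows
# on newer kernels (kptr_restrict), which must not end up in a script.
SAMPLE_KALLSYMS = """\
c0100000 T _text
c042b020 D saved_command_line
c042b024 D boot_command_line
c0234560 T sys_getpid
c0189ab0 T get_task_comm
c0201c40 T strncpy
00000000 a irq_stack_union
"""

# kallsyms line format: <hex address> <type letter> <name> [optional module]
_KALLSYMS_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)(?:\s+\[(\S+)\])?$")


def parse_kallsyms(text):
    """Return {name: (address, type)}; the first occurrence of a name wins."""
    symbols = {}
    for line in text.splitlines():
        m = _KALLSYMS_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of failing
        addr, sym_type, name = int(m.group(1), 16), m.group(2), m.group(3)
        symbols.setdefault(name, (addr, sym_type))
    return symbols


def resolve(symbols, names):
    """Map each name to its address, refusing missing or zero addresses.

    A zero address means the dump did not expose the real location, so
    the probe would read from the wrong place in guest memory.
    """
    resolved = {}
    for name in names:
        if name not in symbols:
            raise KeyError("symbol not in kallsyms dump: %s" % name)
        addr, _ = symbols[name]
        if addr == 0:
            raise ValueError("address for %s is 0; dump kallsyms as root" % name)
        resolved[name] = addr
    return resolved


def render_command_line_script(addr, max_bytes=255):
    """Render the corrected script from the reply with the address inlined.

    getgueststr takes three arguments (destination string, byte count,
    guest address); the byte count bounds the copy out of guest memory.
    The example targets a 32-bit guest, so the address must fit 32 bits.
    """
    if not 0 <= addr <= 0xffffffff:
        raise ValueError("32-bit guest expected, got %#x" % addr)
    return "\n".join([
        ";Print the saved Linux command line for 32 bit Linux.",
        "(defstring command_line_str)",
        "(definteger saved_command_line %#x)" % addr,
        "(vprobe VMM1Hz",
        "  (getgueststr command_line_str %d saved_command_line)" % max_bytes,
        '  (printf "Linux command line (at %#x):\\n%s\\n"',
        "    saved_command_line command_line_str)",
        ")",
    ])


def build_script(kallsyms_text):
    """Parse a dump, resolve saved_command_line and return the VP script."""
    symbols = parse_kallsyms(kallsyms_text)
    addr = resolve(symbols, ["saved_command_line"])["saved_command_line"]
    return render_command_line_script(addr)


if __name__ == "__main__":
    print(build_script(SAMPLE_KALLSYMS))
```

Run it against a real dump by passing the contents of the symbols file you already collected into build_script; the emitted text is what goes into the .vp file in place of the manual's example.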
jsimsa
Contributor

Hello Radu,

Thank you for your explanation. I guess I have a more general question then. Can I use VProbes (or any other VMware product) to check if a certain function has been executed? For example, let's say that I wrote a static library that has a function foo() and there are several binaries that use foo(). I would like to log all the calls to foo(). Is there, for example, a way to check a symbol name for every function call inside of a VM?

--Jiri

Update: I achieved a partial success by using dynamic probes. But it would be really handy if the sample implementation of curprocname from the vprobes reference manual was not broken. Could you please let me know if you have a working one? (VMware Workstation 7.0) Thanks.

rugina
Contributor

Hi Jiri,

That's correct, guest dynamic probes are the way to intercept the execution of arbitrary functions in your guest. To probe each entry to a function foo, use GUEST:

.

Regarding curprocname(), the script is indeed slightly incorrect, in that offatret and offatstrcpy expect integer constant arguments, not variables or arbitrary expressions. So just write the two lines in this script that refer to "setint" as:

(setint _pidOffset (offatret 0xffffffff80096ea9))
(setint _nameOffset (offatstrcpy 0xffffffff800537a8 0xffffffff80052aa1)))))

where 0xffffffff80096ea9, 0xffffffff800537a8, and 0xffffffff80052aa1 are the addresses of sys_getpid, get_task_comm, and strncpy, respectively. That should be all you need to do.

Radu
