All Posts

Is it possible to define a data probe for a range of addresses. In other words, GUEST_READ triggers a data probe when a particular address is read. Is it possible to define a data probe for a range of address where an event will be generated whenever a range is read or written to.

Good Day, I would like to gather statistics on memory accesses for processes under a vm, things like number of memory read, writes, time of occurence for specific processes in a VM. Does vprobe have events and mechanisms allowing me to gather this information? I am interested on gathering this data for both linux and windows. Thank you.

I noticed junk returned by curprocname() defined in linux26-32-process.emt (included in vprobe-toolkit) Following patch fixes it: $ diff -u /tmp/linux26-32-process.emt vp/linux26-32-process.emt --- /tmp/linux26-32-process.emt 2009-04-04 00:03:42.182700000 +0530 +++ vp/linux26-32-process.emt 2009-04-03 23:58:58.436700000 +0530 @@ -45,7 +45,7 @@ _pidOffset = offatret("sys_getpid"); _nameOffset = offatstrcpy("get_task_comm"); } - return RSP & 0xffffe000; + return RSP & 0xfffff000; } This is because all recent Linux kernels have 4K per-process kernel stack. $ cat /boot/config-2.6.27.19-170.2.35.fc10.i686 | grep 4KSTACKS CONFIG_4KSTACKS=y BTW, where can I find documentation for 'offatret()' and 'offatstrcpy()' used in curthrptr() ? Thanks, Nitin

1. Install WinDbg inside the guest. You will need to generate symbol files from the guest since this is the Windows version you will be hooking vprobes to. 2. Create a local or remote symbol server per Debugging Applications for Microsoft .NET and Microsoft Windows Part I, Chapter 2 and run the following command from the WinDbg folder: cscript ossyms2.0.js \\symbols\path This will take some time to complete and you should end up with a couple gigs of modules and their PDBs. 3. Run WinDbg in local kernel debugging mode on the guest and issue the following command, replacing &lt;modulename&gt; with an actual module name: x <modulename>!* 4. Save the output from WinDbg: Edit &gt; Write Window Text to File 5. Place the saved file in the guest datastore directory. 6. Stop the guest. 7. Edit the VMX file to include vprobe.enable = "TRUE" vprobe.guestSyms = "symbolFile.TXT" 8. Start the guest. 9. Issue the vprobeListProbes command to view your imported events. The attached probes.txt file contains all my events with the NT module imported. nt.txt is the file I am importing with vprobe.guestSyms. I am not sure if this will be a problem but the event names look like: GUEST:t!MiShutdownSystem* instead of GUEST:nt!MiShutdownSystem* Any insight on this? UPDATE FROM VMWARE: This looks like an issue with our internal parsing logic for windbg-style symbol text files. Try adding a "0`" (w/o the double quotes) to each of the lines and you should see the full, intact probe names. I will check this out and post my results...

I have been browsing through vix.dll 1.6.2 and I have noticed a couple of interesting functions: VixVM_GetVProbes VixVM_GetVProbesVersion VixVM_VProbeGetGlobalVars VixVM_VProbeLoad VixVM_VProbeReset etc... Would it be possible to get their signatures?