
It would be arbitrary; I am trying to characterize memory access behavior of a process or an OS ultimately. I am not too concerned with the overhead this might add to the application as I would only do this for profiling purposes. I want to determine location/frequency of memory accesses. Moussa.
Hi, is it possible to define a data probe for a range of addresses? In other words, GUEST_READ triggers a data probe when a particular address is read. Is it possible to define a data probe for a range of addresses where an event will be generated whenever the range is read or written to?

Currently the GUEST_{READ, WRITE} data probes only allow the user to specify a single linear address (LA). How large of an LA range do you want to probe?
Hi, I was able to confirm that vprobe does indeed work in Fusion 2.0. I am only getting 42 probes for an Ubuntu 8.10 virtual machine. I was expecting to see many more probes available; am I missing something?

The probe listing you are seeing represents the list of static probes provided by our software stack (e.g., Guest_PF, Guest_IRQ, etc.). My assumption is that you are looking for the dynamic guest probes, which are only available if you provide a guest symbol file to the VM before boot. You can find the full details about loading guest symbol files in the "Getting Started with VProbes" section of the Workstation 6.5 VProbes Programming Manual (see http://www.vmware.com/pdf/ws65_vprobes_reference.pdf). For posterity's sake, here is the brief set of steps to get things working for Linux guests:
1. Create a guest symbol file by running 'cat /proc/kallsyms > <symbolFileName>' within the Linux guest.
2. Copy this guest symbol file from the guest to the host.
3. Add the following line to the VM configuration (.vmx) file before booting the VM: vprobe.guestSyms = "<path_to_symbolFileName>".
Let us know if you hit any road blocks when trying these steps. Thanks!
Hi, looking at the vprobes programmer's reference, there is mention of enabling fusion via /Library.... I assume this means that Fusion 2.0 has full vprobes support.

VProbes is not supported in the Fusion product. We (the VProbes team) are working to change the support status in future Fusion releases. Having said that, the VProbes code is in the Fusion product by virtue of being shared amongst the VMware products. Thus, from the technical perspective you should hit no major hurdles when trying to use VProbes in your Fusion 2.0 build.
I was able to confirm that vprobe does indeed work in Fusion 2.0. I am only getting 42 probes for an Ubuntu 8.10 virtual machine. I was expecting to see many more probes available; am I missing something?
Is it possible to define a data probe for a range of addresses? In other words, GUEST_READ triggers a data probe when a particular address is read. Is it possible to define a data probe for a range of addresses where an event will be generated whenever the range is read or written to?
Looking at the vprobes programmer's reference, there is mention of enabling fusion via /Library.... I assume this means that Fusion 2.0 has full vprobes support.
Good day, I would like to gather statistics on memory accesses for processes under a VM, things like the number of memory reads and writes and the time of occurrence for specific processes in a VM. Does vprobe have events and mechanisms allowing me to gather this information? I am interested in gathering this data for both Linux and Windows. Thank you.
I noticed junk returned by curprocname() defined in linux26-32-process.emt (included in vprobe-toolkit). The following patch fixes it:
$ diff -u /tmp/linux26-32-process.emt vp/linux26-32-process.emt
--- /tmp/linux26-32-process.emt 2009-04-04 00:03:42.182700000 +0530
+++ vp/linux26-32-process.emt 2009-04-03 23:58:58.436700000 +0530
@@ -45,7 +45,7 @@
 _pidOffset = offatret("sys_getpid");
 _nameOffset = offatstrcpy("get_task_comm");
 }
- return RSP & 0xffffe000;
+ return RSP & 0xfffff000;
 }
This is because all recent Linux kernels have a 4K per-process kernel stack.
$ cat /boot/config-2.6.27.19-170.2.35.fc10.i686 | grep 4KSTACKS
CONFIG_4KSTACKS=y
BTW, where can I find documentation for 'offatret()' and 'offatstrcpy()' used in curthrptr()? Thanks, Nitin
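Review bot: the hunk swaps one hard-coded stack mask for another, and the new `return RSP & 0xfffff000;` is only right for a guest built with CONFIG_4KSTACKS; a 32-bit kernel built without it keeps 8 KiB stacks, which is what the old `return RSP & 0xffffe000;` was masking for, so on such a guest the new mask lands 4 KiB above the stack base whenever RSP is in the upper half and curprocname() returns junk again, just on different kernels. Suggest not hard-coding either constant: express the mask as ~(THREAD_SIZE - 1) with THREAD_SIZE set per guest next to `_pidOffset` and `_nameOffset` in the same initialisation block, and put a comment on the return line stating which stack size it assumes.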
Looks like this error is harmless (though I'm still not sure what it means). Sample vp script:
vmrun vprobeLoad Fedora10.vmx '(vprobe VMM1Hz (printf "hworld!\n"))'
keeps printing this message in vprobe.out (in the VM directory) until you issue:
vmrun vprobeReset Fedora10.vmx
No change here. I'm not sure what the purpose of this call is as it pertains to vprobes... Maybe it's just an exception when the memory was paged out???
Did it work? I disabled NX on my system and am still getting the same error. Maybe it's due to some other problem??
Most excellent find.
I just got this same error when running:
vmrun vprobeLoad Fedora10.vmx '(vprobe VMM1Hz (printf "hworld!\n"))'
on a Vista 32-bit host. vmware.log shows:
Mar 20 06:11:46.117: vcpu-0| VirtualProtect Host_MemProtect(0x2580000,0x4000) returns 0x57
Mar 20 06:11:46.117: vcpu-0| VProbe: Loading VP script
Mar 20 06:11:46.170: vcpu-0| VirtualProtect Host_MemProtect(0x2580000,0x4000) returns 0x57
Mar 20 06:11:46.260: vmx| SOCKET 3 (1240) recv error 10054: An existing connection was forcibly closed by the remote host
I see that VirtualProtect() is used to set protection flags for a region of memory: http://msdn.microsoft.com/en-us/library/aa366898(VS.85).aspx
This function is returning 0x57, which according to http://msdn.microsoft.com/en-us/library/ms681382(VS.85).aspx means:
ERROR_INVALID_PARAMETER 87 (0x57) - The parameter is incorrect.
Hmm... seems like vprobes is using some combination of protection flags which is not legal -- one such possibility is trying to set ReadWriteExec on hardware with the NX (no-execute) feature enabled. Try disabling the NX feature in the BIOS (Intel calls this "XD"). I will post the result if I try this.
1. Install WinDbg inside the guest. You will need to generate symbol files from the guest since this is the Windows version you will be hooking vprobes to.
2. Create a local or remote symbol server per Debugging Applications for Microsoft .NET and Microsoft Windows Part I, Chapter 2 and run the following command from the WinDbg folder:
cscript ossyms2.0.js \\symbols\path
This will take some time to complete and you should end up with a couple gigs of modules and their PDBs.
3. Run WinDbg in local kernel debugging mode on the guest and issue the following command, replacing <modulename> with an actual module name:
x <modulename>!*
4. Save the output from WinDbg: Edit > Write Window Text to File
5. Place the saved file in the guest datastore directory.
6. Stop the guest.
7. Edit the VMX file to include
vprobe.enable = "TRUE"
vprobe.guestSyms = "symbolFile.TXT"
8. Start the guest.
9. Issue the vprobeListProbes command to view your imported events.
The attached probes.txt file contains all my events with the NT module imported. nt.txt is the file I am importing with vprobe.guestSyms. I am not sure if this will be a problem, but the event names look like:
GUEST:t!MiShutdownSystem*
instead of
GUEST:nt!MiShutdownSystem*
Any insight on this?
UPDATE FROM VMWARE: This looks like an issue with our internal parsing logic for windbg-style symbol text files. Try adding a "0`" (w/o the double quotes) to each of the lines and you should see the full, intact probe names.
I will check this out and post my results...
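The two symbol-file procedures in this thread (the Linux /proc/kallsyms steps from the VMware reply above and the WinDbg steps in this post) share the same last step, editing the .vmx, so here they are together as one added shell example. This is not VMware's code and not code from anyone in this thread. Assumptions: the function names (linux_syms_check, windbg_to_vprobe_syms, windbg_syms_check, vmx_set_key, vmx_get_key, vmx_wire_syms) are mine; VMware's "add a 0`" hint is taken to mean prefixing the 32-bit address at the start of each WinDbg line so it looks like the hi`lo address form WinDbg prints on x64 (if the probe names still come out truncated, the prefix belongs elsewhere and that one sed line is what to change); the VM is powered off when the .vmx is edited. The paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not VMware's code, not code from this thread): prepare a
# VProbes guest symbol file for a Linux or a Windows guest and wire it into
# the VM's .vmx. Function names and the "0`" placement are assumptions.
set -eu

# Linux guest: the symbol file is a copy of /proc/kallsyms (cat it in the
# guest, copy the file to the host). Reject a file in which every address is
# zero: that is what an unprivileged read returns on kernels that hide kernel
# pointers (kptr_restrict >= 1), and VProbes would have nothing to resolve
# dynamic GUEST:<symbol> probes against.
linux_syms_check() {   # linux_syms_check FILE  -> 0 if usable, 1 otherwise
    total=$(grep -cE '^[0-9a-fA-F]+ [A-Za-z] [^ ]+' "$1" || true)
    nonzero=$(grep -cE '^[0-9a-fA-F]*[1-9a-fA-F][0-9a-fA-F]* [A-Za-z] [^ ]+' "$1" || true)
    [ "${total:-0}" -gt 0 ] && [ "${nonzero:-0}" -gt 0 ] && return 0
    return 1
}

# Windows guest: the file is WinDbg's "x <module>!*" output. ASSUMPTION about
# VMware's "add a 0`" hint: the 32-bit address at the start of each line is
# rewritten to the hi`lo form WinDbg prints on x64, i.e.
#   80501234 nt!MiShutdownSystem = <no type information>
# becomes
#   0`80501234 nt!MiShutdownSystem = <no type information>
# Lines that do not start with a bare 8-hex-digit address followed by a
# module!symbol token (already converted, blank, WinDbg banner text) pass
# through unchanged.
windbg_to_vprobe_syms() {   # stdin -> stdout
    sed -E 's/^([0-9a-fA-F]{8}) ([^ ]+!)/0`\1 \2/'
}

# 0 if the converted file has no unconverted 32-bit lines left and at least
# one module!symbol line with a hi`lo address, so the probe names keep their
# module prefix (the "GUEST:t!..." instead of "GUEST:nt!..." symptom above).
windbg_syms_check() {   # windbg_syms_check FILE
    grep -qE '^[0-9a-fA-F]{8} [^ ]+!' "$1" && return 1
    grep -qE '^[0-9a-fA-F]+`[0-9a-fA-F]{8} [^ ]+![^ ]+' "$1" && return 0
    return 1
}

# Set KEY = "VALUE" in a .vmx, dropping any existing line for KEY first so
# that re-running never leaves two definitions of vprobe.guestSyms behind.
vmx_set_key() {   # vmx_set_key VMX KEY VALUE
    file=$1 key=$2 val=$3
    grep -v "^$key[[:space:]]*=" "$file" > "$file.tmp" || true
    printf '%s = "%s"\n' "$key" "$val" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

vmx_get_key() {   # vmx_get_key VMX KEY -> prints the value without quotes
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\(.*\)\"/\1/p" "$1"
}

# Point the VM at the symbol file. VProbes reads vprobe.guestSyms at boot,
# so the VM has to be powered off before this runs (steps 6 to 8 above).
vmx_wire_syms() {   # vmx_wire_syms VMX SYMFILE
    vmx_set_key "$1" vprobe.enable TRUE
    vmx_set_key "$1" vprobe.guestSyms "$2"
}

# Usage (paths are placeholders):
#   Linux:    linux_syms_check guest.kallsyms && vmx_wire_syms Ubuntu.vmx /vms/guest.kallsyms
#   Windows:  windbg_to_vprobe_syms < nt.txt > nt.syms \
#               && windbg_syms_check nt.syms && vmx_wire_syms Vista.vmx /vms/nt.syms
```

After the VM boots, vprobeListProbes should show the dynamic GUEST: probes with the full module prefix; if it does not, diff the converted file against the original nt.txt to see exactly what the one sed substitution changed.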
I'm getting a bunch of these in the log file running vprobes per my Windows implementation...
Mar 04 16:25:29.339: vcpu-0| VirtualProtect Host_MemProtect(0x1a40000,0x4000) returns 0x57
Mar 04 16:25:29.339: vcpu-0| VProbe: Loading VP script
Mar 04 16:25:29.354: vcpu-0| VProbes VP version 0.2
Mar 04 16:25:29.354: vcpu-0| VirtualProtect Host_MemProtect(0x1a40000,0x4000) returns 0x57
Mar 04 16:25:29.370: vmx| SOCKET 24 (1312) recv error 10054: An existing connection was forcibly closed by the remote host
What is the key combination to get Vmware to revert to the non-fullscreen display of WinXP (very basic question but I did not see the answer when it flashed past)
I have been browsing through vix.dll 1.6.2 and I have noticed a couple of interesting functions:
VixVM_GetVProbes
VixVM_GetVProbesVersion
VixVM_VProbeGetGlobalVars
VixVM_VProbeLoad
VixVM_VProbeReset
etc... Would it be possible to get their signatures?
Sounds pretty cool. Keep us updated.
It is more of a learning exercise than anything, but the current idea is to monitor the VM for process launches. We are going to try to monitor for malware introduced through external media (thumb drives, cd, etc.). If it is found an action will be taken... possibly a destroy and revert to snapshot action. Might work, might not.