3 Replies Latest reply on Feb 5, 2010 11:30 AM by rugina

    VProbes with Workstation 7.0

    jsimsa Lurker



      I tried to run the following example of the VProbes VMware Workstation 7.0 manual:



      ;Print the saved Linux command line for 32 bit Linux.
      (defstring command_line)
      (definteger saved_command_line)
      (vprobe VMM1Hz
        (setint saved_command_line (& 0xffffffff (getguest "saved_command_line")))
        (getgueststr command_line saved_command_line)
        (printf "Linux command line (at %#x):\n%s\n" saved_command_line command_line))


      I have gathered the kernel symbols file (/proc/kallsyms) and put it in $VM_DIR/symbols.




      I have also included the following lines in $VM_DIR/Ubuntu/Ubuntu.vmx:




      vprobe.enable = "TRUE"
      vprobe.guestSyms = "$VM_DIR/symbols"




      Finally, I have added the line 'vprobe.allow = "TRUE"' to /etc/vmware/config.




      When I run the example above I get:




      vprobeLoadFile: error: guest symbols not supported
      vprobeLoadFile: 0 warnings, 1 errors
      Error: Unknown error


      When I replace "saved_command_line" with its address from the kernel symbols file, I get:




      vprobeLoadFile: error: getgueststr requires 3 args
      vprobeLoadFile: 0 warnings, 1 errors
      Error: Unknown error




      I would like to know how to solve both problems. Please let me know if you have any advice for me. Thanks!









        • 1. Re: VProbes with Workstation 7.0
          rugina Novice

          Hi Jiri,


          Thanks for pointing this out. The example is indeed broken, for a number of reasons.


          1) First, support for guest symbols via the vprobe.guestSyms vmx option has been deprecated in Workstation 7.0. If you look in the vmware.log file in the VM directory you'll probably see something like this:


          VProbe: option vprobe.guestSyms is deprecated
          VProbe: guest symbol file /home/jsimsa/vmware/Ubuntu/symbols not used


          VP scripts must now specify numeric addresses. Support for symbolic address resolution will only be provided for Emmett scripts, via the emmett compiler. The new emmett compiler will be released on sourceforge within the next couple of weeks.


          2) Second, getgueststr is used incorrectly in this example. It has three arguments: destination string variable, number of bytes to read, address of the guest string. The description in the manual is correct, but the use in the example is incorrect.


          3) Third, it seems that, at least in Ubuntu 7.04, saved_command_line is the actual address of the string, not the address of a pointer to the string.


          The correct example that fixes all the issues above looks like this (replace 0xc042b020 with the address for "saved_command_line" from your symbol file):


          (defstring command_line_str)
          (definteger saved_command_line 0xc042b020)
          (vprobe VMM1Hz
             ; getgueststr: destination string, number of bytes to read, guest address
             (getgueststr command_line_str 255 saved_command_line)
             (printf "Linux command line (at %#x):\n%s\n"
                     saved_command_line command_line_str))



          Hope this helps. We will try to correct this example in the VProbes reference manual.




          • 2. Re: VProbes with Workstation 7.0
            jsimsa Lurker

            Hello Radu,


            Thank you for your explanation. I guess I have a more general question then. Can I use VProbes (or any other VMware product) to check if a certain function has been executed? For example, let's say that I wrote a static library that has a function foo() and there are several binaries that use foo(). I would like to log all the calls to foo(). Is there, for example, a way to check a symbol name for every function call inside of the VM?







            Update: I achieved a partial success by using dynamic probes. But it would be really handy if the sample implementation of curprocname from the vprobes reference manual was not broken. Could you please let me know if you have a working one? (VMware Workstation 7.0) Thanks

            • 3. Re: VProbes with Workstation 7.0
              rugina Novice

              Hi Jiri,


              That's correct, guest dynamic probes are the way to intercept the execution of arbitrary functions in your guest. To probe each entry to a function foo, use GUEST:



              Regarding curprocname(), the script is indeed slightly incorrect, in that offatret and offatstrcpy expect integer constant arguments, not variables or arbitrary expressions. So just write the two lines in this script that refer to "setint" as:


              (setint _pidOffset (offatret 0xffffffff80096ea9))

              (setint _nameOffset (offatstrcpy 0xffffffff800537a8 0xffffffff80052aa1)))))


              where 0xffffffff80096ea9, 0xffffffff800537a8, and 0xffffffff80052aa1 are the addresses of sys_getpid, get_task_comm, and strncpy, respectively. That should be all you need to do.
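
Added example, not part of the original thread or of VMware's manual: since VP scripts must carry numeric addresses (reply 1) and offatret/offatstrcpy need integer constants (reply 3), this Python sketch resolves the needed symbols from a /proc/kallsyms-format file and renders both snippets. The function names and the sample symbol table are hypothetical; the sample is constructed from the addresses quoted in the thread.

```python
import re

# Constructed sample in /proc/kallsyms layout: address, type, name, optional [module].
# It merges the 32-bit and 64-bit addresses quoted in the thread; a real file comes from one guest.
SAMPLE_KALLSYMS = """\
c042b020 D saved_command_line
ffffffff80096ea9 T sys_getpid
ffffffff800537a8 T get_task_comm
ffffffff80052aa1 T strncpy
0000000000000000 T hidden_symbol
f8a1c000 t strncpy\t[dummy_mod]
"""
LINE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)(?:\s+\[(\S+)\])?\s*$")

def load_symbols(text):
    """Return {name: [addresses]} for core-kernel symbols; module symbols are skipped."""
    syms = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(4) is None:
            syms.setdefault(m.group(3), []).append(int(m.group(1), 16))
    return syms

def resolve(syms, name):
    """Return the single usable address for name, or raise LookupError."""
    addrs = syms.get(name, [])
    if len(addrs) != 1:
        raise LookupError(f"{name}: expected one address, found {len(addrs)}")
    if addrs[0] == 0:
        # kallsyms shows zeros when the reader is not allowed to see kernel pointers
        raise LookupError(f"{name}: address is zero, re-read kallsyms as root")
    return addrs[0]

def render_cmdline_script(syms, nbytes=255):
    """Emit the corrected command-line script from reply 1 with a numeric address."""
    addr = resolve(syms, "saved_command_line")
    return ("(defstring command_line_str)\n"
            f"(definteger saved_command_line {addr:#x})\n"
            "(vprobe VMM1Hz\n"
            f"   (getgueststr command_line_str {nbytes} saved_command_line)\n"
            '   (printf "Linux command line (at %#x):\\n%s\\n"\n'
            "           saved_command_line command_line_str))\n")

def render_curprocname_offsets(syms):
    """Emit the two setint forms from reply 3; the enclosing forms' parens are not added."""
    getpid, comm, strncpy = (resolve(syms, n) for n in ("sys_getpid", "get_task_comm", "strncpy"))
    return (f"(setint _pidOffset (offatret {getpid:#x}))\n"
            f"(setint _nameOffset (offatstrcpy {comm:#x} {strncpy:#x}))")

if __name__ == "__main__":
    table = load_symbols(SAMPLE_KALLSYMS)
    print(render_cmdline_script(table))
    print(render_curprocname_offsets(table))
```

Symbols that are missing, ambiguous, or zeroed raise LookupError instead of producing a script that would read from the wrong guest address.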