Thanks for pointing this out. The example is indeed broken, for a
number of reasons.
1) First, support for guest symbols via the vprobe.guestSyms vmx option
has been deprecated in Workstation 7.0. If you look in the vmware.log
file in the VM directory you'll probably see something like this:
VProbe: option vprobe.guestSyms is deprecated
VProbe: guest symbol file /home/jsimsa/vmware/Ubuntu/symbols not used
VP scripts must now specify numeric addresses. Support for symbolic
address resolution will only be provided for Emmett scripts, via the
emmett compiler. The new emmett compiler will be released on
sourceforge within the next couple of weeks.
2) Second, getgueststr is used incorrectly in this example. It has
three arguments: destination string variable, number of bytes to read,
address of the guest string. The description in the manual is correct,
but the use in the example is incorrect.
3) Third, it seems that, at least in Ubuntu 7.04, saved_command_line
is the actual address of the string, not the address of a pointer
to the string.
The correct example that fixes all the issues above looks like this:
(replace 0xc042b020 with the address for "saved_command_line" from
your symbol file):
(definteger saved_command_line 0xc042b020)
(getgueststr command_line_str 255 saved_command_line)
(printf "Linux command line (at %#x):\n%s\n" saved_command_line command_line_str)
Hope this helps. We will try to correct this example in the VProbes
Thank you for your explanation. I guess I have a more general question then. Can I use VProbes (or any other VMware product) to check if a certain function has been executed? For example, let's say that I wrote a static library that has a function foo() and there are several binaries that use foo(). I would like to log all the calls to foo(). Is there, for example, a way to check the symbol name for every function call inside the VM?
Update: I achieved partial success by using dynamic probes. But it would be really handy if the sample implementation of curprocname from the VProbes reference manual was not broken. Could you please let me know if you have a working one? (VMware Workstation 7.0) Thanks
That's correct, guest dynamic probes are the way to intercept the execution of arbitrary functions in your guest. To probe each entry to a function foo, use GUEST:.
Regarding curprocname(), the script is indeed slightly incorrect, in that offatret and offatstrcpy expect integer constant arguments, not variables or arbitrary expressions. So just write the two lines in this script that refer to "setint" as:
(setint _pidOffset (offatret 0xffffffff80096ea9))
(setint _nameOffset (offatstrcpy 0xffffffff800537a8 0xffffffff80052aa1))
where 0xffffffff80096ea9, 0xffffffff800537a8, and 0xffffffff80052aa1 are the addresses of sys_getpid, get_task_comm, and strncpy, respectively. That should be all you need to do.
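Both answers above come down to the same chore: since vprobe.guestSyms is deprecated, every address in a VP script (the saved_command_line example and the sys_getpid / get_task_comm / strncpy addresses for curprocname) has to be looked up in the guest's symbol file by hand. The following is an added example, not code from this thread or from VMware's VProbes tooling: a small Python helper that parses a System.map-style symbol file (one `address type name` line per symbol, an assumption about the file's format) and emits the corrected VP lines with numeric addresses filled in. The embedded symbol lines are constructed sample data that reuse the addresses quoted in the thread; a real symbol file from your own kernel build would replace them.

```python
# Added example (not from the VMware forum thread): resolve kernel symbol names
# from a System.map-style file and emit VP script lines with numeric addresses,
# because VP scripts can no longer rely on vprobe.guestSyms for symbol lookup.
import re
from typing import Dict

# Constructed sample in System.map format ("address type name"). The addresses
# are the ones quoted in the thread, not from any particular kernel build.
SAMPLE_SYMBOL_FILE = """\
c042b020 D saved_command_line
ffffffff80096ea9 T sys_getpid
ffffffff800537a8 T get_task_comm
ffffffff80052aa1 T strncpy
"""

_SYMBOL_LINE = re.compile(r"^\s*([0-9a-fA-F]+)\s+([A-Za-z])\s+(\S+)\s*$")


def parse_symbol_file(text: str) -> Dict[str, int]:
    """Parse System.map-style lines into a {symbol_name: address} mapping.

    Blank lines are skipped; any other line that does not match the
    'address type name' layout raises, so a wrong file is noticed early
    instead of silently yielding missing symbols.
    """
    symbols: Dict[str, int] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        match = _SYMBOL_LINE.match(line)
        if match is None:
            raise ValueError(f"unparseable symbol line {lineno}: {line!r}")
        addr, _kind, name = match.groups()
        symbols[name] = int(addr, 16)
    return symbols


def resolve(symbols: Dict[str, int], *names: str) -> Dict[str, int]:
    """Return {name: address} for the requested names, failing with a list of
    every missing symbol rather than stopping at the first one."""
    missing = [n for n in names if n not in symbols]
    if missing:
        raise KeyError(f"symbols not in symbol file: {', '.join(missing)}")
    return {n: symbols[n] for n in names}


def command_line_script(symbols: Dict[str, int]) -> str:
    """Emit the corrected 'Linux command line' VP snippet from the thread,
    with saved_command_line replaced by its numeric address."""
    addr = resolve(symbols, "saved_command_line")["saved_command_line"]
    return "\n".join([
        f"(definteger saved_command_line {addr:#x})",
        "(getgueststr command_line_str 255 saved_command_line)",
        '(printf "Linux command line (at %#x):\\n%s\\n" '
        "saved_command_line command_line_str)",
    ])


def curprocname_offset_lines(symbols: Dict[str, int]) -> str:
    """Emit the two corrected setint lines for curprocname: offatret and
    offatstrcpy take integer constants, so the addresses are inlined here."""
    a = resolve(symbols, "sys_getpid", "get_task_comm", "strncpy")
    return "\n".join([
        f"(setint _pidOffset (offatret {a['sys_getpid']:#x}))",
        f"(setint _nameOffset (offatstrcpy {a['get_task_comm']:#x} "
        f"{a['strncpy']:#x}))",
    ])


if __name__ == "__main__":
    syms = parse_symbol_file(SAMPLE_SYMBOL_FILE)
    print(command_line_script(syms))
    print(curprocname_offset_lines(syms))
```

With a real kernel, read the guest's System.map (or the output of `nm` on the vmlinux) into `parse_symbol_file` instead of the constructed sample; the helper refuses to emit a script when any required symbol is absent, which is the usual sign that the symbol file does not match the running guest kernel.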