This is an example of a plugin which instruments only specific instructions: sysenter and sysexit. When they are executed, it prints the system call id and the return code to the QEMU log.
Signed-off-by: Pavel Dovgalyuk <pavel.dovga...@ispras.ru>
---
 plugins/syscall-log/Makefile | 19 ++++++++++++++++
 plugins/syscall-log/syscall-log.c | 44 +++++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100644 plugins/syscall-log/Makefile
 create mode 100644 plugins/syscall-log/syscall-log.c
diff --git a/plugins/syscall-log/Makefile b/plugins/syscall-log/Makefile
new file mode 100644
index 0000000..1bbdf04
--- /dev/null
+++ b/plugins/syscall-log/Makefile
@@ -0,0 +1,19 @@
+CFLAGS += -I../include -fno-PIE -fPIC -O3
+LDFLAGS += -shared
+# TODO: Windows
+DSOSUF := .so
+
+NAME:= syscall-log
+BIN := $(NAME)$(DSOSUF)
+
+FILES := syscall-log.o
+
+%.o: %.c
+	$(CC) -c -o $@ $< $(CFLAGS)
+
+all: $(FILES)
+	$(CC) $(LDFLAGS) -o $(BIN) $(FILES)
+
+clean:
+	rm $(FILES)
+	rm $(BIN)
diff --git a/plugins/syscall-log/syscall-log.c b/plugins/syscall-log/syscall-log.c
new file mode 100644
index 0000000..1f5d55f
--- /dev/null
+++ b/plugins/syscall-log/syscall-log.c
@@ -0,0 +1,44 @@
+#include <stdint.h>
+#include <stdio.h>
+#include "plugins.h"
+
+bool plugin_init(const char *args)
+{
+    return true;
+}
+
+bool plugin_needs_before_insn(uint64_t pc, void *cpu)
+{
+    uint8_t code = 0;
+    if (!qemulib_read_memory(cpu, pc, &code, 1)
+        && code == 0x0f) {
+        if (qemulib_read_memory(cpu, pc + 1, &code, 1)) {
+            return false;
+        }
+        if (code == 0x34) {
+            /* sysenter */
+            return true;
+        }
+        if (code == 0x35) {
+            /* sysexit */
+            return true;
+        }
+    }
+    return false;
+}
+
+void plugin_before_insn(uint64_t pc, void *cpu)
+{
+    uint8_t code = 0;
+    uint32_t reg;
+    qemulib_read_memory(cpu, pc + 1, &code, 1);
+    /* Read EAX. There should be a header with register ids
+       or a function for reading the register by the name */
+    qemulib_read_register(cpu, (uint8_t*)®, 0);
+    /* log system calls */
+    if (code == 0x34) {
+        qemulib_log("sysenter %x\n", reg);
+    } else if (code == 0x35) {
+        qemulib_log("sysexit %x\n", reg);
+    }
+}
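Review bot: The `clean` target's two `rm` lines abort the recipe whenever the objects or the shared object are already gone, because they lack `-f`; the usual form is a single `rm -f $(FILES) $(BIN)`. `all` is also declared as depending only on the object files while producing `$(BIN)` as a side effect, so a missing or stale `$(BIN)` with up-to-date objects is not relinked; `$(BIN): $(FILES)` with `all: $(BIN)` and `.PHONY: all clean` keeps the dependency graph honest. The `-fno-PIE -fPIC -O3` choice on the first line is reasonable for a shared plugin but deserves a one-line comment saying why PIE is disabled, since the `# TODO: Windows` comment is the only explanation in the file.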
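Review bot: `plugin_before_insn` discards the return values of `qemulib_read_memory` and `qemulib_read_register`, whereas `plugin_needs_before_insn` in the same hunk treats a non-zero result from the memory read as failure; if the register read fails, `reg` is never written and `qemulib_log` prints an indeterminate value (the register line appears on the page as `(uint8_t*)®`, presumably `&reg` mangled by entity decoding). Initialise it and bail out on failure, `uint32_t reg = 0;` and `if (qemulib_read_register(cpu, (uint8_t *)&reg, 0)) { return; }`, assuming that helper follows the same non-zero-on-error convention the other callback relies on. The comment above the register read already admits the register id `0` is a guess with no header behind it; a named constant from plugins.h would be the place for it once one exists. `%x` with a `uint32_t` argument is also better spelled with `PRIx32` from `<inttypes.h>`, and `bool` is used without a visible `<stdbool.h>` include, so the code depends on plugins.h providing it.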