vale...@aimale.com writes:

> All-
>
> I've produced a patch for the current QEMU HEAD, for libvmi to
> introspect QEMU/KVM VMs.
>
> Libvmi has patches for the old qemu-kvm fork, inside its source tree:
> https://github.com/libvmi/libvmi/tree/master/tools/qemu-kvm-patch
>
> This patch adds an hmp and a qmp command, "pmemaccess". When the
> command is invoked with a string argument (a filename), it will open
> a UNIX socket and spawn a listening thread.
>
> The client writes binary commands to the socket, in the form of a C
> structure:
>
> struct request {
>     uint8_t type;      // 0 quit, 1 read, 2 write, ... rest reserved
>     uint64_t address;  // address to read from OR write to
>     uint64_t length;   // number of bytes to read OR write
> };
>
> The client receives as a response either (length+1) bytes, if it is a
> read operation, or 1 byte if it is a write operation.
>
> The last byte of a read operation response indicates success (1
> success, 0 failure). The single byte returned for a write operation
> indicates the same (1 success, 0 failure).

So, if you ask to read 1 MiB, and it fails, you get back 1 MiB of garbage
followed by the "it failed" byte?

> The socket API was written by the libvmi author and it works with the
> current libvmi version. The libvmi client-side implementation is at:
>
> https://github.com/libvmi/libvmi/blob/master/libvmi/driver/kvm/kvm.c
>
> As many use KVM VMs for introspection, malware and security analysis,
> it might be worth thinking about making the pmemaccess a permanent
> hmp/qmp command, as opposed to having to produce a patch at each QEMU
> point release.

Related existing commands: memsave, pmemsave, dump-guest-memory.  Can you
explain why these won't do for your use case?

> Also, the pmemsave command's QAPI should be changed to be usable with
> 64-bit VMs
>
> in qapi-schema.json
>
> from
>
> ---
> { 'command': 'pmemsave',
>   'data': {'val': 'int', 'size': 'int', 'filename': 'str'} }
> ---
>
> to
>
> ---
> { 'command': 'pmemsave',
>   'data': {'val': 'int64', 'size': 'int64', 'filename': 'str'} }
> ---

In the QAPI schema, 'int' is actually an alias for 'int64'.  Yes, that's
confusing.

> hmp-commands.hx and qmp-commands.hx should be edited accordingly. I
> did not make the above pmemsave changes part of my patch.
>
> Let me know if you have any questions,
>
> Valerio
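As an added illustration, not Valerio's patch or libvmi's code, here is a small C model of the pmemaccess exchange described above: the request struct as quoted, a mock server answering over a constructed 64-byte stand-in for guest memory, and the client-side check that a read response really is length+1 bytes before its trailing status byte is trusted. The server's behaviour on a failed read (zero-filled data plus status 0) is an assumption, since the mail does not specify it.

```c
#include <stdint.h>
#include <string.h>
/* Request as quoted in the mail. The quoted definition is not packed, so the
 * wire layout (with padding) is whatever the compiling ABI produces; client
 * and server must be built to agree on it. */
struct request {
    uint8_t  type;     /* 0 quit, 1 read, 2 write, rest reserved */
    uint64_t address;  /* guest-physical address to read from OR write to */
    uint64_t length;   /* number of bytes to read OR write */
};

/* Constructed stand-in for guest physical memory, not QEMU state. */
#define GUEST_MEM_SIZE 64
static uint8_t guest_mem[GUEST_MEM_SIZE] = { 0xde, 0xad, 0xbe, 0xef };
static uint8_t resp_buf[GUEST_MEM_SIZE + 1];  /* scratch response buffer */

/* Model of the server side: fills resp and returns the byte count it would
 * send. Read: length data bytes then one status byte; write: one status byte.
 * Assumption (the mail leaves it open): a failed read still sends length+1
 * bytes, zero-filled, with status 0. resp must have room for length+1 bytes. */
size_t handle_request(const struct request *req, const uint8_t *wdata,
                      uint8_t *resp)
{
    int in_range = req->address < GUEST_MEM_SIZE &&
                   req->length <= GUEST_MEM_SIZE - req->address;
    switch (req->type) {
    case 1:  /* read */
        if (in_range)
            memcpy(resp, guest_mem + req->address, req->length);
        else
            memset(resp, 0, req->length);
        resp[req->length] = in_range ? 1 : 0;
        return req->length + 1;
    case 2:  /* write */
        if (in_range)
            memcpy(guest_mem + req->address, wdata, req->length);
        resp[0] = in_range ? 1 : 0;
        return 1;
    default: /* quit or reserved: nothing is sent back */
        return 0;
    }
}

/* Client side: returns the trailing status byte of a read response (1 success,
 * 0 failure), or -1 if the frame is not exactly length+1 bytes long. */
int parse_read_response(const uint8_t *resp, size_t got, uint64_t length)
{
    return got != length + 1 ? -1 : resp[length];
}
```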