Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3,392 changed files
with
1,096,146 additions
and
2 deletions.
The diff you're trying to view is too large. We only load the first 3000 changed files.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| *.d | ||
| *.o | ||
| *.pyc | ||
| *-timestamp | ||
| config*.mak | ||
| src/config-host.h | ||
| src/config.log | ||
| src/i386-softmmu | ||
| src/i386-linux-user | ||
| src/libqemu*.a | ||
| src/linux-headers/asm | ||
| src/pc-bios/optionrom/*.bin | ||
| src/pc-bios/optionrom/*.img | ||
| src/pc-bios/optionrom/*.raw | ||
| src/pixman/test/a1-trap-test | ||
| src/pixman/test/alphamap | ||
| src/qapi-types.* | ||
| src/qapi-visit.* | ||
| src/qemu-bridge-helper | ||
| src/qemu-ga | ||
| src/qemu-img | ||
| src/qemu-img-cmds.h | ||
| src/qemu-io | ||
| src/qemu-nbd | ||
| src/qemu-options.def | ||
| src/qtrace/libqtrace.so | ||
| src/qtrace/pb/syscall.pb.* | ||
| src/qtrace/tests/gtest_main.a | ||
| src/qtrace/tests/*_unittest | ||
| src/qga/qapi-generated | ||
| src/qmp-commands.h | ||
| src/qmp-marshal.c | ||
| src/trace/generated-events.* | ||
| src/trace/generated-tracers.* | ||
| tools/trace/syscall_pb2.py |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,125 @@ | ||
| qtrace | ||
| ====== | ||
| Introduction | ||
| ============ | ||
|
|
||
| QTrace is a "zero knowledge" system call tracer, based on | ||
| [QEMU](http://www.qemu.org). Its main characteristic is that system call | ||
| arguments are dumped without the need to instruct the tracer about their | ||
| structure. | ||
|
|
||
| As an example, QTrace can be used to easily dump `win32k.sys` graphical system | ||
| calls (as well as undocumented ones) despite the intricacies in their arguments | ||
| (and the lack of official documentation). | ||
|
|
||
| Additionally, QTrace includes a dynamic taint-tracking module, used to | ||
| (dynamically) track dependencies between system calls (e.g., one of the output | ||
| arguments of system call A is eventually used as an input argument for system | ||
| call B). | ||
|
|
||
| Traced system calls are serialized to a | ||
| [Protocol Buffer](https://developers.google.com/protocol-buffers/) stream and | ||
| can then be parsed off-line. QTrace includes some basic Python post-processing | ||
| tools. | ||
|
|
||
| The whole infrastructure is mainly targeted to Windows systems, but can be | ||
| extended to support other OSes as well. | ||
|
|
||
| Status | ||
| ------ | ||
|
|
||
| QTrace is still under development, so get ready to find lots of bugs :-) | ||
|
|
||
| Usage | ||
| ===== | ||
|
|
||
| Compilation | ||
| ----------- | ||
|
|
||
| To compile QTrace just use the following commands: | ||
| ./qtrace/configure.sh | ||
| make | ||
|
|
||
| To avoid too many compile-time dependencies, the `qtrace/configure.sh` script | ||
| compiles QEMU with VNC support only (i.e., no SDL support). Thus, after | ||
| QEMU/QTrace is executed, you need a VNC client to connect to the guest. | ||
|
|
||
| Remember to also add the `qtrace` directory to your library path, as QEMU main | ||
| executable must be able to load `libqtrace.so`: | ||
|
|
||
| export LD_LIBRARY_PATH=$(pwd)/qtrace | ||
|
|
||
| QTrace verbosity level can be adjusted by changing the `LOG_LEVEL` macro | ||
| defined in `qtrace/logging.h`. | ||
|
|
||
| QEMU options | ||
| ------------ | ||
|
|
||
| QTrace adds the following command-line options to QEMU: | ||
|
|
||
| - `qtrace-trace-disabled` Start emulation with syscall tracing disabled. | ||
| - `qtrace-taint-disabled` Start emulation with taint-tracking disabled. | ||
| - `qtrace-log FILE` Log QTrace messages to `FILE`. | ||
| - `qtrace-profile PROFILE` Select which guest OS profile to use. | ||
| - `qtrace-trace FILE` Serialize syscalls to `FILE`. | ||
| - `qtrace-syscalls FILTER` Comma-separated list of syscall names to process. | ||
| - `qtrace-process NAME` Trace only guest process with name `NAME`. | ||
| - `qtrace-foreign` Enable foreign pointers tracking. | ||
|
|
||
| Additionally, QTrace provides some QEMU monitor commands that can be used to | ||
| enable/disable syscall tracing and taint-tracking at run-time. | ||
|
|
||
| Usage example | ||
| ------------- | ||
|
|
||
| The following command line starts a Windows 7 SP0 image with syscall tracing | ||
| and taint-tracking enabled since the very beginning (slow!). | ||
|
|
||
| ./i386-softmmu/qemu-system-i386 -qtrace-profile win7sp0 -snapshot -hda win7.qcow2 -qtrace-trace /tmp/win7.trace -qtrace-log /tmp/qtrace.log | ||
|
|
||
| The system call trace will be saved to local file `/tmp/win7.trace`, while log | ||
| messages are directed to `/tmp/qtrace.log`. | ||
|
|
||
| The trace file can then be processed using `tools/qtrace.py`. As an example, to | ||
| generate a HTML trace of recorded system calls, use the following syntax: | ||
|
|
||
| python tools/qtrace.py -o /tmp/win7.html -s src/qtrace/trace/win7sp0_syscalls.h | ||
|
|
||
| The `-s` argument is necessary to provide QTrace with the names of the system | ||
| calls for the target OS version. | ||
|
|
||
| Implementation | ||
| ============== | ||
|
|
||
| Modifications to QEMU source code | ||
| --------------------------------- | ||
|
|
||
| QTrace is currently based on QEMU 1.6.0 but should be quite easy to port it to | ||
| future QEMU versions. | ||
|
|
||
| Most of QTrace code is under the `qtrace/` directory. Modifications to the | ||
| original QEMU source code are enclosed within `<qtrace>...</qtrace>` tags or | ||
| `#ifdef CONFIG_QTRACE_* ... #endif` directives. | ||
|
|
||
| Modules | ||
| ------- | ||
|
|
||
| QTrace includes two modules: a system call tracer and a taint-tracking | ||
| engine. Most of the code for these modules can be found under the | ||
| `qtrace/trace` and `qtrace/taint` directories, respectively. | ||
|
|
||
| To separate module-dependent code from QTrace core functionalities, specific | ||
| preprocessor identifiers have been used: | ||
|
|
||
| - `CONFIG_QTRACE_SYSCALL`: Code specific to the system call tracer. | ||
| - `CONFIG_QTRACE_TAINT`: Code specific to the taint-tracking engine. | ||
| - `CONFIG_QTRACE_CORE`: "Core" QTrace code, not specific to any module. | ||
|
|
||
| libqtrace.so | ||
| ----------- | ||
|
|
||
| Briefly, most of QTrace code has been compiled into a a C++ shared library | ||
| (`libqtrace.so`), while trying to minimize modifications to original QEMU | ||
| source code. | ||
|
|
||
| The only components left in C are those that act as a bridge between QEMU and | ||
| `libqtrace.so`. The rationale was to keep the C bridge as thin as possible, and | ||
| to move most of the functionalities to the C++ library. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,86 @@ | ||
| QEMU Coding Style | ||
| ================= | ||
|
|
||
| Please use the script checkpatch.pl in the scripts directory to check | ||
| patches before submitting. | ||
|
|
||
| 1. Whitespace | ||
|
|
||
| Of course, the most important aspect in any coding style is whitespace. | ||
| Crusty old coders who have trouble spotting the glasses on their noses | ||
| can tell the difference between a tab and eight spaces from a distance | ||
| of approximately fifteen parsecs. Many a flamewar have been fought and | ||
| lost on this issue. | ||
|
|
||
| QEMU indents are four spaces. Tabs are never used, except in Makefiles | ||
| where they have been irreversibly coded into the syntax. | ||
| Spaces of course are superior to tabs because: | ||
|
|
||
| - You have just one way to specify whitespace, not two. Ambiguity breeds | ||
| mistakes. | ||
| - The confusion surrounding 'use tabs to indent, spaces to justify' is gone. | ||
| - Tab indents push your code to the right, making your screen seriously | ||
| unbalanced. | ||
| - Tabs will be rendered incorrectly on editors who are misconfigured not | ||
| to use tab stops of eight positions. | ||
| - Tabs are rendered badly in patches, causing off-by-one errors in almost | ||
| every line. | ||
| - It is the QEMU coding style. | ||
|
|
||
| Do not leave whitespace dangling off the ends of lines. | ||
|
|
||
| 2. Line width | ||
|
|
||
| Lines are 80 characters; not longer. | ||
|
|
||
| Rationale: | ||
| - Some people like to tile their 24" screens with a 6x4 matrix of 80x24 | ||
| xterms and use vi in all of them. The best way to punish them is to | ||
| let them keep doing it. | ||
| - Code and especially patches is much more readable if limited to a sane | ||
| line length. Eighty is traditional. | ||
| - It is the QEMU coding style. | ||
|
|
||
| 3. Naming | ||
|
|
||
| Variables are lower_case_with_underscores; easy to type and read. Structured | ||
| type names are in CamelCase; harder to type but standing out. Enum type | ||
| names and function type names should also be in CamelCase. Scalar type | ||
| names are lower_case_with_underscores_ending_with_a_t, like the POSIX | ||
| uint64_t and family. Note that this last convention contradicts POSIX | ||
| and is therefore likely to be changed. | ||
|
|
||
| When wrapping standard library functions, use the prefix qemu_ to alert | ||
| readers that they are seeing a wrapped version; otherwise avoid this prefix. | ||
|
|
||
| 4. Block structure | ||
|
|
||
| Every indented statement is braced; even if the block contains just one | ||
| statement. The opening brace is on the line that contains the control | ||
| flow statement that introduces the new block; the closing brace is on the | ||
| same line as the else keyword, or on a line by itself if there is no else | ||
| keyword. Example: | ||
|
|
||
| if (a == 5) { | ||
| printf("a was 5.\n"); | ||
| } else if (a == 6) { | ||
| printf("a was 6.\n"); | ||
| } else { | ||
| printf("a was something else entirely.\n"); | ||
| } | ||
|
|
||
| Note that 'else if' is considered a single statement; otherwise a long if/ | ||
| else if/else if/.../else sequence would need an indent for every else | ||
| statement. | ||
|
|
||
| An exception is the opening brace for a function; for reasons of tradition | ||
| and clarity it comes on a line by itself: | ||
|
|
||
| void a_function(void) | ||
| { | ||
| do_something(); | ||
| } | ||
|
|
||
| Rationale: a consistent (except for functions...) bracing style reduces | ||
| ambiguity and avoids needless churn when lines are added or removed. | ||
| Furthermore, it is the QEMU coding style. |
Oops, something went wrong.