[vbox-dev] A question about CSAM/PATM
Zhi Wang
beiyuw at gmail.com
Thu Jan 3 23:18:09 GMT 2008
Hi,
I am a graduate student and we are trying to do some research with
VirtualBox-OSE. When reading the CSAM/PATM code, I am confused by the
following CSAM behavior: when CSAM analyses the code, it will skip
any indirect CALL like the one in the following log. This is
consistent with the code (src/VBox/VMM/PATM/CSAM.cpp, line 1189). The
code will scan new code for simple direct jump and call, and also the
indirect call that only uses a 32-bit displacement. IMHO, when CSAM meets
an indirect call, it should stop scanning the code and then call PATM to
patch it since we don't know the destination at the time of code
scanning and patching. I guess, from the comments, this is because it
won't cause any trouble for all the currently supported OSes. Please let
me know if I am wrong. Thanks.
The following is the log generated by VirtualBox with VBOX_LOG set to
CSAM.e.l.f+PATM.e.l.f:
CSAM Analysis: C01037D1: mov EAX,ESP
[89 E0]
csamMarkCodeAsScanned c01037d1 opsize=2
CSAM Analysis: C01037D3: call EDI
[FF D7]
csamMarkCodeAsScanned c01037d3 opsize=2
Control Flow instruction at c01037d3: call!!
CSAM Analysis: C01037D5: jmp [C0102B5C] (0FFFFF382h)
[E9 82 F3 FF FF]
csamMarkCodeAsScanned c01037d5 opsize=5
New page record for c0102000
csamCreatePageRecord c0102000 HCPhys=00102000
csamAnalyseCodeStream: code at c0102b5c depth=1
CSAM Analysis: C0102B5C: mov EBP,0FFFFE000h
[BD 00 E0 FF FF]
csamMarkCodeAsScanned c0102b5c opsize=5
CSAMMarkPage c0102b5c
CSAM Analysis: C0102B61: and EBP,ESP
[21 E5]
csamMarkCodeAsScanned c0102b61 opsize=2
Best regards,
beiyuw
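To make the distinction in the question concrete, here is an added example (not VirtualBox or CSAM code, and not part of the original post): a minimal x86-32 decoder for the control-flow encodings seen in the log above. It resolves the target of the direct `jmp rel32` purely from its bytes, recognises `call [disp32]` as an indirect form whose pointer slot is at least a fixed address, and reports `call EDI` as a target that no static scan can know. The function and constant names (`classify`, `target_is_static`, the `LOG_*` byte arrays) are assumptions of this example; the addresses and bytes are taken from the log.

```c
/* Added example, not VirtualBox/CSAM code: a minimal x86-32 decoder for the
 * control-flow encodings that appear in the CSAM log above, showing which
 * branch targets a static scanner can resolve and which it cannot. */
#include <stdint.h>
#include <stdio.h>

enum flow_kind {
    FLOW_NOT_BRANCH,     /* opcode is not a jmp/call handled here */
    FLOW_DIRECT,         /* E8/E9 rel32: target known from the bytes alone */
    FLOW_INDIRECT_MEM,   /* FF /2 or /4 with [disp32]: target lives in a fixed memory slot */
    FLOW_INDIRECT_REG,   /* FF /2 or /4 with a register: target known only at run time */
    FLOW_UNDECODED       /* truncated, or a ModRM form this toy decoder does not handle */
};

struct flow_info {
    enum flow_kind kind;
    int is_call;         /* 1 for call, 0 for jmp (only meaningful for branches) */
    unsigned len;        /* instruction length in bytes, 0 if not decoded */
    uint32_t target;     /* FLOW_DIRECT: destination; FLOW_INDIRECT_MEM: address of the pointer slot */
};

/* Byte sequences copied from the log (addresses are given to classify() below). */
const uint8_t LOG_MOV_EAX_ESP[] = { 0x89, 0xE0 };                    /* C01037D1 */
const uint8_t LOG_CALL_EDI[]    = { 0xFF, 0xD7 };                    /* C01037D3 */
const uint8_t LOG_JMP_REL32[]   = { 0xE9, 0x82, 0xF3, 0xFF, 0xFF };  /* C01037D5 */

/* Assemble a little-endian 32-bit value independent of host endianness. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Classify the instruction at address eip whose bytes are code[0..n). */
struct flow_info classify(const uint8_t *code, unsigned n, uint32_t eip)
{
    struct flow_info fi = { FLOW_UNDECODED, 0, 0, 0 };
    if (n == 0)
        return fi;

    if (code[0] == 0xE8 || code[0] == 0xE9) {       /* call rel32 / jmp rel32 */
        if (n < 5)
            return fi;
        fi.kind = FLOW_DIRECT;
        fi.is_call = (code[0] == 0xE8);
        fi.len = 5;
        fi.target = eip + 5 + le32(code + 1);        /* unsigned wrap handles a negative rel32 */
        return fi;
    }

    if (code[0] == 0xFF) {                           /* opcode group 5 */
        if (n < 2)
            return fi;
        uint8_t modrm = code[1];
        unsigned mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
        if (reg != 2 && reg != 4) {                  /* /0 inc, /1 dec, /6 push: not branches */
            fi.kind = FLOW_NOT_BRANCH;
            return fi;
        }
        fi.is_call = (reg == 2);
        if (mod == 3) {                              /* call/jmp r32, e.g. FF D7 = call EDI */
            fi.kind = FLOW_INDIRECT_REG;
            fi.len = 2;
            return fi;
        }
        if (mod == 0 && rm == 5) {                   /* call/jmp [disp32] */
            if (n < 6)
                return fi;
            fi.kind = FLOW_INDIRECT_MEM;
            fi.len = 6;
            fi.target = le32(code + 2);              /* slot address, not the destination */
            return fi;
        }
        return fi;                                   /* SIB / disp8 forms left undecoded */
    }

    fi.kind = FLOW_NOT_BRANCH;
    return fi;
}

/* 1 if a scanner can keep following control flow from this instruction without run-time help. */
int target_is_static(const struct flow_info *fi)
{
    return fi->kind == FLOW_DIRECT;
}

int main(void)
{
    static const char *names[] = { "not a branch", "direct", "indirect via [disp32]",
                                   "indirect via register", "undecoded" };
    struct { uint32_t eip; const uint8_t *b; unsigned n; const char *text; } trace[] = {
        { 0xC01037D1, LOG_MOV_EAX_ESP, 2, "mov EAX,ESP" },
        { 0xC01037D3, LOG_CALL_EDI,    2, "call EDI" },
        { 0xC01037D5, LOG_JMP_REL32,   5, "jmp [C0102B5C]" },
    };
    for (unsigned i = 0; i < 3; i++) {
        struct flow_info fi = classify(trace[i].b, trace[i].n, trace[i].eip);
        printf("%08X %-16s %-24s", trace[i].eip, trace[i].text, names[fi.kind]);
        if (target_is_static(&fi))
            printf(" target=%08X", fi.target);
        else if (fi.kind == FLOW_INDIRECT_REG)
            printf(" target unknown until run time");
        printf("\n");
    }
    return 0;
}
```

Running it reproduces the log's own arithmetic: the `E9 82 F3 FF FF` at C01037D5 resolves to C0102B5C, which is exactly where the log shows `csamAnalyseCodeStream` continuing at depth=1, while `FF D7` yields no target at all, which is why a scan-time pass can only note it and leave the decision to run-time machinery.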