[vbox-dev] A question about CSAM/PATM

Zhi Wang beiyuw at gmail.com
Thu Jan 3 15:18:09 PST 2008

I am a graduate student and we are trying to do some research with
VirtualBox-OSE. When reading the CSAM/PATM code, I am confused by the
following CSAM behavior: When CSAM analyses the code, it will skip
any indirect CALL like the one in the following log. This is
consistent with the code (src/VBox/VMM/PATM/CSAM.cpp, line 1189). The
code will scan new code for simple direct jump and call, and also the
indirect call that only uses 32bit displacement. IMHO, when CSAM meets
an indirect call, it should stop scanning the code and then call PATM to
patch it, since we don't know the destination at the time of code
scanning and patching. I guess, from the comments, this is because it
won't cause any trouble for all the currently supported OSes. Please let
me know if I am wrong. Thanks.

The following is the log generated by VirtualBox with VBOX_LOG set to
    CSAM Analysis: C01037D1:            mov EAX,ESP
        [89 E0]
    csamMarkCodeAsScanned c01037d1 opsize=2

    CSAM Analysis: C01037D3:            call EDI
        [FF D7]
    csamMarkCodeAsScanned c01037d3 opsize=2
    Control Flow instruction at c01037d3: call!!

    CSAM Analysis: C01037D5:            jmp [C0102B5C] (0FFFFF382h)
        [E9 82 F3 FF FF]
    csamMarkCodeAsScanned c01037d5 opsize=5

    New page record for c0102000
    csamCreatePageRecord c0102000 HCPhys=00102000

    csamAnalyseCodeStream: code at c0102b5c depth=1
    CSAM Analysis: C0102B5C:            mov EBP,0FFFFE000h
        [BD 00 E0 FF FF]
    csamMarkCodeAsScanned c0102b5c opsize=5
    CSAMMarkPage c0102b5c

    CSAM Analysis: C0102B61:            and EBP,ESP
        [21 E5]
    csamMarkCodeAsScanned c0102b61 opsize=2

Best regards,
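To make the scanning behaviour discussed in the mail concrete, here is an added toy model of a CSAM-style code-stream scanner. It is example code written for this page, not VirtualBox's CSAM.cpp, and it decodes only the handful of 32-bit x86 opcodes that appear in the quoted log (mov/and reg,reg; mov r32,imm32; call/jmp rel32; call reg; ret). The memory image, the addresses and the bytes are taken from the log; the ret at the end of the second fragment is a constructed terminator. The `stop_at_indirect_call` flag is an assumption that lets you compare the two policies the mail contrasts: keep scanning linearly past `call EDI` (target unknown statically, so nothing to follow) or stop the stream there and leave the rest to the patcher.

```python
"""Toy CSAM-style code-stream scanner (added example, not VirtualBox code)."""
from dataclasses import dataclass, field
from typing import Optional
import struct

# Constructed memory image; addresses and bytes follow the quoted log.
MEMORY = {
    0xC01037D1: bytes([0x89, 0xE0,                     # mov eax, esp
                       0xFF, 0xD7,                     # call edi   (indirect)
                       0xE9, 0x82, 0xF3, 0xFF, 0xFF]), # jmp rel32 -> 0xC0102B5C
    0xC0102B5C: bytes([0xBD, 0x00, 0xE0, 0xFF, 0xFF,   # mov ebp, 0xFFFFE000
                       0x21, 0xE5,                     # and ebp, esp
                       0xC3]),                         # ret (constructed terminator)
}


def read_bytes(addr, n):
    """Fetch n bytes from the constructed image; None if any byte is unmapped."""
    out = bytearray()
    for a in range(addr, addr + n):
        for base, blob in MEMORY.items():
            if base <= a < base + len(blob):
                out.append(blob[a - base])
                break
        else:
            return None
    return bytes(out)


@dataclass
class Insn:
    addr: int
    size: int
    kind: str                       # 'linear', 'jmp', 'call', 'call_indirect', 'ret'
    target: Optional[int] = None    # statically known target, if any


def decode(addr):
    """Minimal decoder for the opcodes in the log; None on anything else."""
    head = read_bytes(addr, 1)
    if head is None:
        return None
    op = head[0]
    if op in (0x89, 0x21):                   # mov/and r/m32, r32 (register form only)
        modrm = read_bytes(addr + 1, 1)
        return Insn(addr, 2, 'linear') if modrm and modrm[0] >= 0xC0 else None
    if 0xB8 <= op <= 0xBF:                   # mov r32, imm32
        return Insn(addr, 5, 'linear') if read_bytes(addr + 1, 4) else None
    if op in (0xE8, 0xE9):                   # call/jmp rel32: target is static
        raw = read_bytes(addr + 1, 4)
        if raw is None:
            return None
        target = (addr + 5 + struct.unpack('<i', raw)[0]) & 0xFFFFFFFF
        return Insn(addr, 5, 'call' if op == 0xE8 else 'jmp', target)
    if op == 0xFF:                           # group 5, /2 = call r/m32 (register form)
        modrm = read_bytes(addr + 1, 1)
        if modrm and ((modrm[0] >> 3) & 7) == 2 and modrm[0] >= 0xC0:
            return Insn(addr, 2, 'call_indirect')
        return None
    if op == 0xC3:
        return Insn(addr, 1, 'ret')
    return None


@dataclass
class ScanResult:
    scanned: dict = field(default_factory=dict)       # addr -> opsize
    indirect_calls: list = field(default_factory=list)
    max_depth: int = 0


def scan(entry, stop_at_indirect_call=False, max_depth=8):
    """Walk code from `entry`, following static jmp/call targets up to max_depth.

    stop_at_indirect_call=False keeps scanning past `call reg` (the behaviour
    the mail describes); True ends the stream there instead.
    """
    res = ScanResult()
    work = [(entry, 0)]
    while work:
        addr, depth = work.pop()
        res.max_depth = max(res.max_depth, depth)
        while addr not in res.scanned:
            insn = decode(addr)
            if insn is None:                          # unknown opcode or unmapped byte
                break
            res.scanned[addr] = insn.size
            if insn.kind == 'ret':
                break
            if insn.kind == 'call_indirect':
                res.indirect_calls.append(addr)       # target unknown: cannot be followed
                if stop_at_indirect_call:
                    break
            if insn.kind in ('jmp', 'call') and depth < max_depth:
                work.append((insn.target, depth + 1))
            if insn.kind == 'jmp':
                break                                 # unconditional: no fall-through
            addr += insn.size
    return res


if __name__ == '__main__':
    for policy in (False, True):
        r = scan(0xC01037D1, stop_at_indirect_call=policy)
        print(f'stop_at_indirect_call={policy}: scanned '
              f'{[hex(a) for a in sorted(r.scanned)]}, depth={r.max_depth}')
```

With the default policy the scanner marks the same six instructions the log shows (the `jmp` at C01037D5 resolves to C0102B5C, reached at depth 1), and records C01037D3 as an indirect call it could not follow. With `stop_at_indirect_call=True` the stream ends after the `call EDI`, so neither the `jmp` nor the second page is ever scanned, which is the trade-off the mail raises.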
