[vbox-dev] A question about CSAM/PATM

Sander van Leeuwen sandervl at innotek.de
Fri Jan 4 00:45:23 PST 2008


This was done on purpose to avoid having to modify too much code (and 
having to monitor those pages for updates).
Instructions like 'call edi' can in theory call any address, so all of 
them would need to be caught and checked.
Experiments with analysing more code have shown little benefit with 
potentially high performance overhead.

Zhi Wang wrote:
> Hi,
> I am a graduate student and we are trying to do some research with
> VirtualBox-OSE. When reading the CSAM/PATM code, I am confused by the
> following CSAM behavior: when CSAM analyses the code, it will skip
> any indirect CALL like the one in the following log. This is
> consistent with the code (src/VBox/VMM/PATM/CSAM.cpp, line 1189). The
> code will scan new code for simple direct jump and call, and also the
> indirect call that only uses a 32-bit displacement. IMHO, when CSAM meets
> an indirect call, it should stop scanning the code and then call PATM to
> patch it, since we don't know the destination at the time of code
> scanning and patching. I guess, from the comments, this is because it
> won't cause any trouble for all the currently supported OSes. Please let
> me know if I am wrong. Thanks.
> The following is the log generated by VirtualBox with VBOX_LOG set to
> CSAM.e.l.f+PATM.e.l.f:
>        CSAM Analysis: C01037D1:            mov EAX,ESP                    [89 E0]
>        csamMarkCodeAsScanned c01037d1 opsize=2
>        CSAM Analysis: C01037D3:            call EDI                       [FF D7]
>        csamMarkCodeAsScanned c01037d3 opsize=2
>        Control Flow instruction at c01037d3: call!!
>        CSAM Analysis: C01037D5:            jmp [C0102B5C] (0FFFFF382h)    [E9 82 F3 FF FF]
>        csamMarkCodeAsScanned c01037d5 opsize=5
>        New page record for c0102000
>        csamCreatePageRecord c0102000 HCPhys=00102000
>        csamAnalyseCodeStream: code at c0102b5c depth=1
>        CSAM Analysis: C0102B5C:            mov EBP,0FFFFE000h             [BD 00 E0 FF FF]
>        csamMarkCodeAsScanned c0102b5c opsize=5
>        CSAMMarkPage c0102b5c
>        CSAM Analysis: C0102B61:            and EBP,ESP                    [21 E5]
>        csamMarkCodeAsScanned c0102b61 opsize=2
> Best regards,
> beiyuw
> _______________________________________________
> vbox-dev mailing list
> vbox-dev at virtualbox.org
> http://vbox.innotek.de/mailman/listinfo/vbox-dev

Kind regards / mit freundlichen Gruessen / Met vriendelijke groet
  Sander van Leeuwen

innoTek GmbH
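The distinction the thread turns on (a direct jump or call carries its target in the instruction, a call through a fixed 32-bit memory slot has a target that can be read at scan time but may change later, and a register-indirect call like 'call edi' has no target until run time) can be made concrete with a small decoder. The example below is added here and is not VirtualBox code; it decodes the raw bytes shown in the log above, plus one constructed 'call [disp32]' instruction and a constructed pointer slot (0xC0200010 holding 0xC0105000, both assumed values) to show which edges a static scanner can follow and which it has to give up on.

```python
"""Added example (not VirtualBox/CSAM code): classify x86-32 control-flow
instructions by whether a static code scanner can learn the branch target
at scan time. Log bytes come from the post; constructed values are marked."""

import struct
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


@dataclass
class ControlFlow:
    addr: int
    text: str                 # disassembly text
    length: int               # instruction length in bytes (0 if not computed)
    kind: str                 # "direct", "mem-indirect", "reg-indirect", "other-indirect"
    target: Optional[int]     # target encoded in the instruction, if any
    slot: Optional[int]       # fixed address of the pointer slot for "mem-indirect"


def decode_control_flow(addr: int, code: bytes) -> Optional[ControlFlow]:
    """Decode one instruction at `addr`; None if it is not a control-flow
    instruction this (deliberately small) decoder knows about."""
    op = code[0]
    if op in (0xE8, 0xE9):                               # call rel32 / jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        target = (addr + 5 + rel) & 0xFFFFFFFF           # relative to the next instruction
        name = "call" if op == 0xE8 else "jmp"
        return ControlFlow(addr, f"{name} 0x{target:08X}", 5, "direct", target, None)
    if op == 0xEB or 0x70 <= op <= 0x7F:                 # jmp rel8 / jcc rel8
        rel = struct.unpack_from("<b", code, 1)[0]
        target = (addr + 2 + rel) & 0xFFFFFFFF
        name = "jmp" if op == 0xEB else f"jcc{op & 0xF:x}"
        return ControlFlow(addr, f"{name} 0x{target:08X}", 2, "direct", target, None)
    if op == 0xFF:                                       # group 5: /2 = call, /4 = jmp
        modrm = code[1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if reg not in (2, 4):
            return None
        name = "call" if reg == 2 else "jmp"
        if mod == 3:                                     # register operand, e.g. 'call edi'
            return ControlFlow(addr, f"{name} {REGS32[rm]}", 2, "reg-indirect", None, None)
        if mod == 0 and rm == 5:                         # [disp32]: pointer lives at a fixed address
            slot = struct.unpack_from("<I", code, 2)[0]
            return ControlFlow(addr, f"{name} [0x{slot:08X}]", 6, "mem-indirect", None, slot)
        # Other addressing forms depend on registers (and possibly a SIB byte);
        # the length is not computed here and the target is not knowable statically.
        return ControlFlow(addr, f"{name} <memory operand>", 0, "other-indirect", None, None)
    return None


def resolve(cf: ControlFlow, read_u32: Callable[[int], Optional[int]]) -> Optional[int]:
    """Return the target a scanner can know at scan time, or None."""
    if cf.kind == "direct":
        return cf.target
    if cf.kind == "mem-indirect":
        # The slot address is fixed, so the current pointer can be read now; the
        # page holding the slot then has to be watched because the value may change.
        return read_u32(cf.slot)
    return None                                          # value exists only at run time


def scan_edges(stream: List[Tuple[int, bytes]],
               read_u32: Callable[[int], Optional[int]]):
    """Walk (address, bytes) pairs as printed in the log; return the edges
    the scanner could follow and the instructions it had to skip."""
    followed, skipped = [], []
    for addr, code in stream:
        cf = decode_control_flow(addr, code)
        if cf is None:
            continue
        tgt = resolve(cf, read_u32)
        (followed if tgt is not None else skipped).append((cf.text, tgt))
    return followed, skipped


# Instructions exactly as shown in the log in the post (address, raw bytes)
LOG_STREAM = [
    (0xC01037D1, bytes.fromhex("89E0")),           # mov eax, esp
    (0xC01037D3, bytes.fromhex("FFD7")),           # call edi
    (0xC01037D5, bytes.fromhex("E982F3FFFF")),     # jmp rel32 -> 0xC0102B5C
    (0xC0102B5C, bytes.fromhex("BD00E0FFFF")),     # mov ebp, 0xFFFFE000
    (0xC0102B61, bytes.fromhex("21E5")),           # and ebp, esp
]

# Constructed (not from the log): a call through a fixed pointer slot, and
# the contents of that slot at scan time.
CONSTRUCTED_STREAM = [(0xC0103800, bytes.fromhex("FF15100020C0"))]   # call [0xC0200010]
CONSTRUCTED_MEMORY = {0xC0200010: 0xC0105000}


def read_constructed(addr: int) -> Optional[int]:
    """Stand-in for reading guest memory; only the constructed slot is readable."""
    return CONSTRUCTED_MEMORY.get(addr)


if __name__ == "__main__":
    for name, stream in (("log", LOG_STREAM), ("constructed", CONSTRUCTED_STREAM)):
        followed, skipped = scan_edges(stream, read_constructed)
        print(name, "followed:", [(t, hex(a)) for t, a in followed], "skipped:", skipped)
```

Running it over the log stream follows only the direct jump to 0xC0102B5C and skips 'call edi', which is exactly the "Control Flow instruction at c01037d3: call!!" line with no new page record after it; the constructed 'call [0xC0200010]' is resolved by reading the slot, which is the case Sander's "monitoring those pages for updates" refers to.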
