search for: kernelstrider

...> There is an interesting TODO item on MmioTraceDeveloper page: > "kprobes has a generic instruction decoding facility, use that instead of > homebrewn (or KVM), and use emulation instead of page faulting" > > Actually, I have done something similar in one of my systems, KernelStrider > (http://code.google.com/p/kernel-strider/). The system instruments a kernel > module when that module is being loaded. The instrumented code executes > instead of the original one and provides information about the memory > accesses it makes and the functions it calls. These data are...

...estions, comments and other feedback are welcome of course. > > And, by the way, video drivers do not use SSE and similar instructions when > accessing ioremapped memory, do they? > Such things are rare in the kernel and usually frowned upon so I opted not > to handle them so far in KernelStrider. I don't really know. I guess everything could be possible in proprietary drivers, but you can look at the instruction decoding code in mmiotrace, which digs up the type and size of access and the value. That has been enough so far. Thanks, pq > 2013/10/17 Pekka Paalanen <pq at iki.fi...

...ct 2013 17:12:20 +0400 Eugene Shatokhin <euspectre at gmail.com> wrote: > Hi, > > > Ah, you are not using the ftrace framework nor relayfs? Mmiotrace > used to be relayfs at one point and then converted to ftrace. > > Yes, I considered these when I started working on KernelStrider but finally > borrowed ideas from Perf and implemented them. A mmapped ring buffer does > its job well and has a higher throughput than Ftrace in my case. > > > Are you saying that you intercept function calls, and *never* rely > > on page faulting? > > The system inter...

Hi, > Ah, you are not using the ftrace framework nor relayfs? Mmiotrace used to be relayfs at one point and then converted to ftrace. Yes, I considered these when I started working on KernelStrider but finally borrowed ideas from Perf and implemented them. A mmapped ring buffer does its job well and has a higher throughput than Ftrace in my case. > Are you saying that you intercept function calls, and *never* rely > on page faulting? The system intercepts both function calls *and* mem...

...ill be before that. Suggestions, comments and other feedback are welcome of course. And, by the way, video drivers do not use SSE and similar instructions when accessing ioremapped memory, do they? Such things are rare in the kernel and usually frowned upon so I opted not to handle them so far in KernelStrider. Regards, Eugene 2013/10/17 Pekka Paalanen <pq at iki.fi> > On Mon, 14 Oct 2013 22:45:09 +0400 > Eugene Shatokhin <euspectre at gmail.com> wrote: > > > Hi, > > > > There is an interesting TODO item on MmioTraceDeveloper page: > > "kprobes has...

...net... I haven't thought that through yet. I suppose, I'll look at the code first when I have time and try to understand at least the common ways for a driver to access mmio areas. It will be clearer then how to make sure we do not lose anything. And - if it is possible with the techniques KernelStrider uses. > > We could use some comments from the real reverse-engineers. I used > to be mostly a tool writer. > Yes, if some experts could share their knowledge of this matter, this would be most welcome! Regards, Eugene P.S. If you are interested, more info concerning KernelStrider...