Hello friends, I intend to use QEMU to generate a memory trace for the execution of an x86 guest operating system.

According to the TCG wiki page, QEMU uses a handful of helpers to generate loads/stores to the target (guest) memory. This list of instructions is tcg_gen_qemu_ld8s/u, tcg_gen_qemu_ld16s/u, tcg_gen_qemu_ld32s/u, tcg_gen_qemu_ld64 (we have a similar set for store instructions). I am trapping all calls to the above functions in the target-i386/translate.c file.

However, I am still missing the loads/stores of certain instructions, like:

    cmp ecx, [r12+0x4]
    mov r10b, [r13+0x0]
    mov byte [rax+0xf0000], 0x0
    mov byte [rax+rdx], 0x0

Questions:

1) Can someone please point to other load/store points (direct or indirect) that I am missing?

2) Does QEMU provide a single entry point function for accesses to guest memory (like guest_read()) which can be instrumented for tracing all loads from the guest memory?

3) Can somebody please point to good documentation where I can understand how QEMU maintains the state of the guest memory?