How to get operand of instruction using qemu

wlmnzf
Posts: 4
Joined: Fri May 05, 2017 8:09 pm

How to get operand of instruction using qemu

Post by wlmnzf »

I would like to get the operand of an i386 instruction that is executed in my QEMU guest. For example, I'd like to get the operand 0x400400 of

    40053a: e8 c1 fe ff ff      callq  400400 <puts@plt>

but it seems that I cannot find the C function used to get the operand.
Schol-R-LEA
Member
Posts: 1925
Joined: Fri Oct 27, 2006 9:42 am
Location: Athens, GA, USA

Re: How to get operand of instruction using qemu

Post by Schol-R-LEA »

The wording of your question is a bit confusing, because it isn't entirely clear what you are trying to find.

The operand for the CALL instruction (which in AT&T syntax becomes callq for a 64-bit system, at least in objdump - GCC and Clang are a bit different) is 0x400400, which is presumably the address of the puts() function.

Note that the C function isn't going to be visible except as a label with the function name - if that. While objdump is kind enough to give you the symbolic names of the functions and other labelled addresses when it can, it bases these on the symbol tables in the executable file, which in turn get them from the object or archive files the code was linked from. If the symbols have been removed from the executable file using strip or something similar, then it can't even do that.

OTOH, if you wanted the arguments being passed to puts(), those aren't part of the callq instruction at all. You would need to look at what was pushed onto the stack and/or moved into the argument registers¹ in the instructions preceding the call.

On the gripping hand, if you are looking for the code in QEMU itself that handles the calling... well, you'd need to look at the QEMU code. I am pretty sure that this last one wasn't what you wanted, but as I said, the wording was ambiguous.

Footnote
1. Depending on the Calling Convention used and the number of arguments passed. While there are several x86 calling conventions used by different OSes and compilers, today x86-64 systems almost exclusively use either the AMD64 convention, or the Microsoft/UEFI one.
Last edited by Schol-R-LEA on Mon May 14, 2018 7:58 am, edited 1 time in total.
Rev. First Speaker Schol-R-LEA;2 LCF ELF JAM POEE KoR KCO PPWMTF
Ordo OS Project
Lisp programmers tend to seem very odd to outsiders, just like anyone else who has had a religious experience they can't quite explain to others.
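Schol-R-LEA's point that the operand is 0x400400 can be worked through from the bytes in the question. The following is an added example, not code from the thread or from QEMU: opcode E8 is followed by a signed 32-bit displacement relative to the next instruction, so given the instruction's guest address and its bytes the target can be recovered. It assumes 64-bit mode, as the callq line in the question implies, and that the bytes have already been read from guest memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bytes from the objdump line quoted in the question:
 *   40053a: e8 c1 fe ff ff   callq 400400 <puts@plt>
 * Note the target is the PLT stub for puts, not puts itself. */
static const uint8_t example_call[] = { 0xE8, 0xC1, 0xFE, 0xFF, 0xFF };
static const uint64_t example_addr = 0x40053a;

/* Decode a near relative CALL (opcode E8 followed by rel32).
 * addr   - guest address where the instruction starts
 * bytes  - the instruction bytes read from guest memory
 * len    - how many bytes are available
 * On success stores the absolute target in *target and returns 1;
 * returns 0 if the bytes are not a complete E8 call. */
int decode_call_rel32(uint64_t addr, const uint8_t *bytes, size_t len,
                      uint64_t *target)
{
    if (len < 5 || bytes[0] != 0xE8)
        return 0;

    /* rel32 is little-endian and signed: c1 fe ff ff is -0x13f. */
    uint32_t raw = (uint32_t)bytes[1]
                 | ((uint32_t)bytes[2] << 8)
                 | ((uint32_t)bytes[3] << 16)
                 | ((uint32_t)bytes[4] << 24);
    int32_t disp = (int32_t)raw;

    /* The displacement is relative to the address of the *next*
     * instruction, i.e. addr + 5 for a 5-byte E8 call.  In 64-bit
     * mode it is sign-extended to 64 bits before being added. */
    uint64_t next_ip = addr + 5;
    *target = next_ip + (uint64_t)(int64_t)disp;
    return 1;
}

/* Convenience wrapper: returns the target, or 0 if not an E8 call. */
uint64_t call_target(uint64_t addr, const uint8_t *bytes, size_t len)
{
    uint64_t target;
    return decode_call_rel32(addr, bytes, len, &target) ? target : 0;
}

int main(void)
{
    uint64_t t = call_target(example_addr, example_call, sizeof example_call);
    printf("call at 0x%llx targets 0x%llx\n",
           (unsigned long long)example_addr, (unsigned long long)t);
    return 0;
}
```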
iansjack
Member
Posts: 4706
Joined: Sat Mar 31, 2012 3:07 am
Location: Chichester, UK

Re: How to get operand of instruction using qemu

Post by iansjack »

You're looking at a call to a function in a dynamic library. The way this works is rather involved, and depends upon whether the function has already been called or not. So just finding the address may not give you all that you want.

It might help if you could explain exactly why you want this value, and in what environment you are running when you want it. I doubt that it is in your own OS because if you knew enough to be able to load dynamic libraries and call functions in them you probably wouldn't need to ask the question. The short answer is that the best way to trace the function call would be by single-stepping in gdb.

Tell us more about what exactly you are doing and what is the real question behind the one you ask.