We would like to write code to watch and record the contents of all the registers, such as eax and ecx, and the instructions (we need to record all the instructions the CPU is executing), so that we can use a machine learning method to identify whether some instruction sequences are malicious instructions.
1. We used to alter translate.c from QEMU to record intermediate information, including registers and instructions; that is to say, we recorded all the information while QEMU translated instructions from the virtual machine running on QEMU to the real computer.
2. But collecting information from the QEMU virtual machine is less efficient than from the real machine, so we plan to write code so that we can collect all the information in Win10 on a real computer.
3. The problem is that when we write code to obtain the value of the PC register, the value is always the address of the next line in our own code. We don't know how to watch the instructions (or code) of other programs executing in parallel that the CPU is executing.
Would you mind giving some ideas? Thanks!
How to watch registers and instructions on Windows 10
Re: How to watch registers and instructions on Windows 10
Hi,
I've never written one, but it sounds like you need to write a hypervisor.
Cheers,
Adam
Re: How to watch registers and instructions on Windows 10
Hi,
OpenVMS had Xdelta, and you can use Xdelta to single-step instruction by instruction. OpenVMS is something I am most familiar with due to reasons I cannot disclose. There should be something available for all platforms. Maybe a kernel debugger is all you need. You can possibly write scripts to do powerful things. This is just a suggestion; if you need to do something pre-boot then it is not an option.
--Thomas
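The "single-step with a debugger" route Thomas describes, as an added example that is not part of this thread. It also answers item 3 of the question: reading the program counter from your own code can only ever return your own address, because the register file belongs to whichever thread is currently running on that core. To see another program's registers you have to stop that program and ask the operating system for its saved context, which is exactly what a debugger does. The example below is written for Linux/x86-64 and uses ptrace as a stand-in for the Windows debug API (on Windows the same loop is DebugActiveProcess, WaitForDebugEvent, GetThreadContext and SetThreadContext with the trap flag, EFLAGS bit 8, set so that every instruction raises an EXCEPTION_SINGLE_STEP). The traced workload, the record layout and all function names are this example's own assumptions, not anything from the original post.

```c
// Added example: single-step a child process and record its registers and the
// raw bytes of every instruction it executes, the way a debugger's trace does.
// Linux/x86-64 ptrace stands in for the Windows debug API (assumption).
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>

#if !defined(__x86_64__)
#error "This example uses x86-64 register names from struct user_regs_struct"
#endif

#define MAX_STEPS  4096
#define INSN_BYTES 15            /* longest legal x86 instruction encoding */

/* One trace line: registers as they were *before* the instruction at rip ran,
   plus the bytes of that instruction (feed them to a disassembler later). */
struct step_record {
    uint64_t rip, rax, rbx, rcx, rdx, rsi, rdi, rbp, rsp, eflags;
    unsigned char insn[INSN_BYTES];
};

struct step_record trace_log[MAX_STEPS];   /* filled by trace_single_steps() */
int trace_len = 0;

/* Debugger-style memory read of INSN_BYTES at addr in the tracee
   (ReadProcessMemory plays this role on Windows). Unreadable tail is zeroed. */
static void read_insn_bytes(pid_t pid, uint64_t addr, unsigned char *out)
{
    for (size_t off = 0; off < INSN_BYTES; off += sizeof(long)) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKTEXT, pid, (void *)(addr + off), NULL);
        if (errno != 0) { memset(out + off, 0, INSN_BYTES - off); return; }
        size_t n = INSN_BYTES - off < sizeof(long) ? INSN_BYTES - off : sizeof(long);
        memcpy(out + off, &word, n);
    }
}

/* Constructed workload for the tracee: a short loop, then exit. */
static void traced_workload(void)
{
    volatile unsigned long acc = 0;
    for (unsigned long i = 0; i < 10; i++) acc += i * 3;
    _exit((int)(acc & 0xff));
}

/* Fork a tracee and single-step it until it exits or max_steps is reached.
   Returns the number of steps recorded, or -1 if tracing could not start. */
int trace_single_steps(int max_steps)
{
    if (max_steps > MAX_STEPS) max_steps = MAX_STEPS;
    trace_len = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                   /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(127);
        raise(SIGSTOP);                               /* hand control to tracer */
        traced_workload();                            /* never returns */
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    while (trace_len < max_steps) {
        struct user_regs_struct regs;                 /* GetThreadContext equivalent */
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) break;
        struct step_record *r = &trace_log[trace_len];
        r->rip = regs.rip; r->rax = regs.rax; r->rbx = regs.rbx; r->rcx = regs.rcx;
        r->rdx = regs.rdx; r->rsi = regs.rsi; r->rdi = regs.rdi; r->rbp = regs.rbp;
        r->rsp = regs.rsp; r->eflags = regs.eflags;
        read_insn_bytes(pid, regs.rip, r->insn);
        trace_len++;
        /* Execute exactly one instruction; the kernel manages the trap flag
           here, whereas on Windows you set EFLAGS.TF via SetThreadContext. */
        if (ptrace(PTRACE_SINGLESTEP, pid, NULL, NULL) < 0) break;
        if (waitpid(pid, &status, 0) < 0) break;
        if (WIFEXITED(status) || WIFSIGNALED(status)) { pid = 0; break; }
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP) break;
    }
    if (pid > 0) { ptrace(PTRACE_KILL, pid, NULL, NULL); waitpid(pid, &status, 0); }
    return trace_len;
}

/* How many recorded steps moved rip relative to the previous step. */
int count_rip_changes(void)
{
    int changes = 0;
    for (int i = 1; i < trace_len; i++)
        if (trace_log[i].rip != trace_log[i - 1].rip) changes++;
    return changes;
}

int main(void)
{
    int n = trace_single_steps(MAX_STEPS);
    if (n < 0) { perror("ptrace"); return 1; }
    for (int i = 0; i < n; i++) {                     /* one line per instruction */
        printf("%5d rip=%016llx rax=%016llx rsp=%016llx efl=%08llx insn=", i,
               (unsigned long long)trace_log[i].rip, (unsigned long long)trace_log[i].rax,
               (unsigned long long)trace_log[i].rsp, (unsigned long long)trace_log[i].eflags);
        for (int j = 0; j < INSN_BYTES; j++) printf("%02x", trace_log[i].insn[j]);
        putchar('\n');
    }
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, this only sees the one process (really, the one thread) the debugger attached to; a user-mode debugger cannot observe every program on the machine at once, which is why a kernel debugger or, as the other reply says, a hypervisor becomes necessary for system-wide collection. Second, single-stepping costs a context switch per instruction, so it is far slower than the QEMU translate.c hook the question mentions; hardware tracing features or a hypervisor are the usual answer when the whole workload has to be captured.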
Re: How to watch registers and instructions on Windows 10
OK, thanks a lot! I'll take these ideas into consideration.
Thomas wrote:
Hi,
OpenVMS had Xdelta, and you can use Xdelta to single-step instruction by instruction. OpenVMS is something I am most familiar with due to reasons I cannot disclose. There should be something available for all platforms. Maybe a kernel debugger is all you need. You can possibly write scripts to do powerful things. This is just a suggestion; if you need to do something pre-boot then it is not an option.
--Thomas
Re: How to watch registers and instructions on Windows 10
Thanks anyway, but maybe a hypervisor is not suitable for us!
AJ wrote:
Hi,
I've never written one, but it sounds like you need to write a hypervisor.
Cheers,
Adam