How to watch registers and instructions at Windows10
Posted: Fri Feb 02, 2018 7:43 am
We would like to write code to watch and record the information of all the registers such as eax,ecx and instructions (we need record all the instructions the cpu is executing) so that we can use Machine Learning method to identify whether some instruction sequence are the Malicious instructions.
1. We used to alter translate.c from QEMU to record intermediate information including registers and instructions,that is to say ,we will record all the information while QEMU translate instructions from the virtual machine on QEMU to real computer.
2. But collecting information from the virtual machine QEMU is less inefficiency than the real machine,so we plan to write code so that we can collect all the information in Win10 on real computer.
3. The problem is that we write code to obtain the value of PC register,but the value is always the address of next line in our code,We don't know how to watch instructions(or code) of other parallel execution programs that CPU is executing?
would you mind to give some ideas,thanks!
1. We used to alter translate.c from QEMU to record intermediate information including registers and instructions,that is to say ,we will record all the information while QEMU translate instructions from the virtual machine on QEMU to real computer.
2. But collecting information from the virtual machine QEMU is less inefficiency than the real machine,so we plan to write code so that we can collect all the information in Win10 on real computer.
3. The problem is that we write code to obtain the value of PC register,but the value is always the address of next line in our code,We don't know how to watch instructions(or code) of other parallel execution programs that CPU is executing?
would you mind to give some ideas,thanks!