OSDev.org
https://forum.osdev.org/

How to get operand of instruction using qemu
https://forum.osdev.org/viewtopic.php?f=1&t=32931
Page 1 of 1

Author:  wlmnzf [ Sat May 12, 2018 5:44 pm ]
Post subject:  How to get operand of instruction using qemu

I would like to get the operand of an i386 instruction that is executed in my QEMU guest. For example, I'd like to get the operand
Code:
0x400400
of
Code:
40053a:  e8 c1 fe ff ff      callq  400400 <puts@plt>
but it seems that I cannot find the C function used to get the operand.

Author:  Schol-R-LEA [ Sun May 13, 2018 7:45 am ]
Post subject:  Re: How to get operand of instruction using qemu

The wording of your question is a bit confusing, because it isn't entirely clear what you are trying to find.

The operand for the CALL instruction (which in AT&T syntax becomes callq for a 64-bit system, at least in objdump - GCC and Clang are a bit different) is 0x400400, which is presumably the address of the puts() function.

Note that the C function isn't going to be visible except as a label with the function name - if that. While objdump is kind enough to give you the symbolic names of the functions and other labelled addresses when it can, it bases these on the symbol tables in the executable file, which in turn get them from the object or archive files the code was linked from. If the symbols have been removed from the executable file using strip or something similar, then it can't even do that.

OTOH, if you wanted the arguments being passed to puts(), those aren't part of the callq instruction at all. You would need to look at what was pushed onto the stack and/or moved into the argument registers¹ in the instructions preceding the call.

On the gripping hand, if you are looking for the code in QEMU itself that handles the calling... well, you'd need to look at the QEMU code. I am pretty sure that this last one wasn't what you wanted, but as I said, the wording was ambiguous.

Footnote
1. Depending on the Calling Convention used and the number of arguments passed. While there are several x86 calling conventions used by different OSes and compilers, today x86-64 systems almost exclusively use either the AMD64 convention, or the Microsoft/UEFI one.
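
As an added example (not code from this thread and not a QEMU API), the function below decodes the operand that is actually encoded in the bytes from the question. The five bytes `e8 c1 fe ff ff` carry the opcode E8 and a signed 32-bit displacement, not the absolute value 0x400400 that objdump prints; the absolute target is recovered by adding the displacement to the address of the next instruction. It goes slightly beyond the question by also accepting E9 (jmp rel32), which uses the same 5-byte encoding. The struct, the function name and the sample bytes are choices made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decoded near relative CALL/JMP (opcode E8 / E9).
   Constructed for this example; QEMU has no such type. */
typedef struct {
    int ok;           /* 1 if the bytes were a recognised E8/E9 instruction */
    uint8_t opcode;   /* 0xE8 = call rel32, 0xE9 = jmp rel32 */
    int32_t rel32;    /* the encoded operand: signed displacement from the next instruction */
    uint64_t target;  /* absolute target = address of next instruction + rel32 */
    size_t length;    /* instruction length in bytes (5 for both forms) */
} rel_branch_t;

/* Decode a near relative branch located at guest address `pc`, whose bytes
   start at `code`; `len` is how many bytes are readable there.
   In 32-bit mode the caller should truncate `target` to 32 bits. */
rel_branch_t decode_rel_branch(uint64_t pc, const uint8_t *code, size_t len)
{
    rel_branch_t r;
    memset(&r, 0, sizeof r);
    if (len < 5 || (code[0] != 0xE8 && code[0] != 0xE9))
        return r;                      /* not a rel32 call/jmp, or truncated */

    r.opcode = code[0];
    r.length = 5;

    /* rel32 is stored little-endian immediately after the opcode */
    uint32_t raw = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    r.rel32 = (int32_t)raw;

    /* the displacement is relative to the address of the *next* instruction,
       so the target is pc + 5 + rel32 (the addition wraps correctly for negative rel32) */
    r.target = pc + r.length + (uint64_t)(int64_t)r.rel32;
    r.ok = 1;
    return r;
}

int main(void)
{
    /* bytes copied from the objdump line in the question:
       40053a: e8 c1 fe ff ff   callq 400400 <puts@plt> */
    const uint8_t bytes[] = { 0xE8, 0xC1, 0xFE, 0xFF, 0xFF };
    rel_branch_t r = decode_rel_branch(0x40053a, bytes, sizeof bytes);
    if (r.ok)
        printf("%s rel32=%d (0x%08x) -> target 0x%llx\n",
               r.opcode == 0xE8 ? "call" : "jmp", r.rel32, (uint32_t)r.rel32,
               (unsigned long long)r.target);
    return 0;
}
```

For the bytes in the question the encoded operand is -0x13f, and 0x40053a + 5 - 0x13f gives 0x400400, which is why objdump shows that address. Anything that reads the operand out of guest memory, in QEMU or elsewhere, has to do this same next-instruction-relative arithmetic; the absolute address never appears in the instruction bytes.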

Author:  iansjack [ Sun May 13, 2018 8:42 am ]
Post subject:  Re: How to get operand of instruction using qemu

You're looking at a call to a function in a dynamic library. The way this works is rather involved, and depends upon whether the function has already been called or not. So just finding the address may not give you all that you want.

It might help if you could explain exactly why you want this value, and in what environment you are running when you want it. I doubt that it is in your own OS because if you knew enough to be able to load dynamic libraries and call functions in them you probably wouldn't need to ask the question. The short answer is that the best way to trace the function call would be by single-stepping in gdb.

Tell us more about what exactly you are doing and what is the real question behind the one you ask.
