I am new to qemu and I read that it allows for a singlestep mode emulation. This is helpful because I am trying to dump some addresses of the physical ram every cycle. Unfortunately, the qemu documentation is very bad. I know how to enable the singlestep mode from the qemu monitor but I have no idea where to put the code that I want to execute at every step. Does anyone have any information about this?
You can use gdb to attach to the guest with the --gdb tcp:: option to qemu and then use
$ gdb <binary>
(gdb) symbol-file <sym file>
(gdb) target remote <host>:<port number>
(gdb) b <function>
(gdb) c
'b' sets a breakpoint. 'n', 's' and 'i' can be used to step through the code. Entering "info" at the gdb prompt will show more info.
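To turn the procedure above into what the question asks for (a memory dump after every executed instruction), here is a gdb command script. It is an added example, not part of the original answer. It assumes QEMU was started with -S -s (-s is shorthand for -gdb tcp::1234, -S halts the CPU at reset so nothing runs before you attach), and the address to watch (0x1000) and the step count are placeholders. Two caveats worth knowing: QEMU does not model cycles, so "every cycle" becomes "every guest instruction" via stepi; and gdb's own x command reads guest-virtual addresses through the guest's page tables, so the script uses the monitor command, which forwards the rest of the line to QEMU's HMP monitor, where xp dumps guest-physical memory.

```gdb
# dump_phys_per_insn.gdb  (added example; assumes QEMU was run with -S -s)
# Attach to QEMU's gdbstub; no guest binary or symbol file is needed for this.
target remote localhost:1234
set pagination off
set confirm off

set $watch = 0x1000      # hypothetical guest-physical address to dump each step
set $steps = 200         # number of guest instructions to trace (placeholder)

set $i = 0
while $i < $steps
  # Advance exactly one guest instruction (QEMU has no notion of cycles).
  stepi
  printf "[%d] pc=0x%lx\n", $i, (unsigned long)$pc
  # 'monitor' hands the line to QEMU's HMP monitor over the gdbstub.
  # 'xp' reads guest-PHYSICAL memory (gdb's 'x' would go through the guest
  # page tables). 'eval' is used because 'monitor' does not expand $watch.
  eval "monitor xp /4xw 0x%x", $watch
  set $i = $i + 1
end
detach
quit
```

Run it non-interactively and capture the trace with: gdb -batch -x dump_phys_per_insn.gdb > trace.txt. For a one-off snapshot of a larger physical range, the monitor's pmemsave command (also reachable via "monitor pmemsave ...") writes guest-physical memory straight to a file instead of printing it.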
http://www.xenproject.org/help/questions-and-answers/problem-with-vga-passthrough.html
The above link shows the command line option for entering singlestep mode in QEMU. Next, get the source code for QEMU (http://wiki.qemu.org/Download).
The function monitor.c:do_singlestep(Monitor *mon, const QDict *qdict)
simply sets a flag "singlestep". Note that this is not the same as "singlestep_enabled", which emulates hardware single-stepping.
(The global variable is declared in vl.c.)
Now look into all the functions in target-i386/translate.c; the places where the "singlestep" flag is tested are:
    if (singlestep) {
        gen_jmp_im(pc_ptr - dc->cs_base);
        gen_eob(dc);
        break;
    }
This is the place where the binaries are either executed (or "translated", to be more exact), or otherwise a hardware exception is raised and handled (for example). If there is any behavior you want to modify, perhaps you can try here?