Kernel, Virus and Programming

grub is slow on bochs

If grub is running slowly on bochs, try adding "--no-rs-codes" to your grub-bios-setup command. The difference is 0.5 seconds versus 5 seconds.


2015/08/02 0

gcc can't handle too many #if macros

gcc can't handle too many macros (#if, #define); the output DWARF will have wrong line numbers. So when you disassemble the assembly with C/C++ source, everything is wrong, including wrong line numbers, wrong mapping of assembly code to C source code, and duplicated C/C++ lines. https://github.com/gcc-mirror/gcc/blob/master/libgcc/libgcc2.c In GKD, I add an on/off button to filter out those…


2015/08/02 1

GKD is running fast with bochs instrumentation stub now

GKD is running fast with the bochs instrumentation stub now; it captures all jmp/call/int/ret, all instructions that change your EIP. I am using H2 as the backbone database; it can record over 100,000 instructions every second, which is pretty fast. Turn on subtitles when you are watching it:


2015/07/26 0

Nazi gun tower


2015/07/13 0

Getting the parameters by parsing the dwarf directly

I used another two months to get the correct location of each parameter of a function. The mission sounds stupid, and the time I spent sounds stupid. If I used GDB, I would perhaps never know how parameters are stored in memory. Now I know how the computer ACTUALLY works. People think the parameters are stored in the stack, and…


2015/07/07 0

libelf include issue

When you meet this: Just comment out the following line in /toolchain/include/libelf/sys_elf.h. When I build libelf on Mac and on Linux, the output sys_elf.h is different; on Mac, the above line does not exist, so my OS is able to compile. Peter.


2015/06/30 0

How to look up the value of each parameter from DWARF and memory location

Here are the steps to look up the parameter value: 1) Look into the "info" section of the DWARF data, "objdump --dwarf=info". There is a DIE attribute DW_AT_location (DW_OP_fbreg: 0), telling you the offset from the frame register. 2) Look at the CIE in the .eh_frame section, "objdump --dwarf=frames". It will tell you the formula for calculating the CFA, such as…


2015/06/18 1

Linux view csv command

alias csv='column -s, -t'
csv your_file


2015/06/16 0

Successfully decode .eh_frame

Successfully decoded .eh_frame; now I am able to calculate the base offset of each parameter and can keep going on the profiling feature of GKD.


2015/05/27 0

objdump 2.24 has a bug

objdump 2.24 has a bug, but this bug is fixed in 2.25. It dumps the wrong address for my 32-bit kernel.


2015/05/22 1

Decoded first two instructions of .eh_frame

Decoded the first two instructions of .eh_frame. The DWARF spec lacks detail, so I need to hack into objdump to understand each byte; it is time consuming.


2015/05/12 1

binutils compile error

If you are compiling binutils and get these errors, just remove d-exp.c and try again. d-exp.c should be generated from d-exp.y, but the binutils makefile won't delete it during "make distclean".


2015/05/03 0

Tsinghua ucore kernel with GKD

I talked to Professor Chen from Tsinghua (http://media.cs.tsinghua.edu.cn/cn/cheny) and tried their education kernel (https://github.com/chyyuu/ucore_lab). I modified their Makefile a little bit so that it can be compiled on Mac and debugged using my GKD debugger.


2015/04/30 0

I finally understand why “DW_OP_fbreg: 0” is possible

In the following function kmalloc2, take a look at the first parameter. The memory location of that parameter is stated by DWARF as "DW_AT_location : 2 byte block: 91 0 (DW_OP_fbreg: 0)", where "DW_OP_fbreg: 0" means stack+0. I was wondering why it is possible, because when the CPU executed the call instruction, it already pushed 4 bytes onto the…


2015/04/14 0

objdump has a bug

The objdump command has a bug. I tried to use this command, "objdump -dS kernel", to display mixed assembly and C code, but objdump has a bug: it dumps the same piece of C source code at two different memory locations. I double checked the DWARF data; nothing is wrong. One more proof that the DWARF is correct: my GKD…


2015/04/11 0

I finally understand why the same parameter even has multiple locations

I finally understand why the same parameter even has multiple locations. My past concept was that a parameter stays in the stack. But after hacking the DWARF, it shows me that the same parameter has multiple locations during execution. Take a look at the image below: I wrote a function called kmalloc2 (blue arrow); the third parameter "size" has three locations (yellow…


2015/04/07 1

Finally can dump out the parameter type from dwarf standard

Finally I can dump out the parameter type from the DWARF standard. Some parameter types are stored recursively, so I need to read out DW_AT_type, get the right DIE and decode again. Personally I think DWARF is just too hard to parse. Here is the code: https://sourceforge.net/p/peter-dwarf/code/254/tree//trunk/src/main/java/com/peterdwarf/dwarf/DwarfLib.java https://sourceforge.net/p/peter-dwarf/code/254/tree//trunk/src/main/java/com/peterdwarf/dwarf/Dwarf.java


2015/03/29 0

This is how to decode dwarf DT_Type

This is how to decode dwarf DT_Type


2015/03/23 1

Heading toward decoding the range address of DWARF

Heading toward decoding the range address of DWARF; this job is killing me. And I found the information in a DIE is not always meaningful, see below.


2015/03/22 1

Fixed ubuntu vnc keymap problem

Ubuntu 12.04 VNC keymap has trouble: D becomes "minimize all windows" and S becomes the start menu. Run these to fix it.


2015/03/19 0

compile dwarfdump on Mac

CFLAGS='-I /opt/local/include -L /opt/local/lib' CXXFLAGS='-I /opt/local/include -L /opt/local/lib' ./configure --prefix=/peter-dwarfdump
make
make install

Because Mac gcc doesn't search /opt/local, you need to specify the path manually.


2015/03/07 0

Peter-dwarf library can show hierarchy data for compile unit now

Peter-dwarf library can show hierarchy data for compile unit now


2015/02/15 1

Thinkaholic open source event 2015/2/10

Thinkaholic open source event 2015/2/10


2015/02/15 0

I should look at this

I should look at this: printf -> _fstat -> _sbrk -> write


2015/02/07 0

Now it is good enough

Now it is good enough; I can focus on library things.


2015/01/22 0

tomcat auto startup script

Just save this to /etc/init.d/tomcat and link it to /etc/rc5.d/S99tomcat


2015/01/21 0

disable gnome “unable to mount…” dialog

gsettings set org.gnome.desktop.media-handling automount false

…and enable it again:

gsettings set org.gnome.desktop.media-handling automount true


2015/01/14 0

ELF has a duplicate compile unit; why doesn't ld clear it out?

ELF has a duplicate compile unit; why doesn't ld clear it out?


2015/01/09 0

Why I receive zero in my socket

I have two programs, one written in C++, the other in Java. C++ keeps sending bytes to Java, over time writing out 400KB. Java keeps receiving the data using the readBytes function; this function returns an integer which is the number of bytes it actually read for that call. For every send (400KB) in…


2015/01/08 0

The jump profiling is a little bit enhanced

The jump profiling is a little bit enhanced. After loading up the ELF kernel, it can read out all symbols and display them in the jump profiling window. It helps people trace which C++ function the EIP is jumping to.


2015/01/03 0

Empty bochs instrument crashes in Linux, but not in Mac

Empty bochs instrument crashes in Linux, but not in Mac. My instrument code is nearly empty.
core dump:
configure:
run by:
bochsrcSDL.bxrc:
instrument.h:
instrument.cc:


2014/12/25 0

Java has a bug again

Java has a bug again. After you install JDK 1.8u25 on your Mac, open Eclipse.app/Contents/MacOS/eclipse.ini and you will see:

-vm /Library/Java/JavaVirtualMachines/jdk1.8.0_25.jdk/Contents/Home

But actually this line has no effect: when you run eclipse with -console -debug, you still see it is running using JDK 1.6 ("-vm /System/Library/Frameworks/JavaVM.framework"). To fix it, change that line to:

-vm /Library/Java/JavaVirtualMachines/jdk1.8.0_25.jdk/Contents/Home/bin/java

Peter.


2014/12/22 0

make bochs run faster

Without "CXXFLAGS=-O3", bochs can only run at 20M ips on my i5 MBPR. With it, it now runs at 57M ips.


2014/12/14 0

volatile keyword is not everything to prevent compiler optimization

When you add the keyword "volatile" in front of a variable declaration, it prevents the compiler from optimizing the lines that use that variable. But if the line is completely useless, the compiler will still optimize it out and not generate any code for it.


2014/12/10 0

bochs problem again

I am unable to get the "" from the input stream. Please help. On the command line, when I start bochs, I see "", which is very normal. But if I use Java to read it out, I never get the . I tried different classes (BufferedReader, InputStream); none of them succeed.


2014/11/22 0

My proposal to Bochs team

Dear Bochs Team, my name is Peter, the author of GKD, previously called peter-bochs. Peter-Bochs parses the bochs debugger output. During the last 3 years, I have been busy supporting each version of bochs because the output of the bochs debug commands is different. I want to format the bochs debugger command output as XML, so…


2014/11/16 0

Tutorial: Add a debug command in bochs

This tutorial teaches you how to add a debug command in bochs; you need to touch these files only: debug.h, dbg_main.cc, lexer.l, parser.y. Step 1) First of all, you need to add your command (see below) to lexer.l. Don't add anything below the line "[A-Za-z_][A-Za-z0-9_]* { bxlval.sval = strdup(bxtext); return(BX_TOKEN_GENERIC); }", because it will eat…


2014/11/15 0

bochs can't compile on Mac (solved)

bochs can't compile on Mac because the configure script always sets gui_debugger=1; just set this variable to 0 at line 22459. Bochs can then be compiled on Mac with "./configure --enable-disasm --with-sdl --enable-debugger".


2014/11/15 0

${new} will cause error in old tomcat 7

The code below has an error, because the ${new} will crash old Tomcat 7. JSTL has a bug.


2014/11/14 0