QEMU Monitor
The QEMU monitor can be used to inspect and modify the VM state. For an overview of the available commands, see the QEMU Manual. The monitor is built in and does not require an external debugger such as GDB. Some common ways to use the QEMU monitor are listed below.
Running QEMU Monitor
Adding the argument -monitor [dev] will start the QEMU monitor and present a bash-like shell on that device. For example:
qemu -hda disk.img -monitor stdio #start the monitor in the current shell
qemu -hda disk.img -monitor telnet:127.0.0.1:[7777] #expose the monitor over telnet so it can be used from another machine
The monitor gives full control over the guest and has no authentication of its own, so a TCP listener should only be reachable by trusted hosts.
Common usage
Registers
info registers will print the current state of all registers. Besides the general registers (EAX and EIP), it also lists information about the segment selectors and descriptor tables. Below is a snippet of the output:
...
CS =0008 00000000 ffffffff 00cf9a00 DPL=0 CS32 [-R-]
DS =0010 00000000 000fffff 00c09300 DPL=0 DS [-WA]
...
- CS =0008
- Describes the segment selector. The code selector is using the second entry of the GDT (DS is using the third entry of the GDT).
- 00000000 ffffffff
- The base and limit of the CS segment. Here CS covers all of the available memory. If you look at the DS segment, you will see that its limit is 0x000fffff.
- 00cf9a00 DPL=0 CS32 [-R-]
- The flags of the segment. The first field shows a summary of all flags combined. DPL, the privilege level, can only run code using privilege level 1. CS32 means it is running in 32-bit mode; if you are running in real mode, CS16 would show up instead. The last field is particularly interesting as it shows the access rights: [-R-], read-only.
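The three columns described above can be decoded mechanically from the raw selector and flags values. The following is an added example written for this page, not code from QEMU or the QEMU Manual; it parses segment lines in the shape of the `info registers` output (the two sample lines are constructed from the snippet above), decodes the selector into GDT/LDT index and RPL, and decodes the descriptor's high dword into type, DPL, present bit and 16/32/64-bit mode, reproducing QEMU's bracket summary. It also flags "flat" segments (base 0, limit 0xffffffff), where segmentation imposes no bound and memory protection rests entirely on paging.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `info registers` segment lines (not a real capture)
SAMPLE_INFO_REGISTERS = """\
CS =0008 00000000 ffffffff 00cf9a00 DPL=0 CS32 [-R-]
DS =0010 00000000 000fffff 00c09300 DPL=0 DS   [-WA]
"""

# name, selector, base, limit, raw flags dword (the high dword of the descriptor)
SEG_LINE = re.compile(
    r"^(?P<name>[CDEFGS]S|LDT|TR)\s*=(?P<sel>[0-9a-fA-F]{4})\s+"
    r"(?P<base>[0-9a-fA-F]{8,16})\s+(?P<limit>[0-9a-fA-F]{8})\s+(?P<flags>[0-9a-fA-F]{8})"
)


@dataclass(frozen=True)
class Segment:
    name: str
    selector: int
    base: int
    limit: int
    flags: int

    # Selector layout: bits 3.. = descriptor index, bit 2 = table (0 GDT / 1 LDT), bits 0-1 = RPL
    @property
    def index(self) -> int:
        return self.selector >> 3

    @property
    def table(self) -> str:
        return "LDT" if self.selector & 0x4 else "GDT"

    @property
    def rpl(self) -> int:
        return self.selector & 0x3

    # Descriptor high dword: bits 8-11 type, bit 12 S (1 = code/data), bits 13-14 DPL,
    # bit 15 P, bit 21 L (64-bit code), bit 22 D/B (32-bit default), bit 23 G (4 KiB granularity)
    @property
    def seg_type(self) -> int:
        return (self.flags >> 8) & 0xF

    @property
    def is_code(self) -> bool:
        return bool(self.flags & (1 << 12)) and bool(self.seg_type & 0x8)

    @property
    def dpl(self) -> int:
        return (self.flags >> 13) & 0x3

    @property
    def present(self) -> bool:
        return bool(self.flags & (1 << 15))

    @property
    def mode(self) -> str:
        """CS16 / CS32 / CS64 for code segments, 'data' otherwise."""
        if not self.is_code:
            return "data"
        if self.flags & (1 << 21):
            return "CS64"
        return "CS32" if self.flags & (1 << 22) else "CS16"

    @property
    def access(self) -> str:
        """QEMU-style bracket summary: code => [C?R?A?], data => [E?W?A?]."""
        t = self.seg_type
        letters = "CRA" if self.is_code else "EWA"
        return "[" + "".join(ch if t & bit else "-" for ch, bit in zip(letters, (4, 2, 1))) + "]"

    @property
    def is_flat(self) -> bool:
        """Base 0 with a limit covering the whole 32-bit space: no segment-level bound at all."""
        return self.base == 0 and self.limit == 0xFFFFFFFF


def parse_segments(text: str) -> dict:
    """Return {segment name: Segment} for every segment line found in monitor output."""
    segs = {}
    for line in text.splitlines():
        m = SEG_LINE.match(line)
        if m:
            segs[m["name"]] = Segment(
                m["name"], int(m["sel"], 16), int(m["base"], 16), int(m["limit"], 16), int(m["flags"], 16)
            )
    return segs


def summarize(seg: Segment) -> str:
    flat = ", flat (protection relies on paging)" if seg.is_flat else ""
    return (f"{seg.name}: {seg.table} entry {seg.index}, RPL {seg.rpl}, DPL {seg.dpl}, "
            f"{'present' if seg.present else 'not present'}, {seg.mode} {seg.access}{flat}")


if __name__ == "__main__":
    for seg in parse_segments(SAMPLE_INFO_REGISTERS).values():
        print(summarize(seg))
```

Running the block prints one summary line per segment; the decoded index 1 for CS and 2 for DS, DPL 0, CS32 and the [-R-] / [-WA] summaries match the columns explained in the list above.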
Memory
Similar to GDB, x/Nx [addr] will show N words starting at address [addr]. For example, to see what is loaded in memory at 0x7C00 (the bootloader):
(qemu) x/12x 0x7C00
00007c00: 0x7d121688 0x898000bd 0x7d13bbec 0xe8000ee8
00007c10: 0x68bb00e1 0x0005e87d 0xeb008ee8 0x8a0eb4fe
00007c20: 0x74003c07 0x01c38307 0xf1eb10cd 0xb45260c3
To inspect an instruction at a certain memory location, use i instead. The format is similar: x/Ni [addr]. For example, to see the instruction at a certain place:
(qemu) x/i 0x7C00
0x00007c00: mov %dl,(%esi)
Note: x normally inspects virtual (linear) addresses. Once paging is set up, xp can be used instead to make sure a physical address is displayed.
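A dump like the one above is most useful when it is turned back into raw bytes and compared with what should be there. The following is an added example written for this page, not code from QEMU; it parses output in the shape of x/Nx (the sample is constructed from the dump shown above), reassembles the little-endian words into a byte string, and reports every offset where guest memory differs from a reference copy such as the boot sector of the disk image. The first two bytes it recovers at 0x7c00, 88 16, are the encoding of the mov %dl,(%esi) that x/i displayed. The reference image and the tampered copy used at the bottom are constructed for the demonstration.

```python
import re

# Constructed sample in the shape of the monitor's `x/12x 0x7C00` output (not a real capture)
SAMPLE_DUMP = """\
(qemu) x/12x 0x7C00
00007c00: 0x7d121688 0x898000bd 0x7d13bbec 0xe8000ee8
00007c10: 0x68bb00e1 0x0005e87d 0xeb008ee8 0x8a0eb4fe
00007c20: 0x74003c07 0x01c38307 0xf1eb10cd 0xb45260c3
"""

# "<addr>: 0x........ 0x........ ..." ; the prompt echo and anything else is skipped
DUMP_LINE = re.compile(r"^\s*(?P<addr>[0-9a-fA-F]+):\s*(?P<words>(?:0x[0-9a-fA-F]{8}\s*)+)$")


def parse_word_dump(text: str) -> tuple:
    """Turn x/Nx output back into (start address, raw bytes); words are little-endian on x86."""
    start = None
    expected_next = None
    out = bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        addr = int(m["addr"], 16)
        if start is None:
            start = addr
        elif addr != expected_next:
            # A gap would silently misalign every later byte, so refuse rather than guess
            raise ValueError(f"non-contiguous dump at {addr:#x}, expected {expected_next:#x}")
        words = m["words"].split()
        for w in words:
            out += int(w, 16).to_bytes(4, "little")
        expected_next = addr + 4 * len(words)
    if start is None:
        raise ValueError("no dump lines found")
    return start, bytes(out)


def diff_against_image(dump: bytes, image: bytes, image_offset: int = 0) -> list:
    """Offsets (relative to the dump) where guest memory differs from the reference bytes."""
    ref = image[image_offset:image_offset + len(dump)]
    if len(ref) < len(dump):
        raise ValueError("reference image is shorter than the dumped region")
    return [i for i, (a, b) in enumerate(zip(dump, ref)) if a != b]


if __name__ == "__main__":
    start, data = parse_word_dump(SAMPLE_DUMP)
    print(f"{len(data)} bytes from {start:#x}, first bytes: {data[:4].hex()}")
    # Constructed reference: pretend the on-disk boot sector matches, then flip one byte
    pristine = bytes(data)
    tampered = bytearray(pristine)
    tampered[5] ^= 0xFF
    print("clean image differs at:", diff_against_image(data, pristine))
    print("tampered image differs at:", diff_against_image(data, bytes(tampered)))
```

In practice the reference would be the first 512 bytes of disk.img (the sector the BIOS loads to 0x7C00), so the comparison shows whether the bootloader in guest memory is still the one on disk.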
Read I/O ports
QEMU can also be used to read and write I/O ports. For example, to read a byte from port 0x20 of the first PIC:
(qemu) i/b 0x20
portb[0x0020] = 0x11