-
Notifications
You must be signed in to change notification settings - Fork 257
Intel Processor Trace
IPT is an extension of the x64 architecture that allows you to get a deep insight into the software execution.
DRAKVUF supports recording IPT streams on up to 16 vCPUs.
Support for IPT is implemented by the ipt plugin, which can be enabled by passing -a ipt flag.
Acquired traces can be further processed by libipt.
Install Xen >=4.15.
Add a new entry to the domain configuration:
vmtrace_buf_kb = 8192
vmtrace_buf_kb controls size of IPT stream buffer per vCPU.
IPT plugin can be configured with command line options:
-
--ipt-dir- the directory where IPT streams are stored. files are named "ipt_stream_vcpu?" where ? is the id of the vCPU (required, otherwise plugin won't start) -
--ipt-trace-osenable tracing when CPL = 0, i.e. the operating system (optional) -
--ipt-trace-userenable tracing when CPL > 0, i.e. userspace (optional)
DRAKVUF supplements recorded streams with some additional metadata useful for decoding and correlating the streams. Annotations are performed by injecting a PTWRITE packet with an 8 byte payload.
Upper 32 bits contain the annotation type. Lower 32 bits contain some additional data (if the annotation requires it).
in psudocode:
decode(u64 payload)
{
u32 type = payload >> 32;
u32 data = payload & 0xffffffff;
}
Annotation types:
-
PTW_CURRENT_CR3(0xC3000000) - data: current CR3 -
PTW_CURRENT_TID(0x1D000000) - data: current TID -
PTW_EVENT_ID(0xCC000000) - data: last DRAKVUF event ID that occurred -
PTW_ERROR_EMPTY(0xBAD10000) - data: none, IPT generated no data