gdb-pt-dump

gdb-pt-dump is a gdb script to enhance debugging of a QEMU-based virtual machine.

The repository also includes pt_host which is a BPF program that allows for examining the page tables of a Linux process.

Supported architectures

Supported architectures: x86-64, x86-32, aarch64, riscv64.

Features

Dumping a page table from a specific guest physical address.
Merging semantically-similar contiguous memory.
Provide detailed architectural information: writeable, executable, U/S, cacheable, write-back, XN, PXN, etc
Cache collected information for future filtering and printing.
Filter page table information via page attributes (x, w, u, s, ...) and virtual addresses (before, after, between)
Search memory very fast using /proc/QEMU_PID/mem. Search for string, u8, u4 Search is applied after filter.
Filter-out search results by address alignment. Useful for filtering-out SLAB allocations.
Try to determine KASLR information by examining the address space.
Find virtual memory aliases.
Dump host page tables via pt_host.py

How to use

The script is standalone.

For now, do source PATH_TO_PT_DUMP/pt.py.

For details, just do help pt in gdb.

Examples

x86_64: Only user space pages

x86_64: Only executable pages

aarch64: User space accessible pages

aarch64: write or executable pages

aarch64: only executable pages

Saved page tables

Possible issues

Old QEMU versions seem to not provide access to privileged registers like cr3. Thus, the page table address would need to be retrieved in some other way.

martinradev / gdb-pt-dump

readme