QEMU Syscall Tracer & NV-Trace

Demo Video

Core Capabilities

🔍 Multi-Level Analysis

4 analysis levels: Raw dump, thread-grouped, privacy-preserving, and real-time streaming. Choose the right abstraction for your debugging needs.

Level 0: Raw event dumper
Level 1: Thread-grouped with pairing
Level 2: Privacy-preserving (masked TIDs)
Level 3: Real-time streaming

⚙️ QEMU Integration

Modified QEMU emulator intercepts syscalls at CPU level. Captures registers, stack, and memory payloads with real-time output.

CPU-level syscall interception
Complete execution context capture
TCP socket streaming (port 12345)
Binary trace file output

🏗️ Dual Architecture

Comprehensive support for both RISC-V and x86_64 architectures with architecture-aware syscall number resolution.

RISC-V 64-bit (303 syscalls)
x86_64 (174 syscalls)
Register mapping per architecture
Cross-platform compatibility

⚡ Real-Time Monitoring

Live trace streaming from running QEMU VM with network-based event delivery and immediate analysis.

Live streaming from QEMU
TCP network protocol
O(threads) memory efficiency
Immediate event processing

📊 Deep Syscall Parsing

20+ syscall types with structure decoding including stat, uname, execve, getdents64 parsing and mmap/mprotect flag decoding.

File operations (openat, read, write)
Process management (execve, clone)
Memory mapping (mmap, mprotect)
String extraction & formatting

🧵 Thread-Aware Analysis

Tracks clone/fork/vfork correctly, pairs syscall entry/exit events, and handles signal handlers with nested contexts.

Clone/fork/vfork tracking
Entry/exit event pairing
Signal handler support
Deterministic TID masking

Quick Start

Build and run the syscall tracer in just a few commands:

# Build QEMU syscall tracer
cd qemu-syscall-tracer/build
../configure --target-list=x86_64-softmmu,riscv64-softmmu
make -j$(nproc)

# Run with tracing enabled
./qemu-system-riscv64 -kernel vmlinux -nographic

# Analyze trace (real-time mode)
nv-trace -a riscv -l 3 -r

# Analyze trace file
nv-trace -a riscv -l 1 lk_trace.data

Architecture Overview

┌─────────────────────────────────────────────────────┐
│  qemu-syscall-tracer (Modified QEMU)                │
│  - Intercept syscalls (x86_64 + RISC-V)             │
│  - Capture complete context + payload               │
│  - Output binary trace_event_t stream               │
└──────────────────┬──────────────────────────────────┘
                   │
                   ├─ socket (localhost:12345) ──┐
                   │                             │
                   └─ file (lk_trace.data) ──────┤
                                                  │
                   ┌──────────────────────────────┘
                   ▼
┌─────────────────────────────────────────────────────┐
│  nv-trace (Trace Analyzer)                          │
│  - Parse binary trace files                         │
│  - 4-level analysis (Raw/Grouped/Masked/Streaming)  │
│  - Format 20+ syscall types                         │
│  - Thread-aware pairing                             │
│  - Real-time/offline analysis                       │
└─────────────────────────────────────────────────────┘
                   │
                   ▼
              Human-Readable Output
         (Similar to strace but more powerful)

Technology Stack

QEMU C++ RISC-V x86_64 Binary Protocol TCP Sockets LLVM System Programming

Use Cases

Kernel Debugging

Trace kernel boot sequences and system initialization. Understand kernel-userspace interactions at the syscall boundary.

Security Analysis

Monitor malware behavior and detect suspicious syscall patterns. Analyze exploit attempts and privilege escalation.

Performance Profiling

Identify syscall bottlenecks and I/O inefficiencies. Optimize application performance by analyzing system interactions.

Reverse Engineering

Analyze unknown binary behavior through syscall observation. Understand closed-source application internals.