[panda-users] Osi_linux plugin

Simone Mazzoni simone.mazzoni13 at gmail.com
Thu Apr 16 14:06:53 EDT 2015


64-bit?
The OSI plugin works only for x86 OSes, am I wrong?
Anyway, my host system is a 64-bit OS while the OS I want to introspect is
32-bit. I hope it works.

Thanks for the help,

- Simone

On Thu 16 Apr 2015 17:55, Manolis Stamatogiannakis <mstamat at gmail.com>
wrote:

> There is a default kernel group hardwired in the source.
>
> You should point to the proper kernel group of your kernelinfo using the
> kconf_group parameter. You can also point to the exact location of your
> kernelinfo with the kconf_file parameter (but usually a softlink is faster
> :) : "osi;osi_linux:kconf_file=...,kconf_group=...;osi_test"
>
> Btw, you don't have to manually extract and parse the dmesg output. The
> kernelinfo_parse.py script does this for you, so you only need to append
> its output to your kernelinfo file. Also, make sure that your guest OS is
> also 64-bit.
>
> Cheers,
> Manolis
>
>
>
> 2015-04-16 7:51 GMT-07:00 Simone Mazzoni <simone.mazzoni13 at gmail.com>:
>
>> Hi Manolis,
>>
>> I created the kernelinfo.conf file, but I do not understand where I have
>> to put it in order to make the osi_linux plugin work.
>> It gives me this error when I try to run panda with this command line
>> --> ./qemu-system-x86_64 -m 1G -monitor stdio -hda ../../../challdeb.img
>> -loadvm booted -panda 'osi;osi_linux;osi_test'
>>
>> What am I doing wrong?
>>
>> Thanks
>>
>> -Simone
>>
>> On Thu 16 Apr 2015 at 15:36, Simone Mazzoni <
>> simone.mazzoni13 at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I extracted the parameters from the OS kernel that I want to introspect.
>>>
>>> The parameters are these:
>>>
>>> Apr 14 22:38:24 polictf kernel: [ 3533.872169] --KERNELINFO-BEGIN--
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873067] name = #1 SMP Debian 3.2.65-1+deb7u2 i686
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873114] task.size = 1060
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873249] #task.init_addr = 0xC13E2FE0
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873279] task.init_addr = 3242078176
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873310] task.task_offset = 0
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873356] task.tasks_offset = 212
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873394] task.pid_offset = 292
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873420] task.tgid_offset = 296
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873447] task.group_leader_offset = 328
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873475] task.thread_group_offset = 384
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873504] task.real_parent_offset = 304
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873532] task.parent_offset = 308
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873559] task.mm_offset = 240
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873586] task.stack_offset = 4
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873615] task.real_cred_offset = 504
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873642] task.cred_offset = 508
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873668] task.comm_offset = 516
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873693] task.comm_size = 16
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873722] cred.uid_offset = 4
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873749] cred.gid_offset = 8
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873774] cred.euid_offset = 20
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873813] cred.egid_offset = 24
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873842] mm.mmap_offset = 0
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873867] mm.pgd_offset = 36
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873901] mm.arg_start_offset = 152
>>> Apr 14 22:38:24 polictf kernel: [ 3533.873970] mm.start_brk_offset = 140
>>> Apr 14 22:38:24 polictf kernel: [ 3533.874004] mm.brk_offset = 144
>>> Apr 14 22:38:24 polictf kernel: [ 3533.874032] mm.start_stack_offset = 148
>>> Apr 14 22:38:24 polictf kernel: [ 3533.874078] vma.vm_mm_offset = 0
>>> Apr 14 22:38:24 polictf kernel: [ 3533.874104] vma.vm_start_offset = 4
>>> Apr 14 22:38:24 polictf kernel: [ 3533.874133] vma.vm_end_offset = 8
>>> Apr 14 22:38:24 polictf kernel: [ 3533.874161] vma.vm_next_offset = 12
>>> Apr 14 22:38:24 polictf kernel: [ 3533.874187] vma.vm_flags_offset = 28
>>> Apr 14 22:38:24 polictf kernel: [ 3533.874215] vma.vm_file_offset = 80
>>> Apr 14 22:38:24 polictf kernel: [ 3533.874242] fs.f_dentry_offset = 12
>>> Apr 14 22:38:24 polictf kernel: [ 3533.874268] fs.f_path_offset = 8
>>> Apr 14 22:38:24 polictf kernel: [ 3533.874293] fs.d_name_offset = 20
>>> Apr 14 22:38:24 polictf kernel: [ 3533.874320] fs.d_iname_offset = 36
>>> Apr 14 22:38:24 polictf kernel: [ 3533.874347] fs.d_parent_offset = 16
>>> Apr 14 22:38:24 polictf kernel: [ 3533.874369] ---KERNELINFO-END---
>>>
>>> At this point, if I am not wrong, I have to edit the kernelinfo.conf
>>> file with the new parameters. Is that right, or are there other things to do?
>>>
>>> Thanks.
>>>
>>> - Simone
>>>
>>> On Wed 15 Apr 2015 at 20:41, Manolis Stamatogiannakis <
>>> mstamat at gmail.com> wrote:
>>>
>>>> When you run the plugin, kernelinfo.conf must exist in your current
>>>> directory. So just soft-link it from the source directory of the plugin.
>>>>
>>>> In your case, however, the stock kernelinfo.conf won't work because it
>>>> currently contains only information for the 32-bit kernel used by Debian
>>>> stable.
>>>> So you have to compile the kernelinfo module in a guest running
>>>> (ideally) the same kernel you want to introspect.
>>>> Then insert it into the kernel (insertion always fails) and use the
>>>> supplied python script to extract the offsets for that kernel.
>>>>
>>>> The offsets should then be appended to kernelinfo.conf. Also make a
>>>> pull request for the updated kernelinfo.conf when you do this.
>>>>
>>>> IIRC, the kernelinfo module had some glitches which prevented it from
>>>> compiling in recent kernels (e.g. 3.20). So if you encounter any problems,
>>>> drop me an email so that I expedite making a pull request for the fixed
>>>> version.
>>>>
>>>> Cheers,
>>>> M.
>>>>
>>>>
>>>> 2015-04-15 8:26 GMT-07:00 Simone Mazzoni <simone.mazzoni13 at gmail.com>:
>>>>
>>>>> Hello,
>>>>>
>>>>> I tried to use the osi_linux plugin to get the current process in
>>>>> execution, but it seems not to work.
>>>>> I tried to execute panda with -panda 'osi;osi_linux;osi_test' but it
>>>>> gives me the following error:
>>>>>
>>>>>
>>>>> Any idea of the reason?
>>>>>
>>>>> I noticed that the plugin contains a "utils/kernelinfo" folder that
>>>>> should contain a script or something to extract the correct offsets of the
>>>>> running kernel, but I do not understand how to use it.
>>>>>
>>>>> I tried running the osi_test on a Debian OS and on an Ubuntu 14.04 OS.
>>>>>
>>>>> Thanks for the help.
>>>>>
>>>>> - Simone
>>>>>
>>>>> _______________________________________________
>>>>> panda-users mailing list
>>>>> panda-users at mit.edu
>>>>> http://mailman.mit.edu/mailman/listinfo/panda-users
>>>>>
>>>>>
>>>>
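As an added example that is not part of this thread and is not PANDA's own kernelinfo_parse.py: a small parser that turns the dmesg block quoted above into the INI group that the kconf_group parameter can select. The sample input, the group name and the word-size heuristic on the name field are constructed assumptions for the example.

```python
import re

# Constructed sample: the dmesg lines quoted in the thread, with some values
# wrapped onto the next line by the mail client.
SAMPLE_DMESG = """\
Apr 14 22:38:24 polictf kernel: [ 3533.872169] --KERNELINFO-BEGIN--
Apr 14 22:38:24 polictf kernel: [ 3533.873067] name = #1 SMP Debian
3.2.65-1+deb7u2 i686
Apr 14 22:38:24 polictf kernel: [ 3533.873249] #task.init_addr =
0xC13E2FE0
Apr 14 22:38:24 polictf kernel: [ 3533.873279] task.init_addr =
3242078176
Apr 14 22:38:24 polictf kernel: [ 3533.873356] task.tasks_offset = 212
Apr 14 22:38:24 polictf kernel: [ 3533.874369] ---KERNELINFO-END---
"""

# Syslog/dmesg prefix up to and including the "[ seconds]" timestamp.
PREFIX = re.compile(r"^.*?kernel: \[\s*[\d.]+\]\s?")

def extract_block(text):
    """Logical 'key = value' lines between the markers, prefixes stripped, wraps re-joined."""
    lines, inside = [], False
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        body = (raw[m.end():] if m else raw).strip()
        if body.startswith("--KERNELINFO-BEGIN--"):
            inside = True
        elif body.startswith("---KERNELINFO-END---"):
            break
        elif inside and m is None and lines:  # no prefix: wrapped continuation
            lines[-1] += " " + body
        elif inside:
            lines.append(body)
    return lines

def parse_kernelinfo(text, group):
    """Key -> value map ('#' entries dropped) plus the INI text for kconf_group=<group>."""
    entries = {}
    for line in extract_block(text):
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    ini = "[%s]\n" % group + "".join("%s = %s\n" % kv for kv in entries.items())
    return entries, ini

def guest_word_size(entries):
    """Assumption: 'name' ends with the uname machine string (i686 = 32-bit, x86_64 = 64-bit)."""
    name = entries.get("name", "")
    return 64 if "x86_64" in name else 32 if re.search(r"\bi[3-6]86\b", name) else None
```

Appending the returned INI text to kernelinfo.conf and passing the same group name via kconf_group is the step the thread describes; the word-size check is there to catch the 32-bit/64-bit mismatch discussed above before running the plugin.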