[panda-users] Osi_linux plugin

Manolis Stamatogiannakis mstamat at gmail.com
Mon Apr 20 03:59:25 EDT 2015


Hi Simone,

I'm not sure what your problem is. Maybe you want to look at my code here:
https://github.com/m000/panda/tree/9f9b430d8e0ef2b239a3dfc6e3263b4a6a5ac92f/qemu/panda_plugins/prov_tracer

In this plugin:
- The syscall definitions are translated in .c files using a python script.
- The .c files are compiled into dynamic libraries.
- A callback is inserted on SYSENTER/SYSEXIT instructions. Using the
dynamically loaded syscall specs, a string representation of the system
call is printed.

The plugin has grown substantially more complex after this point, so I
think that this commit is a good starting point for what you want. Let
me know if that helped.

Regarding the order of execution of callbacks, I'm not sure but it should
be fairly easy to find out by reading the source. However, whatever you
find should probably be considered an implementation detail. I.e. if it is
not written in the docs, it is subject to change without notice. So your
code should preferably not depend on the specific order.

Cheers,
Manolis

2015-04-19 7:04 GMT-07:00 Simone Mazzoni <simone.mazzoni13 at gmail.com>:

> Hi Manolis,
>
> I think I got the problem.
> In my plugin I called the get_current_process() in a function executed
> every time a PANDA_CB_INSN_EXEC callback was called. In the osi_test the
> get_current_process() function is called every time a
> PANDA_CB_BEFORE_BLOCK_EXEC callback is called. If I call the get_current_process()
> within the PANDA_CB_BEFORE_BLOCK_EXEC callback, all works fine and I get
> the name of the current process in execution.
>
> Now I have another problem.
> My original purpose is to track the system calls invoked by a specific
> process.
> In my windows version of the plugin, I do this thing by:
> - intercept if the current instruction is SYSENTER (checking the op code
> in the PANDA_CB_INSN_TRANSLATE callback)
> - if I'm in SYSENTER, I call the get_current_process() function after
> every PANDA_CB_INSN_EXEC callback to check if the PID or PROCESS_NAME is
> the desired one, and if it is, I print out the value of the EAX register.
>
> I will put my plugin source code as attachment so as you can better
> understand.
>
> I tried to do the same in the plugin for linux using the osi_linux, but it
> does not work. How can I accomplish my goal?
>
> I have also another question, the PANDA_CB_INSN_EXEC callback, is called
> before or after the PANDA_CB_BEFORE_BLOCK_EXEC?
>
> Thanks.
>
> - Simone
>
>
>
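The two-stage scheme Simone describes (flag the SYSENTER instruction at translate time, then check the current process and read EAX at execute time) as a stand-alone example. This is added code, not from the thread, from PANDA, or from either plugin discussed above. The PANDA glue is deliberately left out so it compiles on its own: the translate callback would pass the instruction bytes it reads with panda_virtual_memory_rw() to classify_syscall_entry(), and the exec callback would fill proc_info_t from the OsiProc returned by get_current_process() and pass env->regs[R_EAX] (assumed register access) to on_syscall_entry(). One detail a Linux port has to cover that the Windows version does not: a 32-bit Linux guest can also enter the kernel with `int 0x80` (bytes CD 80), so matching only SYSENTER (0F 34) silently drops those calls. The process names, PIDs and syscall numbers in run_sample() are constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* How a 32-bit x86 guest can enter the kernel for a system call. */
typedef enum {
    SYSCALL_ENTRY_NONE = 0,
    SYSCALL_ENTRY_SYSENTER, /* 0F 34: what the Windows version of the plugin matches */
    SYSCALL_ENTRY_INT80     /* CD 80: classic Linux entry, still used by older/static binaries */
} syscall_entry_t;

/* Translate-time side (PANDA_CB_INSN_TRANSLATE): given the first bytes of the
 * instruction at pc, decide whether it is a syscall entry and which kind.
 * Only instructions that return non-NONE need an exec callback. */
syscall_entry_t classify_syscall_entry(const uint8_t *insn, size_t len)
{
    if (len < 2) return SYSCALL_ENTRY_NONE;
    if (insn[0] == 0x0F && insn[1] == 0x34) return SYSCALL_ENTRY_SYSENTER;
    if (insn[0] == 0xCD && insn[1] == 0x80) return SYSCALL_ENTRY_INT80;
    return SYSCALL_ENTRY_NONE;
}

/* Stand-in for the OsiProc fields the filter needs (pid and name). */
typedef struct {
    uint32_t pid;
    const char *name;
} proc_info_t;

/* What the user wants to track: a PID, a name, or both. 0 / NULL = don't care. */
typedef struct {
    uint32_t pid;
    const char *name;
} proc_filter_t;

/* Exec-time side (PANDA_CB_INSN_EXEC): does the current process match the filter? */
bool process_matches(const proc_info_t *p, const proc_filter_t *f)
{
    if (f->pid != 0 && p->pid != f->pid) return false;
    if (f->name != NULL && (p->name == NULL || strcmp(p->name, f->name) != 0)) return false;
    return true;
}

/* Format one log line: "<name>[<pid>] <sysenter|int80> eax=<syscall number>". */
int format_syscall_line(char *out, size_t outlen, const proc_info_t *p,
                        syscall_entry_t how, uint32_t eax)
{
    const char *via = (how == SYSCALL_ENTRY_SYSENTER) ? "sysenter" : "int80";
    return snprintf(out, outlen, "%s[%u] %s eax=%u",
                    p->name ? p->name : "?", p->pid, via, eax);
}

/* What the exec callback does once it has the entry kind, the current process
 * and EAX. Writes a line into out and returns true only when something was logged. */
bool on_syscall_entry(syscall_entry_t how, const proc_info_t *p, const proc_filter_t *f,
                      uint32_t eax, char *out, size_t outlen)
{
    if (how == SYSCALL_ENTRY_NONE) return false;
    if (!process_matches(p, f)) return false;
    format_syscall_line(out, outlen, p, how, eax);
    return true;
}

/* Constructed sample run: three instructions seen in two processes.
 * Returns how many lines were emitted; the last emitted line is kept in sample_line. */
static char sample_line[128];

int run_sample(void)
{
    static const uint8_t sysenter[] = {0x0F, 0x34};
    static const uint8_t int80[]    = {0xCD, 0x80};
    static const uint8_t mov_eax[]  = {0xB8, 0x04, 0x00, 0x00, 0x00}; /* mov eax, 4 */
    const proc_info_t target = { .pid = 1234, .name = "cat" };   /* constructed */
    const proc_info_t other  = { .pid = 1,    .name = "init" };  /* constructed */
    const proc_filter_t filt = { .pid = 0, .name = "cat" };      /* track by name only */
    int emitted = 0;

    /* "init" doing an int 0x80: right instruction, wrong process -> not logged. */
    if (on_syscall_entry(classify_syscall_entry(int80, sizeof int80), &other, &filt, 4,
                         sample_line, sizeof sample_line)) emitted++;
    /* "cat" executing a plain mov: not a syscall entry -> not logged. */
    if (on_syscall_entry(classify_syscall_entry(mov_eax, sizeof mov_eax), &target, &filt, 4,
                         sample_line, sizeof sample_line)) emitted++;
    /* "cat" at sysenter with eax=4 (write on 32-bit Linux) -> logged. */
    if (on_syscall_entry(classify_syscall_entry(sysenter, sizeof sysenter), &target, &filt, 4,
                         sample_line, sizeof sample_line)) emitted++;
    return emitted;
}

int main(void)
{
    int n = run_sample();
    printf("%d line(s) emitted, last: %s\n", n, sample_line);
    return 0;
}
```

Keeping the byte check in the translate callback and the process check in the exec callback matches what the thread describes: the translate filter is cheap and runs once per translated block, while get_current_process() is the expensive part and only runs on the few instructions that were flagged.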