[panda-users] about asidstory plugin

Manolis Stamatogiannakis mstamat at gmail.com
Thu Apr 23 13:36:18 EDT 2015


I'm not familiar with using PANDA for Android analysis, but I remember that
the older linux_vmi plugin suggested piggybacking the offset extraction
code on the init function of one of the goldfish kernel modules that are
loaded by default.

An example from their old code is commented at the end of DECAF_linux_vmi.c:
https://github.com/moyix/panda/blob/master/qemu/panda_plugins/linux_vmi/DECAF_linux_vmi.c#L806

M.


2015-04-23 8:32 GMT-07:00 Brendan Dolan-Gavitt <brendandg at gatech.edu>:

> Asidstory requires the OSI plugin to get information about the guest OS.
> Since you're running this on Android, which is Linux-based, you would want
> to use a command line like:
>
> -panda 'osi_linux;osi;asidstory'
>
> The osi_linux plugin needs a configuration file that specifies the offsets
> of various kernel data structure members. You can see an example here:
>
>
> https://github.com/moyix/panda/blob/master/qemu/panda_plugins/osi_linux/kernelinfo.conf
>
> Unfortunately getting this information for Android is tricky – the usual
> way is to load a kernel module that prints out the offsets for you. It is
> possible you can use some of the steps from Volatility's Android code to
> help out here, but there will be some extra work involved in getting the
> information in a form usable by osi_linux.
>
>
> https://github.com/volatilityfoundation/volatility/wiki/Android#build-a-volatility-profile
>
> Hope this helps,
> Brendan
>
> On Thu, Apr 23, 2015 at 3:33 AM, xiaojuan Li <xiaotan6666 at gmail.com>
> wrote:
>
>> Thanks.
>> I noticed the note in asidstory.cpp: "collect the set of asids (cr3 on
>> x86)..."
>> But now that PANDA uses QEMU and extends it, and it seems it can
>> translate micro-ops to LLVM, why does replaying Android fail?
>>
>> 2015-04-23 3:24 GMT-04:00 Aleksandar Nikolich <anikolich at sourcefire.com>:
>>
>>> Ah, I missed that you were trying to replay Android. AFAIK asidstory
>>> requires a suitable OS introspection plugin.
>>>
>>>
>>> On Thursday, April 23, 2015, Aleksandar Nikolich <
>>> anikolich at sourcefire.com> wrote:
>>>
>>>> Ah, I missed that you were trying to replay Android. AFAIK asidstory
>>>> requires a suitable OS introspection plugin.
>>>>
>>>> On Thursday, April 23, 2015, xiaojuan Li <xiaotan6666 at gmail.com> wrote:
>>>>
>>>>> Thanks first!
>>>>> The thing is, I use qemu-system-arm to replay, and when I add the
>>>>> "win7x86intro" plugin it does not work (still segfaults).
>>>>>
>>>>> 2015-04-23 3:12 GMT-04:00 Aleksandar Nikolich <
>>>>> anikolich at sourcefire.com>:
>>>>>
>>>>>> You need to add "win7x86intro" plug-in too and it should work.
>>>>>>
>>>>>>
>>>>>> On Thursday, April 23, 2015, xiaojuan Li <xiaotan6666 at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>>
>>>>>>> Hi,
>>>>>>> I tried the asidstory plugin: -replay ******* -panda 'asidstory'
>>>>>>> and then it segfaults:
>>>>>>>
>>>>>>> ************************************************************************************
>>>>>>> adding
>>>>>>> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_asidstory.so
>>>>>>> to panda_plugin_files 0
>>>>>>> emulator: registered 'boot-properties' qemud service
>>>>>>> emulator: Adding boot property: 'dalvik.vm.heapsize' = '48m'
>>>>>>> emulator: Adding boot property: 'qemu.sf.fake_camera' = 'both'
>>>>>>> emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'
>>>>>>> loading
>>>>>>> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_asidstory.so
>>>>>>> Initializing plugin asidstory
>>>>>>> panda_require: osi
>>>>>>> loading
>>>>>>> /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_osi.so
>>>>>>> Success
>>>>>>> Success
>>>>>>> goldfish_add_device: goldfish_device_bus, base ff001000 1000, irq 1 1
>>>>>>> goldfish_device_bus: ff001000     30
>>>>>>> goldfish_add_device: goldfish_int, base ff000000 1000, irq 0 0
>>>>>>> goldfish_int: ff000000     38
>>>>>>> goldfish_add_device: goldfish_timer, base ff003000 1000, irq 3 1
>>>>>>> goldfish_timer: ff003000     40
>>>>>>> goldfish_add_device: goldfish_rtc, base ff010000 1000, irq 10 1
>>>>>>> goldfish_rtc: ff010000     48
>>>>>>> goldfish_add_device: goldfish_tty, base ff002000 1000, irq 4 1
>>>>>>> goldfish_tty: ff002000     50
>>>>>>> android_arm_init serial 1 0
>>>>>>> android_arm_init serial 2 0
>>>>>>> android_arm_init serial 3 0
>>>>>>> goldfish_add_device: smc91x, base ff011000 1000, irq 11 1
>>>>>>> goldfish_add_device: goldfish_fb, base ff012000 1000, irq 12 1
>>>>>>> goldfish_fb: ff012000     68
>>>>>>> Using tmpfile for SD card: /tmp/android-shentanli/emulator-pQEpMo
>>>>>>> goldfish_add_device: goldfish_mmc, base ff005000 1000, irq 13 1
>>>>>>> goldfish_mmc: ff005000     70
>>>>>>> goldfish_add_device: goldfish_memlog, base ff006000 1000, irq 0 0
>>>>>>> goldfish_memlog: ff006000     78
>>>>>>> goldfish_add_device: goldfish-battery, base ff013000 1000, irq 14 1
>>>>>>> goldfish-battery: ff013000     80
>>>>>>> goldfish_add_device: goldfish_events, base ff014000 1000, irq 15 1
>>>>>>> goldfish_events: ff014000     88
>>>>>>> Using event IRQ
>>>>>>> Invalid system partition size for non-QCOW image: 0emulator:
>>>>>>> geometry says there are 0 blocks
>>>>>>>
>>>>>>> emulator: Dev size of /tmp/android-shentanli/emulator-U4lzIR is 0
>>>>>>>
>>>>>>> Invalid data partition size for non-QCOW image: 0emulator: Dev size
>>>>>>> 0x0 came from argument
>>>>>>>
>>>>>>> emulator: geometry says there are 0 blocks
>>>>>>>
>>>>>>> emulator: Dev size of /tmp/android-shentanli/emulator-DAYKEk is 0
>>>>>>>
>>>>>>> emulator: Dev size 0x0 came from argument
>>>>>>>
>>>>>>> emulator: geometry says there are 0 blocks
>>>>>>>
>>>>>>> emulator: Dev size of /tmp/android-shentanli/emulator-KUsYAN is 0
>>>>>>>
>>>>>>> goldfish_add_device: goldfish_nand, base ff015000 1000, irq 16 1
>>>>>>> goldfish_nand: ff015000     90
>>>>>>> goldfish_add_device: qemu_pipe, base ff016000 2000, irq 17 1
>>>>>>> qemu_pipe: ff016000     98
>>>>>>> emulator: control console listening on port 5554, ADB on port 5555
>>>>>>> emulator: can't connect to ADB server: Connection refused
>>>>>>> emulator: Realistic sensor emulation is not available, since the
>>>>>>> remote controller is not accessible:
>>>>>>>  Connection refused
>>>>>>> loading snapshot
>>>>>>> emulator: Adding boot property: 'dalvik.vm.heapsize' = '48m'
>>>>>>> emulator: Adding boot property: 'qemu.sf.fake_camera' = 'both'
>>>>>>> emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'
>>>>>>> ... done.
>>>>>>>
>>>>>>> Logging all cpu states
>>>>>>> CPU #0:
>>>>>>> R00=0000002f R01=a7d24020 R02=b6ee030c R03=b5312114
>>>>>>> R04=a7bd4908 R05=a7d240a0 R06=a7bd4800 R07=000000c5
>>>>>>> R08=b6f13d94 R09=a7d240dc R10=00000000 R11=aefc7980
>>>>>>> R12=a7bd4818 R13=c1ba5ff8 R14=b6ee0318 R15=ffff0008
>>>>>>> PSR=40000093 -Z-- A svc32
>>>>>>> opening nondet log for read :    ./read-256-smaller-rr-nondet.log
>>>>>>> Segmentation fault (core dumped)
>>>>>>>
>>>>>>> *************************************************************************************
>>>>>>>
>>>>>>> and then gdb finds this:
>>>>>>>
>>>>>>> ---------------------------------------------------------------------------------------------------------
>>>>>>> Using host libthread_db library
>>>>>>> "/lib/x86_64-linux-gnu/libthread_db.so.1".
>>>>>>> Core was generated by `./qemu-system-arm -m 256 -replay
>>>>>>> read-256-smaller -M android_arm -kernel /dev/n'.
>>>>>>> Program terminated with signal 11, Segmentation fault.
>>>>>>> #0  asidstory_before_block_exec (env=<optimized out>, tb=<optimized
>>>>>>> out>)
>>>>>>>     at asidstory.cpp:207
>>>>>>> 207        if (pid_ok(p->pid)) {
>>>>>>> (gdb) print p->pid
>>>>>>> $1 = 0
>>>>>>>
>>>>>>> ----------------------------------------------------------------------------------------------------------
>>>>>>> The function pid_ok only allows pid >= 4, but why?
>>>>>>> [image: inline image 1]
>>>>>>>
>>>>>>> Could you spare some time to check this plugin?
>>>>>>> Thanks!
>>>>>>>
>>>>>>> --
>>>>>>> wait and hope~~
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> wait and hope~~
>>>>>
>>>>
>>
>>
>> --
>> wait and hope~~
>>
>> _______________________________________________
>> panda-users mailing list
>> panda-users at mit.edu
>> http://mailman.mit.edu/mailman/listinfo/panda-users
>>
>>
>
>
>
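As an added example (not code from this thread, and not PANDA's own code) of the two halves Brendan describes, offset extraction inside the guest and offset-driven reading of guest memory by osi_linux, here is a user-space C stand-in. A constructed mock struct replaces the goldfish kernel's task_struct, offsetof computes the offsets an init-function module would printk, a validator checks the offsets against the declared struct size before they go into a config, and a reader applies them to a constructed memory snapshot. The struct layout, the "task.*" key names and all values are assumptions for this example only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the guest kernel's task_struct. In a real
 * offset-extraction module this is the task_struct from the goldfish kernel
 * headers; the layout here is an assumption for the example only. */
struct mock_task {
    uint32_t state;
    uint32_t flags;
    uint32_t pad[3];
    uint32_t pid;
    uint32_t tgid;
    uint32_t mm;        /* guest pointer (32-bit on ARM) */
    char     comm[16];  /* TASK_COMM_LEN-style fixed buffer */
};

/* The subset of offsets such a module computes in its init function. */
struct task_offsets {
    size_t size, pid_offset, tgid_offset, mm_offset, comm_offset, comm_size;
};

/* Guest side: compute offsets with offsetof; a kernel module would printk
 * the result so it can be pasted into a kernelinfo.conf section. */
struct task_offsets extract_offsets(void)
{
    struct task_offsets o;
    o.size        = sizeof(struct mock_task);
    o.pid_offset  = offsetof(struct mock_task, pid);
    o.tgid_offset = offsetof(struct mock_task, tgid);
    o.mm_offset   = offsetof(struct mock_task, mm);
    o.comm_offset = offsetof(struct mock_task, comm);
    o.comm_size   = sizeof(((struct mock_task *)0)->comm);
    return o;
}

/* Render the offsets as config lines. Key names imitate kernelinfo.conf's
 * "task.*" style but are assumed here, not copied from PANDA. */
int format_offsets(const struct task_offsets *o, char *buf, size_t len)
{
    return snprintf(buf, len,
                    "task.size = %zu\ntask.pid_offset = %zu\n"
                    "task.tgid_offset = %zu\ntask.mm_offset = %zu\n"
                    "task.comm_offset = %zu\ntask.comm_size = %zu\n",
                    o->size, o->pid_offset, o->tgid_offset, o->mm_offset,
                    o->comm_offset, o->comm_size);
}

/* Sanity check before handing a config to the introspection plugin: every
 * field must lie inside the declared task size. Returns 1 if consistent. */
int validate_offsets(const struct task_offsets *o)
{
    return o->pid_offset  + sizeof(uint32_t) <= o->size &&
           o->tgid_offset + sizeof(uint32_t) <= o->size &&
           o->mm_offset   + sizeof(uint32_t) <= o->size &&
           o->comm_size > 0 && o->comm_offset + o->comm_size <= o->size;
}

/* Host side: read pid and comm of the task at task_addr from a raw guest
 * memory snapshot using only the offsets, as osi_linux does. Assumes a
 * little-endian guest (ARM here). comm must hold comm_size bytes.
 * Returns 0 on success, -1 if the task does not fit in the snapshot. */
int read_task(const uint8_t *mem, size_t mem_len, size_t task_addr,
              const struct task_offsets *o, uint32_t *pid, char *comm)
{
    if (task_addr > mem_len || mem_len - task_addr < o->size)
        return -1;
    const uint8_t *t = mem + task_addr;
    memcpy(pid, t + o->pid_offset, sizeof *pid);
    memcpy(comm, t + o->comm_offset, o->comm_size);
    comm[o->comm_size - 1] = '\0';  /* never trust the guest to terminate */
    return 0;
}

/* Constructed guest memory: one task placed at TASK_ADDR in a zeroed page. */
#define TASK_ADDR 0x100
size_t build_snapshot(uint8_t *mem, size_t len)
{
    struct mock_task t = { .pid = 1234, .tgid = 1234, .mm = 0xc0001000u,
                           .comm = "zygote" };
    memset(mem, 0, len);
    memcpy(mem + TASK_ADDR, &t, sizeof t);
    return TASK_ADDR;
}

int main(void)
{
    char conf[256];
    uint8_t mem[4096];
    uint32_t pid;
    char comm[16];
    struct task_offsets o = extract_offsets();

    format_offsets(&o, conf, sizeof conf);
    fputs(conf, stdout);
    if (!validate_offsets(&o))
        return 1;
    size_t addr = build_snapshot(mem, sizeof mem);
    if (read_task(mem, sizeof mem, addr, &o, &pid, comm) == 0)
        printf("task @%#zx: pid=%u comm=%s\n", addr, pid, comm);
    return 0;
}
```

The point of keeping the extractor and the reader apart is that osi_linux never sees the guest's struct definitions: it only has the numbers in the config, so an offset that does not fit inside task.size, or a comm field read without a forced terminator, turns a replay into an out-of-bounds read on the host. Validating the config before loading it is the cheap check worth adding to whatever extraction route is used for the goldfish kernel.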