<div dir="ltr">Hi,<br><br><div>I extracted the parameters from the OS kernel that I want introspect.<br><br>The parameters are these:</div><div><br></div><div><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.872169] --KERNELINFO-BEGIN--</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873067] name = #1 SMP Debian 3.2.65-1+deb7u2 i686</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873114] task.size = 1060</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873249] #task.init_addr = 0xC13E2FE0</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873279] task.init_addr = 3242078176</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873310] task.task_offset = 0</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873356] task.tasks_offset = 212</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873394] task.pid_offset = 292</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873420] task.tgid_offset = 296</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873447] task.group_leader_offset = 328</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873475] task.thread_group_offset = 384</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873504] task.real_parent_offset = 304</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873532] task.parent_offset = 308</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873559] task.mm_offset = 240</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873586] task.stack_offset = 4</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873615] task.real_cred_offset = 504</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873642] task.cred_offset = 508</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873668] task.comm_offset = 516</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873693] task.comm_size = 16</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873722] cred.uid_offset = 4</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873749] cred.gid_offset = 8</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873774] cred.euid_offset = 20</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873813] cred.egid_offset = 24</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873842] mm.mmap_offset = 0</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873867] mm.pgd_offset = 36</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873901] mm.arg_start_offset = 152</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.873970] mm.start_brk_offset = 140</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.874004] mm.brk_offset = 144</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.874032] mm.start_stack_offset = 148</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.874078] vma.vm_mm_offset = 0</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.874104] vma.vm_start_offset = 4</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.874133] vma.vm_end_offset = 8</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.874161] vma.vm_next_offset = 12</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.874187] vma.vm_flags_offset = 28</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.874215] vma.vm_file_offset = 80</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.874242] fs.f_dentry_offset = 12</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.874268] fs.f_path_offset = 8</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.874293] fs.d_name_offset = 20</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.874320] fs.d_iname_offset = 36</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.874347] fs.d_parent_offset = 16</span><br style="font-size:13.1999998092651px;line-height:19.7999992370605px"><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Apr 14 22:38:24 polictf kernel: [ 3533.874369] ---KERNELINFO-END---</span><br></div><div><span style="font-size:13.1999998092651px;line-height:19.7999992370605px"><br></span></div><div><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">At this point, if I am not wrong, I have to edit the kernelinfo.conf file with the new parameters. It is right or there are other things to do?<br></span></div><div><span style="font-size:13.1999998092651px;line-height:19.7999992370605px"><br></span></div><div><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">Thanks.</span></div><div><span style="font-size:13.1999998092651px;line-height:19.7999992370605px"><br></span></div><div><span style="font-size:13.1999998092651px;line-height:19.7999992370605px">- SimoneĀ </span></div><br><div class="gmail_quote">Il giorno mer 15 apr 2015 alle ore 20:41 Manolis Stamatogiannakis <<a href="mailto:mstamat@gmail.com" target="_blank">mstamat@gmail.com</a>> ha scritto:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>When you run the plugin, kernelinfo.conf must exist in your current directory. So just soft-link it from the source directory of the plugin.<br></div><br></div><div>In your case however, the stock kernelinfo.conf won't work because it currently contains only information for the 32bit kernel used by debian stable.<br></div><div>So you have to compile the kernelinfo module in a guest running (ideally) the same kernel you want to introspect.<br></div><div>Then insert it into the kernel (insertion always fails) and use the supplied python script to extract the offsets for that kernel.<br><br></div><div>The offsets should then be appended to kernelinfo.conf. Also make a pull request for the updated kernelinfo.conf when you do this.<br></div><div><br></div><div>IIRC, the kernelinfo module had some glitches which prevented it from compiling in recent kernels (e.g. 3.20). So if you encounter any problems, drop me an email so that I expedit making a pull request for the fixed version.<br><br></div><div>Cheers,<br></div><div>M.<br></div><div><br><br><br></div><div><br></div>M.<br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-04-15 8:26 GMT-07:00 Simone Mazzoni <span dir="ltr"><<a href="mailto:simone.mazzoni13@gmail.com" target="_blank">simone.mazzoni13@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"></blockquote></div></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div><br></div><div>I tried to use the osi_linux plugin to get the current process in execution but it seems not to work.</div><div>I tried to execute panda with -panda 'osi;osi_linux;osi_test' but it gives me the following error:</div><div><br></div><div><img style="max-width:100%" src="cid:14cbdadbeca65b51b781"><br></div><div>Any idea of the reason?<br><br>I noticed see that the plugin contain a "utils/kernelinfo" folder that should contain a script or something to extract the correct offset of the running kernel, but I do not understand how to use it.</div><div><br></div><div>I tried running the osi_test on an Debian SO and on a Ubuntu 14.04 SO.</div><div><br></div><div>Thanks for the help.</div><span><font color="#888888"><div><br></div><div>- SimoneĀ </div></font></span></div>
<br></blockquote></div></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">_______________________________________________<br>
panda-users mailing list<br>
<a href="mailto:panda-users@mit.edu" target="_blank">panda-users@mit.edu</a><br>
<a href="http://mailman.mit.edu/mailman/listinfo/panda-users" target="_blank">http://mailman.mit.edu/mailman/listinfo/panda-users</a><br>
<br></blockquote></div><br></div>
</blockquote></div></div>