<div dir="ltr"><div><div><div>I'm not familiar with using PANDA for Android analysis, but I remember that the older linux_vmi plugin suggested to piggyback the offset extraction code in the init function of one of the modules of the goldfish kernel which are loaded by default.<br><br>An example from their old code is commented at the end of DECAF_linux_vmi.c:<br></div></div><a href="https://github.com/moyix/panda/blob/master/qemu/panda_plugins/linux_vmi/DECAF_linux_vmi.c#L806">https://github.com/moyix/panda/blob/master/qemu/panda_plugins/linux_vmi/DECAF_linux_vmi.c#L806</a><br><br></div>M.<br><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-04-23 8:32 GMT-07:00 Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@gatech.edu" target="_blank">brendandg@gatech.edu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Asidstory requires the OSI plugin to get information about the guest OS. Since you're running this on Android, which is Linux-based, you would want to use a command line like:<div><br></div><div>-panda 'osi_linux;osi;asidstory'</div><div><br></div><div>The osi_linux plugin needs a configuration file that specifies the offsets of various kernel data structure members. You can see an example here:</div><div><br></div><div><a href="https://github.com/moyix/panda/blob/master/qemu/panda_plugins/osi_linux/kernelinfo.conf" target="_blank">https://github.com/moyix/panda/blob/master/qemu/panda_plugins/osi_linux/kernelinfo.conf</a></div><div><br></div><div>Unfortunately getting this information for Android is tricky – the usual way is to load a kernel module that prints out the offsets for you. It is possible you can use some of the steps from Volatility's Android code to help out here, but there will be some extra work involved in getting the information in a form usable by osi_linux.</div><div><br></div><div><a href="https://github.com/volatilityfoundation/volatility/wiki/Android#build-a-volatility-profile" target="_blank">https://github.com/volatilityfoundation/volatility/wiki/Android#build-a-volatility-profile</a><br></div><div><br></div><div>Hope this helps,</div><div>Brendan</div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Thu, Apr 23, 2015 at 3:33 AM, xiaojuan Li <span dir="ltr"><<a href="mailto:xiaotan6666@gmail.com" target="_blank">xiaotan6666@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><div dir="ltr"><div><div>Thanks.<br></div>i noticed the note in asidstory.cpp:"collect the set of asids (cr3 on x86)..."<br></div>but now that PANDA uses qemu and do something to extend, it seems can translate micro ops to llvm, why replay android failed?<br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-04-23 3:24 GMT-04:00 Aleksandar Nikolich <span dir="ltr"><<a href="mailto:anikolich@sourcefire.com" target="_blank">anikolich@sourcefire.com</a>></span>:<div><div><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><font size="2"><span style="background-color:rgba(255,255,255,0)">Ah, I missed that you were trying to replay android <span></span>. AFAIK asidstory requires a suitable os introspection plugin.</span></font><div><div><br><br>On Thursday, April 23, 2015, Aleksandar Nikolich <<a href="mailto:anikolich@sourcefire.com" target="_blank">anikolich@sourcefire.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Ah, I missed that you were trying to replay absurd. AFAIK asidstory requires a suitable os introspection plugin.<br><br>On Thursday, April 23, 2015, xiaojuan Li <<a>xiaotan6666@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Thanks first!<br></div>the thing is i use the qemu-system-arm to replay,and i add the "win7x86intro" plugin, it does not work.(still segfault)<br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-04-23 3:12 GMT-04:00 Aleksandar Nikolich <span dir="ltr"><<a>anikolich@sourcefire.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">You need to add "win7x86intro" plug-in too and it should work.<div><div><br><br>On Thursday, April 23, 2015, xiaojuan Li <<a>xiaotan6666@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div><br clear="all"></div>Hi,<br></div>I tried the asidstory plugin: -replay ******* -panda 'asidstory'<br></div>and then segfault:<br>************************************************************************************<br>adding /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_asidstory.so to panda_plugin_files 0<br>emulator: registered 'boot-properties' qemud service<br>emulator: Adding boot property: 'dalvik.vm.heapsize' = '48m'<br>emulator: Adding boot property: 'qemu.sf.fake_camera' = 'both'<br>emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'<br>loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_asidstory.so<br>Initializing plugin asidstory<br>panda_require: osi<br>loading /home/shentanli/pandanew/qemu/arm-softmmu/panda_plugins/panda_osi.so<br>Success<br>Success<br>goldfish_add_device: goldfish_device_bus, base ff001000 1000, irq 1 1<br>goldfish_device_bus: ff001000 30<br>goldfish_add_device: goldfish_int, base ff000000 1000, irq 0 0<br>goldfish_int: ff000000 38<br>goldfish_add_device: goldfish_timer, base ff003000 1000, irq 3 1<br>goldfish_timer: ff003000 40<br>goldfish_add_device: goldfish_rtc, base ff010000 1000, irq 10 1<br>goldfish_rtc: ff010000 48<br>goldfish_add_device: goldfish_tty, base ff002000 1000, irq 4 1<br>goldfish_tty: ff002000 50<br>android_arm_init serial 1 0<br>android_arm_init serial 2 0<br>android_arm_init serial 3 0<br>goldfish_add_device: smc91x, base ff011000 1000, irq 11 1<br>goldfish_add_device: goldfish_fb, base ff012000 1000, irq 12 1<br>goldfish_fb: ff012000 68<br>Using tmpfile for SD card: /tmp/android-shentanli/emulator-pQEpMo<br>goldfish_add_device: goldfish_mmc, base ff005000 1000, irq 13 1<br>goldfish_mmc: ff005000 70<br>goldfish_add_device: goldfish_memlog, base ff006000 1000, irq 0 0<br>goldfish_memlog: ff006000 78<br>goldfish_add_device: goldfish-battery, base ff013000 1000, irq 14 1<br>goldfish-battery: ff013000 80<br>goldfish_add_device: goldfish_events, base ff014000 1000, irq 15 1<br>goldfish_events: ff014000 88<br>Using event IRQ<br>Invalid system partition size for non-QCOW image: 0emulator: geometry says there are 0 blocks<br><br>emulator: Dev size of /tmp/android-shentanli/emulator-U4lzIR is 0<br><br>Invalid data partition size for non-QCOW image: 0emulator: Dev size 0x0 came from argument<br><br>emulator: geometry says there are 0 blocks<br><br>emulator: Dev size of /tmp/android-shentanli/emulator-DAYKEk is 0<br><br>emulator: Dev size 0x0 came from argument<br><br>emulator: geometry says there are 0 blocks<br><br>emulator: Dev size of /tmp/android-shentanli/emulator-KUsYAN is 0<br><br>goldfish_add_device: goldfish_nand, base ff015000 1000, irq 16 1<br>goldfish_nand: ff015000 90<br>goldfish_add_device: qemu_pipe, base ff016000 2000, irq 17 1<br>qemu_pipe: ff016000 98<br>emulator: control console listening on port 5554, ADB on port 5555<br>emulator: can't connect to ADB server: Connection refused<br>emulator: Realistic sensor emulation is not available, since the remote controller is not accessible:<br> Connection refused<br>loading snapshot<br>emulator: Adding boot property: 'dalvik.vm.heapsize' = '48m'<br>emulator: Adding boot property: 'qemu.sf.fake_camera' = 'both'<br>emulator: Adding boot property: 'qemu.hw.mainkeys' = '0'<br>... done.<br><br>Logging all cpu states<br>CPU #0:<br>R00=0000002f R01=a7d24020 R02=b6ee030c R03=b5312114<br>R04=a7bd4908 R05=a7d240a0 R06=a7bd4800 R07=000000c5<br>R08=b6f13d94 R09=a7d240dc R10=00000000 R11=aefc7980<br>R12=a7bd4818 R13=c1ba5ff8 R14=b6ee0318 R15=ffff0008<br>PSR=40000093 -Z-- A svc32<br>opening nondet log for read : ./read-256-smaller-rr-nondet.log<br>Segmentation fault (core dumped)<br>*************************************************************************************<br><br></div>and then gdb find this:<br>---------------------------------------------------------------------------------------------------------<br>Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".<br>Core was generated by `./qemu-system-arm -m 256 -replay read-256-smaller -M android_arm -kernel /dev/n'.<br>Program terminated with signal 11, Segmentation fault.<br>#0 asidstory_before_block_exec (env=<optimized out>, tb=<optimized out>)<br> at asidstory.cpp:207<br>207 if (pid_ok(p->pid)) {<br>(gdb) print p->pid<br>$1 = 0<br>----------------------------------------------------------------------------------------------------------<br></div><div>the func pid_ok just allows pid>=4 but why?<br></div><div><img alt="内嵌图片 1" src="cid:ii_14ce433de788efb7" height="110" width="180"><br></div><div><br></div>could you spare some time to check this plugin?<br><div>Thanks!<br></div><div><div><br><div><div><div><div>-- <br><div><div dir="ltr">wait and hope~~</div></div>
</div></div></div></div></div></div></div>
</blockquote>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div><div dir="ltr">wait and hope~~</div></div>
</div>
</blockquote>
</blockquote>
</div></div></blockquote></div></div></div><span><font color="#888888"><br><br clear="all"><br>-- <br><div><div dir="ltr">wait and hope~~</div></div>
</font></span></div>
<br></div></div>_______________________________________________<br>
panda-users mailing list<br>
<a href="mailto:panda-users@mit.edu" target="_blank">panda-users@mit.edu</a><br>
<a href="http://mailman.mit.edu/mailman/listinfo/panda-users" target="_blank">http://mailman.mit.edu/mailman/listinfo/panda-users</a><br>
<br></blockquote></div><br></div></div>
<br>_______________________________________________<br>
panda-users mailing list<br>
<a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a><br>
<a href="http://mailman.mit.edu/mailman/listinfo/panda-users" target="_blank">http://mailman.mit.edu/mailman/listinfo/panda-users</a><br>
<br></blockquote></div><br></div>