<div dir="ltr"><div>Thanks for the replies.</div><div><br></div><div>My goal is to get an execution trace log of mybin.exe, like the PIN tool trace log.</div><div><br></div><div>ex) 0x804826 mov eax, ebx (eax = 0x10101010, ebx = 0x20202020)</div><div> 0x804828 mov ebx, ecx (eax = 0x20202020, ebx = 0x20202020, ecx = 0x30303030)</div><div> ...</div><div><br></div><div>First, I need mybin.exe's execution flow (opcodes).</div><div><br></div><div>1) When I tried to get the opcode from env->eip (PANDA_CB_INSN_EXEC), it seemed to have been translated by PANDA.</div><div>2) So I tried to get the opcode from pc (PANDA_CB_INSN_TRANSLATE), as @Igor suggested,</div><div>but the results are the same.</div><div><br></div><div>I made a plugin to test this with the following code.</div><div><br></div><div>// only pid == target_pid</div><div>if (get_pid(env, eproc) == 0x73c) {</div><div> unsigned char buf[20] = {0};</div><div> if (types == 1) {</div><div> // if called from PANDA_CB_INSN_TRANSLATE</div><div> fprintf(plugin_log, "[T] ");</div><div> panda_virtual_memory_rw(env, pc, buf, 20, 0);</div><div> } else {</div><div> // if called from PANDA_CB_INSN_EXEC</div><div> fprintf(plugin_log, "[E] ");</div><div> panda_virtual_memory_rw(env, env->eip, buf, 20, 0);</div><div> }</div><div><br></div><div> // calc instruction length</div><div> int inst_len = InstructionLength((BYTE *) buf);</div><div> panda_disas(plugin_log, buf, inst_len);</div><div> if (inst_len > 0) {</div><div> fprintf(plugin_log, "opcode = 0x%02x", buf[0]);</div><div> int k;</div><div> for (k = 1; k < inst_len; k++) {</div><div> fprintf(plugin_log, "%02x", buf[k]);</div><div> }</div><div> fprintf(plugin_log, "\n");</div><div> }</div><div> fprintf(plugin_log, "PC = " TARGET_FMT_lx " EIP = " TARGET_FMT_lx " EAX = " TARGET_FMT_lx "... \n", pc, env->eip, env->regs[R_EAX]...);</div><div><br></div><div>and the result is</div><div><br></div><div>[T] 0x7f9383cc0640: mov 0xa8(%rsi),%eax</div><div>opcode = 0x8b86a8000000</div><div>PC = 77d075f3 EIP = 77d075f3 EAX = 005fc8b8 EDI = 00000001 EBP = 0012fea8 ESP = 0012fe7c</div><div>[T] 0x7f9383cc0640: cmp %ebx,%eax</div><div>opcode = 0x3bc3</div><div>PC = 77d075f9 EIP = 77d075f3 EAX = 005fc8b8 EDI = 00000001 EBP = 0012fea8 ESP = 0012fe7c</div><div>[T] 0x7f9383cc0640: je 0x7f9383cc06a0</div><div>opcode = 0x745e</div><div>PC = 77d075fb EIP = 77d075f3 EAX = 005fc8b8 EDI = 00000001 EBP = 0012fea8 ESP = 0012fe7c</div><div>[E] 0x7f9383cc0670: mov 0xa8(%rsi),%eax</div><div>opcode = 0x8b86a8000000</div><div>PC = 77d075f3 EIP = 77d075f3 EAX = 005fc8b8 EDI = 00000001 EBP = 0012fea8 ESP = 0012fe7c</div><div>[E] 0x7f9383cc0670: cmp %ebx,%eax</div><div>opcode = 0x3bc3</div><div>PC = 77d075f9 EIP = 77d075f9 EAX = 00144d6c EDI = 00000001 EBP = 0012fea8 ESP = 0012fe7c</div><div>[E] 0x7f9383cc0670: je 0x7f9383cc06d0</div><div>opcode = 0x745e</div><div>PC = 77d075fb EIP = 77d075fb EAX = 00144d6c EDI = 00000001 EBP = 0012fea8 ESP = 0012fe7c</div><div><br></div><div>As you can see, the opcode from PANDA_CB_INSN_TRANSLATE and the opcode from PANDA_CB_INSN_EXEC are the same.</div><div><br></div><div>I think the result is the binary's execution flow on the guest machine, so I compared the result with the original binary code (mybin.exe),</div><div>but it does not seem to match.</div><div>I don't know why it does not match. Is something wrong? How can I get the original execution flow?</div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-08-18 2:03 GMT+09:00 Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@gatech.edu" target="_blank">brendandg@gatech.edu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">"pc" and env->eip can be different!
QEMU typically only updates<br>
env->eip every basic block. The insn_exec callback will provide the<br>
precise program counter value as its argument though (it stores it at<br>
translation time so it can be passed in).<br>
<br>
Manolis is right that this won't give you the original binary back.<br>
One thing you can do is take a memory snapshot during replay and then<br>
use Volatility to extract the binary image from memory. This will<br>
preserve the headers, data sections, etc. However, depending on the<br>
amount of RAM available, some pages might be swapped out.<br>
<br>
If what you're looking to do is just disassemble something, you can<br>
use the recently added panda_disas function:<br>
<br>
void panda_disas(FILE *out, void *code, unsigned long size)<br>
<br>
Alternatively, if you want to have some machine-parseable description<br>
of the disassembled instruction, you can use distorm; an example of<br>
that can be found in the callstack_instr plugin.<br>
<span class="HOEnZb"><font color="#888888"><br>
-Brendan<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
On Mon, Aug 17, 2015 at 9:08 AM, Manolis Stamatogiannakis<br>
<<a href="mailto:mstamat@gmail.com">mstamat@gmail.com</a>> wrote:<br>
> Igor, are you sure that the "pc" argument and "env->eip" will contain<br>
> different arguments? I'd guess that "pc" is provided as convenience so that<br>
> you can avoid architecture-specific #ifdef macros in your plugin code<br>
> ("env->eip" is x86 specific).<br>
><br>
> InGap, could you elaborate on what you attempt to achieve?<br>
><br>
> Reconstructing mybin.exe from an execution trace is a non-trivial task. Even<br>
> in the (unlikely) case you have full coverage of mybin.exe in the execution<br>
> trace (i.e. every instruction in mybin.exe was executed at least once), the<br>
> order of the instructions as executed still may be different than the order<br>
> they appear in the binary. Moreover, executables are not plain instruction<br>
> dumps. They contain a lot of structured information (see<br>
> <a href="https://en.wikipedia.org/wiki/Portable_Executable" rel="noreferrer" target="_blank">https://en.wikipedia.org/wiki/Portable_Executable</a>) that you will not be able<br>
> to recapture just by observing the execution.<br>
><br>
> M.<br>
><br>
><br>
><br>
> 2015-08-17 8:33 GMT+02:00 Igor R <<a href="mailto:boost.lists@gmail.com">boost.lists@gmail.com</a>>:<br>
>><br>
>> > I am trying to get the "mybin.exe"'s original assembly code (opcode) in<br>
>> > the PANDA plugin.<br>
>> > (for tracing binary's opcode, registers, memory ..)<br>
>> ><br>
>> > Host OS : ubuntu x64<br>
>> > Guest OS : windows xp x86<br>
>> > Test binary : mybin.exe<br>
>> ><br>
>> > I got the opcode using panda_virtual_memory_rw function at<br>
>> > PANDA_CB_INSN_TRANSLATE.<br>
>> > ex) panda_virtual_memory_rw(env, env->eip, buf, 20, 0);<br>
>> ><br>
>> > but it is not the same as the original assembly code ('mybin.exe').<br>
>> > It seems to be translated by the PANDA.<br>
>><br>
>><br>
>><br>
>> Quoting from the documentation:<br>
>> <<<br>
>> insn_translate: called before the translation of each instruction<br>
>><br>
>> Callback ID: PANDA_CB_INSN_TRANSLATE<br>
>><br>
>> Arguments:<br>
>><br>
>> CPUState *env: the current CPU state<br>
>> target_ulong pc: the guest PC we are about to translate<br>
>> >><br>
>><br>
>> So, if you need the opcode of the instruction being translated, you<br>
>> should read the memory from "pc" address (rather than env->eip).<br>
>> _______________________________________________<br>
>> panda-users mailing list<br>
>> <a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a><br>
>> <a href="http://mailman.mit.edu/mailman/listinfo/panda-users" rel="noreferrer" target="_blank">http://mailman.mit.edu/mailman/listinfo/panda-users</a><br>
><br>
</div></div></blockquote></div><br></div>
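<p>Added example (the editor's, not code from this thread or from the PANDA project): the three instructions in the log above, decoded as 32-bit guest code. The log's own numbers already show that the bytes read at <code>pc</code> are the real guest instruction stream: 8b86a8000000, 3bc3 and 745e are 6, 2 and 2 bytes long, and the PC column advances 77d075f3, 77d075f9, 77d075fb to match. The panda_disas lines, by contrast, decode the same bytes as 64-bit code at the host address of <code>buf</code>: <code>mov 0xa8(%rsi),%eax</code> is the 64-bit reading of 8b86a8000000 (the 32-bit reading is <code>mov eax, [esi+0xa8]</code>), and the printed target <code>0x7f9383cc06a0</code> is 0x7f9383cc0640 + 2 + 0x5e, not a guest address. The program below walks a constructed 10-byte image of the logged bytes, prints one PIN-style line per instruction and computes the <code>je</code> target in guest context. Assumptions: <code>guest_read</code> stands in for <code>panda_virtual_memory_rw</code>; <code>IMAGE</code> is constructed from the log; <code>insn_len32</code> is a deliberately small subset decoder that returns 0 instead of guessing on anything it does not know.</p>

```c
/* Added example (editor's, not from the PANDA thread or project): decode the guest
 * bytes from the thread's log as 32-bit x86 and emit PIN-style trace lines.
 * guest_read() stands in for panda_virtual_memory_rw(); IMAGE is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_BASE 0x77d075f3u               /* first PC in the thread's log */
static const uint8_t IMAGE[] = {             /* constructed from the logged bytes */
    0x8b, 0x86, 0xa8, 0x00, 0x00, 0x00,      /* mov eax, [esi+0xa8]  (6 bytes) */
    0x3b, 0xc3,                              /* cmp eax, ebx         (2 bytes) */
    0x74, 0x5e,                              /* je  rel8 = +0x5e     (2 bytes) */
};

/* Stand-in for panda_virtual_memory_rw(env, pc, buf, len, 0): bytes copied, 0 if unmapped. */
static size_t guest_read(uint32_t pc, uint8_t *buf, size_t len) {
    if (pc < IMAGE_BASE || pc >= IMAGE_BASE + sizeof IMAGE) return 0;
    size_t off = pc - IMAGE_BASE;
    if (len > sizeof IMAGE - off) len = sizeof IMAGE - off;
    memcpy(buf, IMAGE + off, len);
    return len;
}

/* Bytes used by the ModRM group at p[i] (ModRM, optional SIB, displacement); -1 if truncated. */
static int modrm_len(const uint8_t *p, size_t n, size_t i) {
    if (i >= n) return -1;
    int mod = p[i] >> 6, rm = p[i] & 7, len = 1;
    if (mod != 3 && rm == 4) {                                   /* SIB byte follows */
        if (i + 1 >= n) return -1;
        len += 1 + ((mod == 0 && (p[i + 1] & 7) == 5) ? 4 : 0);  /* base=101, mod=00: disp32 */
    }
    return len + (mod == 1 ? 1 : (mod == 2 || (mod == 0 && rm == 5)) ? 4 : 0); /* disp8 / disp32 */
}

static int with_modrm(const uint8_t *p, size_t n, size_t i, int imm) {  /* ModRM group + imm bytes */
    int m = modrm_len(p, n, i);
    return m < 0 ? 0 : (int)(i + m + imm);
}

/* Length of one 32-bit x86 instruction at p, or 0 when outside the supported subset (no
 * 0x66/0x67 prefixes, no SSE, only Jcc among 0F-escaped opcodes): callers treat 0 as "stop". */
static int insn_len32(const uint8_t *p, size_t n) {
    size_t i = 0;
    while (i < n && (p[i] == 0xf0 || p[i] == 0xf2 || p[i] == 0xf3 || p[i] == 0x26 || p[i] == 0x2e ||
                     p[i] == 0x36 || p[i] == 0x3e || p[i] == 0x64 || p[i] == 0x65))
        i++;                                                     /* lock/rep/segment prefixes */
    if (i >= n) return 0;
    uint8_t op = p[i++];
    if (op == 0x0f)                                              /* 0F 8x: Jcc rel32 */
        return (i < n && (p[i] & 0xf0) == 0x80) ? (int)(i + 5) : 0;
    if (op < 0x40) {                                             /* add/or/adc/sbb/and/sub/xor/cmp */
        int col = op & 7;                                        /* 0-3: ModRM, 4: imm8, 5: imm32, 6-7: one byte */
        return col < 4 ? with_modrm(p, n, i, 0) : (int)(i + (col == 4 ? 1 : col == 5 ? 4 : 0));
    }
    if (op < 0x60) return (int)i;                                /* inc/dec/push/pop r32 */
    if (op >= 0x70 && op < 0x80) return (int)(i + 1);            /* Jcc rel8 */
    if (op >= 0x90 && op < 0x9a) return (int)i;                  /* nop, xchg eax,r32, cwde, cdq */
    if (op >= 0xb0 && op < 0xb8) return (int)(i + 1);            /* mov r8, imm8 */
    if (op >= 0xb8 && op < 0xc0) return (int)(i + 4);            /* mov r32, imm32 */
    switch (op) {
    case 0x68: case 0xa9: case 0xe8: case 0xe9: return (int)(i + 4);  /* push imm32, test eax,imm32, call/jmp rel32 */
    case 0x6a: case 0xa8: case 0xcd: case 0xeb: return (int)(i + 1);  /* push imm8, test al,imm8, int n, jmp rel8 */
    case 0xc2: return (int)(i + 2);                                   /* ret imm16 */
    case 0xc3: case 0xc9: case 0xcc: return (int)i;                   /* ret, leave, int3 */
    case 0x80: case 0x82: case 0x83: case 0xc6: return with_modrm(p, n, i, 1);  /* grp1 imm8, mov r/m8,imm8 */
    case 0x81: case 0xc7: return with_modrm(p, n, i, 4);                        /* grp1 imm32, mov r/m32,imm32 */
    case 0xf6: case 0xf7:                                        /* grp3: /0 and /1 are test r/m,imm */
        if (i < n && ((p[i] >> 3) & 7) < 2) return with_modrm(p, n, i, op == 0xf6 ? 1 : 4);
        return with_modrm(p, n, i, 0);
    case 0x84: case 0x85: case 0x86: case 0x87: case 0x88: case 0x89: case 0x8a: case 0x8b:
    case 0x8c: case 0x8d: case 0x8e: case 0x8f: case 0xfe: case 0xff:
        return with_modrm(p, n, i, 0);                           /* test/xchg/mov/lea/pop/grp4/grp5 */
    default: return 0;
    }
}

/* Jcc rel8 target in guest context: next-instruction address plus the sign-extended rel8. */
static uint32_t jcc_rel8_target(uint32_t pc, const uint8_t *insn) {
    return pc + 2 + (uint32_t)(int8_t)insn[1];
}

/* Walk from pc, one trace line per instruction (PC and raw opcode bytes, as in the thread's
 * log); records each PC in pcs[] and returns how many instructions were decoded. */
static int trace_insns(uint32_t pc, uint32_t *pcs, int max, FILE *out) {
    uint8_t buf[20];
    int count = 0;
    while (count < max) {
        size_t got = guest_read(pc, buf, sizeof buf);
        int len = got ? insn_len32(buf, got) : 0;
        if (len <= 0 || (size_t)len > got) break;                /* unmapped, unknown or truncated */
        pcs[count++] = pc;
        if (out) {
            fprintf(out, "PC = %08x opcode = 0x", pc);
            for (int k = 0; k < len; k++) fprintf(out, "%02x", buf[k]);
            fputc('\n', out);
        }
        pc += (uint32_t)len;
    }
    return count;
}

int main(void) {
    uint32_t pcs[8];
    uint8_t buf[20];
    int n = trace_insns(IMAGE_BASE, pcs, 8, stdout);
    guest_read(pcs[n - 1], buf, sizeof buf);                     /* last instruction is the je */
    printf("je at %08x targets %08x in guest context\n", pcs[n - 1], jcc_rel8_target(pcs[n - 1], buf));
    return 0;
}
```

In a real plugin the same walk would run over the bytes fetched at the callback's <code>pc</code> argument; the point of returning 0 for unsupported encodings (and stopping on a length that exceeds the bytes actually read) is that a length decoder that guesses silently desynchronises the whole trace after the first instruction it gets wrong.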