<div dir="ltr"><div>Yes, DBI and emulation can be very convenient but ultimately a hardware-based method using JTAG has to be considered.if other methods are not viable.</div><div>Interesting link, I'll have a look.</div><div><br></div><div>Gilles</div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-12-18 15:42 GMT+00:00 Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@gatech.edu" target="_blank">brendandg@gatech.edu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Yes; PANDA does not use DBI, but rather emulates the whole system<br>
using QEMU and instruments the code that implements memory accesses in<br>
QEMU. You can find that in softmmu_template.h.<br>
<br>
In theory one could also trace memory accesses in real hardware; some<br>
folks recently did that on an embedded platform:<br>
<br>
<a href="https://www.acsac.org/2015/openconf/modules/request.php?module=oc_program&action=summary.php&id=119" target="_blank" rel="noreferrer">https://www.acsac.org/2015/openconf/modules/request.php?module=oc_program&action=summary.php&id=119</a><br>
<br>
-Brendan<br>
<div><div class="h5"><br>
On Fri, Dec 18, 2015 at 6:43 AM, gilles B <<a href="mailto:gillusg75@gmail.com">gillusg75@gmail.com</a>> wrote:<br>
> I forgot the references:<br>
> [1]<br>
> <a href="https://software.intel.com/en-us/articles/pin-a-binary-instrumentation-tool-papers" target="_blank" rel="noreferrer">https://software.intel.com/en-us/articles/pin-a-binary-instrumentation-tool-papers</a><br>
> [2] <a href="https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-606.pdf" target="_blank" rel="noreferrer">https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-606.pdf</a><br>
><br>
> 2015-12-18 11:42 GMT+00:00 gilles B <<a href="mailto:gillusg75@gmail.com">gillusg75@gmail.com</a>>:<br>
>><br>
>> Hello guys,<br>
>><br>
>> I'm actually trying to understand if the plugin memdump associated with<br>
>> the plugin tapindex implements some kind of instrumentation.<br>
>> This is the case of the PIN tool [1] by example which implements what you<br>
>> call DBI (Dynamic Binary Instrumentation [2]).<br>
>> With PANDA, from a theoretical point of view, it seems that thanks to<br>
>> QEMU, you can just record all the memory activity (memory reads and writes)<br>
>> through emulation without using DBI, is it the case with the plugin memdump?<br>
>> As some programs implement some countermeasures against DBI, then only<br>
>> emulaton frameworks would allow to capture memory traces conveniently. Of<br>
>> course if the program implements some coutnermeasures against emulation in<br>
>> addition of DBI, then it gets difficult.<br>
>> I'm actually studying the code step by step to figure out, but if you can<br>
>> guide me, I would be happy.<br>
>><br>
>> BR,<br>
>><br>
>> Gilles<br>
><br>
><br>
><br>
</div></div>> _______________________________________________<br>
> panda-users mailing list<br>
> <a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a><br>
> <a href="http://mailman.mit.edu/mailman/listinfo/panda-users" target="_blank" rel="noreferrer">http://mailman.mit.edu/mailman/listinfo/panda-users</a><br>
><br>
</blockquote></div><br></div>