<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;"><div>Jumping in. nt_user_create_window_ex is a pointer. So it doesn’t need (or get) a has_. Its NULL if it is absent and a valid pointer otherwise. </div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> <<a href="mailto:panda-users-bounces@mit.edu">panda-users-bounces@mit.edu</a>> on behalf of Bridgey theGeek <<a href="mailto:bridgeythegeek@gmail.com">bridgeythegeek@gmail.com</a>><br><span style="font-weight:bold">Date: </span> Sunday, April 24, 2016 at 3:18 PM<br><span style="font-weight:bold">To: </span> Brendan Dolan-Gavitt <<a href="mailto:brendandg@nyu.edu">brendandg@nyu.edu</a>><br><span style="font-weight:bold">Cc: </span> "<a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a>" <<a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a>><br><span style="font-weight:bold">Subject: </span> Re: [panda-users] Logging a new message in win7proc<br></div><div><br></div><div><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div><div dir="ltr">Thanks Brendan - that's a great help!
<div><br></div><div>I have some progress. I've added the following to win7proc.proto:</div><div><div>message UserCreateWindowEx {</div><div><span class="" style="white-space:pre"></span>required Process proc = 1;</div><div><span class="" style="white-space:pre"></span>required uint32 id = 2;</div><div>}</div><div>optional UserCreateWindowEx nt_user_create_window_ex = 63;</div></div><div><br></div><div>And build.sh seems happy with that.</div><div><br></div><div>I've added the following to win7proc.cpp:</div><div><div>Panda__UserCreateWindowEx *cw = (Panda__UserCreateWindowEx *) malloc(sizeof(Panda__UserCreateWindowEx));</div><div>// Do I need to initialise cw some how???</div><div>cw->proc = create_panda_process(cur_pid, cur_procname);</div><div>cw->id = 6969;</div><div>Panda__LogEntry ple = PANDA__LOG_ENTRY__INIT;<br></div><div>ple.has_nt_user_create_window_ex = 1; // Line 1652</div><div>ple.nt_user_create_window_ex = cw;</div><div>pandalog_write_entry(&ple);</div></div><div><br></div><div>But when I try and build, I get:</div><div>win7proc.cpp:1652:9: error: ‘Panda__LogEntry’ has no member named ‘has_nt_user_create_window_ex’<br></div><div><br></div><div>I thought given nt_user_create_window_ex is optional, the has_ member would, well, magically exist??</div><div><br></div><div>I have tried Google-ing but "has no has" is quite tricky to Google for :(</div><div><br></div><div>Thanks again!</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 24 April 2016 at 16:39, Brendan Dolan-Gavitt <span dir="ltr">
<<a href="mailto:brendandg@nyu.edu" target="_blank">brendandg@nyu.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Sure! I think what you want is to add a new log entry type. The logs<br>
use protocol buffers to define the structure of each entry type in a<br>
.proto file. So you could edit win7proc.proto and add your new message<br>
type. Then you'd re-run build.sh (which generates C data structures<br>
for the protocol buffers definitions) and you could use your new log<br>
entry type.<br><br>
There are some details on how this stuff works in the manual (though I<br>
just noticed the table of contents doesn't list the top-level section<br>
for some reason):<br><br><a href="https://github.com/moyix/panda/blob/master/docs/manual.md#pandalog" rel="noreferrer" target="_blank">https://github.com/moyix/panda/blob/master/docs/manual.md#pandalog</a><br><br>
-Brendan<br><div><div class="h5"><br>
On Sun, Apr 24, 2016 at 11:18 AM, Bridgey theGeek<br>
<<a href="mailto:bridgeythegeek@gmail.com">bridgeythegeek@gmail.com</a>> wrote:<br>
> Hi PANDAs,<br>
><br>
> I've added the functionality to Syscalls2 so that it now understands<br>
> NtUserCreateWindowEx.<br>
> I'm now trying to add to win7proc so that it's also reported in the log file<br>
> this plugin produces.<br>
><br>
> In win7proc.cpp I've added:<br>
> void w7p_NtUserCreateWindowEx_enter(CPUState* env,<br>
> target_ulong pc,<br>
> uint32_t dwExStyle,<br>
> uint32_t lpClassName,<br>
> uint32_t lpWindowName,<br>
> uint32_t dwStyle,<br>
> int32_t x,<br>
> int32_t y,<br>
> int32_t nWidth,<br>
> int32_t nHeight,<br>
> uint32_t hWndParent,<br>
> uint32_t hInstance,<br>
> target_ulong lpParam) {<br>
> Panda__LogEntry ple = PANDA__LOG_ENTRY__INIT;<br>
> ple.has_nt_any_syscall = 1;<br>
> ple.nt_any_syscall = 6969;<br>
> pandalog_write_entry(&ple);<br>
><br>
> And this works. If I replay with the win7proc plugin, when a window is<br>
> created I see:<br>
> instr=419644049 pc=0x778370b2 : nt_any_syscall (num=6969)<br>
><br>
> Of course what I'd like to be able to report is some helpful metadata like<br>
> the process name, the fact that it's NtUserCreateWindowEx and ideally the<br>
> value of lpClassName and lpWindowName.<br>
><br>
> But I just can't quite follow the logic to see how Panda__LogEntry works.<br>
><br>
> Can somebody give me a quick explanation..?<br>
><br>
> Thank you!<br>
> Bridgey<br>
><br></div></div>
> _______________________________________________<br>
> panda-users mailing list<br>
> <a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a><br>
> <a href="http://mailman.mit.edu/mailman/listinfo/panda-users" rel="noreferrer" target="_blank">
http://mailman.mit.edu/mailman/listinfo/panda-users</a><br>
><br><span class="HOEnZb"><font color="#888888"><br><br><br>
--<br>
Brendan Dolan-Gavitt<br>
Assistant Professor, Department of Computer Science and Engineering<br>
NYU Tandon School of Engineering<br></font></span></blockquote></div><br></div></div></div></span></body></html>