<div dir="ltr">Awesome! Thanks Brendan =)<div><br></div><div>To avoid a denvercoder9* situation, here's how I did it:<br></div><div><br></div><div>$ ~/panda/qemu/x86_64-softmmu/qemu-system-x86_64 -replay notepad -panda osi -panda win7x86intro -panda asidstory -m 2048 >/dev/null</div><div>(The output to /dev/null is just to speed it up a little; I'm going to review the output later anyway.)</div><div><br></div><div>In a different terminal, I watched the progress of this operation with:</div><div>$ watch tail asidstory</div><div><br></div><div>Once it'd finished:</div><div><div>$ grep Count asidstory && grep notepad asidstory </div><div> Count Pid Name Asid First Last</div><div> 1136 2392 notepad 7f8f72c0 373716596 -> 1741620197</div><div> notepad : [ ######## # # # ## # # # # ### ##### # #### ###### ##]</div></div><div><br></div><div>So my Asid is: 7f8f72c0</div><div><br></div><div>I'm monitoring at offset 0x30e108, for 576 (0x240) bytes in the Asid found above:</div><div>$ echo 30e108 240 7f8f72c0 >search_buffers.txt</div><div><br></div><div>Then run bufmon:</div><div>$ ~/panda/qemu/x86_64-softmmu/qemu-system-x86_64 -replay notepad -panda callstack_instr -panda bufmon -m 2048</div><div><br></div><div>And finally,</div><div>$ head -1 buffer_taps.txt</div><div>WRITE 416590000 0000000077845d5a 0000000077846600 000000007f8f72c0 000000000030e107 0000000000000001 00</div><div><br></div><div>Thanks,<br></div><div>Adam</div><div><br></div><div>* <a href="https://xkcd.com/979/">https://xkcd.com/979/</a></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 21 May 2016 at 16:20, Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@nyu.edu" target="_blank">brendandg@nyu.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Sure, have a look at bufmon:<br>
<br>
<a href="https://github.com/moyix/panda/blob/master/qemu/panda_plugins/bufmon/USAGE.md" rel="noreferrer" target="_blank">https://github.com/moyix/panda/blob/master/qemu/panda_plugins/bufmon/USAGE.md</a><br>
<br>
You will need to know how to get the address space identifier (i.e.<br>
CR3) of the process you're interested in, though. Something like<br>
asidstory can help with that.<br>
<br>
-Brendan<br>
<div><div class="h5"><br>
On Sat, May 21, 2016 at 5:09 PM, Bridgey theGeek<br>
<<a href="mailto:bridgeythegeek@gmail.com">bridgeythegeek@gmail.com</a>> wrote:<br>
> Hi PANDAs,<br>
><br>
> I'm trying to come up with a process where I can observe the changes to a<br>
> specific virtual address range of a specific process's memory.<br>
><br>
> For example: In Win7SP1x86, I have process app.exe with a pid of 1200, and I<br>
> want to see what changes in the 512 byte range from 0x005e0000 to 0x005e01ff<br>
> of that process's virtual memory during the recording I made.<br>
><br>
> I've read around tapindex/memdump, but that doesn't seem to quite do what I<br>
> want.<br>
> memsavep and memsnap aren't quite right either.<br>
><br>
> Is there a way of doing this with PANDA? Might I be into the realm of<br>
> writing my own plugin?<br>
><br>
> Thanks!<br>
> Adam<br>
><br>
</div></div>> _______________________________________________<br>
> panda-users mailing list<br>
> <a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a><br>
> <a href="http://mailman.mit.edu/mailman/listinfo/panda-users" rel="noreferrer" target="_blank">http://mailman.mit.edu/mailman/listinfo/panda-users</a><br>
><br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
--<br>
Brendan Dolan-Gavitt<br>
Assistant Professor, Department of Computer Science and Engineering<br>
NYU Tandon School of Engineering<br>
</font></span></blockquote></div><br></div>
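The thread leaves the post-processing of the two PANDA outputs to the reader: picking the ASID out of `asidstory`, writing the `search_buffers.txt` line, and making sense of the `buffer_taps.txt` records. The script below is an added example written for this page; it is not code from the thread or from the PANDA project. Its column interpretation for `buffer_taps.txt` (access type, instruction count, pc, caller, CR3/ASID, address, size, data bytes) is inferred from the sample line Adam posted and from the bufmon USAGE.md linked above, so treat it as an assumption and check it against your plugin version. The sample inputs are constructed from the lines quoted in the thread plus two made-up taps. One practitioner check it adds: a strict half-open overlap test between each logged access and the range you asked for. With that test, the quoted 1-byte write at 0x30e107 lands one byte below the 0x30e108 start of Adam's range and is reported as outside it; whether bufmon's own boundary comparison is inclusive is not something this thread establishes, so the script lists such taps separately rather than dropping them.

```python
"""Post-process PANDA asidstory and bufmon output (added example, not PANDA code).

Assumed formats (consistent with the lines quoted in the thread):
  asidstory rows:     Count Pid Name Asid First -> Last
  buffer_taps.txt:    ACCESS instr_count pc caller cr3 addr size data_hex
"""
import re
from collections import defaultdict

# Constructed sample: the asidstory rows quoted in the thread.
ASIDSTORY_SAMPLE = """\
 Count Pid Name Asid First Last
 1136 2392 notepad 7f8f72c0 373716596 -> 1741620197
 notepad : [ ######## # # # ## # # # # ### ##### # #### ###### ##]
"""

# Constructed sample: the buffer_taps.txt line from the thread plus two
# made-up taps (one in-range write, one in-range read) to exercise grouping.
BUFFER_TAPS_SAMPLE = """\
WRITE 416590000 0000000077845d5a 0000000077846600 000000007f8f72c0 000000000030e107 0000000000000001 00
WRITE 416590010 0000000077845d5a 0000000077846600 000000007f8f72c0 000000000030e108 0000000000000004 deadbeef
READ  416590020 0000000077845d70 0000000077846600 000000007f8f72c0 000000000030e108 0000000000000004 deadbeef
"""

ASID_ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+([0-9a-fA-F]+)\s+(\d+)\s*->\s*(\d+)\s*$"
)


def find_asids(asidstory_text, name):
    """Return [(pid, asid, first_instr, last_instr)] for every row whose
    process name matches exactly. A name can appear more than once if the
    process was started several times during the recording."""
    found = []
    for line in asidstory_text.splitlines():
        m = ASID_ROW.match(line)
        if m and m.group(3) == name:
            found.append((int(m.group(2)), int(m.group(4), 16),
                          int(m.group(5)), int(m.group(6))))
    return found


def search_buffers_line(addr, size, asid):
    """Format one search_buffers.txt entry: bare hex, no 0x prefix, as in
    the thread's 'echo 30e108 240 7f8f72c0 >search_buffers.txt'."""
    return f"{addr:x} {size:x} {asid:x}"


def parse_tap(line):
    """Parse one buffer_taps.txt record into a dict (column meanings assumed)."""
    f = line.split()
    if len(f) < 7:
        raise ValueError(f"short buffer_taps line: {line!r}")
    return {
        "kind": f[0],                       # READ or WRITE
        "icount": int(f[1]),                # guest instruction count (decimal)
        "pc": int(f[2], 16),                # instruction doing the access
        "caller": int(f[3], 16),            # return address from callstack_instr
        "asid": int(f[4], 16),              # CR3 of the accessing process
        "addr": int(f[5], 16),              # guest virtual address accessed
        "size": int(f[6], 16),              # access size in bytes
        "data": bytes.fromhex(f[7]) if len(f) > 7 else b"",
    }


def in_range(tap, start, size):
    """Strict half-open overlap: [addr, addr+size) meets [start, start+size).
    bufmon's own boundary rule is an assumption here; see the lead-in."""
    return tap["addr"] < start + size and tap["addr"] + tap["size"] > start


def summarize(taps_text, start, size, asid):
    """Count in-range WRITEs per (pc, caller) for the given ASID and collect
    any taps that do not overlap the requested range."""
    writes_by_site = defaultdict(int)
    outside = []
    for line in taps_text.splitlines():
        if not line.strip():
            continue
        t = parse_tap(line)
        if t["asid"] != asid:
            continue
        if not in_range(t, start, size):
            outside.append(t)
            continue
        if t["kind"] == "WRITE":
            writes_by_site[(t["pc"], t["caller"])] += 1
    return dict(writes_by_site), outside


if __name__ == "__main__":
    procs = find_asids(ASIDSTORY_SAMPLE, "notepad")
    pid, asid, first, last = procs[0]
    print("search_buffers.txt:", search_buffers_line(0x30e108, 0x240, asid))
    writes, outside = summarize(BUFFER_TAPS_SAMPLE, 0x30e108, 0x240, asid)
    for (pc, caller), n in sorted(writes.items()):
        print(f"pc={pc:#x} caller={caller:#x} writes={n}")
    for t in outside:
        print(f"outside requested range: {t['kind']} at {t['addr']:#x} size {t['size']}")
```

Run it as-is to see the sample processed; in practice replace the two constants with the contents of `asidstory` and `buffer_taps.txt` from the replay. Grouping writes by `(pc, caller)` is usually the first thing you want from bufmon output, since it turns thousands of taps into a short list of code sites that touch the buffer.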