<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;"><div><div><div>Yes grab_files does that. Be careful with it though! I’ve used it on some of your (Brendan’s) malware recordings and all the AV software running on the host goes berserk.</div><div><br></div><div><div><font class="Apple-style-span" color="#000000"><font class="Apple-style-span" face="Calibri">Tim Leek</font></font></div><div>Technical Staff</div><div>Cyber System Assessments</div><div>MIT Lincoln Laboratory</div></div></div></div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> <<a href="mailto:panda-users-bounces@mit.edu">panda-users-bounces@mit.edu</a>> on behalf of Manolis Stamatogiannakis <<a href="mailto:mstamat@gmail.com">mstamat@gmail.com</a>><br><span style="font-weight:bold">Date: </span> Friday, July 22, 2016 at 12:41 PM<br><span style="font-weight:bold">To: </span> Brendan Dolan-Gavitt <<a href="mailto:brendandg@nyu.edu">brendandg@nyu.edu</a>><br><span style="font-weight:bold">Cc: </span> "<a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a>" <<a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a>><br><span style="font-weight:bold">Subject: </span> Re: [panda-users] file recovery plugin<br></div><div><br></div><div><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div><div dir="ltr">ok. Hopefully I'll find some slot to write it in the next 20 or so days.<br></div><div class="gmail_extra"><br><div class="gmail_quote">2016-07-22 18:22 GMT+02:00 Brendan Dolan-Gavitt <span dir="ltr">
<<a href="mailto:brendandg@nyu.edu" target="_blank">brendandg@nyu.edu</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Nice idea. I think win7proc currently does this for Windows<br>
(<a href="https://github.com/moyix/panda/blob/master/qemu/panda_plugins/win7proc/win7proc.cpp#L1652" rel="noreferrer" target="_blank">https://github.com/moyix/panda/blob/master/qemu/panda_plugins/win7proc/win7proc.cpp#L1652</a>),<br>
but a Linux version of it would be great!<br><br>
-Brendan<br><div><div class="h5"><br>
On Fri, Jul 22, 2016 at 12:15 PM, Manolis Stamatogiannakis<br>
<<a href="mailto:mstamat@gmail.com">mstamat@gmail.com</a>> wrote:<br>
> Just wondering,<br>
><br>
> Is there a (best effort) file recovery plugin for PANDA?<br>
><br>
> This could work by "replaying" each write syscall that occurs in the trace<br>
> for a specific guest-fd to a file on the host.<br>
><br>
> OSI for Linux resolves both the filename and the file position of each fd,<br>
> so even random access writes should be recoverable.<br>
><br>
> Thanks,<br>
> M.<br>
><br></div></div>
> _______________________________________________<br>
> panda-users mailing list<br>
> <a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a><br>
> <a href="http://mailman.mit.edu/mailman/listinfo/panda-users" rel="noreferrer" target="_blank">
http://mailman.mit.edu/mailman/listinfo/panda-users</a><br>
><br><span class="HOEnZb"><font color="#888888"><br><br><br>
--<br>
Brendan Dolan-Gavitt<br>
Assistant Professor, Department of Computer Science and Engineering<br>
NYU Tandon School of Engineering<br></font></span></blockquote></div><br></div></div></div></span></body></html>
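The replay scheme Manolis describes above (replay each write syscall seen in the trace, for a given guest fd, into a file on the host, using the OSI-resolved filename and file position so random-access writes land in the right place) is shown below as an added example. It is not PANDA code, not the win7proc or grab_files implementation, and not written by anyone on the thread. It assumes the trace has already been reduced to per-write records; the `WriteRecord` fields, the `ret` return value, and the sample records are constructed here for illustration. It also handles two edge cases a recovery plugin has to get right: a short or failed write (only the bytes the kernel reports as written count) and an fd number being reused for a different file after a close (records are keyed by resolved path, not by fd).

```python
from dataclasses import dataclass
import os

# One record per write() syscall observed in the trace. In a real plugin the
# path and pos would come from OSI; here they are constructed (assumption).
@dataclass
class WriteRecord:
    pid: int
    fd: int
    path: str    # guest path of the file behind fd at the time of the write
    pos: int     # file position at the time of the write (handles pwrite/lseek)
    data: bytes  # buffer passed to write()
    ret: int     # syscall return value: bytes actually written, or negative on error


def replay_writes(records):
    """Rebuild guest file contents in memory from a sequence of write records.

    Returns {guest_path: bytes}. Files are keyed by resolved path rather than
    fd, so an fd reused for a different file does not corrupt the first one.
    Gaps created by seeking past the end are zero-filled, as the guest kernel
    would do for a sparse write.
    """
    buffers = {}
    for r in records:
        if r.ret <= 0:
            continue  # failed write (e.g. EBADF) or zero-length write: nothing hit disk
        payload = r.data[: r.ret]  # short write: only the first ret bytes were written
        buf = buffers.setdefault(r.path, bytearray())
        end = r.pos + len(payload)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
        buf[r.pos:end] = payload
    return {path: bytes(buf) for path, buf in buffers.items()}


def write_out(files, out_dir):
    """Materialise recovered files under out_dir, flattening guest paths."""
    os.makedirs(out_dir, exist_ok=True)
    host_paths = {}
    for guest_path, content in files.items():
        host = os.path.join(out_dir, guest_path.lstrip("/").replace("/", "_"))
        with open(host, "wb") as f:
            f.write(content)
        host_paths[guest_path] = host
    return host_paths


# Constructed sample trace: one process, fd 3 first backs notes.txt, is closed,
# then gets reused for a second file. Includes a short write, an overwrite at
# offset 0, and a write that failed after the close.
SAMPLE_RECORDS = [
    WriteRecord(pid=1234, fd=3, path="/home/user/notes.txt", pos=0,  data=b"hello ",   ret=6),
    WriteRecord(pid=1234, fd=3, path="/home/user/notes.txt", pos=6,  data=b"world!!",  ret=5),   # short write
    WriteRecord(pid=1234, fd=3, path="/home/user/notes.txt", pos=0,  data=b"HELLO",    ret=5),   # random-access overwrite
    WriteRecord(pid=1234, fd=3, path="/home/user/notes.txt", pos=11, data=b"XXXX",     ret=-9),  # EBADF, fd already closed
    WriteRecord(pid=1234, fd=3, path="/var/tmp/out.bin",     pos=4,  data=b"\x01\x02", ret=2),   # fd 3 reused for a new file
]

if __name__ == "__main__":
    recovered = replay_writes(SAMPLE_RECORDS)
    for path, content in recovered.items():
        print(path, content)
    print(write_out(recovered, "recovered_files"))
```

The in-memory reconstruction is separated from writing to the host so the result can be checked (or hashed and matched against known samples) before anything touches the analyst's filesystem; as Tim notes above, recovered payloads from malware recordings are exactly what host AV will react to.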