<div dir="ltr">Hi all,<div><br></div><div>I'm bumping this question because after much digging I really can't find what I'm doing wrong.</div><div>It's very easy to reproduce this problem: just add a new function to "all_windows_prototypes.txt".</div><div><br></div><div>I simply added: NTSTATUS NtUserCreateWindowEx ();</div><div>(and then ran createWindowsPrototypes.py, recreate_all_os_arch.sh, and make)</div><div><br></div><div>The symbol, <span style="font-size:12.8px">ppp_on_NtUserCreateWindowEx_enter_num_cb, seems to come from panda_plugin_plugin.h:</span></div><div><div style=""><span style="font-size:12.8px">--SNIP-LINE-68--</span></div><div style=""><span style="font-size:12.8px">#define PPP_CB_BOILERPLATE(cb_name)<span class="" style="white-space:pre">                </span>\</span></div><div style=""><span style="font-size:12.8px">cb_name##_t ppp_##cb_name##_cb[PPP_MAX_CB];<span class="" style="white-space:pre">        </span>\</span></div><div style=""><span style="font-size:12.8px">int ppp_##cb_name##_num_cb = 0;<span class="" style="white-space:pre">                                </span>\</span></div></div><div style=""><span style="font-size:12.8px">--SNIP--</span></div><div style=""><span style="font-size:12.8px"><br></span></div><div style=""><span style="font-size:12.8px">PPP_CB_BOILERPLATE is indeed called from:</span></div><div style=""><span style="font-size:12.8px"><br></span></div><div style=""><span style="font-size:12.8px">panda_plugins/syscalls2/gen_syscall_ppp_boilerplate_return.cpp:</span></div><div style=""><span style="font-size:12.8px">--SNIP--</span></div><div style=""><span style="font-size:12.8px">PPP_CB_BOILERPLATE(on_NtUserCreateWindowEx_return)</span></div><div style=""><span style="font-size:12.8px">--SNIP--</span></div><div style=""><span style="font-size:12.8px"><br></span></div><div style=""><span style="font-size:12.8px">and:</span></div><div style=""><span 
style="font-size:12.8px"><br></span></div><div style=""><span style="font-size:12.8px">panda_plugins/syscalls2/gen_syscall_ppp_boilerplate_enter.cpp:</span><span style="font-size:12.8px"><br></span></div><div style=""><span style="font-size:12.8px">--SNIP--</span></div><div style=""><span style="font-size:12.8px">PPP_CB_BOILERPLATE(on_NtUserCreateWindowEx_enter)</span><br></div><div style=""><span style="font-size:12.8px">--SNIP--</span></div><div style=""><span style="font-size:12.8px"><br></span></div><div style=""><span style="font-size:12.8px">I'm just not sure how to debug this any further.</span></div><div style=""><span style="font-size:12.8px"><br></span></div><div style=""><span style="font-size:12.8px">Any comments very welcome!</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 20 July 2016 at 16:13, Bridgey theGeek <span dir="ltr"><<a href="mailto:bridgeythegeek@gmail.com" target="_blank">bridgeythegeek@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">All,<div><br></div><div>I'm trying to resolve the following when adding NtUserCreateWindowEx.</div><div><br></div><div>I duplicated the final line of all_windows_prototypes.txt, renaming the function, so the final two lines become:</div><div>NTSTATUS NtQueryLicenseValue (PUNICODE_STRING Name, PULONG Type, PVOID Buffer, ULONG Length, PULONG ReturnedLength);</div><div>NTSTATUS NtUserCreateWindowEx (PUNICODE_STRING Name, PULONG Type, PVOID Buffer, ULONG Length, PULONG ReturnedLength);<br></div><div><br></div><div>Obviously the prototype is wrong, but I just wanted to be able to add the entry and still have syscalls2 compile and run.</div><div><br></div><div>So I then run:</div><div>$ python createWindowsPrototypes.py all_windows_prototypes.txt</div><div>$ ./recreate_all_os_arch.sh</div><div><br></div><div>then:</div><div>$ make</div><div><br></div><div>and everything is 
fine.</div><div><br></div><div>When I try to run syscalls2 against a Win7SP1x86 replay, PANDA reports:</div><div>Failed to load /path/to/panda_syscalls2.so: /path/to/panda_syscalls2.so: undefined symbol: ppp_on_NtUserCreateWindowEx_enter_num_cb</div><div><br></div><div>The "_num_cb" seems wrong..?</div><div><br></div><div>Thank you,</div><div>Adam</div><div><br></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 20 July 2016 at 11:06, Bridgey theGeek <span dir="ltr"><<a href="mailto:bridgeythegeek@gmail.com" target="_blank">bridgeythegeek@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks Brendan. I'm sure you're right: I need to add the prototype.<div>However, this specific issue, the error I was seeing, was when it was trying to compile for ARM.</div><div>I needed to add the: #ifdef TARGET_I386 to my code.</div><div><br></div><div>If/when I can prove my prototype I'll definitely make a pull request.</div><div><br></div><div>Thanks again,</div><div>Adam</div></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On 19 July 2016 at 22:39, Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@nyu.edu" target="_blank">brendandg@nyu.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I think the issue is that we don't have a prototype for<br>
NtUserCreateWindowEx, which means syscalls2 doesn't have a callback<br>
for it. If you know the prototype, you can add it to<br>
panda_plugins/syscalls2/all_windows_prototypes.txt, run<br>
createWindowsPrototypes.py, and then run recreate_all_os_arch.sh and<br>
it will add the appropriate callback.<br>
<br>
At that point (assuming everything works), it would be great if you<br>
created a pull request so that others can benefit as well!<br>
<br>
-Brendan<br>
<div><div><br>
On Tue, Jul 19, 2016 at 5:33 PM, Bridgey theGeek<br>
<<a href="mailto:bridgeythegeek@gmail.com" target="_blank">bridgeythegeek@gmail.com</a>> wrote:<br>
> Hi PANDAs,<br>
><br>
> I'm trying to write a plugin to use alongside syscalls2 to handle<br>
> NtUserCreateWindowEx.<br>
><br>
> In the panda_plugins folder I've created a folder called 'usercreatewin'.<br>
> In that folder I have usercreatewin.cpp and Makefile.<br>
> I've added 'usercreatewin' to config.panda.<br>
><br>
> My init function looks like this:<br>
> bool init_plugin(void *self) {<br>
> PPP_REG_CB("syscalls2", on_NtUserCreateWindowEx_enter,<br>
> my_NtUserCreateWindowEx_enter);<br>
> return true;<br>
> }<br>
><br>
> The corresponding 'my_NtUserCreateWindowEx_enter' function is in my cpp file<br>
> as well.<br>
><br>
> When I issue 'make' I get:<br>
> --SNIP--<br>
> make[2]: Nothing to be done for 'all'.<br>
> CXX<br>
> /home/btg/src/panda/qemu/x86_64-softmmu/panda_plugins/usercreatewin.o<br>
> In file included from usercreatewin.cpp:5:0:<br>
> usercreatewin.cpp: In function ‘bool init_plugin(void*)’:<br>
> usercreatewin.cpp:29:29: error: ‘on_NtUserCreateWindowEx_enter_t’ was not<br>
> declared in this scope<br>
> PPP_REG_CB("syscalls2", on_NtUserCreateWindowEx_enter,<br>
> my_NtUserCreateWindowEx_enter);<br>
> ^<br>
> /home/btg/src/panda/qemu/panda_plugin_plugin.h:120:20: note: in definition<br>
> of macro ‘PPP_REG_CB’<br>
> void (*add_cb)(cb_name##_t fptr) = (void (*)(cb_name##_t)) dlsym(op,<br>
> "ppp_add_cb_" #cb_name); \<br>
> ^<br>
> /home/btg/src/panda/qemu/panda_plugin_plugin.h:120:38: error: expected ‘,’<br>
> or ‘;’ before ‘=’ token<br>
> void (*add_cb)(cb_name##_t fptr) = (void (*)(cb_name##_t)) dlsym(op,<br>
> "ppp_add_cb_" #cb_name); \<br>
> ^<br>
> usercreatewin.cpp:29:5: note: in expansion of macro ‘PPP_REG_CB’<br>
> PPP_REG_CB("syscalls2", on_NtUserCreateWindowEx_enter,<br>
> my_NtUserCreateWindowEx_enter);<br>
> ^<br>
> /home/btg/src/panda/qemu/panda_plugin_plugin.h:122:20: error: ‘add_cb’<br>
> cannot be used as a function<br>
> add_cb (cb_func); \<br>
> ^<br>
> usercreatewin.cpp:29:5: note: in expansion of macro ‘PPP_REG_CB’<br>
> PPP_REG_CB("syscalls2", on_NtUserCreateWindowEx_enter,<br>
> my_NtUserCreateWindowEx_enter);<br>
> ^<br>
> ../panda.mak:42: recipe for target<br>
> '/home/btg/src/panda/qemu/x86_64-softmmu/panda_plugins/usercreatewin.o'<br>
> failed<br>
> --SNIP--<br>
><br>
> It feels like I've forgotten something. Any help gratefully received!<br>
><br>
> Thanks,<br>
> Adam<br>
><br>
</div></div>> _______________________________________________<br>
> panda-users mailing list<br>
> <a href="mailto:panda-users@mit.edu" target="_blank">panda-users@mit.edu</a><br>
> <a href="http://mailman.mit.edu/mailman/listinfo/panda-users" rel="noreferrer" target="_blank">http://mailman.mit.edu/mailman/listinfo/panda-users</a><br>
><br>
<span><font color="#888888"><br>
<br>
<br>
--<br>
Brendan Dolan-Gavitt<br>
Assistant Professor, Department of Computer Science and Engineering<br>
NYU Tandon School of Engineering<br>
</font></span></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
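One way to narrow down the "undefined symbol" load failure reported in this thread, as an added example that is not part of the original messages or of PANDA's code: derive the two global names that the quoted PPP_CB_BOILERPLATE lines define for each callback, then check whether the plugin's dynamic symbol table (the output of `nm -D` on panda_syscalls2.so) defines them or only references them. The nm listing is constructed sample data, and the function names are hypothetical.

```python
def boilerplate_symbols(cb_name):
    """Globals defined by the two PPP_CB_BOILERPLATE lines quoted in the thread."""
    return [f"ppp_{cb_name}_cb", f"ppp_{cb_name}_num_cb"]

def parse_nm(text):
    """Parse `nm -D` output into {symbol: set of nm type letters}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:        # "<address> <type> <name>"
            _, kind, name = parts
        elif len(parts) == 2:      # "<type> <name>": no address (undefined)
            kind, name = parts
        else:
            continue
        name = name.split("@", 1)[0]   # drop a symbol-version suffix
        table.setdefault(name, set()).add(kind)
    return table

def check_callbacks(nm_text, cb_names):
    """Classify each expected symbol as defined, undefined or absent."""
    table = parse_nm(nm_text)
    report = {}
    for cb in cb_names:
        for sym in boilerplate_symbols(cb):
            kinds = table.get(sym)
            if not kinds:
                report[sym] = "absent"
            elif kinds <= {"U", "w", "v"}:   # referenced but never defined
                report[sym] = "undefined"
            else:
                report[sym] = "defined"
    return report

# Constructed listing (assumption, not real PANDA output): the _return globals
# are defined (B), the _enter globals are only referenced (U), which is the
# state the loader error in the thread reports.
SAMPLE_NM = """\
0000000000215060 B ppp_on_NtUserCreateWindowEx_return_cb
0000000000215040 B ppp_on_NtUserCreateWindowEx_return_num_cb
                 U ppp_on_NtUserCreateWindowEx_enter_cb
                 U ppp_on_NtUserCreateWindowEx_enter_num_cb
                 U dlsym@GLIBC_2.2.5
0000000000004a10 T init_plugin
"""

if __name__ == "__main__":
    cbs = ["on_NtUserCreateWindowEx_enter", "on_NtUserCreateWindowEx_return"]
    for sym, state in check_callbacks(SAMPLE_NM, cbs).items():
        print(f"{state:9} {sym}")
```

A symbol reported as "undefined" means the shared object uses the global but the object file that expands PPP_CB_BOILERPLATE for that callback was not linked into it.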