<div dir="ltr">Unfortunately the new version is unlikely to ever be able to replay old recordings; too much in QEMU has changed, most notably the underlying default machine model (and hence the set of devices included in the snapshot). We also took the opportunity to change some of the record/replay log entry types to better match QEMU's new memory API.<div><br></div><div>It is frustrating, since we have 91,000 malware recordings now and it would be cool to use them in panda2, but for now malware-related work has to use panda1. I will be switching malrec over to panda2 as soon as I have some free time, though.</div><div><br></div><div>-Brendan</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 31, 2017 at 4:50 AM, <span dir="ltr"><<a href="mailto:aicardi@eurecom.fr" target="_blank">aicardi@eurecom.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello everyone,<br>
<br>
I am writing a plugin for the new version of panda<br>
(<a href="https://github.com/panda-re/panda" rel="noreferrer" target="_blank">https://github.com/panda-re/<wbr>panda</a>) and I would like to test it with<br>
several malware records that can be found here:<br>
<a href="http://panda.gtisc.gatech.edu/malrec/" rel="noreferrer" target="_blank">http://panda.gtisc.gatech.edu/<wbr>malrec/</a><br>
<br>
I followed the guidelines explained here:<br>
<a href="https://irfanulhaq.info/2015/12/09/replay-panda-malware-recordings/" rel="noreferrer" target="_blank">https://irfanulhaq.info/2015/<wbr>12/09/replay-panda-malware-<wbr>recordings/</a><br>
but I'm having troubles in starting the replays.<br>
<br>
When I try to execute one of those records I get the following error message:<br>
$> ~/panda2/x86_64-softmmu/qemu-<wbr>system-x86_64 -replay<br>
~/replays/malrec/logs/rr/<wbr>bb67fd7e-7baa-437d-9333-<wbr>9999b15f5fde<br>
> loading snapshot<br>
> qemu-system-x86_64: Unsupported migration stream version<br>
> Failed to load vmstate<br>
> Failed to start replay<br>
<br>
If I understood it properly, the 'problem' of those records is that<br>
they have been recorded starting from one of the snapshots that can be<br>
found here: <a href="http://panda.gtisc.gatech.edu/malrec/rr/references/" rel="noreferrer" target="_blank">http://panda.gtisc.gatech.edu/<wbr>malrec/rr/references/</a><br>
<br>
These snapshots were taken using the old version of panda<br>
(<a href="https://github.com/moyix/panda" rel="noreferrer" target="_blank">https://github.com/moyix/<wbr>panda</a>).<br>
<br>
By analyzing the code of the new panda (include/migration/migration.<wbr>h)<br>
I saw that there's the following line:<br>
#define QEMU_VM_FILE_VERSION 0x00000003<br>
which is different from what was declared in the old panda (qemu/savevm.c):<br>
#define QEMU_VM_SECTION_FULL 0x04<br>
<br>
That difference is causing the error I am getting and I may infer<br>
there are other differences between the two versions (for what<br>
concerns the procedure of saving a snapshot).<br>
<br>
My question is, since the two versions of panda take snapshots in<br>
different ways (they write different metadata I guess), is there a way<br>
to replay records (from <a href="http://panda.gtisc.gatech.edu/malrec/" rel="noreferrer" target="_blank">http://panda.gtisc.gatech.edu/<wbr>malrec/</a>) with<br>
the new version of panda?<br>
<br>
Or, is it possible to 'patch' the vm snapshots (from<br>
<a href="http://panda.gtisc.gatech.edu/malrec/rr/references/" rel="noreferrer" target="_blank">http://panda.gtisc.gatech.edu/<wbr>malrec/rr/references/</a>) to make them work<br>
with the new version of panda?<br>
<br>
Thank you in advance for any suggestions you may have!<br>
samaicardi<br>
<br>
------------------------------<wbr>------------------------------<wbr>-------------------<br>
This message was sent using EURECOM Webmail: <a href="http://webmail.eurecom.fr" rel="noreferrer" target="_blank">http://webmail.eurecom.fr</a><br>
<br>
<br>
______________________________<wbr>_________________<br>
panda-users mailing list<br>
<a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a><br>
<a href="http://mailman.mit.edu/mailman/listinfo/panda-users" rel="noreferrer" target="_blank">http://mailman.mit.edu/<wbr>mailman/listinfo/panda-users</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Brendan Dolan-Gavitt<br>Assistant Professor, Department of Computer Science and Engineering<br>NYU Tandon School of Engineering</div>
</div>