<div dir="ltr">The vast majority of those recordings are from Windows 7 32-bit, so osi will work on them. They were recorded on an emulated x86_64 machine running in 32-bit mode.</div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 4, 2017 at 5:10 AM, <span dir="ltr"><<a href="mailto:aicardi@eurecom.fr" target="_blank">aicardi@eurecom.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thank you for the information, it worked.<br>
<br>
Is it possible to use the 'osi' plugin on those recordings? I've seen the introspection implemented only for windows 32 bit.<br>
<br>
-samaicardi<div class="HOEnZb"><div class="h5"><br>
<br>
Quoting Brendan Dolan-Gavitt <<a href="mailto:brendandg@nyu.edu" target="_blank">brendandg@nyu.edu</a>>:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The malware recordings use 1GB of RAM, so you need to pass "-m 1G" on the<br>
command line when replaying.<br>
<br>
Also you may want to instead use the panda1 repository found here:<br>
<br>
<a href="https://github.com/moyix/panda" rel="noreferrer" target="_blank">https://github.com/moyix/panda</a><br>
<br>
As I think I've done a couple bugfixes to the old branch since we migrated<br>
the repository to the new version of QEMU.<br>
<br>
-Brendan<br>
<br>
On Thu, Aug 31, 2017 at 11:56 AM, <<a href="mailto:aicardi@eurecom.fr" target="_blank">aicardi@eurecom.fr</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Ok I got it, thanks for the explanation.<br>
<br>
I have another problem actually, I tried to replay several records (from<br>
<a href="http://panda.gtisc.gatech.edu/malrec/" rel="noreferrer" target="_blank">http://panda.gtisc.gatech.edu/<wbr>malrec/</a>) with the qemu-system-x86_64<br>
compiled from the branch called 'panda1' that I found here:<br>
<a href="https://github.com/panda-re/panda/tree/panda1" rel="noreferrer" target="_blank">https://github.com/panda-re/pa<wbr>nda/tree/panda1</a><br>
I always get the following error:<br>
$> ~/panda1/qemu/x86_64-softmmu/q<wbr>emu-system-x86_64 -replay<br>
logs/rr/7d114620-3e3c-4193-96c<wbr>e-4689fd9efde3<br>
<br>
(process:1475): GLib-WARNING **: /build/glib2.0-prJhLS/glib2.0-<wbr>2.48.2/./glib/gmem.c:483:<br>
custom memory allocation vtable not supported<br>
loading snapshot<br>
Block expected 134217728, found 1073741824, total 1082589184, system total<br>
143065088<br>
qemu: warning: error while loading state for instance 0x0 of device 'ram'<br>
qemu-system-x86_64: Error -22 while loading VM state<br>
... done.<br>
opening nondet log for read : logs/rr/7d114620-3e3c-4193-96<br>
ce-4689fd9efde3-rr-nondet.log<br>
Infinite loop detected during replay, aborting.<br>
{guest_instr_count=0 pc=0x0000fff0, secondary=0x00000000}<br>
7d114620-3e3c-4193-96ce-4689fd<wbr>9efde3: 0 ( 0.00%) instrs.<br>
1.00 sec. 0.03 GB ram.<br>
total_instr in replay: <a href="tel:15418486377" value="+15418486377" target="_blank">15418486377</a><br>
ERROR: replay failed!<br>
Time taken was: 0 seconds.<br>
max_queue_len = 1<br>
0 items on recycle list, 0 bytes total<br>
ERROR: replay failed!<br>
Aborted (core dumped)<br>
<br>
Do you possibly know why every record seems to generate an infinite loop?<br>
<br>
Thanks in advance,<br>
samaicardi<br>
<br>
<br>
<br>
Quoting Brendan Dolan-Gavitt <<a href="mailto:brendandg@nyu.edu" target="_blank">brendandg@nyu.edu</a>>:<br>
<br>
Unfortunately the new version is unlikely to ever be able to replay old<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
recordings; too much in QEMU has changed, most notably the underlying<br>
default machine model (and hence the set of devices included in the<br>
snapshot). We also took the opportunity to change some of the<br>
record/replay<br>
log entry types to better match QEMU's new memory API.<br>
<br>
It is frustrating, since we have 91,000 malware recordings now and it<br>
would<br>
be cool to use them in panda2, but for now malware-related work has to use<br>
panda1. I will be switching malrec over to panda2 as soon as I have some<br>
free time, though.<br>
<br>
-Brendan<br>
<br>
On Thu, Aug 31, 2017 at 4:50 AM, <<a href="mailto:aicardi@eurecom.fr" target="_blank">aicardi@eurecom.fr</a>> wrote:<br>
<br>
Hello everyone,<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
I am writing a plugin for the new version of panda<br>
(<a href="https://github.com/panda-re/panda" rel="noreferrer" target="_blank">https://github.com/panda-re/p<wbr>anda</a>) and I would like to test it with<br>
several malware records that can be found here:<br>
<a href="http://panda.gtisc.gatech.edu/malrec/" rel="noreferrer" target="_blank">http://panda.gtisc.gatech.edu/<wbr>malrec/</a><br>
<br>
I followed the guidelines explained here:<br>
<a href="https://irfanulhaq.info/2015/12/09/replay-panda-malware-recordings/" rel="noreferrer" target="_blank">https://irfanulhaq.info/2015/1<wbr>2/09/replay-panda-malware-reco<wbr>rdings/</a><br>
but I'm having troubles in starting the replays.<br>
<br>
When I try to execute one of those records I get the following error<br>
message:<br>
$> ~/panda2/x86_64-softmmu/qemu-s<wbr>ystem-x86_64 -replay<br>
~/replays/malrec/logs/rr/bb67f<wbr>d7e-7baa-437d-9333-9999b15f5fd<wbr>e<br>
> loading snapshot<br>
> qemu-system-x86_64: Unsupported migration stream version<br>
> Failed to load vmstate<br>
> Failed to start replay<br>
<br>
If I understood it properly, the 'problem' of those records is that<br>
they have been recorded starting from one of the snapshots that can be<br>
found here: <a href="http://panda.gtisc.gatech.edu/malrec/rr/references/" rel="noreferrer" target="_blank">http://panda.gtisc.gatech.edu/<wbr>malrec/rr/references/</a><br>
<br>
These snapshots were taken using the old version of panda<br>
(<a href="https://github.com/moyix/panda" rel="noreferrer" target="_blank">https://github.com/moyix/pand<wbr>a</a>).<br>
<br>
By analyzing the code of the new panda (include/migration/migration.h<wbr>)<br>
I saw that there's the following line:<br>
#define QEMU_VM_FILE_VERSION 0x00000003<br>
which is different from what was declared in the old panda<br>
(qemu/savevm.c):<br>
#define QEMU_VM_SECTION_FULL 0x04<br>
<br>
That difference is causing the error I am getting and I may infer<br>
there are other differences between the two versions (for what<br>
concerns the procedure of saving a snapshot).<br>
<br>
My question is, since the two versions of panda take snapshots in<br>
different ways (they write different metadata I guess), is there a way<br>
to replay records (from <a href="http://panda.gtisc.gatech.edu/malrec/" rel="noreferrer" target="_blank">http://panda.gtisc.gatech.edu/<wbr>malrec/</a>) with<br>
the new version of panda?<br>
<br>
Or, is it possible to 'patch' the vm snapshots (from<br>
<a href="http://panda.gtisc.gatech.edu/malrec/rr/references/" rel="noreferrer" target="_blank">http://panda.gtisc.gatech.edu/<wbr>malrec/rr/references/</a>) to make them work<br>
with the new version of panda?<br>
<br>
Thank you in advance for any suggestions you may have!<br>
samaicardi<br>
<br>
------------------------------<wbr>------------------------------<br>
-------------------<br>
This message was sent using EURECOM Webmail: <a href="http://webmail.eurecom.fr" rel="noreferrer" target="_blank">http://webmail.eurecom.fr</a><br>
<br>
<br>
______________________________<wbr>_________________<br>
panda-users mailing list<br>
<a href="mailto:panda-users@mit.edu" target="_blank">panda-users@mit.edu</a><br>
<a href="http://mailman.mit.edu/mailman/listinfo/panda-users" rel="noreferrer" target="_blank">http://mailman.mit.edu/mailman<wbr>/listinfo/panda-users</a><br>
<br>
<br>
</blockquote>
<br>
<br>
--<br>
Brendan Dolan-Gavitt<br>
Assistant Professor, Department of Computer Science and Engineering<br>
NYU Tandon School of Engineering<br>
<br>
<br>
</blockquote>
<br>
<br>
------------------------------<wbr>------------------------------<br>
-------------------<br>
This message was sent using EURECOM Webmail: <a href="http://webmail.eurecom.fr" rel="noreferrer" target="_blank">http://webmail.eurecom.fr</a><br>
<br>
<br>
</blockquote>
<br>
<br>
--<br>
Brendan Dolan-Gavitt<br>
Assistant Professor, Department of Computer Science and Engineering<br>
NYU Tandon School of Engineering<br>
<br>
</blockquote>
<br>
<br>
<br>
------------------------------<wbr>------------------------------<wbr>-------------------<br>
This message was sent using EURECOM Webmail: <a href="http://webmail.eurecom.fr" rel="noreferrer" target="_blank">http://webmail.eurecom.fr</a><br>
<br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Brendan Dolan-Gavitt<br>Assistant Professor, Department of Computer Science and Engineering<br>NYU Tandon School of Engineering</div>
</div>