<div dir="ltr">Off the top of my head, did you include:<div><br></div><div>assert(init_osi_api());</div><div><br></div><div>immediately after:</div><div>panda_require("osi");</div><div>?</div><div><br></div><div>For example: <span style="color:rgb(36,41,46);font-family:SFMono-Regular,Consolas,&quot;Liberation Mono&quot;,Menlo,Courier,monospace;font-size:12px"><a href="https://github.com/panda-re/panda/blob/060e90693f2ceb30b9c461a5835701e5c463b87a/panda/plugins/asidstory/asidstory.cpp#L359">https://github.com/panda-re/panda/blob/060e90693f2ceb30b9c461a5835701e5c463b87a/panda/plugins/asidstory/asidstory.cpp#L359</a></span></div><div><span style="color:rgb(36,41,46);font-family:SFMono-Regular,Consolas,&quot;Liberation Mono&quot;,Menlo,Courier,monospace;font-size:12px">(The same in PANDA 1.0 and 2.0)</span></div><div><br></div><div>HTH,</div><div>Adam<br><br><div class="gmail_quote"><div dir="ltr">On Tue, 5 Sep 2017 at 10:40 <<a href="mailto:aicardi@eurecom.fr">aicardi@eurecom.fr</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Could you please tell me how to execute those recordings with<br>
qemu-system-x86_64 in 32-bit mode? I've tried to load the 'osi' plugin<br>
on several recordings but every time I got a segmentation fault.<br>
<br>
The way I execute them is:<br>
/home/samaicardi/panda1/qemu/x86_64-softmmu/qemu-system-x86_64 -replay<br>
<replay_name> -panda syscalls2:profile=windows7_x86 -panda<br>
<my_plugin>:<my_plugin_params> -os windows-32-7 -m 1G<br>
<br>
and in my_plugin I call:<br>
panda_require("osi");<br>
<br>
<br>
Thank you in advance,<br>
-samaicardi<br>
<br>
Quoting Brendan Dolan-Gavitt <<a href="mailto:brendandg@nyu.edu" target="_blank">brendandg@nyu.edu</a>>:<br>
<br>
> The vast majority of those recordings are from Windows 7 32-bit, so osi<br>
> will work on them. They were recorded on an emulated x86_64 machine running<br>
> in 32-bit mode.<br>
><br>
> On Mon, Sep 4, 2017 at 5:10 AM, <<a href="mailto:aicardi@eurecom.fr" target="_blank">aicardi@eurecom.fr</a>> wrote:<br>
><br>
>> Thank you for the information, it worked.<br>
>><br>
>> Is it possible to use the 'osi' plugin on those recordings? I've seen the<br>
>> introspection implemented only for windows 32 bit.<br>
>><br>
>> -samaicardi<br>
>><br>
>><br>
>> Quoting Brendan Dolan-Gavitt <<a href="mailto:brendandg@nyu.edu" target="_blank">brendandg@nyu.edu</a>>:<br>
>><br>
>> The malware recordings use 1GB of RAM, so you need to pass "-m 1G" on the<br>
>>> command line when replaying.<br>
>>><br>
>>> Also you may want to instead use the panda1 repository found here:<br>
>>><br>
>>> <a href="https://github.com/moyix/panda" rel="noreferrer" target="_blank">https://github.com/moyix/panda</a><br>
>>><br>
>>> As I think I've done a couple bugfixes to the old branch since we migrated<br>
>>> the repository to the new version of QEMU.<br>
>>><br>
>>> -Brendan<br>
>>><br>
>>> On Thu, Aug 31, 2017 at 11:56 AM, <<a href="mailto:aicardi@eurecom.fr" target="_blank">aicardi@eurecom.fr</a>> wrote:<br>
>>><br>
>>> Ok I got it, thanks for the explanation.<br>
>>>><br>
>>>> I have another problem actually, I tried to replay several records (from<br>
>>>> <a href="http://panda.gtisc.gatech.edu/malrec/" rel="noreferrer" target="_blank">http://panda.gtisc.gatech.edu/malrec/</a>) with the qemu-system-x86_64<br>
>>>> compiled from the branch called 'panda1' that I found here:<br>
>>>> <a href="https://github.com/panda-re/panda/tree/panda1" rel="noreferrer" target="_blank">https://github.com/panda-re/panda/tree/panda1</a><br>
>>>> I always get the following error:<br>
>>>> $> ~/panda1/qemu/x86_64-softmmu/qemu-system-x86_64 -replay<br>
>>>> logs/rr/7d114620-3e3c-4193-96ce-4689fd9efde3<br>
>>>><br>
>>>> (process:1475): GLib-WARNING **: /build/glib2.0-prJhLS/glib2.0-<br>
>>>> 2.48.2/./glib/gmem.c:483:<br>
>>>> custom memory allocation vtable not supported<br>
>>>> loading snapshot<br>
>>>> Block expected 134217728, found 1073741824, total 1082589184, system<br>
>>>> total<br>
>>>> 143065088<br>
>>>> qemu: warning: error while loading state for instance 0x0 of device 'ram'<br>
>>>> qemu-system-x86_64: Error -22 while loading VM state<br>
>>>> ... done.<br>
>>>> opening nondet log for read : logs/rr/7d114620-3e3c-4193-96<br>
>>>> ce-4689fd9efde3-rr-nondet.log<br>
>>>> Infinite loop detected during replay, aborting.<br>
>>>> {guest_instr_count=0 pc=0x0000fff0, secondary=0x00000000}<br>
>>>> 7d114620-3e3c-4193-96ce-4689fd9efde3: 0 ( 0.00%) instrs.<br>
>>>> 1.00 sec. 0.03 GB ram.<br>
>>>> total_instr in replay: 15418486377<br>
>>>> ERROR: replay failed!<br>
>>>> Time taken was: 0 seconds.<br>
>>>> max_queue_len = 1<br>
>>>> 0 items on recycle list, 0 bytes total<br>
>>>> ERROR: replay failed!<br>
>>>> Aborted (core dumped)<br>
>>>><br>
>>>> Do you possibly know why every record seems to generate an infinite loop?<br>
>>>><br>
>>>> Thanks in advance,<br>
>>>> samaicardi<br>
>>>><br>
>>>><br>
>>>><br>
>>>> Quoting Brendan Dolan-Gavitt <<a href="mailto:brendandg@nyu.edu" target="_blank">brendandg@nyu.edu</a>>:<br>
>>>><br>
>>>> Unfortunately the new version is unlikely to ever be able to replay old<br>
>>>><br>
>>>>> recordings; too much in QEMU has changed, most notably the underlying<br>
>>>>> default machine model (and hence the set of devices included in the<br>
>>>>> snapshot). We also took the opportunity to change some of the<br>
>>>>> record/replay<br>
>>>>> log entry types to better match QEMU's new memory API.<br>
>>>>><br>
>>>>> It is frustrating, since we have 91,000 malware recordings now and it<br>
>>>>> would<br>
>>>>> be cool to use them in panda2, but for now malware-related work has to<br>
>>>>> use<br>
>>>>> panda1. I will be switching malrec over to panda2 as soon as I have some<br>
>>>>> free time, though.<br>
>>>>><br>
>>>>> -Brendan<br>
>>>>><br>
>>>>> On Thu, Aug 31, 2017 at 4:50 AM, <<a href="mailto:aicardi@eurecom.fr" target="_blank">aicardi@eurecom.fr</a>> wrote:<br>
>>>>><br>
>>>>> Hello everyone,<br>
>>>>><br>
>>>>>><br>
>>>>>> I am writing a plugin for the new version of panda<br>
>>>>>> (<a href="https://github.com/panda-re/panda" rel="noreferrer" target="_blank">https://github.com/panda-re/panda</a>) and I would like to test it with<br>
>>>>>> several malware records that can be found here:<br>
>>>>>> <a href="http://panda.gtisc.gatech.edu/malrec/" rel="noreferrer" target="_blank">http://panda.gtisc.gatech.edu/malrec/</a><br>
>>>>>><br>
>>>>>> I followed the guidelines explained here:<br>
>>>>>> <a href="https://irfanulhaq.info/2015/12/09/replay-panda-malware-recordings/" rel="noreferrer" target="_blank">https://irfanulhaq.info/2015/12/09/replay-panda-malware-recordings/</a><br>
>>>>>> but I'm having troubles in starting the replays.<br>
>>>>>><br>
>>>>>> When I try to execute one of those records I get the following error<br>
>>>>>> message:<br>
>>>>>> $> ~/panda2/x86_64-softmmu/qemu-system-x86_64 -replay<br>
>>>>>> ~/replays/malrec/logs/rr/bb67fd7e-7baa-437d-9333-9999b15f5fde<br>
>>>>>> > loading snapshot<br>
>>>>>> > qemu-system-x86_64: Unsupported migration stream version<br>
>>>>>> > Failed to load vmstate<br>
>>>>>> > Failed to start replay<br>
>>>>>><br>
>>>>>> If I understood it properly, the 'problem' of those records is that<br>
>>>>>> they have been recorded starting from one of the snapshots that can be<br>
>>>>>> found here: <a href="http://panda.gtisc.gatech.edu/malrec/rr/references/" rel="noreferrer" target="_blank">http://panda.gtisc.gatech.edu/malrec/rr/references/</a><br>
>>>>>><br>
>>>>>> These snapshots were taken using the old version of panda<br>
>>>>>> (<a href="https://github.com/moyix/panda" rel="noreferrer" target="_blank">https://github.com/moyix/panda</a>).<br>
>>>>>><br>
>>>>>> By analyzing the code of the new panda (include/migration/migration.h)<br>
>>>>>> I saw that there's the following line:<br>
>>>>>> #define QEMU_VM_FILE_VERSION 0x00000003<br>
>>>>>> which is different from what was declared in the old panda<br>
>>>>>> (qemu/savevm.c):<br>
>>>>>> #define QEMU_VM_SECTION_FULL 0x04<br>
>>>>>><br>
>>>>>> That difference is causing the error I am getting and I may infer<br>
>>>>>> there are other differences between the two versions (for what<br>
>>>>>> concerns the procedure of saving a snapshot).<br>
>>>>>><br>
>>>>>> My question is, since the two versions of panda take snapshots in<br>
>>>>>> different ways (they write different metadata I guess), is there a way<br>
>>>>>> to replay records (from <a href="http://panda.gtisc.gatech.edu/malrec/" rel="noreferrer" target="_blank">http://panda.gtisc.gatech.edu/malrec/</a>) with<br>
>>>>>> the new version of panda?<br>
>>>>>><br>
>>>>>> Or, is it possible to 'patch' the vm snapshots (from<br>
>>>>>> <a href="http://panda.gtisc.gatech.edu/malrec/rr/references/" rel="noreferrer" target="_blank">http://panda.gtisc.gatech.edu/malrec/rr/references/</a>) to make them work<br>
>>>>>> with the new version of panda?<br>
>>>>>><br>
>>>>>> Thank you in advance for any suggestions you may have!<br>
>>>>>> samaicardi<br>
>>>>>><br>
>>>>>> ------------------------------------------------------------<br>
>>>>>> -------------------<br>
>>>>>> This message was sent using EURECOM Webmail: <a href="http://webmail.eurecom.fr" rel="noreferrer" target="_blank">http://webmail.eurecom.fr</a><br>
>>>>>><br>
>>>>>><br>
>>>>>> _______________________________________________<br>
>>>>>> panda-users mailing list<br>
>>>>>> <a href="mailto:panda-users@mit.edu" target="_blank">panda-users@mit.edu</a><br>
>>>>>> <a href="http://mailman.mit.edu/mailman/listinfo/panda-users" rel="noreferrer" target="_blank">http://mailman.mit.edu/mailman/listinfo/panda-users</a><br>
>>>>>><br>
>>>>>><br>
>>>>>><br>
>>>>><br>
>>>>> --<br>
>>>>> Brendan Dolan-Gavitt<br>
>>>>> Assistant Professor, Department of Computer Science and Engineering<br>
>>>>> NYU Tandon School of Engineering<br>
>>>>><br>
>>>>><br>
>>>>><br>
>>>><br>
>>><br>
>><br>
>><br>
><br>
><br>
</blockquote></div></div></div>