<div dir="ltr">I should add that it *is* possible to extract the snapshot from a QCOW if that's what you really want. Just start up QEMU with:<div><br></div><div>-loadvm snap -S</div><div><br></div><div>Then at the monitor, do:</div><div><br></div><div>migrate "exec:cat > reference-rr-snp"</div><div><br></div><div>Best,</div><div>Brendan</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 6, 2017 at 9:18 AM, Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@nyu.edu" target="_blank">brendandg@nyu.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Since they're all very similar to one another, you can just pick any -rr-snp to use as the reference snapshot. The pack_opt.sh script will detect if there's no sufficiently-similar reference snapshot and copy the current snapshot into the references directory.<span class="HOEnZb"><font color="#888888"><div><br></div><div>-Brendan</div></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 6, 2017 at 9:16 AM, <span dir="ltr"><<a href="mailto:aicardi@eurecom.fr" target="_blank">aicardi@eurecom.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="m_-7832961861547014262HOEnZb"><div class="m_-7832961861547014262h5">Thank you very much, I will try them soon!<br>
Just another question: how can I create the "reference" snapshot?<br>
Normally I start recording from a qcow2 image snaphsot that I've<br>
previously created with qemu monitor's "savevm <snap_name>" command,<br>
do I need to extract the reference snapshot from the qcow2 image?<br>
<br>
Regards,<br>
Samuele<br>
<br>
Quoting Brendan Dolan-Gavitt <<a href="mailto:brendandg@nyu.edu" target="_blank">brendandg@nyu.edu</a>>:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The basic idea is very simple. The -rr-snp files differ from the<br>
"reference" snapshots by only a few bytes, so you can just make a diff. I<br>
wrote to small programs to diff and patch the snapshots, bdiff and<br>
bpatch.py:<br>
<br>
<a href="http://giantpanda.gtisc.gatech.edu/malrec/rr/tools/" rel="noreferrer" target="_blank">http://giantpanda.gtisc.gatech<wbr>.edu/malrec/rr/tools/</a><br>
<br>
There is also a script there that will create the diff and pack up a<br>
recording automatically given a snapshot and a list of possible reference<br>
snapshots:<br>
<br>
<a href="http://giantpanda.gtisc.gatech.edu/malrec/rr/tools/pack_opt.sh" rel="noreferrer" target="_blank">http://giantpanda.gtisc.gatech<wbr>.edu/malrec/rr/tools/pack_opt.<wbr>sh</a><br>
<br>
Hope this helps!<br>
<br>
Best,<br>
Brendan<br>
<br>
<br>
<br>
On Mon, Nov 6, 2017 at 5:12 AM, <<a href="mailto:aicardi@eurecom.fr" target="_blank">aicardi@eurecom.fr</a>> wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello Brendan,<br>
<br>
I am writing a script to apply my panda plugin on a large number of<br>
recordings.<br>
To do so I need to take a lot of recordings starting from the same<br>
qemu snapshot.<br>
My problem is that I don't have enough space to save all the *-rr-snp<br>
files on disk. I saw on this article<br>
(<a href="https://irfanulhaq.info/2015/12/09/replay-panda-malware-recordings/" rel="noreferrer" target="_blank">https://irfanulhaq.info/2015/<wbr>12/09/replay-panda-malware-rec<wbr>ordings/</a>)<br>
that it's possible to save just a "patch" file containing only the<br>
differences from the original snapshot and then generate the actual<br>
*-rr-snp file only when it's needed.<br>
<br>
How can I produce such "patch" file?<br>
<br>
Thank you in advance,<br>
<br>
Samuele<br>
<br>
------------------------------<wbr>------------------------------<br>
-------------------<br>
This message was sent using EURECOM Webmail: <a href="http://webmail.eurecom.fr" rel="noreferrer" target="_blank">http://webmail.eurecom.fr</a><br>
<br>
<br>
</blockquote>
<br>
<br>
--<br>
Brendan Dolan-Gavitt<br>
Assistant Professor, Department of Computer Science and Engineering<br>
NYU Tandon School of Engineering<br>
<br>
</blockquote>
<br>
------------------------------<wbr>------------------------------<wbr>-------------------<br>
This message was sent using EURECOM Webmail: <a href="http://webmail.eurecom.fr" rel="noreferrer" target="_blank">http://webmail.eurecom.fr</a><br>
<br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_-7832961861547014262gmail_signature" data-smartmail="gmail_signature">Brendan Dolan-Gavitt<br>Assistant Professor, Department of Computer Science and Engineering<br>NYU Tandon School of Engineering</div>
</div>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Brendan Dolan-Gavitt<br>Assistant Professor, Department of Computer Science and Engineering<br>NYU Tandon School of Engineering</div>
</div>