<div dir="ltr">The basic idea is very simple. The -rr-snp files differ from the "reference" snapshots by only a few bytes, so you can just make a diff. I wrote to small programs to diff and patch the snapshots, bdiff and bpatch.py:<div><br></div><div><a href="http://giantpanda.gtisc.gatech.edu/malrec/rr/tools/">http://giantpanda.gtisc.gatech.edu/malrec/rr/tools/</a></div><div><br></div><div>There is also a script there that will create the diff and pack up a recording automatically given a snapshot and a list of possible reference snapshots:</div><div><br></div><div><a href="http://giantpanda.gtisc.gatech.edu/malrec/rr/tools/pack_opt.sh">http://giantpanda.gtisc.gatech.edu/malrec/rr/tools/pack_opt.sh</a></div><div><br></div><div>Hope this helps!</div><div><br></div><div>Best,</div><div>Brendan<br><div><br></div><div><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 6, 2017 at 5:12 AM, <span dir="ltr"><<a href="mailto:aicardi@eurecom.fr" target="_blank">aicardi@eurecom.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">Hello Brendan,<br>
<br>
I am writing a script to apply my panda plugin on a large number of<br>
recordings.<br>
To do so I need to take a lot of recordings starting from the same<br>
qemu snapshot.<br>
My problem is that I don't have enough space to save all the *-rr-snp<br>
files on disk. I saw on this article<br>
(<a href="https://irfanulhaq.info/2015/12/09/replay-panda-malware-recordings/" rel="noreferrer" target="_blank">https://irfanulhaq.info/2015/<wbr>12/09/replay-panda-malware-rec<wbr>ordings/</a>)<br>
that it's possible to save just a "patch" file containing only the<br>
differences from the original snapshot and then generate the actual<br>
*-rr-snp file only when it's needed.<br>
<br>
How can I produce such "patch" file?<br>
<br>
Thank you in advance,<br>
<br>
Samuele<br>
<br>
------------------------------<wbr>------------------------------<wbr>-------------------<br>
This message was sent using EURECOM Webmail: <a href="http://webmail.eurecom.fr" rel="noreferrer" target="_blank">http://webmail.eurecom.fr</a><br>
<br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Brendan Dolan-Gavitt<br>Assistant Professor, Department of Computer Science and Engineering<br>NYU Tandon School of Engineering</div>
</div>