<div dir="ltr">There's no direct way to do this in PANDA. At the hardware level, there is information in the page tables about whether a given page is executable (at least on x86 – this is the NX bit). So you could walk the page tables and check whether the current page is marked non-executable. There's code in target/i386/monitor.c that shows how to walk page tables on x86 and retrieve the various protection bits.<div><br></div><div>You could also look at the OS's data structures. On Windows the data structure to look at is the Virtual Address Descriptor (VAD) tree , which tracks the memory regions and protections for each process. I don't know the Linux equivalent off this off the top of my head, but it should have something similar. Doing this would require additions to the OS introspection plugins (win7x86intro and wintrospection for Windows, osi_linux for Linux).</div><div><br></div><div>Best,</div><div>Brendan</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 27, 2017 at 9:40 AM, luca valerio <span dir="ltr"><<a href="mailto:therealpighack@hotmail.com" target="_blank">therealpighack@hotmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div id="m_-5378301059629812465divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif" dir="ltr">
<p style="margin-top:0;margin-bottom:0">Hi all,</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">I'm beginner with PANDA. I'm writing a plugin to make detection of memory write. In particular I need to detect when a part of memory, which can be executed, is written.
<br>
</p>
<p style="margin-top:0;margin-bottom:0">I suppose that I must use the callback "<code>PANDA_CB_VIRT_MEM_AFTER_WRITE</code><wbr>" but this doesn't say anything w.r.t. the possibility to execute the memory area that has been written.
<br>
</p>
<p style="margin-top:0;margin-bottom:0">Is there a way to do this (i.e. detect memory write on executable memory)? Maybe I should use another callback?</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0">Thanks,</p>
<p style="margin-top:0;margin-bottom:0">Luca<br>
</p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<div id="m_-5378301059629812465Signature">
<div id="m_-5378301059629812465divtagdefaultwrapper" style="font-size:12pt;color:rgb(0,0,0);background-color:rgb(255,255,255);font-family:Calibri,Arial,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
Sent from <a href="http://aka.ms/weboutlook" id="m_-5378301059629812465LPNoLP" target="_blank">Outlook</a></div>
</div>
</div>
</div>
<br>______________________________<wbr>_________________<br>
panda-users mailing list<br>
<a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a><br>
<a href="http://mailman.mit.edu/mailman/listinfo/panda-users" rel="noreferrer" target="_blank">http://mailman.mit.edu/<wbr>mailman/listinfo/panda-users</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Brendan Dolan-Gavitt<br>Assistant Professor, Department of Computer Science and Engineering<br>NYU Tandon School of Engineering</div>
</div>