<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p style="margin-top:0;margin-bottom:0"><span style="font-size:12pt;" id="divtagdefaultwrapper"></p>
<div style="margin-top:0;margin-bottom:0;">Sorry for previous mail, I didn't finished writing.<br>
</div>
<div style="margin-top:0;margin-bottom:0;"><br>
</div>
<div style="margin-top:0;margin-bottom:0;">Ok, suppose that I want to access to the Virtual Address Descriptor. How can I do this from a Panda plugin?</div>
<div style="margin-top:0;margin-bottom:0;"><br>
</div>
<div style="margin-top:0;margin-bottom:0;">In particular I was looking to the "osi" module. It allows to access to the executed process and I saw that it defines a struct :</div>
<div style="margin-top:0;margin-bottom:0;"><br>
</div>
<div style="margin-top:0;margin-bottom:0;">
<div>typedef struct osi_proc_struct {<br>
target_ulong offset;<br>
char *name;<br>
target_ulong asid;<br>
OsiPage *pages;<br>
target_ulong pid;<br>
target_ulong ppid;<br>
} OsiProc;</div>
</div>
<div style="margin-top:0;margin-bottom:0;"><br>
</div>
<div style="margin-top:0;margin-bottom:0;">What I want to do is to get access to the pages (through the OsiPage * pages attribute) of each process and get information about them (i.e. if they are executable). There is a structure that allow me to access the
Virtual Address Descriptor?<br>
</div>
</span><br>
<p></p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<div id="Signature">
<div id="divtagdefaultwrapper" style="font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-family: Calibri,Arial,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols;">
Sent from <a href="http://aka.ms/weboutlook" id="LPNoLP">Outlook</a></div>
</div>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> luca valerio<br>
<b>Sent:</b> Thursday, November 30, 2017 1:43:07 PM<br>
<b>To:</b> Brendan Dolan-Gavitt<br>
<b>Cc:</b> panda-users@mit.edu<br>
<b>Subject:</b> Re: [panda-users] memory detection</font>
<div> </div>
</div>
<style type="text/css" style="display:none">
<!--
p
{margin-top:0;
margin-bottom:0}
-->
</style>
<div dir="ltr">
<div id="x_divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Helvetica,sans-serif">
<p style="margin-top:0; margin-bottom:0">Ok, suppose that I want to access to the Virtual Address Descriptor. How can I do this from a Panda plugin?</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0">In particular I was looking to the "osi"<br>
</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<div id="x_Signature">
<div id="x_divtagdefaultwrapper" style="font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255); font-family:Calibri,Arial,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
Sent from <a href="http://aka.ms/weboutlook" id="LPNoLP">Outlook</a></div>
</div>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Brendan Dolan-Gavitt <brendandg@nyu.edu><br>
<b>Sent:</b> Monday, November 27, 2017 5:22:32 PM<br>
<b>To:</b> luca valerio<br>
<b>Cc:</b> panda-users@mit.edu<br>
<b>Subject:</b> Re: [panda-users] memory detection</font>
<div> </div>
</div>
<div>
<div dir="ltr">There's no direct way to do this in PANDA. At the hardware level, there is information in the page tables about whether a given page is executable (at least on x86 – this is the NX bit). So you could walk the page tables and check whether the
current page is marked non-executable. There's code in target/i386/monitor.c that shows how to walk page tables on x86 and retrieve the various protection bits.
<div><br>
</div>
<div>You could also look at the OS's data structures. On Windows the data structure to look at is the Virtual Address Descriptor (VAD) tree , which tracks the memory regions and protections for each process. I don't know the Linux equivalent off this off the
top of my head, but it should have something similar. Doing this would require additions to the OS introspection plugins (win7x86intro and wintrospection for Windows, osi_linux for Linux).</div>
<div><br>
</div>
<div>Best,</div>
<div>Brendan</div>
</div>
<div class="x_x_gmail_extra"><br>
<div class="x_x_gmail_quote">On Mon, Nov 27, 2017 at 9:40 AM, luca valerio <span dir="ltr">
<<a href="mailto:therealpighack@hotmail.com" target="_blank">therealpighack@hotmail.com</a>></span> wrote:<br>
<blockquote class="x_x_gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div dir="ltr">
<div id="x_x_m_-5378301059629812465divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Helvetica,sans-serif">
<p style="margin-top:0; margin-bottom:0">Hi all,</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0">I'm beginner with PANDA. I'm writing a plugin to make detection of memory write. In particular I need to detect when a part of memory, which can be executed, is written.
<br>
</p>
<p style="margin-top:0; margin-bottom:0">I suppose that I must use the callback "<code>PANDA_CB_VIRT_MEM_AFTER_WRITE</code><wbr>" but this doesn't say anything w.r.t. the possibility to execute the memory area that has been written.
<br>
</p>
<p style="margin-top:0; margin-bottom:0">Is there a way to do this (i.e. detect memory write on executable memory)? Maybe I should use another callback?</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<p style="margin-top:0; margin-bottom:0">Thanks,</p>
<p style="margin-top:0; margin-bottom:0">Luca<br>
</p>
<p style="margin-top:0; margin-bottom:0"><br>
</p>
<div id="x_x_m_-5378301059629812465Signature">
<div id="x_x_m_-5378301059629812465divtagdefaultwrapper" style="font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255); font-family:Calibri,Arial,Helvetica,sans-serif,"EmojiFont","Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
Sent from <a href="http://aka.ms/weboutlook" id="x_x_m_-5378301059629812465LPNoLP" target="_blank">
Outlook</a></div>
</div>
</div>
</div>
<br>
______________________________<wbr>_________________<br>
panda-users mailing list<br>
<a href="mailto:panda-users@mit.edu">panda-users@mit.edu</a><br>
<a href="http://mailman.mit.edu/mailman/listinfo/panda-users" rel="noreferrer" target="_blank">http://mailman.mit.edu/<wbr>mailman/listinfo/panda-users</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="x_x_gmail_signature">Brendan Dolan-Gavitt<br>
Assistant Professor, Department of Computer Science and Engineering<br>
NYU Tandon School of Engineering</div>
</div>
</div>
</div>
</body>
</html>