<div dir="ltr"><div><div><div>Update: I got the plugins to run on x86_64, simply by disabling kvm (remove the -enable-kvm flag).<br></div>There wasn't anything in <a href="http://manual.md">manual.md</a> saying to disable KVM, but in hindsight this was an obvious error. Thanks all for the help!<br><br></div>Cheers,<br></div>Vincent <br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 26, 2018 at 3:59 PM, Brendan Dolan-Gavitt <span dir="ltr"><<a href="mailto:brendandg@nyu.edu" target="_blank">brendandg@nyu.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div dir="auto">Two quick things:</div><div dir="auto"><br></div><div dir="auto">- The recordings on panda.gtisc are for PANDA 1.0 and won’t work with 2.0</div><div dir="auto">- Memory callbacks should work on both live execution and replay. If they don’t, there is likely a bug. I will try to find some time to investigate in the next couple days. 
</div><div><div class="h5"><br><div class="gmail_quote"><div>On Mon, Feb 26, 2018 at 4:33 PM Bridgey theGeek <<a href="mailto:bridgeythegeek@gmail.com" target="_blank">bridgeythegeek@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>Running about right now, but see if you can get the replay to run through without applying any plugins.</span><div><br></div><div>Based on the command line from your gist, try:</div><div>qemu-system-i386 -m 2G -replay TEST</div><div><br></div><div>You shouldn't need any of the other parameters.</div><div><br></div><div>It should count through the replay up to 100%.</div><div><br></div><div>Adam</div><div><br><br><div class="gmail_quote"><div>On Mon, 26 Feb 2018, 21:23 Vincent Lee, <<a href="mailto:vincent_lee@utexas.edu" target="_blank">vincent_lee@utexas.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div>Hi,<br><br></div>Ah, I was not running on a recording, but was running the system live with -panda. If I try to make a recording and play it back with -replay and -panda, I get the following assertion failure when the replay loads: <a href="https://gist.github.com/williewillus/951c17eeac1da94efe48bdaacc7d009f" target="_blank">https://gist.github.com/<wbr>williewillus/<wbr>951c17eeac1da94efe48bdaacc7d00<wbr>9f</a><br>How would I use the logs listed on that website? 
They don't seem to come with a snapshot to use.<br></div><div><br></div><div>Thanks!<br></div></div><div><div>Vincent<br><br></div></div><div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 26, 2018 at 3:08 PM, Bridgey theGeek <span><<a href="mailto:bridgeythegeek@gmail.com" target="_blank">bridgeythegeek@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div><div><div>Hey Vincent,<br><br></div>Hmm, that is odd. Like you say, seeing the load/unload messages suggests all is fine.<br><br></div><div>My gut feeling is that maybe your recording is corrupt? Maybe grab one of the replays Moyix makes available and test with that?<br><a href="http://panda.gtisc.gatech.edu/malrec/" target="_blank">http://panda.gtisc.gatech.edu/<wbr>malrec/</a><br></div><div><br></div>Let us know how you get on,<br></div></div>Adam<br></div><div class="m_3408300376966423088m_-172546114623236883m_6432797513023655470HOEnZb"><div class="m_3408300376966423088m_-172546114623236883m_6432797513023655470h5"><br><div class="gmail_quote"><div>On Mon, 26 Feb 2018 at 20:32 Vincent Lee <<a href="mailto:vincent_lee@utexas.edu" target="_blank">vincent_lee@utexas.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div><div>Hi,<br><br></div>I just tried running the plugin on a live CD boot-up of Arch Linux 32 with qemu-system-i386, with my plugin tracking writes in all of physical memory (start=0,end=-1). However, there still are not any writes being recorded. The plugin prints its messages when loading and unloading, but sees 0 reads and writes.<br><br></div>Perhaps I am building or invoking the plugin incorrectly? 
Though, since my load and unload messages appear, I don't know where my mistake might be.<br><br></div><div>Thanks,<br></div><div>Vincent<br></div></div><div><div><br><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Feb 24, 2018 at 6:17 AM, Bridgey theGeek <span><<a href="mailto:bridgeythegeek@gmail.com" target="_blank">bridgeythegeek@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div><div>Hi Vincent,<br><br></div>Out of interest, did you try your code with an i386 environment? Did that work?<br><br></div>I don't have an x86_64 guest to hand, but your plugin code, copied straight from your gist, worked as I'd expect it to for i386:<br>testplugin loading<br>tracking range [40000000, 80000000)<br>loading snapshot<br>... done.<br>opening nondet log for read : /slw/notepad01-rr-nondet.log<br>got a write at 2968c8c<br>got a write at 2968c88<br>got a write at 2968c84<br>got a write at 2968c80<br>got a write at 2968c7c<br>got a write at 2968c6c<br>got a write at 2968c68<br>got a write at 2968c64<br>got a read at 2968c98<br>got a read at 2968c94<br>got a read at 296bc00<br><br></div>Adam<br></div><br><div class="gmail_quote"><div><div class="m_3408300376966423088m_-172546114623236883m_6432797513023655470m_8817529093751953602m_5739244678033057483h5"><div>On Fri, 23 Feb 2018 at 22:43 Vincent Lee <<a href="mailto:vincent_lee@utexas.edu" target="_blank">vincent_lee@utexas.edu</a>> wrote:<br></div></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="m_3408300376966423088m_-172546114623236883m_6432797513023655470m_8817529093751953602m_5739244678033057483h5"><div><div><div><div><div><div>Hello,<br><br></div>I am trying to set up PANDA for monitoring the physical memory accesses of an x86_64 guest.<br>I've
written a toy test plugin [0], and have also tried running the
stringsearch plugin looking for the hostname of the machine, as well as
generic phrases likely to show up in logs, such as "Arch Linux" or
"memory".<br><br>However, no results are returned from stringsearch, and
my test plugin records no accesses on any part of memory. PANDA is
built from 8730ffb on Ubuntu 16.04 with the install_ubuntu script.<br></div><div><br></div>Have I set up my environment incorrectly, or are memory callbacks not supported on x86_64?<br></div>If they are not supported, is there a similar tool I can use to trace guest physical memory accesses on x86_64?<br><br></div>Thanks in advance,<br></div>Vincent<br><div><div><div><div><br><br>[0] <a href="https://gist.github.com/williewillus/f0c96d8652e0f8b538da0c162c82069c" target="_blank">https://gist.github.com/<wbr>williewillus/<wbr>f0c96d8652e0f8b538da0c162c8206<wbr>9c</a></div></div></div></div><br></div></div></div>
______________________________<wbr>_________________<br>
panda-users mailing list<br>
<a href="mailto:panda-users@mit.edu" target="_blank">panda-users@mit.edu</a><br>
<a href="http://mailman.mit.edu/mailman/listinfo/panda-users" rel="noreferrer" target="_blank">http://mailman.mit.edu/<wbr>mailman/listinfo/panda-users</a><br>
</blockquote></div>
</blockquote></div><br></div></div></blockquote></div>
</div></div></blockquote></div><br></div></div></blockquote></div></div>
</blockquote></div></div></div></div><span class="HOEnZb"><font color="#888888">-- <br><div dir="ltr" class="m_3408300376966423088gmail_signature" data-smartmail="gmail_signature">Brendan Dolan-Gavitt<br>Assistant Professor, Department of Computer Science and Engineering<br>NYU Tandon School of Engineering</div>
</font></span></blockquote></div><br></div>
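<p>Troubleshooting helper for the situation in this thread: a PANDA plugin that loads fine but reports zero memory accesses. This is an added example, not code from the thread or from the PANDA project. It checks a QEMU/PANDA command line for <code>-enable-kvm</code> appearing alongside <code>-panda</code> or <code>-replay</code> (PANDA instruments QEMU's TCG translation, so a KVM-accelerated guest never reaches the memory callbacks, and replay needs TCG as well), and it summarizes plugin output in the format Adam posted ("tracking range [start, end)" and "got a write at ..."), counting reads and writes and flagging any access that falls outside the tracked range. The option names used by the check, the log format, and all sample command lines and log lines are assumptions and constructed inputs, not taken from a real run.</p>

```python
"""Sanity checks for a PANDA memory-callback run.

Added example, not PANDA's own code. Two checks for a plugin that
reports zero accesses:
  1. Was the guest run with -enable-kvm?  PANDA hooks QEMU's TCG, so a
     KVM-accelerated guest never triggers the memory callbacks, and
     replay requires TCG as well.
  2. What does the plugin's own log show, and do the logged accesses
     fall inside the range the plugin says it is tracking?
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# QEMU/PANDA options from the thread that imply TCG instrumentation.
# Assumption: plugins are loaded with -panda and replays started with -replay.
INSTRUMENTING_OPTS = {"-panda", "-replay"}

# Log line formats as posted in the thread (assumed stable).
RANGE_RE = re.compile(r"^tracking range \[([0-9a-fA-F]+), ([0-9a-fA-F]+)\)$")
ACCESS_RE = re.compile(r"^got a (read|write) at ([0-9a-fA-F]+)$")


def check_panda_cmdline(argv: List[str]) -> List[str]:
    """Return human-readable problems found in a QEMU/PANDA command line."""
    problems = []
    opts = set(argv)
    active = opts & INSTRUMENTING_OPTS
    if "-enable-kvm" in opts and active:
        problems.append(
            "-enable-kvm is set together with " + "/".join(sorted(active))
            + ": memory callbacks and replay need TCG, drop -enable-kvm"
        )
    return problems


@dataclass
class AccessSummary:
    reads: int = 0
    writes: int = 0
    tracked: Optional[Tuple[int, int]] = None  # (start, end), end exclusive
    outside_range: List[int] = field(default_factory=list)


def summarize_plugin_log(lines: List[str]) -> AccessSummary:
    """Count reads/writes in plugin output; flag accesses outside the tracked range."""
    summary = AccessSummary()
    for raw in lines:
        line = raw.strip()
        m = RANGE_RE.match(line)
        if m:
            summary.tracked = (int(m.group(1), 16), int(m.group(2), 16))
            continue
        m = ACCESS_RE.match(line)
        if not m:
            continue  # loading/snapshot/nondet-log chatter is ignored
        kind, addr = m.group(1), int(m.group(2), 16)
        if kind == "read":
            summary.reads += 1
        else:
            summary.writes += 1
        if summary.tracked is not None:
            start, end = summary.tracked
            if not (start <= addr < end):
                summary.outside_range.append(addr)
    return summary


def diagnose(argv: List[str], log_lines: List[str]):
    """Combine both checks; a zero-access run is explained by KVM when present."""
    problems = check_panda_cmdline(argv)
    summary = summarize_plugin_log(log_lines)
    if summary.reads + summary.writes == 0 and not problems:
        problems.append("plugin logged no accesses and KVM is not enabled: "
                        "check the plugin build, callback registration and the recording")
    return problems, summary


# Constructed sample inputs (not from the thread).
SAMPLE_ARGV_KVM = ["qemu-system-x86_64", "-m", "2G", "-enable-kvm", "-panda", "testplugin"]
SAMPLE_ARGV_OK = ["qemu-system-i386", "-m", "2G", "-replay", "TEST", "-panda", "testplugin"]
SAMPLE_LOG = """testplugin loading
tracking range [40000000, 80000000)
got a write at 40001000
got a write at 2968c8c
got a read at 7ffffff0
got a read at 80000000
""".splitlines()

if __name__ == "__main__":
    for argv in (SAMPLE_ARGV_KVM, SAMPLE_ARGV_OK):
        print(" ".join(argv), "->", check_panda_cmdline(argv) or "ok")
    s = summarize_plugin_log(SAMPLE_LOG)
    print(f"reads={s.reads} writes={s.writes} outside={[hex(a) for a in s.outside_range]}")
```

<p>Run it against the real command line and the plugin's stdout; the command-line check is the one that would have caught the <code>-enable-kvm</code> mistake from the top of this thread before any recording was made.</p>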