[panda-users] Gathering of specific data...

Brendan Dolan-Gavitt brendandg at gatech.edu
Sun Dec 7 19:06:43 EST 2014


On Sun, Dec 7, 2014 at 6:48 PM, Kenneth Adam Miller
<kennethadammiller at gmail.com> wrote:
> Does PANDA allow users to gather information similar to PIN? Such as the
> following information:
>
> Image name

For Windows 7, you can get this with the new OSI API. I will try to
take some time to document it this week.

> Function name

This requires access to debug symbols and isn't natively supported in
PANDA. You can pretty easily cobble something together using e.g.
pdbparse for Windows binaries or objdump/readelf/dwarfdump for Linux
binaries to create a symbol map and then use that in your

> Address of execution

Yes; by default you can get the current program counter with the
accuracy of one QEMU basic block. If you need greater precision, you
can call panda_enable_precise_pc(), at which point the program counter
will be accurate to the instruction.

> Address of memory write
> Address of memory read

Yes, these are available in the PANDA_CB_VIRT_MEM_READ/WRITE callbacks
(and their PHYS counterparts, if you want physical addresses).

> etc...

> And is there any way to determine a full ordering via lamport clock of all
> memory operations, via plugin or framework feature? Suppose threads 1 & 2
> race for memory at 0xdeadbeef; I want to know, accurately as possible which
> order the instructions of thread 1 & 2 run with.

QEMU (at least as of 1.0.1, things may have changed since) doesn't
support true multithreading – execution of each virtual CPU is
serialized via a global lock. Our record/replay implementation also
currently doesn't support SMP; only one virtual processor is
supported.

So when the memory callback executes, only one will be executing at
once, meaning determining the exact order is trivial.

Hope this helps,
Brendan
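
Added example, not part of the original message and not PANDA code: one way to build the symbol map described above for a Linux binary from `readelf -sW` output and resolve a program counter to a function name. The sample symbol table is constructed, and `build_symbol_map`, `resolve` and `load_base` are hypothetical names; the program counter is assumed to come from your plugin.

```python
import bisect

# Constructed sample of `readelf -sW` output (not taken from a real binary).
SAMPLE_READELF = """\
Symbol table '.symtab' contains 6 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000001040    38 FUNC    GLOBAL DEFAULT   14 _start
     2: 0000000000001139    57 FUNC    GLOBAL DEFAULT   14 parse_header
     3: 0000000000001172   120 FUNC    GLOBAL DEFAULT   14 main
     4: 0000000000004010     4 OBJECT  GLOBAL DEFAULT   25 counter
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14
"""


def build_symbol_map(readelf_text):
    """Return (start, size, name) tuples for defined functions, sorted by start."""
    symbols = []
    for line in readelf_text.splitlines():
        fields = line.split()
        # Symbol rows look like: Num: Value Size Type Bind Vis Ndx Name
        if len(fields) < 8 or not fields[0].rstrip(":").isdigit():
            continue
        value, size, sym_type, ndx, name = (fields[1], fields[2], fields[3],
                                            fields[6], fields[7])
        if sym_type != "FUNC" or ndx == "UND":
            continue  # skip data objects and imports with no address in this file
        symbols.append((int(value, 16), int(size, 0), name))
    return sorted(symbols)


def resolve(symbols, pc, load_base=0):
    """Map a program counter to 'name+0xoff', or None if outside every function."""
    offset = pc - load_base  # PIE binaries and shared objects are relocated at load
    starts = [s[0] for s in symbols]
    i = bisect.bisect_right(starts, offset) - 1
    if i < 0:
        return None
    start, size, name = symbols[i]
    if offset >= start + max(size, 1):
        return None  # address falls in a gap between functions
    return f"{name}+{offset - start:#x}"


if __name__ == "__main__":
    table = build_symbol_map(SAMPLE_READELF)
    print(resolve(table, 0x555555554000 + 0x1150, load_base=0x555555554000))
```

With the default basic-block accuracy the resolved offset refers to the start of the block; the instruction-level offset needs the precise program counter mentioned above.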


