[panda-users] Gathering of specific data...

Brendan Dolan-Gavitt brendandg at gatech.edu
Sun Dec 7 19:15:08 EST 2014


Yes – the QEMU process itself can run multiple threads just fine. It's
just the guest execution that's serialized.

-Brendan

On Sun, Dec 7, 2014 at 7:11 PM, Kenneth Adam Miller
<kennethadammiller at gmail.com> wrote:
> Excellent!
>
> That's most of what I need anyway, the function & image name isn't
> absolutely necessary for my analysis framework, just some verbosity to help
> in searches...
>
> But now that you say that QEMU doesn't support true multi-threading, I
> wonder about the data structure design write-up that I'm doing – much of the
> idea for acceleration comes in the ability to have a multi-multi threading
> model between the background analysis threads that remove latency and the
> foreground that is adding data to be processed into the taint data
> structure; my question is now – while the QEMU framework doesn't support full
> multi-threading, can analysis threads specifically be truly parallel,
> provided they aren't part of the actual target VM?
>
> On Sun, Dec 7, 2014 at 7:06 PM, Brendan Dolan-Gavitt <brendandg at gatech.edu>
> wrote:
>>
>> On Sun, Dec 7, 2014 at 6:48 PM, Kenneth Adam Miller
>> <kennethadammiller at gmail.com> wrote:
>> > Does PANDA allow users to gather information similar to PIN? Such as the
>> > following information:
>> >
>> > Image name
>>
>> For Windows 7, you can get this with the new OSI API. I will try to
>> take some time to document it this week.
>>
>> > Function name
>>
>> This requires access to debug symbols and isn't natively supported in
>> PANDA. You can pretty easily cobble something together using e.g.
>> pdbparse for Windows binaries or objdump/readelf/dwarfdump for Linux
>> binaries to create a symbol map and then use that in your
>>
>> > Address of execution
>>
>> Yes; by default you can get the current program counter with the
>> accuracy of one QEMU basic block. If you need greater precision, you
>> can call panda_enable_precise_pc(), at which point the program counter
>> will be accurate to the instruction.
>>
>> > Address of memory write
>> > Address of memory read
>>
>> Yes, these are available in the PANDA_CB_VIRT_MEM_READ/WRITE callbacks
>> (and their PHYS counterparts, if you want physical addresses).
>>
>> > etc...
>>
>> > And is there any way to determine a full ordering via Lamport clock of all
>> > memory operations, via plugin or framework feature? Suppose threads 1 & 2
>> > race for memory at 0xdeadbeef; I want to know, as accurately as possible,
>> > which order the instructions of thread 1 & 2 run with.
>>
>> QEMU (at least as of 1.0.1, things may have changed since) doesn't
>> support true multithreading – execution of each virtual CPU is
>> serialized via a global lock. Our record/replay implementation also
>> currently doesn't support SMP; only one virtual processor is
>> supported.
>>
>> So when the memory callback executes, only one will be executing at
>> once, meaning determining the exact order is trivial.
>>
>> Hope this helps,
>> Brendan
>
>
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>
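The ordering question in the thread comes down to one observation from Brendan's reply: because guest execution is serialized under a global lock (and record/replay is single-CPU), a plugin's memory callbacks never run concurrently, so a plain global counter incremented in the callback is already a valid Lamport-style total order over every guest memory access. The stand-alone C program below is an added example written for this page, not PANDA code and not a working PANDA plugin. The `on_virt_mem_read`/`on_virt_mem_write` functions only mimic the shape of what a plugin would attach to the `PANDA_CB_VIRT_MEM_READ`/`PANDA_CB_VIRT_MEM_WRITE` callbacks named above; their parameter list, the `asid` field used to tell the two racing contexts apart, and the sample trace with two contexts racing on `0xdeadbeef` are all constructed assumptions for illustration.

```c
/* Added example: a serialized memory-access recorder that assigns each guest
 * memory event a Lamport-style sequence number, then answers "which context
 * touched address X first?". Not PANDA code; the hook signatures below are a
 * constructed stand-in for a plugin's PANDA_CB_VIRT_MEM_READ/WRITE callbacks. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t target_ulong;              /* assumption: 64-bit guest addresses */
typedef enum { MEM_READ = 0, MEM_WRITE = 1 } mem_op;

typedef struct {
    uint64_t     seq;   /* global sequence number: the Lamport timestamp        */
    target_ulong asid;  /* address-space id, used here to distinguish contexts  */
    target_ulong pc;    /* program counter of the accessing instruction         */
    target_ulong addr;  /* guest virtual address accessed                       */
    size_t       size;  /* bytes accessed                                       */
    mem_op       op;
} mem_event;

#define MAX_EVENTS 4096
static mem_event trace[MAX_EVENTS];
static size_t    n_events = 0;
static uint64_t  lamport  = 0;   /* single writer: guest execution is serialized */

void reset_trace(void) { n_events = 0; lamport = 0; }

/* Append one event. Safe without a lock only because callbacks never overlap. */
static int record(target_ulong asid, target_ulong pc, target_ulong addr,
                  size_t size, mem_op op) {
    if (n_events >= MAX_EVENTS) return -1;          /* trace buffer full */
    mem_event *e = &trace[n_events++];
    e->seq = ++lamport; e->asid = asid; e->pc = pc;
    e->addr = addr;     e->size = size; e->op = op;
    return 0;
}

/* Hypothetical hook shapes: a real plugin would register equivalents via
 * PANDA_CB_VIRT_MEM_READ / PANDA_CB_VIRT_MEM_WRITE. */
int on_virt_mem_read(target_ulong asid, target_ulong pc, target_ulong addr, size_t size)
{ return record(asid, pc, addr, size, MEM_READ); }
int on_virt_mem_write(target_ulong asid, target_ulong pc, target_ulong addr, size_t size)
{ return record(asid, pc, addr, size, MEM_WRITE); }

/* Sequence number of the first access by `asid` to exactly `addr`; 0 if none. */
uint64_t first_seq(target_ulong addr, target_ulong asid) {
    for (size_t i = 0; i < n_events; i++)
        if (trace[i].addr == addr && trace[i].asid == asid) return trace[i].seq;
    return 0;
}

/* Which of two contexts reached `addr` first? Returns the winning asid, or 0
 * if either context never touched the address (no race to order). */
target_ulong race_winner(target_ulong addr, target_ulong asid_a, target_ulong asid_b) {
    uint64_t sa = first_seq(addr, asid_a), sb = first_seq(addr, asid_b);
    if (sa == 0 || sb == 0) return 0;
    return sa < sb ? asid_a : asid_b;
}

/* Number of recorded events whose byte range overlaps [addr, addr + size). */
size_t accesses_overlapping(target_ulong addr, size_t size) {
    size_t n = 0;
    for (size_t i = 0; i < n_events; i++)
        if (trace[i].addr < addr + size && addr < trace[i].addr + trace[i].size) n++;
    return n;
}

/* Constructed sample: contexts 0x1000 and 0x2000 race on 0xdeadbeef. */
size_t load_sample_trace(void) {
    reset_trace();
    on_virt_mem_read (0x1000, 0x401000, 0xdeadbeef, 4);   /* seq 1 */
    on_virt_mem_write(0x2000, 0x402000, 0xdeadbeef, 4);   /* seq 2 */
    on_virt_mem_write(0x1000, 0x401004, 0xdeadbeef, 4);   /* seq 3 */
    on_virt_mem_read (0x2000, 0x402004, 0xdeadbef0, 4);   /* seq 4 */
    return n_events;
}

int main(void) {
    load_sample_trace();
    for (size_t i = 0; i < n_events; i++)
        printf("#%" PRIu64 " asid=%" PRIx64 " pc=%" PRIx64 " %s %" PRIx64 " (%zu bytes)\n",
               trace[i].seq, trace[i].asid, trace[i].pc,
               trace[i].op == MEM_WRITE ? "W" : "R", trace[i].addr, trace[i].size);
    printf("first to reach 0xdeadbeef: asid %" PRIx64 "\n",
           race_winner(0xdeadbeef, 0x1000, 0x2000));
    return 0;
}
```

The sequence number is the whole ordering mechanism; nothing vector-clock-like is needed precisely because the callbacks are never concurrent. If a later QEMU gained truly parallel vCPUs, this counter would need an atomic increment and the per-vCPU interleaving would no longer be observable from the callback alone.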


