[panda-users] Gathering of specific data...

Kenneth Adam Miller kennethadammiller at gmail.com
Sun Dec 7 19:17:25 EST 2014


Ok, cool. Then the data structure for shadow memory is still applicable.

On Sun, Dec 7, 2014 at 7:15 PM, Brendan Dolan-Gavitt <brendandg at gatech.edu>
wrote:

> Yes – the QEMU process itself can run multiple threads just fine. It's
> just the guest execution that's serialized.
>
> -Brendan
>
> On Sun, Dec 7, 2014 at 7:11 PM, Kenneth Adam Miller
> <kennethadammiller at gmail.com> wrote:
> > Excellent!
> >
> > That's most of what I need anyway, the function & image name isn't
> > absolutely necessary for my analysis framework, just some verbosity to help
> > in searches...
> >
> > But now that you say that QEMU doesn't support true multi-threading, I
> > wonder about the data structure design write up that I'm doing; much of
> > the idea for acceleration comes in the ability to have a multi-multi
> > threading model between the background analysis threads that remove latency
> > and the foreground that is adding data to be processed into the taint data
> > structure; my question is now: while the QEMU framework doesn't support
> > full multi-threading, can analysis threads specifically be truly parallel,
> > provided they aren't part of the actual target VM?
> >
> > On Sun, Dec 7, 2014 at 7:06 PM, Brendan Dolan-Gavitt <brendandg at gatech.edu>
> > wrote:
> >>
> >> On Sun, Dec 7, 2014 at 6:48 PM, Kenneth Adam Miller
> >> <kennethadammiller at gmail.com> wrote:
> >> > Does PANDA allow users to gather information similar to PIN? Such as the
> >> > following information:
> >> >
> >> > Image name
> >>
> >> For Windows 7, you can get this with the new OSI API. I will try to
> >> take some time to document it this week.
> >>
> >> > Function name
> >>
> >> This requires access to debug symbols and isn't natively supported in
> >> PANDA. You can pretty easily cobble something together using e.g.
> >> pdbparse for Windows binaries or objdump/readelf/dwarfdump for Linux
> >> binaries to create a symbol map and then use that in your
> >>
> >> > Address of execution
> >>
> >> Yes; by default you can get the current program counter with the
> >> accuracy of one QEMU basic block. If you need greater precision, you
> >> can call panda_enable_precise_pc(), at which point the program counter
> >> will be accurate to the instruction.
> >>
> >> > Address of memory write
> >> > Address of memory read
> >>
> >> Yes, these are available in the PANDA_CB_VIRT_MEM_READ/WRITE callbacks
> >> (and their PHYS counterparts, if you want physical addresses).
> >>
> >> > etc...
> >>
> >> > And is there any way to determine a full ordering via lamport clock of
> >> > all memory operations, via plugin or framework feature? Suppose threads 1
> >> > & 2 race for memory at 0xdeadbeef; I want to know, as accurately as
> >> > possible, which order the instructions of thread 1 & 2 run with.
> >>
> >> QEMU (at least as of 1.0.1, things may have changed since) doesn't
> >> support true multithreading – execution of each virtual CPU is
> >> serialized via a global lock. Our record/replay implementation also
> >> currently doesn't support SMP; only one virtual processor is
> >> supported.
> >>
> >> So when the memory callback executes, only one will be executing at
> >> once, meaning determining the exact order is trivial.
> >>
> >> Hope this helps,
> >> Brendan
> >
> >
> >
> > _______________________________________________
> > panda-users mailing list
> > panda-users at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/panda-users
> >
>
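Following the serialization point Brendan makes above, an added example (not code from the PANDA project or from anyone in this thread) of a shadow-memory table that stamps each guest memory access with a global sequence number, which under a single serialized vCPU is already a total order and makes a Lamport clock unnecessary. The callback parameters, the guest thread id and the sample addresses are assumptions; the real PANDA_CB_VIRT_MEM_READ/WRITE registration is not shown.

```c
#include <stdint.h>
#include <stddef.h>

#define SHADOW_SLOTS 1024  /* open-addressing table; toy size for the example */

typedef struct {
    uint64_t addr;            /* guest virtual address; 0 marks an empty slot */
    uint64_t last_write_seq;  /* clock value of the latest write, 0 = never written */
    uint64_t last_read_seq;   /* clock value of the latest read, 0 = never read */
    int      last_writer;     /* assumed guest thread id (from OSI in practice); -1 = none */
} shadow_t;

static shadow_t shadow[SHADOW_SLOTS];
static uint64_t next_seq = 1;  /* global clock, bumped once per callback */

/* Slot for addr by linear probing; NULL only when the table is full. */
static shadow_t *shadow_slot(uint64_t addr) {
    for (size_t i = 0; i < SHADOW_SLOTS; i++) {
        shadow_t *s = &shadow[(addr + i) % SHADOW_SLOTS];
        if (s->addr == addr || s->addr == 0) return s;
    }
    return NULL;
}

/* Stand-in for the body of a PANDA_CB_VIRT_MEM_READ/WRITE callback (the
 * parameters are assumed, not PANDA's real signature). The callbacks run on
 * one serialized vCPU, so next_seq is a total order over every access.
 * Returns the clock value assigned to this access. */
uint64_t on_mem_access(int thread, uint64_t addr, int is_write) {
    shadow_t *s = shadow_slot(addr);
    if (s == NULL) return 0;
    if (s->addr == 0) { s->addr = addr; s->last_writer = -1; }
    uint64_t seq = next_seq++;
    if (is_write) { s->last_write_seq = seq; s->last_writer = thread; }
    else          { s->last_read_seq = seq; }
    return seq;
}

/* Which guest thread's write is currently visible at addr? -1 if never written. */
int last_writer(uint64_t addr) {
    shadow_t *s = shadow_slot(addr);
    return (s != NULL && s->addr == addr) ? s->last_writer : -1;
}

/* Did the most recent read of addr come after the most recent write? */
int read_after_write(uint64_t addr) {
    shadow_t *s = shadow_slot(addr);
    return s != NULL && s->addr == addr && s->last_write_seq != 0 &&
           s->last_read_seq > s->last_write_seq;
}
```

Feeding the constructed race from the thread (threads 1 and 2 both writing 0xdeadbeef, then thread 1 reading it) yields sequence numbers 1, 2, 3, so the winner of the race is whichever write carries the higher number.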