[panda-users] Problem syscall plugin usage

Simone Mazzoni simone.mazzoni13 at gmail.com
Mon Dec 8 09:12:23 EST 2014


Hello yrp,

I solved my problem by disabling kvm. This allows me to read the content of EAX register in order to read the data every time a system call is invoked.

Now I'm trying to find a way to get information about the arguments of every system call. If I'm not wrong, the address of the first parameter/argument of a system call is pushed in the EDX register. Is this right? Is there a way to retrieve information about the parameters of each system call invoked by the system?

Thanks,
Simone
-----------------------------------------------------
Simone Mazzoni
Cell: 340 5210441
E-Mail: simone.mazzoni13 at gmail.com
skype: mazzoni.s

> On 03 Dec 2014, at 21:28, - yrp <yrp604 at yahoo.com> wrote:
> 
> Hi Simone,
> 
> I believe the syscalls plugin used to create the list of syscalls when it was still coupled with the fdtracker plugin. Currently I think it only provides an API for you to add your own hook before/after syscall execution and in the Linux case, the ability to set a hook on any particular syscall.
> 
> There are two proper ways to accomplish what you're looking for. First, you could write a small plugin that uses the API defined in syscalls_int.h. Alternatively, you could look at the format of the gen_syscalls_* files and port them from Linux to Windows, which should be relatively straightforward as it's all just syscall prototypes. Finally, for a third option you could modify the syscalls plugin around line 330. The last option is probably the least "clean" but fastest.
> 
> Hope this helps,
> yrp
> 
> 
> On Wednesday, December 3, 2014 9:50 AM, Simone Mazzoni <simone.mazzoni13 at gmail.com> wrote:
> 
> 
> Hello, 
> 
> I have a problem in using the “syscall” plugin provided in PANDA.
> 
> I successfully compiled PANDA following the compile.txt instructions.
> 
> I want now to use PANDA to scan all the system calls on a Windows 7 VM.
> 
> I run the Windows 7 VM with this command: “./qemu-system-x86_64 -hda ../../../qemuwin7.img -enable-kvm -m 1024 -monitor stdio -loadvm booted -panda syscalls” and the system replies with this message
> 
> adding /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so to panda_plugin_files 0
> loading /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so
> warning: Plugin 'syscalls' uses argument: -panda-arg syscalls:file=<file>
> using default log file syscalls.txt
> Success
> QEMU 1.0,1 monitor - type 'help' for more information
> (qemu) SaveVM v3 format forces exact matches between devices on load and save, including on replay.
> 
> So it seems that the plugin is successfully loaded.
> The message says also that the default log file “syscalls.txt” will be used, so I expect to see some line in this file after running some programs in the Windows 7 VM, but the file remains blank, so it seems that the plugin is not working.
> 
> Where are my errors? How can I effectively trace all the system calls invocations of the guest Windows 7 system?
> 
> Thanks
> 
> Simone
> 
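To make the argument-pointer question concrete, here is an added example (the editor's code, not code from this thread or from PANDA). It assumes the convention that a 32-bit Windows guest entering the kernel via sysenter has the syscall number in EAX and the user-mode ESP in EDX, with the dword arguments starting at EDX+8 behind two return addresses; the memory reader is a stand-in for a guest-memory read such as PANDA's panda_virtual_memory_rw(), and the stack contents are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Assumed convention (editor's assumption, not stated in the thread): at sysenter on a
 * 32-bit Windows guest, EAX = syscall number and EDX = user ESP. That stack holds two
 * return addresses (ntdll stub, then the caller) before the args, so arg i is at EDX+8+4*i. */
#define WIN32_ARG_OFFSET 8
#define MAX_ARGS 4

/* Stand-in for a guest-memory reader (e.g. PANDA's panda_virtual_memory_rw); 0 = ok, -1 = unmapped. */
typedef int (*guest_read_fn)(uint32_t vaddr, void *buf, size_t len);

typedef struct {
    uint32_t number;          /* EAX */
    uint32_t args[MAX_ARGS];  /* dword arguments read from the user stack */
    int nargs;                /* how many of them were readable */
} syscall_record;

/* Decode a syscall from an EAX/EDX snapshot; returns the number of args read. */
int decode_win32_syscall(uint32_t eax, uint32_t edx, guest_read_fn rd, syscall_record *out)
{
    memset(out, 0, sizeof *out);
    out->number = eax;
    for (int i = 0; i < MAX_ARGS; i++) {
        uint32_t addr = edx + WIN32_ARG_OFFSET + 4u * (uint32_t)i;
        if (rd(addr, &out->args[i], sizeof out->args[i]) != 0)
            break;            /* stop at the first unmapped word */
        out->nargs = i + 1;
    }
    return out->nargs;
}

/* Constructed fake guest memory: a 64-byte user stack mapped at 0x0012FF00. */
#define FAKE_STACK_BASE 0x0012FF00u
static uint8_t fake_stack[64];

static int fake_read(uint32_t vaddr, void *buf, size_t len)
{
    if (vaddr < FAKE_STACK_BASE || vaddr + len > FAKE_STACK_BASE + sizeof fake_stack)
        return -1;
    memcpy(buf, fake_stack + (vaddr - FAKE_STACK_BASE), len);
    return 0;
}

/* Fill the sample stack (two return addresses, then dword args) and decode from a given EDX. */
syscall_record demo_decode(uint32_t eax, uint32_t edx)
{
    uint32_t w[] = { 0x77d7e4f4, 0x00401234, 0x40, 0x0012ff80, 0x1, 0x0 };
    memcpy(fake_stack, w, sizeof w);
    syscall_record r;
    decode_win32_syscall(eax, edx, fake_read, &r);
    return r;
}
```

Reading stops at the first unmapped dword, which is what a plugin must handle when a guest stack page is not resident.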
