[panda-users] Problem syscall plugin usage

- yrp yrp604 at yahoo.com
Mon Dec 8 14:14:55 EST 2014


Yes, 'env->regs[R_EDX]' should give you what you want. This of course presumes the CPUState ptr is named env...

For an example, see here: https://github.com/moyix/panda/blob/master/qemu/panda_plugins/syscalls/syscalls.cpp#L332
On Monday, December 8, 2014 6:12 AM, Simone Mazzoni <simone.mazzoni13 at gmail.com> wrote:

Hello yrp,
I solved my problem by disabling kvm. This allows me to read the content of the EAX register in order to read the data every time a system call is invoked.
Now I'm trying to find a way to get information about the arguments of every system call. If I'm not wrong, the address of the first parameter/argument of a system call is pushed in the EDX register. Is this right? Is there a way to retrieve information about the parameters of each system call invoked by the system?
Thanks,
Simone
-----------------------------------------------------
Simone Mazzoni
Cell: 340 5210441
E-Mail: simone.mazzoni13 at gmail.com
skype: mazzoni.s

On 3 December 2014, at 21:28, - yrp <yrp604 at yahoo.com> wrote:
Hi Simone,
I believe the syscalls plugin used to create the list of syscalls when it was still coupled with the fdtracker plugin. Currently I think it only provides an API for you to add your own hook before/after syscall execution and in the Linux case, the ability to set a hook on any particular syscall.
There are two proper ways to accomplish what you're looking for. First, you could write a small plugin that uses the API defined in syscalls_int.h. Alternatively, you could look at the format of the gen_syscalls_* files and port them from Linux to Windows, which should be relatively straightforward as it's all just syscall prototypes. Finally, for a third option you could modify the syscalls plugin around line 330. The last option is probably the least "clean" but fastest.

Hope this helps,
yrp

On Wednesday, December 3, 2014 9:50 AM, Simone Mazzoni <simone.mazzoni13 at gmail.com> wrote:

Hello,

I have a problem using the "syscalls" plugin provided in PANDA.

I successfully compiled PANDA following the compile.txt instructions.

I want now to use PANDA to scan all the system calls on a Windows 7 VM.

I run the Windows 7 VM with this command: "./qemu-system-x86_64 -hda ../../../qemuwin7.img -enable-kvm -m 1024 -monitor stdio -loadvm booted -panda syscalls" and the system replies with this message:

adding /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so to panda_plugin_files 0
loading /home/parallels/Desktop/Tesi/panda-master/qemu/x86_64-softmmu/panda_plugins/panda_syscalls.so
warning: Plugin 'syscalls' uses argument: -panda-arg syscalls:file=<file>
using default log file syscalls.txt
Success
QEMU 1.0,1 monitor - type 'help' for more information
(qemu) SaveVM v3 format forces exact matches between devices on load and save, including on replay.

So it seems that the plugin is successfully loaded.
The message also says that the default log file "syscalls.txt" will be used, so I expect to see some lines in this file after running some programs in the Windows 7 VM, but the file remains blank, so it seems that the plugin is not working.

Where are my errors? How can I effectively trace all the system call invocations of the guest Windows 7 system?

Thanks

Simone




_______________________________________________
panda-users mailing list
panda-users at mit.edu
http://mailman.mit.edu/mailman/listinfo/panda-users
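The EDX question in the exchange above (EAX = syscall number, EDX = pointer to the arguments on the 32-bit Windows guest) decodes as below. This is an added example, not code from PANDA or from the syscalls plugin the thread links to. It assumes the Windows 7 x86 sysenter convention, where EDX holds the user-mode ESP and the user stack at that point carries two return addresses (into ntdll's Nt* stub and into the stub's caller) before the first 4-byte argument, so argument i sits at EDX + 8 + 4*i; the int 0x2e path points EDX at the first argument directly, so the base offset is a parameter. Guest memory access is abstracted behind a callback (in a real plugin, PANDA's panda_virtual_memory_rw on the CPUState would sit behind it, and a read can fail when the page is not mapped in); `read_syscall_args`, `guest_read_fn`, the `ARG_BASE_*` names and the constructed fake stack are all this example's own, not PANDA API. A 64-bit or WoW64 guest uses different registers and is out of scope here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not PANDA's code). Models how a plugin would decode
 * Windows x86 syscall arguments once it has EAX and EDX from the guest.
 * Assumed Windows 7 x86 sysenter layout of the user stack at EDX:
 *     [EDX+0] return address into ntdll's Nt* stub
 *     [EDX+4] return address into the stub's caller
 *     [EDX+8] first argument, then one 4-byte slot per argument.
 * The int 0x2e stub points EDX at the first argument, hence the base
 * offset parameter. Guest memory is read through a callback so the
 * decoder runs stand-alone here. */

/* Read len bytes of guest virtual memory at vaddr; 0 on success, -1 on fault. */
typedef int (*guest_read_fn)(void *ctx, uint32_t vaddr, void *buf, size_t len);

enum { ARG_BASE_SYSENTER = 8, ARG_BASE_INT2E = 0 };

struct guest_regs { uint32_t eax; uint32_t edx; };

/* Decode nargs 32-bit arguments of the syscall numbered regs->eax.
 * Returns the number of arguments read, or -1 if the guest stack page
 * could not be read (the plugin must tolerate that, not crash). */
int read_syscall_args(const struct guest_regs *regs, int arg_base, int nargs,
                      uint32_t *out, guest_read_fn rd, void *ctx)
{
    for (int i = 0; i < nargs; i++) {
        uint32_t vaddr = regs->edx + (uint32_t)arg_base + 4u * (uint32_t)i;
        uint32_t word;
        if (rd(ctx, vaddr, &word, sizeof word) != 0)
            return -1;
        out[i] = word;  /* guest is little-endian; host assumed the same */
    }
    return nargs;
}

/* --- constructed guest stack for the stand-alone demo (not real data) --- */
struct fake_mem { uint32_t base; uint8_t bytes[64]; };

static int fake_read(void *ctx, uint32_t vaddr, void *buf, size_t len)
{
    const struct fake_mem *m = ctx;
    if (vaddr < m->base || vaddr + len > m->base + sizeof m->bytes)
        return -1;  /* simulates a fault on an unmapped address */
    memcpy(buf, m->bytes + (vaddr - m->base), len);
    return 0;
}

static void fake_push_words(struct fake_mem *m, const uint32_t *w, int n)
{
    for (int i = 0; i < n; i++)
        memcpy(m->bytes + 4 * i, &w[i], 4);  /* host little-endian assumed */
}

/* Demo: a constructed syscall (number 0x42, three arguments) entered via
 * sysenter. Fills out[0..2] and *syscall_no; returns the argument count. */
int demo_decode(uint32_t out[3], uint32_t *syscall_no)
{
    static struct fake_mem stack = { .base = 0x0012ff40 };
    const uint32_t words[] = { 0x77a1c4c0,   /* ret into Nt* stub (constructed) */
                               0x00401234,   /* ret into caller   (constructed) */
                               0x0012ffa0, 0x00100001, 0x0012ff80 };  /* args */
    fake_push_words(&stack, words, 5);
    struct guest_regs regs = { .eax = 0x42, .edx = stack.base };
    *syscall_no = regs.eax;
    return read_syscall_args(&regs, ARG_BASE_SYSENTER, 3, out, fake_read, &stack);
}

int main(void)
{
    uint32_t args[3], no;
    int n = demo_decode(args, &no);
    printf("syscall 0x%x with %d args:", no, n);
    for (int i = 0; i < n; i++)
        printf(" 0x%08x", args[i]);
    printf("\n");
    return 0;
}
```

The number of arguments per syscall is not recoverable from the registers; it has to come from a prototype table for the guest's exact Windows build (the gen_syscalls_* files mentioned above play that role for Linux), and the table is keyed on EAX. Note also that the -1 path matters in practice: the guest stack page can be paged out at the moment the syscall instruction executes, so a plugin should log the failure and move on rather than assume the read succeeded.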